An unexpected journey into Microsoft Defender's signature World
Introduction

Microsoft Defender is the endpoint security solution preinstalled on every Windows machine since Windows 7. It's a fairly complex piece of software, addressing both EDR and EPP use cases.
ID    SIGNATURE TYPE
97    SIGNATURE_TYPE_PEHSTR
120   SIGNATURE_TYPE_PEHSTR_EXT
133   SIGNATURE_TYPE_PEHSTR_EXT2
140   SIGNATURE_TYPE_ELFHSTR_EXT
141   SIGNATURE_TYPE_MACHOHSTR_EXT
142   SIGNATURE_TYPE_DOSHSTR_EXT
143   SIGNATURE_TYPE_MACROHSTR_EXT
190   SIGNATURE_TYPE_DEXHSTR_EXT
191   SIGNATURE_TYPE_JAVAHSTR_EXT
197   SIGNATURE_TYPE_ARHSTR_EXT
209   SIGNATURE_TYPE_SWFHSTR_EXT
211   SIGNATURE_TYPE_AUTOITHSTR_EXT
212   SIGNATURE_TYPE_INNOHSTR_EXT
215   SIGNATURE_TYPE_CMDHSTR_EXT
228   SIGNATURE_TYPE_MDBHSTR_EXT
234   SIGNATURE_TYPE_DMGHSTR_EXT

In order to set up this new group of handlers for the HSTR signature family, it first computes the number of records and then allocates a contiguous memory area of 0x14 * hstr_total_cnt bytes (line 148 of the disassembled code below shows the example for the PEHSTR sub-family).

Despite the incorporation of wildcards and complex patterns to enhance flexibility and strength, the fact remains that rules based solely on byte and string matching are relatively easy to bypass. Of course, proper emulation goes beyond pattern-based detection, but nevertheless this is an interesting case study that showcases the importance of understanding the internals of security solutions.