726 matches found
Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files in order to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of new malware files at first sight, we always strive to...
Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files in order to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of new malware files at first sight, we always strive to...
Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)
Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit DCU, announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the...
Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)
Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit DCU, announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the...
Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run...
Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run...
New tech support scam launches communication or phone call app
A new tech support scam technique streamlines the entire scam experience, leaving potential victims only one click or tap away from speaking with a scammer. We recently found a new tech support scam website that opens your default communication or phone call app, automatically prompting you to ca...
#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP
On November 10, 2017, a vulnerability called AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file. Windows Defender Antivirus and other Microsoft antimalware products, including System...
Detecting reflective DLL loading with Windows Defender ATP
Today's attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In...
Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
The threat to sensitive financial information is greater than ever. Data breaches, phishing attacks, and other forms of information theft are all too common in today’s threat landscape. Point-of-sale systems and ATMs have been targeted by hackers. Information-stealing trojans pose a risk to data...
Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
Windows Defender Exploit Guard is a new set of intrusion prevention capabilities that ships with the Windows 10 Fall Creators Update. The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly us...
Making Microsoft Edge the most secure browser with Windows Defender Application Guard
Innovation in the attack space is constant as adversaries increase in both determination and sophistication. In response to increased investments in defense, attackers are adapting and improving tactics at breakneck speed. The good news is that defenders are also innovating and disrupting long...
Introducing Windows Defender Application Control
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control flips the model from one where all applications are assumed trustworthy by default t...
Hardening the system and maintaining integrity with Windows Defender System Guard
One of the things we spend a great deal of time thinking about here at Microsoft is how attackers will attempt to persist and evade detection once they’ve successfully compromised a device. With Windows 10 we’ve made it more difficult to find ways to exploit potential entry points, and it’s clear...
Move away from passwords, deploy Windows Hello. Today!
Something we understood from the very beginning with Windows Hello for Business is our customers would approach Windows 10 in a series of phases. The first phase is to simply deploy the platform itself. From there, additional phases would follow to take advantage of optional Windows 10 technologi...
Stopping ransomware where it counts: Protecting your data with Controlled folder access
Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities included with Windows 10 Fall Creators Update. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files. Encryption should protect...
Browser security beyond sandboxing
Security is now a strong differentiator in picking the right browser. We all use browsers for day-to-day activities like staying in touch with loved ones, but also for editing sensitive private and corporate documents, and even managing our financial assets. A single compromise through a web...
Announcing the Windows Defender Advanced Threat Protection ISO 27001 audit assessment report
The security and privacy of customer data are our top priority. Our goals are simple: to operate our services with the security and privacy you expect from Microsoft, and to give you accurate assurances about our security and privacy practices. In line with our commitment to provide customers the...
Exploit for CVE-2017-8759 detected and neutralized
The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat. The vulnerability, classified as...
Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene
In the first six months of 2017, ransomware threats reached new levels of sophistication. The same period also saw the reversal of a six-month downward trend in ransomware encounters. New ransomware code was released at a higher rate with increasing complexity. Two high-profile ransomware inciden...
Microsoft to remove WoSign and StartCom certificates in Windows 10
Microsoft has concluded that the Chinese Certificate Authorities CAs WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certifica...
Links in phishing-like emails lead to tech support scam
Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines. You can also read our latest blog, New tech support scam launches communication or phone call app. Tech support scams continue to...
Windows Defender ATP machine learning: Detecting new and unusual breach activity
Microsoft has been investing heavily in next-generation security technologies. These technologies use our ability to consolidate large sets of data and build intelligent systems that learn from that data. These machine learning ML systems flag and surface threats that would otherwise remain...
Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware
For cybercriminals, speed is the name of the game. It takes newly released malware an average of just four hours to achieve its goal—steal financial information, extort money, or cause widespread damage. In a recent report, the Federal Trade Commission FTC said that cybercriminals will use hacked...
Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing
Advanced cyberattacks emphasize stealth and persistence: the longer they stay under the radar, the more they can move laterally, exfiltrate data, and cause damage. To avoid detection, attackers are increasingly turning to cross-process injection. Cross-process injection gives attackers the abilit...
Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation
Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene. On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsa...
Windows 10 platform resilience against the Petya ransomware attack
Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene. The Petya ransomware attack on June 27, 2017 which we analyzed in-depth in this blog may have been perceived as an outbreak worse than last month's...
New ransomware, old techniques: Petya adds worm capabilities
Note: We have published a follow-up blog entry on this ransomware attack. We have new findings from our continued investigation, as well as platform mitigation and protection information: Windows 10 platform resilience against the Petya ransomware attack. Read our latest comprehensive report on...
What’s new in Windows Defender ATP Fall Creators Update
When we introduced Windows Defender Advanced Threat Protection Windows Defender ATP, our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer ...
Understanding the true size of “Fireball”
Keeping tabs on the movement of cybersecurity threats, understanding the size and scope of attacks, and disrupting cybercriminal campaigns through next-gen technologies are fundamental parts of our day-to-day work at Microsoft Windows Defender Research. So when recent reports of the "Fireball"...
Partnering with the AV ecosystem to protect our Windows 10 customers
On Friday May 12th, and for several days afterwards, more than a quarter-million computers around the world fell victim to the ransomware known as WannaCrypt or WannaCry. As that recent event has shown, malicious actors bring nearly boundless time and skill to commit cybercrime that can cause har...
Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security
On April 14, a group calling themselves the Shadow Brokers caught the attention of the security community by releasing a set of weaponized exploits. Shortly thereafter, one of these exploits was used to create wormable malware that we now know as WannaCrypt, which targeted a large number of...
MSRT June 2017: Removing sneaky Xiazai
In the June release of the Microsoft Malicious Software Removal Tool MSRT, we’re adding Xiazai, a widespread family of browser modifiers that we have blocked and removed from millions of computers since 2015. Xiazai is a software bundler that can sneak in additional changes. Xiazai does not insta...
Windows 10 Creators Update provides next-gen ransomware protection
Multiple high-profile incidents have demonstrated that ransomware can have catastrophic effects on all of us. From personally losing access to your own digital property, to being impacted because critical infrastructure or health care services are unexpectedly unavailable for extended periods of...
PLATINUM continues to evolve, find ways to maintain invisibility
Back in April 2016, we released the paper PLATINUM: Targeted attacks in South and Southeast Asia, where we detailed the tactics, techniques, and procedures of the PLATINUM activity group. We described a group that was well-resourced and quickly adopted advanced techniques, such as hot patching to...
WannaCrypt ransomware worm targets out-of-date systems
Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene. On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security update...
Antivirus evolved
Some say antivirus is an outdated technology. What does “antivirus” even mean? For us, antivirus is the most commonly recognized term that means for customers “a product that stops bad programs from infecting my device.” Saying “antivirus” is similar to when you hear a Southerner like myself say...
Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack
Several weeks ago, the Windows Defender Advanced Threat Protection Windows Defender ATP research team noticed security alerts that demonstrated an intriguing attack pattern. These early alerts uncovered a well-planned, finely orchestrated cyberattack that targeted several high-profile technology...
Combating a spate of Java malware with machine learning in real-time
In recent weeks, we have seen a surge in emails carrying fresh malicious Java .jar malware that use new techniques to evade antivirus protection. But with our research team’s automated expert systems and machine learning models, Windows 10 PCs get real-time protection against these latest threats...
Tech support scams persist with increasingly crafty techniques
Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines. You can also read our latest blog, New tech support scam launches communication or phone call app. Millions of users continue to...
World Backup Day is as good as any to back up your data
In today’s security landscape, there are more threats to data than ever before. Beyond corruption caused by hardware or human failure, malware and cyberattacks can put data in serious danger. That’s why it’s imperative for enterprises, small-and-medium businesses, and individuals to back up data...
Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
On March 14, 2017, Microsoft released security bulletin MS17-013 to address CVE-2017-0005, a vulnerability in the Windows Win32k component that could potentially allow elevation of privileges. A report from a trusted partner identified a zero-day exploit for this vulnerability. The exploit target...
Tax-themed phishing and malware attacks proliferate during the tax filing season
Tax-themed scams and social engineering attacks are as certain as death or tax itself. Every year we see these attacks, and 2017 is no different. These attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months...
Ransomware operators are hiding malware deeper in installer packages
Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene. We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by...
Uncovering cross-process injection with Windows Defender ATP
Windows Defender Advanced Threat Protection Windows Defender ATP is a post-breach solution that alerts security operations SecOps personnel about hostile activity. As the nature of attacks evolve, Windows Defender ATP must advance so that it continues to help SecOps personnel uncover and address...
Breaking down a notably sophisticated tech support scam M.O.
Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines. You can also read our latest blog, New tech support scam launches communication or phone call app. The cornerstone of tech support sca...
MSRT February 2017: Chuckenit detection completes MSRT solution for one malware suite
In September 2016, we started adding to Microsoft Malicious Software Removal Tool MSRT a malware suite of browser modifiers and other Trojans installed by software bundlers. We documented how the malware in this group install other malware or applications silently, without your consent. This...
Ransomware: A declining nuisance or an evolving menace?
Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene. The volume of ransomware encounters is on a downward trend. Are we seeing the beginning of the end of this vicious threat? Unfortunately, a look at the...
Improved scripts in .lnk files now deliver Kovter in addition to Locky
Cybercriminals are using a combination of improved script and well-maintained download sites to attempt installing Locky and Kovter on more computers. A few months ago, we reported an email campaign distributing .lnk files with a malicious script that delivered Locky ransomware. Opening the...
Averting ransomware epidemics in corporate networks with Windows Defender ATP
Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene. Microsoft security researchers continue to observe ransomware campaigns blanketing the market and indiscriminately hitting potential targets...