

Minerva’s Anti-Evasion Platform Working with Windows Defender Antivirus

Minerva’s solution augments antivirus or EPP solutions without interfering or overlapping with their functionality.

Therefore, enterprises can deploy the Anti-Evasion Platform without any formal code-level integration between the Anti-Evasion Platform and a tool such as Windows Defender Antivirus. However, Minerva is able to integrate with Windows Defender AV to provide additional visibility to organizations that also employ Minerva’s technology.

Consider the example of Saturn ransomware. As captured in Figure 1, Windows Defender AV recognizes the malicious pattern inside the runsvr.exe file, fingerprints it as a Saturn.A ransomware sample, and blocks this malware from running on the system. However, attackers can bypass antivirus detection by using any of a variety of evasion tools that exist for this purpose. For instance, an open source tool that encodes the original malicious file into a PowerShell script lets the adversary incorporate some “fileless” capabilities into this threat. This allows Saturn ransomware to exist in its original form in the memory of the endpoint, evading Windows Defender AV.

Figure 1: Windows Defender detects the malicious Saturn file runsvr.exe.

Although evasion tools can turn known malware files into threats that antivirus cannot detect, Minerva’s Anti-Evasion Platform is designed for the very purpose of breaking or otherwise interfering with such attempts. As a result, Minerva’s solution automatically prevents the infection by the evasive variant of Saturn, accomplishing this without any code-level integration with Windows Defender AV.

Minerva is able to turn Saturn's own evasive nature against itself. In this case, the solution interferes with the sample’s attempt to unpack itself into the memory of the PowerShell process. After preventing the infection, Minerva’s Anti-Evasion Platform generates the event shown in Figure 2, which provides information about the context of the attempted attack.

Figure 2: Minerva automatically disrupts the evasive version of Saturn.

Moreover, Minerva can optionally integrate with Windows Defender Antivirus using Microsoft’s Antimalware Scan Interface (AMSI), an API designed for exactly such interactions. In this case, when Minerva’s solution blocks the evasive Saturn threat, it uses AMSI to supply the decoded memory contents that contain Saturn to Windows Defender Antivirus. Since the memory buffer now contains a decoded (and neutralized) version of Saturn, Windows Defender AV is able to recognize it and generate the event captured in Figure 3, which tells the security administrator the malware family name of the threat that Minerva blocked.

Figure 3: Windows Defender AV identified the malware family name of the Minerva-blocked threat.
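The AMSI hand-off described above can be illustrated from the calling side. The script below is an added example, not Minerva’s or Microsoft’s code: it submits a buffer that a product has already decoded in memory to the registered AMSI provider (Windows Defender AV by default) and interprets the verdict the way a security product would before raising its own event. The amsi.dll exports and result constants are the documented ones from amsi.h; the wrapper class AmsiNative, the function Invoke-AmsiBufferScan, the application name and the sample buffer are constructed for this illustration. It requires Windows 10 or Server 2016 or later, where amsi.dll ships with the OS.

```powershell
# Added example (not Minerva's or Microsoft's code). Names marked "hypothetical"
# are invented here; the amsi.dll exports and constants are the documented ones.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

// P/Invoke wrapper for the amsi.dll exports declared in amsi.h.
public static class AmsiNative
{
    public const int AMSI_RESULT_CLEAN                  = 0;
    public const int AMSI_RESULT_NOT_DETECTED           = 1;
    public const int AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000;
    public const int AMSI_RESULT_BLOCKED_BY_ADMIN_END   = 0x4FFF;
    public const int AMSI_RESULT_DETECTED               = 32768;

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                            string contentName, IntPtr amsiSession, out int result);
}
"@

function Invoke-AmsiBufferScan {
    # Hypothetical helper: hand an already-decoded buffer to the AMSI provider
    # and return a structured verdict for the product's own event log.
    param(
        [Parameter(Mandatory)] [byte[]] $Buffer,
        [string] $ContentName = 'decoded-memory-buffer',   # label the AV event will show
        [string] $AppName     = 'ExampleAntiEvasion'       # hypothetical calling application
    )

    $ctx = [IntPtr]::Zero
    $hr  = [AmsiNative]::AmsiInitialize($AppName, [ref] $ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: HRESULT 0x{0:X8}' -f $hr) }
    try {
        # A session lets the provider correlate several scans of one activity.
        $session = [IntPtr]::Zero
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref] $session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: HRESULT 0x{0:X8}' -f $hr) }
        try {
            $result = 0
            $hr = [AmsiNative]::AmsiScanBuffer($ctx, $Buffer, [uint32] $Buffer.Length,
                                               $ContentName, $session, [ref] $result)
            if ($hr -ne 0) { throw ('AmsiScanBuffer failed: HRESULT 0x{0:X8}' -f $hr) }

            # Same test the AmsiResultIsMalware() macro in amsi.h performs.
            $isMalware = $result -ge [AmsiNative]::AMSI_RESULT_DETECTED
            $verdict = switch ($result) {
                ([AmsiNative]::AMSI_RESULT_CLEAN)        { 'Clean (provider says no re-scan needed)'; break }
                ([AmsiNative]::AMSI_RESULT_NOT_DETECTED) { 'Not detected'; break }
                { $_ -ge [AmsiNative]::AMSI_RESULT_BLOCKED_BY_ADMIN_START -and
                  $_ -le [AmsiNative]::AMSI_RESULT_BLOCKED_BY_ADMIN_END } { 'Blocked by administrator policy'; break }
                { $_ -ge [AmsiNative]::AMSI_RESULT_DETECTED } { 'Detected as malware'; break }
                default { 'Provider-specific result' }
            }

            [pscustomobject]@{
                ContentName = $ContentName
                RawResult   = $result
                IsMalware   = $isMalware
                Verdict     = $verdict
            }
        }
        finally { [AmsiNative]::AmsiCloseSession($ctx, $session) }
    }
    finally { [AmsiNative]::AmsiUninitialize($ctx) }
}

# Constructed benign input standing in for the payload a product unpacked from
# an obfuscated script; in the real case this would be the decoded payload itself.
$decoded = [System.Text.Encoding]::Unicode.GetBytes('Write-Output "decoded buffer contents"')
Invoke-AmsiBufferScan -Buffer $decoded -ContentName 'constructed-sample.ps1' | Format-List
```

Because the buffer handed over is already decoded, the provider sees the same bytes a file scan would, which is why the resulting Windows Defender AV event can carry a family name even though the on-disk artifact never looked malicious. To confirm the path end to end on a test machine, pass the standard EICAR test string as the buffer; the Defender event then references the content label supplied in $ContentName, which is the field a product should fill with something an administrator can correlate back to its own alert.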

When Windows Defender Antivirus is on the endpoint together with Minerva’s Anti-Evasion Platform, the organization is protected against a wide variety of threats, including traditional malware as well as many variations of evasive attacks. The Minerva capability outlined above is an example of our Memory Injection Prevention feature; the Anti-Evasion Platform fights other forms of evasion as well, augmenting the protection of antivirus or EPP products without overlapping with them.

Microsoft’s various “Windows Defender” and “Advanced Threat Protection” technologies provide capabilities that offer alternatives to antivirus, EPP, and EDR products offered by other vendors. Some of these capabilities are available as free components of modern Windows OS versions, while others require additional commercial licenses. Enterprises need to understand their own requirements as well as the capabilities offered by Microsoft and its competitors in the endpoint security space to decide which security layers to obtain from which sources.

Regardless of these decisions, Minerva provides a unique approach to covering the gap inherent in any detection-based solution, whether it is provided by Microsoft or another party. Minerva’s Anti-Evasion Platform works together with the organization’s existing security controls to prevent attacks that would otherwise have succeeded at compromising the company’s defenses.

To better understand the way in which Microsoft’s various Windows Defender technologies fit into an endpoint security architecture, read our whitepaper on the topic.
