Explore a DEF CON 31 conference talk that reveals critical vulnerabilities in Windows Defender's signature update process. Dive deep into Windows Defender architecture, signature database format, and update process security verification logic to understand how unprivileged users can potentially compromise Windows systems without requiring a rogue certificate. Learn about Defender-Pretender, a tool demonstrating how attackers can neutralize EDR capabilities, enabling malicious code execution without detection and potentially causing irreversible system damage through forced deletion of critical files. Discover the implications of manipulating Defender's detection and mitigation logic, highlighting significant security risks in what should be a highly secured update process.
Syllabus: DEF CON 31 - Defender-Pretender: When Windows Defender Updates Become a Security Risk - Bar, Attias
Taught by: DEFCONConference