Hi,
I was introduced to this project yesterday and began some tests to see how they perform against Windows Defender Application Control policies and Microsoft Defender. Here are my findings:
Part 1: Malicious files
One of the main problems is using the phrase Living Off The Land, which are supposed to be legitimate non-malicious files that can be misused to circumvent security solutions, but what I'm seeing is straight up malware that Microsoft Defender already detects and blocks.
So, to prevent redundancy, I suggest removing those files from the driver package and instead letting the default security solution take care of them.
For the rest of the files, there is automatic sample submission and the global MAPS and ISG networks that get notified about these files every time they are run.
Part 2: Non-Malicious files
These are another story. I couldn't find a clear reason for each file as to why it's labeled as LOLDriver.
The questions I'd have in mind (and most likely businesses/enterprises too) about each file are:

- What role does it play in circumventing security measures?
- Does it help bypass WDAC? (If so, it should be reported to Microsoft as well to be added to the official recommended block rules.)
- Is there a PoC for it bypassing security measures?
- Does Smart App Control (which uses the Intelligent Security Graph) block them?
- Are some of these drivers also included in Microsoft's recommended driver block rules? (To prevent duplication when merging with a WDAC policy.)
Microsoft Defender results after running all of the driver files; these are the ones I was referring to that are redundant:
The following drivers are blocked when the Default Windows WDAC policy is deployed. A total of 431 drivers:
Download file: 👇👇
Blocked by Default Windows Policy.md
The script I used to automate the tests
Execution
Increase Code Integrity Operational log size
Logs gathering
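The two log-handling steps named above (increasing the Code Integrity Operational log size, then gathering the block events a test run produced) can be scripted as follows. This is an added example written from a defender's validation standpoint; it is not the issue author's script and not part of the LOLDrivers project. The paths in `$DriverFolder` and `$OutputMarkdown` are placeholders, and the `EventData` field names (`File Name`, `PolicyName`, `SHA256 Hash`) are taken from the schema of WDAC events 3076/3077 as I know it; check them against an event on your own test machine before relying on the output.

```powershell
# Added example, not the issue author's script. Run elevated on an isolated test VM
# that already has the Default Windows WDAC policy deployed.
param(
    [string]$DriverFolder    = 'C:\LOLDriverTest\drivers',                             # placeholder path
    [string]$OutputMarkdown  = 'C:\LOLDriverTest\Blocked by Default Windows Policy.md', # placeholder path
    [int]$LogSizeBytes       = 1GB
)

$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'

function Set-CodeIntegrityLogSize {
    param([int]$MaxBytes)
    # wevtutil sl (set-log) with /ms sets the maximum log size in bytes. The default
    # is only about 1 MB, which a few hundred driver loads overflow quickly, so
    # early block events would be lost before they are collected.
    wevtutil.exe sl $LogName /ms:$MaxBytes
    # Echo the effective setting so the change is visible in the console.
    wevtutil.exe gl $LogName | Select-String 'maxSize'
}

function Get-WdacBlockEvents {
    # 3077 = file blocked by an enforced WDAC policy
    # 3076 = file would have been blocked (audit-mode policy)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 3076, 3077 } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            FileName   = $data['File Name']      # assumed field name, verify on your VM
            PolicyName = $data['PolicyName']     # assumed field name
            Sha256     = $data['SHA256 Hash']    # assumed field name
        }
    }
}

function Write-BlockedDriverReport {
    param([string]$Folder, [string]$Path)
    # Match block events back to the sample files by leaf name, so the report only
    # lists drivers that were actually part of this test run.
    $samples = Get-ChildItem -Path $Folder -File -Include *.sys -Recurse |
               Select-Object -ExpandProperty Name
    $blocked = Get-WdacBlockEvents |
               Where-Object { $_.FileName -and ($samples -contains (Split-Path $_.FileName -Leaf)) } |
               Sort-Object { Split-Path $_.FileName -Leaf } -Unique

    $lines = @("# Blocked by Default Windows Policy", "",
               "A total of $($blocked.Count) drivers were blocked.", "")
    foreach ($b in $blocked) {
        $lines += "- $(Split-Path $b.FileName -Leaf) (event $($b.EventId), policy: $($b.PolicyName), sha256: $($b.Sha256))"
    }
    Set-Content -Path $Path -Value $lines -Encoding UTF8
    return $blocked.Count
}

# Usage: enlarge the log before the driver test run, then build the report afterwards.
Set-CodeIntegrityLogSize -MaxBytes $LogSizeBytes
$count = Write-BlockedDriverReport -Folder $DriverFolder -Path $OutputMarkdown
Write-Host "Wrote $count blocked-driver entries to $OutputMarkdown"
```

Call `Set-CodeIntegrityLogSize` once before the drivers are exercised and `Write-BlockedDriverReport` once afterwards; the SHA256 column is what lets the resulting list be compared against Microsoft's recommended driver block rules to spot the duplicates the post asks about.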