Microsoft Defender adds a new rule to prevent password theft

If you’re running Windows 11 or a recent version of Windows Server, the Microsoft Defender antivirus that’s part of the operating system can now prevent your passwords from being stolen.

The new feature has been introduced via an Antimalware Scan Interface (ASR) rule, which is a set of rules used by Microsoft Defender to scan files and block malware. 

The rule uses machine learning to identify malicious processes that do not need access to the LSA functions in Windows but are trying to access them anyway. 

How LSASS operate

The Local Security Authority Subsystem Service (LSASS) is a process in Windows that handles logins and other security-related tasks, so once malware has access to LSA functions, it can steal credentials from memory or other methods from Windows security features.

Microsoft’s Credential Guard authenticates users logging onto a computer, protecting the system with its Defender component. The issue with this is that not all environments will have Credential Guard enabled, as it is not compatible with all programs.

The memory dump file that is created when an attacker has breached a user’s computer can contain the user’s password and username. This file is made possible with the use of Mimikatz, a special tool designed for this purpose.

Attackers can use a legitimate process that exists on the operating system to get full access to the system and transmit memory dumps containing credentials to remote locations. 

Defender will not block this action because the process is legitimate and the action is not harmful. Defender only detects malicious use of processes and cannot prevent their creation or transmission.

Microsoft Defender’s updates

Microsoft has addressed this security issue with the introduction of a new security rule called Attack Surface Reduction (ASR). 

This rule will prevent programs from opening LSASS, and in turn, will also prevent them from creating the memory dump. It will block access to LSASS even if a program that has elevated rights tries to open the process.

Since only programs with administrator privileges can open LSASS, this block also prevents them from accessing other protected processes that might be running on the computer. 

The rule also blocks the protected process itself from opening its own image, making it impossible to capture or modify data in protected memory.

This default setting results in this ASR rule being enabled, while all other rules related to it remain in their default state.

Advantages and disadvantages

Microsoft Defender does use a detection system that detects both known and unknown malware, but it is not foolproof. Malware writers are always searching for new ways to protect their malware from being detected.

If, however, you are using third-party antivirus software on your computer, the ASR rule is unavailable. The lack of the ASR rule enables hackers to bypass Microsoft Defender’s restriction as well as its exclusion paths. 

A number of Windows security researchers have already bypassed the ASR rule for Defender, exploiting its exclusion paths to gain access to the Lsass.exe file. 

The report mentions that because Defender already has multiple exclusions in place—for example, it allows certain administrative users to ask and respond to ASR requests—this allows hackers to exploit those rules while they discover new ways to target computers. 

This means that only users on the Enterprise and Pro versions of Windows 11 will be protected by the improved ASR rule.

However, the new ASR rule has been welcomed by security researchers. As it makes Windows a little more secure, the fewer stolen passwords there are, the better, as everyone will benefit from that.

The latest version of Microsoft Defender, known as Microsoft Defender Preview, offers a dashboard where you can manage the security of your devices.

Is the new Microsoft defender upgrade promising in terms of windows security according to you? Give us your thoughts in the comments section below.