Great deep dive! Always wondered about the details around this topic.

Did a bit of red teaming around the topic of reverse shells and privilege escalation and was pleasantly surprised how much Windows Defender catches. Our IT department recently switched away from a paid McAfee service doing endpoint security, which failed to detect unauthorized access in many instances.

Also, I totally read the intro as "addressing the ERP use-case".
I wish that on a positive find Defender had a "for the nerds" section that says what exactly was found. Was there a URL regex match, like this article gives an example for? Tell me that. I get enough false positives that I want to be able to vet them myself, but that's hard to do without just trusting the source if all I get is a "This has been quarantined" without telling me why beyond a broad class of malware.
Nice big attack surface there. I wonder what's to stop someone modifying the vdx virus definition files to include something like Edge.exe or Explorer.exe?
MDE plan 2 had problems where MS was pushing out under-tested signatures. One time, they pushed out defs that deleted all menu shortcuts for some users, leading them to believe all of their software had been uninstalled.