An unexpected journey into Microsoft Defender's signature World

175 points by serhack_ 10 months ago

6 comments

Angostura 10 months ago
A note to the author: if you are going to include “EDR and EPP” in the intro, please spell them out on first use
Reply #40854851 not loaded
Reply #40854580 not loaded
Reply #40854891 not loaded
FrostKiwi 10 months ago
Great deep dive! Always wondered about the details around this topic.

Did a bit of red teaming around the topic of reverse shells and privilege escalation and was pleasantly surprised how much Windows Defender catches. Our IT department recently switched away from a paid McAfee service doing endpoint security, which failed to detect unauthorized access in many instances.

Also, I totally read the intro as "addressing the ERP use-case"
Reply #40858761 not loaded
Reply #40856593 not loaded
Reply #40857039 not loaded
vegadw 10 months ago
I wish that on a positive find Defender had a "for the nerds" section that says what exactly was found. Was there a URL regex match, like this article gives an example for? Tell me that. I get enough false positives that I want to be able to vet them myself, but that's hard to do without just trusting the source if all I get is a "This has been quarantined" without telling me why beyond a broad class of types of malware.
RachelF 10 months ago
Nice big attack surface there. I wonder what's to stop someone modifying the vdx virus definition files to include something like Edge.exe or Explorer.exe?
banish-m4 10 months ago
MDE plan 2 had problems where MS was pushing out under-tested signatures. One time, they pushed out defs that deleted all menu shortcuts for some users, leading them to believe all of their software had been uninstalled.
InDubioProRubio 10 months ago
Thought it would mention at least the slow-down bug, that slows some systems to a crawl as soon as Defender scans some folders.