Microsoft Defender will be able to block Windows password theft

As you can see, Microsoft Defender does not have all the advanced security technologies that a commercial antivirus product expects from a commercial antivirus product. But that will change in the near future.

Although it is presented as a security product with basic functionality, the Microsoft Defender antivirus is far from being a voluntary act of generosity on the part of the Windows developer. Its role is clearly defined, even essential, to limit as much as possible the potential for exploiting the many Windows security issues, gaining time for the development and distribution of patches that will close them permanently.

The fact that Microsoft Defender is receiving a new security mechanism called Attack Surface Reduction is just a consequence of a chronic Windows security problem, with hackers increasingly able to spread attacks on the local corporate network by exploiting the Local Security Authority Server Service (LSASS) process. . Basically, starting from a single compromised PC to which hackers gained access rights at the Administrator level, extracting the LSASS process from RAM allows obtaining cryptographic hashes (NTLM) for all users who logged on to that PC to other services on the local network. These are then decrypted to obtain passwords in clear form, opening access to other devices on the network.

The new functionality of Microsoft Defender antivirus directly targets the source of the problems, blocking possible memory dump attempts, isolating the LSASS process using virtualization technologies, in a protected memory space.

The problem is that the new security mechanism may raise some conflicts with system or application drivers, some of which may simply stop working. In such cases, system administrators will be able to manually uncheck the new Attack Surface Reduction (ASR) rule, which Microsoft has enabled by default.