by kevin_b_er
2930 days ago
So is Defender. The scanner runs as NT AUTHORITY/SYSTEM without any sandbox. One flaw in the scanner is a widespread and nearly wormable exploit. You can infect an entire company by just spamming them if you found an exploit in the file type parsers it uses. Here's a bug found by Project Zero. The researcher had trouble getting the test case to Microsoft because Defender was running on their middleware boxes and would automatically scan it and die from the exploit testcase. https://bugs.chromium.org/p/project-zero/issues/detail?id=12...
Defender has some advantages, notably not disabling security settings like ASLR or injecting DLLs.