[German]Symbolic links allow to disable Defender as antivirus protection under Windows without disabling features like Tamper Protection. The approach simply lets Defender run into the woods during scanning, because the virus scanner is redirected to other folders. I came across some advice to this effect some time ago, which I'd like to discuss briefly.
Advertising
The attac vector came to my attention via the following tweet, the related explanations can be found in the article Killing Defender through NT symbolic links redirection.
It only requires administrator privileges to prevent Defender from doing its job under Windows. It is not even necessary to access the GUI of the operating system to disable Tamper Protection. All you need to do is to use the NT symbolic link
\Device\BootDevice
redirect. The directory specification is part of the NT path from which the WdFilter driver binary is loaded by Defender. When loading a driver in Windows, there are two ways to specify where the driver binary is located in the file system: Win32 paths and NT paths.
Advertising
Win32 paths are a stripped-down version of the more comprehensive NT paths and rely heavily on NT symbolic links. A Win32 path to the filter driver then looks like this:
C:\Windows\System32\Driver\wd\WdFilter.sys
while the NT path is written as follows:
\Device\HarddiskVolume4\Windows\System32\Driver\wd\WdFilter.sy
NT paths can contain symbolic NT links. The authors of the linked article have created code to redirect the NT paths in question to other directory contents on a drive using symbolic links. Defender then continues to run, but can no longer scan anything useful.
This technique can also be used to make Defender load an arbitrary driver that cannot be found by any tool, but which does not survive a reboot. The code to do this is in APTortellini's Github repository unDefender. Details of the concept can be found in the article here.
