Windows 11: Defender LSA bug fixed by "removing settings", and more Defender/FASR issues …

Windows[German]Microsoft's unconventional solution for the so-called LSA bug caused by a Defender update in Windows 11. Users got to see the message "Local Security Authority protection is disabled …", but could no longer enable this feature. After several "repair" attempts, Microsoft has now announced a "fix" for Windows 11: They removed the option from the Windows 11 settings. In addition, new kernel protection features (e.g. FASR) have been introduced, but they cause issues. There are several requirements to be met to enable the new features. I'll summarize the information in a collective article.


Advertising

Review of the LSA bug

Windows 11 users ran into issues in March 2023 when update KB5007651 updated Defender's anti-malware platform. After the update, the Security Center showed disabled device security protection. This was known as the "LSA bug" (Local Security Authority issue).

I had written something about this Local Security Authority (LSA) bug in March 2023 in the blog post Windows 11 22H2 Defender causes "Local Security Authority protection is off" warning. Microsoft later confirmed the problem (see my article Windows 11 22H2: Microsoft confirms Defender bug "Local security protection is disabled"). The bug then grew into a never-ending story. In the blog post Windows 11: Defender update KB5007651 brings FASR, fixes LAS bug, but still causes issues I had reported about another update that supposedly fixed this LSA bug – but caused other problems (see below).

Microsoft reports a fix

While browsing Microsoft's Windows 11 Know-Issues section, I had already come across the entry Local Security Authority protection is off." with persistent restart – and in this comment, a reader also points it out. Microsoft reconfirms that after installing "Update KB5007651 for Microsoft Defender Antivirus Platform – (Version 1.0.2302.21002)" users may receive a security message or warning stating that "local security protection is disabled. Your device may be vulnerable" (see the figure above). This warning does not go away even after a reboot – which is known and confirmed.

On April 25, 2023, Microsoft then announced in the entry that this problem, which affects Windows 11 version 22H2 and 21H2, was fixed by an update KB5007651 for Microsoft Defender antivirus platform (version 1.0.2303.27001). To do this, the user must have Windows 11 check for updates. Sounds good, the colleagues from Bleeping Computer write in the article Microsoft removes LSA Protection from Windows settings to fix bug that Microsoft has resorted to a special solution. The relevant display has simply been removed in the Windows settings page or in Windows Security. As a result, the warning is no longer displayed.

LSA protection is probably still present under the hood. Administrators should still be able to enable or disable this LSA protection via group policies. According to Bleeping Computer, it should be possible to check whether the function is enabled with the help of the Windows Event Viewer. If a Wininit event 12 is found in the Event Viewer stating that "LSASS.exe was started as a protected process with level:4", this means that the process is isolated and monitored by LSA protection.


Advertising

At this point, I asked my German readers (I can't test it currently) whether in the reliability history, which rehashes entries from the event viewer, the entry that "Security Health Service exe" is no longer works still appears. Several readers confirmed that they still have entries about a crashing service in event viewer.

Issues with HW enforce"Stack Protection"

With the update KB5007651 for Microsoft Defender antivirus platform, Microsoft has also introduced som new features like Kernel-mode Hardware-enforced Stack Protection. However, these enhancements are causing other issues.

Problem Memory integrity

I had already reported about another Defender update in the blog post Windows 11: Defender update KB5007651 brings FASR, fixes LAS bug, but still causes issues. This one should show a new Memory integrity option under the Core isolation category, which should be able to be turned on or off.

 "Kernel-mode Hardware-enforced Stack Protection"

The option Memory integrity shown in the above screenshotdid show up among users, but the switch to turn it on/off is not present everywhere. In the linked blog post, there are more screenshots from affected users that show that the switch is missing.

It then turned out that the function including the respective option only comes into effect when an Intel CPU of the 11th generation (or newer) – or a corresponding counterpart from AMD – is installed (the CPU needs Intel CET or AMD shadow stack support).

FASR issues

Microsoft is experimenting with another new feature in Windows Defender called FASR (Firmware Attack Surface Reduction). I had given some hints about this feature in the blog post Windows 11: Defender update KB5007651 brings FASR, fixes LAS bug, but still causes issues. But the problem is that even the new FASR feature only runs on new CPU generations on Windows 11. A Greman reader had pointed out to me that his Windows 11 shows a strange state (see the following German screenshot).

On the one hand, Windows 11 reports that Microsoft's FASR protection has been enabled and protects the device. But the option in the settings page is permanently set to Off. I had pointed this out in the German blog post Windows 11: Neuer Fehler im Defender; "Hardware-gestützter Stapelschutz im Kernel-Modus" (FASR). A user pointed out via comment with the following text that the support must be enabled in the BIOS for this to be visible at all:

The core isolation must be enabled in the BIOS so that the new FASR feature is visible & enabled at all. The setting in the BIOS should be "Kernel DMA Protection"!

Whether it really is "Kernel DMA Protection" remains open, because another user writes the following, for example:

I enabled SVM mode in the BIOS, after which core isolation appeared in the security center, as well as two new sliders within core isolation: memory isolation and stack protection. I was able to activate both sliders despite the aforementioned "active despite off" problem, even though the one for stack protection was slightly bogged down visually when switching. After restarting the computer, all error messages in the security center disappeared and the missing green check mark was there again.

(or the user quoted above made a mistake in the name of the option when writing the comment).

The abbreviation SVM stands for Secure Virtual Machine (see). Security expert Stefan Kanthat points out in subsequent comments that the feature "Shadow Stacks" (belongs to "Control-Flow Enforcement Technology") must be enabled in the BIOS.

This seems to be the crucial point. In the meantime, there is feedback from several users with corresponding systems who were able to use this function in Windows 11 in Defender after activating the BIOS option (SVM mode). Windows 11 and Defender are becoming more and more like a surprise bag – if you look inside, there is always a surprise. None of the above calamities have been so documented by Microsoft in the support pages I know of.

Tip for users who want to check if the processor supports CET_SSS for "supervisor shadow stacks" or CET_SS for "user-mode shadow stacks". Stefan Kanthak has linked two small tools in this comment that list CPU properties. The command line program CPUPRINT.EXE (32-bit) or CPUPRINT.EXE (64-bit) described on his website CPUID Enumerator and Decoder gives detailed information about the features supported by the respective processor. It should be reported something like this:

| CET_SS    (Control-Flow Enforcement Technology Shadow Stacks,
IA32_INTERRUPT_SPP_TABLE_ADDR/IA32_PL0_SSP/IA32_PL1_SSP/IA32_PL2_SSP/IA32_PL3_SSP Model Specific Registers)
| CET_IBT   (Control-Flow Enforcement Technology Indirect Branch Tracking, ENDBR32/ENDBR64 Instructions)
| CET_SSS   (Control-Flow Enforcement Technology Supervisor Shadow Stacks)
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| CET_U     (Control-Flow Enforcement Technology User Mode Support)
| CET_S     (Control-Flow Enforcement Technology Supervisor Mode Support)

If a Defender warning appears when you visit the page that a threat has been detected and removed. Stefan Kanthak allows himself the fun of linking the Eicar test virus as a DATA item in the page header in the meta data. Then Defender jumps on it and tries to remove the supposed threat.

Similar articles:
Windows 11 22H2 Defender causes "Local Security Authority protection is off" warning
Windows 11 22H2: Microsoft confirms Defender bug "Local security protection is disabled"
Windows 11: Defender update KB5007651 brings FASR, fixes LAS bug, but still causes issues


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *