Last month, anti-malware assessment firm AV-Comparatives released results of a test that evaluated the LSASS credential dumping protection capabilities of enterprise-class antivirus products. LSASS, the Local Security Authority Subsystem Service, authenticates users who sign in to a Windows computer. Threat actors often dump the memory of the LSASS process to steal domain users' credentials, which can then be used to move laterally within the targeted network.
In AV-Comparatives' testing, Microsoft's Defender for Endpoint did very well, scoring full marks across all 15 test cases. In a blog post, the Redmond giant praised itself for the achievement, clearly elated by the result. It says:
In May 2022, Microsoft participated in an evaluation conducted by independent testing organization AV-Comparatives specifically on detecting and blocking the LSASS credential dumping technique. The test, which evaluated several endpoint protection platforms (EPP) and endpoint detection and response (EDR) vendors, is the first time AV-Comparatives focused on a single attack technique, and we’re happy to report that Defender for Endpoint passed all 15 test cases used to dump user OS credentials from the LSASS process, achieving 100% detection and prevention scores.
Notably, we also passed all test cases with only Defender for Endpoint’s default settings configured, that is, with LSASS ASR and Protective Process Light (PPL) turned off to validate our antivirus protection durability in itself. Such results demonstrate our continued commitment to provide organizations with industry-leading defense.
However, it was not all smooth sailing for Defender. AV-Comparatives found that Defender initially missed four of the 15 test cases (cases 01, 03, 09, and 10).
Microsoft made improvements after this, and in the August retest it achieved the 100% detection rate shown in the final results. Microsoft acknowledged this and thanked AV-Comparatives for helping it improve its solution. It is also itching for the next set of tests:
We’d like to thank AV-Comparatives for this thorough test, which led us to improve our protection and detection capabilities in Defender for Endpoint. These improvements have already been rolled out to benefit our customers, and we’re looking forward to the next similar test.
You can read Microsoft's blog post here.
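The two settings Microsoft's quote above says were left off during the test, the LSASS ASR rule and LSASS running as a Protected Process Light, are the ones an administrator would normally want turned on. The following script, an added example rather than code from the article or from Microsoft, audits a host for both. It assumes Microsoft Defender Antivirus is installed (so Get-MpPreference is available), an elevated session, and the documented rule ID for "Block credential stealing from the Windows local security authority subsystem".

```powershell
# Added example (not from the article or from Microsoft): audit LSASS protections.
# Assumptions: Defender AV present (Get-MpPreference), elevated session for the HKLM read.

# Documented ASR rule ID for "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)".
$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-LsassProtectionStatus {
    # PPL: RunAsPPL under the Lsa key. 1 = enabled, 2 = enabled with UEFI lock.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL

    # ASR rule state: Ids and Actions are parallel arrays in Defender preferences.
    # Wrap in @() so a single configured rule is not indexed as a string.
    $prefs     = Get-MpPreference
    $ids       = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions   = @($prefs.AttackSurfaceReductionRules_Actions)
    $asrAction = $null
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassAsrRuleId) { $asrAction = [int]$actions[$i] }
    }

    # Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $asrState = 'NotConfigured'
    if ($null -ne $asrAction) {
        $asrState = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }[$asrAction]
        if (-not $asrState) { $asrState = "Unknown($asrAction)" }
    }

    [pscustomobject]@{
        RunAsPPL      = $runAsPpl
        LsassPplOn    = ($runAsPpl -eq 1 -or $runAsPpl -eq 2)
        LsassAsrState = $asrState
        LsassAsrBlock = ($asrAction -eq 1)
    }
}

$status = Get-LsassProtectionStatus
$status | Format-List
if (-not $status.LsassPplOn)    { Write-Warning 'LSASS is not running as a protected process (RunAsPPL not set).' }
if (-not $status.LsassAsrBlock) { Write-Warning 'The LSASS credential-theft ASR rule is not in Block mode.' }
```

Audit mode is a sensible first step before switching the ASR rule to Block, since the rule can generate noise from legitimate tools that open LSASS.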