After you sign up on the Social Security Administration’s website, they’ll send you a yearly email inviting you to check out your benefits. Flipping through my Junk Mail folder this afternoon, I found the following email: It looks reasonably plausible, except for the return address (cuonlineedu.in, a university in India). I’m always game to look… Continue reading “Attack Techniques: RMM Abuse”
Author Archives: ericlaw
Understanding Defender AV Scans
Microsoft Defender Antivirus Defender is intended to operate silently in the background, without requiring any active attention from the user. Because Defender is included for free as a component of Windows, it doesn’t need to nag or otherwise bother the user for attention in an attempt to “prove its value”, unlike some antivirus products that… Continue reading “Understanding Defender AV Scans”
Windows: Choose Where To Get Apps
Modern versions of Windows offer a setting named “Choose where to get apps” which can reduce attack surface by limiting the locations from which applications can be installed. Internally, we’ve called this feature “Smart Install”. By default, this option is set to “Anywhere”, which means that Windows will allow an executable downloaded from the Internet… Continue reading “Windows: Choose Where To Get Apps”
Winter 2026 Runs
I did a reasonably good job running on my treadmill throughout the fall of 2025, in preparation for my second summit of Mount Kilimanjaro over New Years (blog post to come). Run for the Water 10 Miler On November 9th, 2025, I ran the ten mile Run for the Water. The night before, I ate… Continue reading “Winter 2026 Runs”
Security Software False Positives
Software developers and end-users are often interested in understanding how to resolve incorrect detections from their antivirus/security software, including Microsoft Defender. Such False Positives (FPs) can disrupt your use of your device by incorrectly blocking innocuous files or processes. However, you should take extreme care before concluding that a given detection is a false positive… Continue reading “Security Software False Positives”