
 1 year ago
source link: https://www.neowin.net/news/microsoft-defender-scores-full-marks-in-windows-11-lsass-credential-dump-protection-test/

Microsoft Defender scores full marks in Windows 11 LSASS credential dump protection test

We have been covering AV-Comparatives reports on the performance of Microsoft Defender over the past several months. Microsoft's in-house solution has generally done well, with some setbacks here and there. Those earlier tests covered products aimed at home users.

Recently, however, the security assessment firm ran an LSASS credential dumping protection test against enterprise-class anti-malware solutions. Among the tested products was Microsoft Defender for Endpoint, and it scored full marks in the evaluation.

The Local Security Authority Subsystem Service (LSASS, lsass.exe) authenticates users who sign in to a Windows computer, and to do so it keeps credential material for logged-on users in its memory, including NTLM password hashes and Kerberos tickets. Threat actors who have gained local administrator rights on a host routinely dump the LSASS process memory and extract those credentials, which can then be replayed to move laterally within the targeted network.

In this LSASS credential dump test, 15 different attack methods were used, and Defender for Endpoint blocked all of them. The other tested products did equally well. The table below shows results for the following products, each tested with its LSASS protection settings enabled: Avast Ultimate Business Security, Bitdefender GravityZone Business Security Enterprise, Kaspersky Endpoint Detection and Response Expert and Microsoft Defender for Endpoint.

LSASS credential dumping test scores for Microsoft Defender and others

In the case of Microsoft Defender for Endpoint, the blocks come from two layers of hardening: LSA protection, which runs LSASS as a Protected Process Light (PPL) so that the kernel refuses memory-read handles to lsass.exe from ordinary processes even when they run as administrator, and the Attack Surface Reduction (ASR) rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", which Defender enforces on top of that. LSA protection is enabled by default on new Windows 11 installs, and Microsoft recently switched this ASR rule to block mode by default as well. The two are complementary rather than redundant: PPL is a kernel-enforced boundary and so does not stop code that is already executing in the kernel, while the ASR rule only applies where Defender is the active antivirus and the rule has not been left in audit mode.
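The following PowerShell is added here as an editor's example; it is not code from the article or from AV-Comparatives. It checks both of those settings on an endpoint and turns the ASR rule on if it is not already in block mode. The RunAsPPL registry value, the Wininit boot event ID and the ASR rule GUID are taken from Microsoft's LSA protection and ASR rules documentation as the editor recalls them and are assumptions of this script; verify them against the current documentation before using it in production. It must be run in an elevated session.

```powershell
# Added example (editor's code, not from the article or AV-Comparatives).
# Checks the two protections the article credits for the LSASS dump blocks
# and enables the ASR rule if it is not in Block mode. Run elevated.

# --- 1. LSA protection: is LSASS configured to run as a Protected Process Light? ---
# RunAsPPL values as documented by Microsoft (assumed here):
#   1 = enabled and UEFI-locked, 2 = enabled but not UEFI-locked.
# An absent value only means no policy was set; Windows 11 may still enable PPL
# by default, so the boot event below is the authoritative check.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
switch ($runAsPpl) {
    1       { Write-Output 'RunAsPPL = 1: LSA protection configured (UEFI-locked)' }
    2       { Write-Output 'RunAsPPL = 2: LSA protection configured (not UEFI-locked)' }
    default { Write-Warning "RunAsPPL is not 1 or 2 (value: '$runAsPpl'); relying on the OS default" }
}

# Wininit writes System event ID 12 at boot when lsass.exe starts as a protected process
# (event ID and provider assumed from Microsoft's LSA protection docs).
$pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'LSASS' } |
    Select-Object -First 1
if ($pplEvent) {
    Write-Output "PPL confirmed at last boot: $($pplEvent.Message.Trim())"
} else {
    Write-Warning 'No Wininit event 12 mentioning LSASS found: LSASS may not be running as PPL'
}

# --- 2. ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" ---
# Rule GUID assumed from Microsoft's ASR rules reference.
# Action codes returned by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$lsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# The two arrays are parallel: the action at index i belongs to the rule id at index i.
$action = $null
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $lsassRuleId) { $action = $actions[$i]; break }
}

switch ($action) {
    1       { Write-Output 'ASR LSASS rule: Block (the configuration AV-Comparatives tested)' }
    2       { Write-Warning 'ASR LSASS rule is in Audit mode: dump attempts are logged, not stopped' }
    default { Write-Warning "ASR LSASS rule is not in Block mode (action: '$action')" }
}

if ($action -ne 1) {
    # Add-MpPreference adds or updates this one rule without touching the others already configured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRuleId -AttackSurfaceReductionRules_Actions Enabled
    Write-Output 'ASR LSASS rule set to Block'
}
```

The script deliberately checks the boot event rather than trusting the registry alone, because an unset RunAsPPL value on a Windows 11 machine can mean either "protected by default" or "not protected", and only the Wininit event records which one actually happened. Likewise, a rule missing from Get-MpPreference may still be enforced by Defender for Endpoint's new default, but setting it explicitly to Block removes that ambiguity and survives a change of default.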

Source: AV-Comparatives

