Kinda science: Monitoring the Windows Defender Threat Catalog

Ever since that Vista thing hit the market, the Windows Update workers have been much busier than before. We have entered the era of constant updates: no matter when the last check was, it is almost certain that a new “Definition Update for Windows Defender” has been released since. Defender was universally hated: it was considered a tool that protects against nothing while eating system resources. Six long years had to pass for Defender to grow up and add an anti-virus mode to the already existing anti-spyware engine. In Windows 8 the underlying “Malware Protection Engine” finally started making sense: before that it was used only for spyware, an antivirus had to be installed separately, and since every decent AV protects against spyware anyway, that meant either duplicating the feature or wasting the integrated scanner.

Windows Defender’s evolution did not mean that the former duality was gone: previous systems still had to be supported, and refactoring code is hard. That is why the Definition Update from WU is a two-parter: it carries both new virus and new malware definitions, along with a new version of the detection engine, of course (the mighty and heavy mpengine.dll).

I’m not fluent in reading binary files and cracking non-plain data formats. In fact I have no idea how to do that. So the AMDelta component files remain a mystery to me, as consecutive versions bear seemingly no resemblance to each other. Fortunately – and this is great news – every piece of malware detectable by Windows Defender is exposed as a WMI object, an instance of the MSFT_MpThreat class. This class is not only documented (although incorrectly) but also available via the PowerShell “Get-MpThreatCatalog” cmdlet.

A quick glance at the command results shows that the documentation is not exactly right about some things. Let’s take a look at the

(Get-MpThreatCatalog | where CategoryID -Match '46' | select -First 1)

command. The result is:

CategoryID : 46
SeverityID : 5
ThreatID : 2147639756
ThreatName : Behavior:Win32/ModifiedAutoRunInf
TypeID : 0

indicating a “behavior” type of threat (by name). But category ID 46 is documented not as “behavior” but as “vulnerability”. However, all the behavior-typed threats have category ID 46, so the documentation is either broken or out of date.

But the point is that the malware definition set is explorable, and the actual threat category names can be read from the definition name itself. That is what I did in the PowerShell script I used for a couple of months to monitor the size of the Windows Defender Malware Protection Threat Catalog. The result is this cute little graph.
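The two ideas above (reading the category from the definition name, and recording the catalog size over time) can be put together in a small script. The one below is an added example, not the author’s original monitoring script. It assumes the Get-MpThreatCatalog cmdlet from the Defender module is present; when it is not, it falls back to a handful of constructed sample entries (only the Behavior:Win32/ModifiedAutoRunInf row is taken from the post, the other names and IDs are made up) so the parsing and consistency check can still be exercised offline. The name format it parses, Type:Platform/Family.Variant!Suffix, is Microsoft’s published malware naming convention.

```powershell
# Added example; not the post's own script. Requires only built-in cmdlets.

function ConvertFrom-ThreatName {
    # Split a Defender threat name into its naming-convention parts.
    # Names that do not follow Type:Platform/Family[.Variant][!Suffix] are
    # reported with Type = 'Unparsed' instead of being dropped.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ThreatName)
    process {
        $pattern = '^(?<Type>[^:/]+):(?<Platform>[^/]+)/(?<Family>[^.!]+)(?:\.(?<Variant>[^!]+))?(?:!(?<Suffix>.+))?$'
        if ($ThreatName -match $pattern) {
            [pscustomobject]@{
                ThreatName = $ThreatName
                Type       = $Matches.Type
                Platform   = $Matches.Platform
                Family     = $Matches.Family
                Variant    = $Matches.Variant
                Suffix     = $Matches.Suffix
            }
        } else {
            [pscustomobject]@{
                ThreatName = $ThreatName; Type = 'Unparsed'
                Platform = $null; Family = $null; Variant = $null; Suffix = $null
            }
        }
    }
}

function Get-ThreatCatalogEntries {
    # Live catalog when the Defender cmdlet exists; constructed samples otherwise.
    if (Get-Command Get-MpThreatCatalog -ErrorAction SilentlyContinue) {
        return Get-MpThreatCatalog
    }
    # Constructed sample rows shaped like MSFT_MpThreat. Only the first one is
    # from the post; the other CategoryID/ThreatID values are placeholders.
    @(
        [pscustomobject]@{ CategoryID = 46; SeverityID = 5; ThreatID = 2147639756; ThreatName = 'Behavior:Win32/ModifiedAutoRunInf'; TypeID = 0 }
        [pscustomobject]@{ CategoryID = 99; SeverityID = 5; ThreatID = 1000000001; ThreatName = 'Trojan:Win32/SampleFamily.A!ml';    TypeID = 0 }
        [pscustomobject]@{ CategoryID = 98; SeverityID = 4; ThreatID = 1000000002; ThreatName = 'Ransom:Win32/SampleFamily.B';       TypeID = 0 }
        [pscustomobject]@{ CategoryID = 46; SeverityID = 5; ThreatID = 1000000003; ThreatName = 'Behavior:Win32/SampleBehavior';     TypeID = 0 }
    )
}

function Test-CategoryConsistency {
    # For each name-derived Type, list the distinct numeric CategoryIDs it maps
    # to. A Type that spans several IDs, or an ID shared by several Types, is
    # where the documented category table and the names disagree.
    param([Parameter(Mandatory)][object[]]$Catalog)
    $Catalog | ForEach-Object {
        $parsed = ConvertFrom-ThreatName $_.ThreatName
        [pscustomobject]@{ Type = $parsed.Type; CategoryID = $_.CategoryID }
    } | Group-Object Type | ForEach-Object {
        [pscustomobject]@{
            Type        = $_.Name
            Count       = $_.Count
            CategoryIDs = ($_.Group.CategoryID | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Count -Descending
}

function Write-ThreatCatalogSnapshot {
    # Append one row (timestamp, total, per-Type counts) to a CSV. Running this
    # on a schedule and diffing consecutive rows gives the growth/consolidation
    # curve described in the post. The path is an assumed default.
    param(
        [Parameter(Mandatory)][object[]]$Catalog,
        [string]$LogPath = (Join-Path $env:TEMP 'MpThreatCatalog-size.csv')
    )
    $byType = $Catalog | ForEach-Object { (ConvertFrom-ThreatName $_.ThreatName).Type } |
        Group-Object | Sort-Object Name
    $row = [ordered]@{
        Timestamp = (Get-Date).ToString('s')
        Total     = $Catalog.Count
    }
    foreach ($g in $byType) { $row[$g.Name] = $g.Count }
    [pscustomobject]$row | Export-Csv -Path $LogPath -Append -NoTypeInformation
    [pscustomobject]$row
}

# Usage: check name-vs-ID consistency, then record today's size.
$catalog = @(Get-ThreatCatalogEntries)
Test-CategoryConsistency -Catalog $catalog | Format-Table -AutoSize
Write-ThreatCatalogSnapshot -Catalog $catalog | Format-List
```

On a real machine Test-CategoryConsistency is the quick way to reproduce the observation about category 46: every row whose name starts with Behavior: should report CategoryIDs = 46, and any Type whose CategoryIDs column lists more than one value is a spot where the MSFT_MpThreat documentation cannot be trusted. Because Export-Csv -Append adds new columns only to rows written after they first appear, keep the log in one place and let it grow rather than rotating it, so the Total column stays comparable across runs.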


What can we learn from it?
  • Every week or two a consolidation is performed and some of the known threats get obsoleted or generalized for the new version of the malware detection engine.
  • The rate at which new threat definitions are added is steady and oscillates around 100 weekly, give or take.
  • The most intriguing observation, however, comes from a single data point, read on 2017-06-24, when the Threat Catalog grew by 339 new definitions. No such spike has been observed since, and no more than two days later came the WannaCry/Petya outbreak, leading to the ransomware rampage and infrastructure paralysis on Tue, 06-27.

I know that the vulnerabilities used by WannaCry were known earlier – but the actual malware samples? It’s truly interesting. Or maybe it’s just a giant coincidence?