Misc

BSI Publishes Windows 10 SiSyPHuS Reports: Application Compatibility Infrastructure, Microsoft Defender Antivirus ETW Usage and Device Setup Manager Service

The German Federal Office for Information Security (BSI – Bundesamt für Sicherheit in der Informationstechnik) has published several papers ERNW created as part of the long-term SiSyPHuS Win10-Project. This project focuses on system analysis of selected parts of the Windows 10 operating system performed by ERNW.

Analysis of the Application Compatibility Infrastructure (ACI): In this work we present an overview of the ACI technology along with a technical analysis of the compatibility protocol which is used first to determine if a compatibility solution needs to be applied, and second, to apply said compatibility solution. Furthermore, threats and mitigation in the context of the technology are presented a long with a monitoring approach. Finally, configuration and logging capabilities are discussed.

Analysis of ETW usage by Microsoft Defender Antivirus: The objective of this work was to analyze which ETW messages are processed by Microsoft Defender Antivirus. Furthermore, we showed how these Messages can be used to detect malware related security incidents. This work is based on previous work packages of the SiSyPHuS project. Furthermore, we used the same techniques and tooling for a different analysis. We will publish a white paper discussing the results soon.

Analysis of the Device Setup Manager service (DsmSvc): In this work package we give an overview of the Plug and Play Infrastructure. The main part of the work package is an analysis of the Device Setup Manager service. The focus is on starting and initialization of the service as well as the procedure that DsmSvc uses internally to support a device instance. In practice this means e.g., searching, downloading, and staging of a missing device driver. Finally, configuration and logging capabilities are discussed. We plan to release a white paper that discusses how to use time travel debugging when analyzing trigger started service in the future.

Leave a Reply

Your email address will not be published. Required fields are marked *