# Deceiving Defender: Name Bypass

### Part Zero: Introduction

Once again we're taking a look at bypassing Windows Defender. Last time we noticed that it was possible to execute the classic self-injection methodology, and thereby bypass Windows Defender on Windows 10, simply by checking a couple of features of our environment.

However, there are a couple of issues with this methodology. The standard checks we used in the last post increase the size of the binary and may lead to false positives on older systems (systems with fewer than 4 processors or smaller than expected amounts of RAM).

Thankfully, most emulation environments, including Windows Defender's, execute suspect PE files under a different name inside the emulation environment. So if we check our executable's name before executing our payload, we find that we can bypass Windows Defender without any other checks.

### Part One: Demonstration

If we use the same code to develop implant.exe and put it on an updated Windows 11 system, we observe the following.

<figure><img src="/files/0Xowpbd9rebjIeJQWCiL" alt=""><figcaption></figcaption></figure>

### Part Two: Name Bypass

Let's remove some of the checks and see what happens. Instead of checking for an entire emulation environment, let's only check whether our executable's name is "implant.exe".

<figure><img src="/files/k0tZSJSHUMGzoQx7aqI8" alt=""><figcaption></figcaption></figure>

### Part Three: ????

`[Intentionally Left Blank]`

### Part Four: Profit

We survive on Windows 10!

<figure><img src="/files/2EM3cetSXLvIvebDXIIs" alt=""><figcaption></figcaption></figure>

And we survive on Windows 11!

<figure><img src="/files/dqho7cpgm6qtDTWSrDlX" alt=""><figcaption></figcaption></figure>

### Part Five: Conclusion

Using the name bypass technique makes bypassing Windows Defender trivial for any threat actor targeting typical Windows end users. Given that estimates suggest Windows Defender currently holds 50% of the AV market share, it's important that users are aware of the risks associated with running binaries of unknown origin.
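From the defender's side, the weakness the post relies on is that the sample is executed under a name it did not arrive with, so one practical check for a sandbox or triage pipeline is differential execution: run the sample under its original filename and again under a random one, and flag any difference in behaviour. The harness below is an added example, not code from the post or from the author's repository; the two demo samples (`implant.py`, which gates on its own basename the way the post describes, and a benign control) are constructed for the demo, and a real harness would launch the PE directly rather than through `sys.executable`.

```python
import os
import shutil
import subprocess
import sys
import tempfile
import uuid

def run_under_name(sample_path: str, name: str, workdir: str, timeout: int = 30):
    """Copy the sample into workdir under `name`, run it there, return (rc, stdout)."""
    dst = os.path.join(workdir, name)
    shutil.copyfile(sample_path, dst)
    # Demo samples are scripts, so they go through the interpreter; a PE would be run as-is.
    proc = subprocess.run([sys.executable, dst], cwd=workdir,
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout.strip()

def is_name_sensitive(sample_path: str) -> bool:
    """True when the sample behaves differently under its original name vs a random one."""
    original_name = os.path.basename(sample_path)
    ext = os.path.splitext(original_name)[1]
    with tempfile.TemporaryDirectory() as workdir:
        as_original = run_under_name(sample_path, original_name, workdir)
        as_renamed = run_under_name(sample_path, uuid.uuid4().hex + ext, workdir)
    return as_original != as_renamed

# Constructed demo samples (assumptions for this example, not real malware):
# the first only "does its work" when its basename matches, the second never checks.
NAME_AWARE = ("import os, sys\n"
              "print('payload' if os.path.basename(sys.argv[0]) == 'implant.py' else 'idle')\n")
BENIGN = "print('hello')\n"

def write_demo_samples(dirpath: str):
    """Write both demo samples into dirpath and return their paths."""
    aware = os.path.join(dirpath, "implant.py")
    benign = os.path.join(dirpath, "benign.py")
    with open(aware, "w") as f:
        f.write(NAME_AWARE)
    with open(benign, "w") as f:
        f.write(BENIGN)
    return aware, benign

def demo() -> dict:
    """Run the differential check over both samples; returns {filename: name_sensitive}."""
    with tempfile.TemporaryDirectory() as d:
        aware, benign = write_demo_samples(d)
        return {"implant.py": is_name_sensitive(aware),
                "benign.py": is_name_sensitive(benign)}

if __name__ == "__main__":
    print(demo())  # {'implant.py': True, 'benign.py': False}
```

A sample flagged as name-sensitive is not necessarily malicious, but the divergence is exactly the signal an emulator that renames its input would miss, so it is worth routing such samples to analysis under their original name.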

<figure><img src="/files/OfTvh68QOwa12bUmUMOF" alt=""><figcaption></figcaption></figure>

### References

{% embed url="https://github.com/0xTriboulet/Red_Team_Code_Snippets/tree/main/Cpp/deceiving_defender/name_bypass" %}

{% embed url="https://www.sektor7.net/" %}

[Black Hat USA 2018 - Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator](https://www.youtube.com/watch?v=LvW68czaEGs)
