
SiSyPHuS Win10: Microsoft Defender Antivirus

This work package (WP) presents the results of an analysis of the ETW messages processed by Microsoft Defender Antivirus. The objective is to determine which ETW messages Microsoft Defender Antivirus processes. Furthermore, it is shown how these messages can be used to detect malware-related security incidents. This work builds on the methodology presented in work package AFUNKT.

The WP includes an introduction to ETW, an architectural overview of Microsoft Defender Antivirus, and an explanation of how its ETW sessions are protected. It also shows how the ETW messages of Microsoft Defender Antivirus can be used to detect threats.

Table of contents

1 Introduction
1.2 Executive Summary
2 Concepts and Terms
2.1 Event Tracing for Windows
2.2 Architecture Overview
2.3 ETW Access Controls
3 Exemplary Data Analysis
3.1 Static Signature Matching
3.2 Dynamic Detection of Process Injection