Now, I know that AV isn't a magic bullet. It's not going to make every computer in the world safe from the nefarious forces that seemingly lurk around every metaphorical, digital corner. However, it should be part of your 'defence in depth' strategy. Having AV capture all those known-about beasties is better than not detecting them at all…
Here's what happened recently when I tried to download the PowerSploit module on my test Windows 10 client's PS v5 console:
"Operation did not complete successfully because the file contains a virus or potentially unwanted software"
By default I can't make use of the module. Let's have a look at what Defender thinks of this:
Invoke-Mimikatz.ps1* and Invoke-CredentialInjection.ps1 have been picked up as Hacktool:PowerShell.Mimsh and Hacktool:Win32/Mikatz!dha, respectively. In Windows 8.1 the files, once downloaded, are still picked up by Defender; however, you don't get the helpful installation output from Install-Module.
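If you want to confirm what Defender actually did with a download like this rather than reading it off the Install-Module output, the Defender cmdlets will tell you. The following is an added example written for this post (not code from the page or from the PowerSploit project); it assumes a Windows 8.1/10 host with the built-in Defender module available and uses only the stock Get-Mp* cmdlets. The threat-name filter is an assumption based on the detection names quoted above.

```powershell
# Added example: check Defender's state and its detection history for the
# PowerSploit files discussed above. Run in an elevated PowerShell session.

# 1. Is AV actually switched on? If real-time protection is off, the
#    download would have succeeded silently and none of the below applies.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled        = $status.AntivirusEnabled
    RealTimeProtection      = $status.RealTimeProtectionEnabled
    SignatureVersion        = $status.AntivirusSignatureVersion
    SignatureLastUpdated    = $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. Which threats has Defender recorded? Filter on the two names seen in
#    the post (the pattern is an assumption; adjust to your own detections).
$hacktools = Get-MpThreat |
    Where-Object { $_.ThreatName -match 'Mimsh|Mikatz' } |
    Select-Object ThreatID, ThreatName, SeverityID, IsActive

$hacktools | Format-Table -AutoSize

# 3. For each of those threats, show when and where the detection happened
#    and which process triggered it. This is the data you would forward to
#    your SIEM to prove the control fired.
foreach ($t in $hacktools) {
    Get-MpThreatDetection -ThreatID $t.ThreatID |
        Select-Object @{n='Threat';e={$t.ThreatName}},
                      InitialDetectionTime,
                      ProcessName,
                      DomainUser,
                      @{n='Files';e={$_.Resources -join '; '}},
                      ActionSuccess |
        Format-List
}
```

Step 1 is the one most people skip: a detection report is only meaningful if you have first established that real-time protection was on at the time of the download.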
So… whilst AV isn't a panacea, it's still an incredibly useful tool in your 'defence in depth' armoury.
Before I go, a note on 'Assume Breach'. We've been advocating this approach to infrastructure security for some time now. The notion is that you should assume compromise and put process, configuration and systems in place to detect and contain it. For too long IT organisations have had a 'secure the perimeter' approach to infrastructure security.
When I was younger I used to like to build dens with a friend in the local wood. We'd spend ages camouflaging, securing and obfuscating the perimeter of these encampments. We'd set traps and dig pitfalls. My friend and I were convinced that these sanctuaries were secure. Only the rabbits could possibly know about our hideaways. We even stored valued possessions, such as pen knives, in our dens.
Then one day we made a fatal error; we invited our little brothers into our little world.
Chaos ensued: our seating area was destroyed; our treasures were exfiltrated; our perimeters ruined; our secrets shared.
Now, if we'd taken the time to hide our treasures within the actual den, high up, out of reach of shorter legs, they may not have been lost. If we'd created a separate 'little brothers zone' the damage may not have been done. Who knows, eh?
My elaborate point is this: you can't just rely on your perimeter defences… assume breach!
*Interestingly, Invoke-Mimikatz.ps1 uses .Net reflection to execute Mimikatz (credential dumping / reuse) in memory, i.e. nothing is written to disk. Prior to v5, the super-verbose 'Module Logging' setting was one of the only ways to give you a detailed view of what was executed in memory via PowerShell on a system. PS v5 has new functionality to capture script blocks executed by PowerShell – more on this in another post.
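Because in-memory execution leaves nothing on disk for AV to scan, the detective control has to be PowerShell's own logging. The block below is an added example (not code from this post or from PowerSploit) showing how to turn on Module Logging and the v5 Script Block Logging the footnote refers to, and then how to pull the resulting 4103/4104 events back out of the operational log. The registry paths and event IDs are the documented Windows ones; the search terms at the end are assumptions based on the names mentioned in this post.

```powershell
# Added example: enable PowerShell Module Logging (pre-v5 option) and
# Script Block Logging (v5+), then read back what was executed in memory.
# Requires an elevated session; these keys mirror the Group Policy settings.

$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# --- Module Logging: records pipeline execution details (event ID 4103) ---
$modKey = Join-Path $policyBase 'ModuleLogging'
New-Item -Path $modKey -Force | Out-Null
New-ItemProperty -Path $modKey -Name 'EnableModuleLogging' -Value 1 `
    -PropertyType DWord -Force | Out-Null
# Log every module; '*' as both name and value is how the policy expresses it.
$modNames = Join-Path $modKey 'ModuleNames'
New-Item -Path $modNames -Force | Out-Null
New-ItemProperty -Path $modNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# --- Script Block Logging: records the script text itself (event ID 4104) ---
$sblKey = Join-Path $policyBase 'ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
New-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# --- Read back script blocks logged in the last 24 hours ---
function Get-LoggedScriptBlocks {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML rather than relying on property ordering.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            ScriptBlockId = $data['ScriptBlockId']
            Part          = "$($data['MessageNumber'])/$($data['MessageTotal'])"
            Path          = $data['Path']       # empty when run from memory
            Text          = $data['ScriptBlockText']
        }
    }
}

# Flag blocks that reference the tooling discussed in this post, or that use
# .NET reflection with no on-disk path (the pattern the footnote describes).
# The keyword list is an assumption; tune it to your environment.
$suspicious = '(?i)Invoke-Mimikatz|System\.Reflection'
Get-LoggedScriptBlocks |
    Where-Object { $_.Text -match $suspicious -and [string]::IsNullOrEmpty($_.Path) } |
    Select-Object Time, ScriptBlockId, Part, Text |
    Format-List
```

Long scripts are split across several 4104 events that share a ScriptBlockId, which is why the example keeps the Part column: reassemble by ID before you try to read the whole thing. Note that the registry values above are what the Group Policy templates write; if your hosts receive the policy centrally, set it there rather than on each machine.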