{"id":28148,"date":"2019-07-31T16:30:35","date_gmt":"2019-07-31T16:30:35","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=89694"},"modified":"2019-07-31T16:30:35","modified_gmt":"2019-07-31T16:30:35","slug":"how-windows-defender-antivirus-integrates-hardware-based-system-integrity-for-informed-extensive-endpoint-protection","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-windows-defender-antivirus-integrates-hardware-based-system-integrity-for-informed-extensive-endpoint-protection\/","title":{"rendered":"How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection"},"content":{"rendered":"<p>Detecting and stopping attacks that tamper with kernel-mode agents at the hypervisor level is a critical component of the unified endpoint protection platform in Microsoft Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/windows\/microsoft-defender-atp\">Microsoft Defender ATP<\/a>). It\u2019s not without challenges, but the deep integration of <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-antivirus\/windows-defender-antivirus-in-windows-10\">Windows Defender Antivirus<\/a> with <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-antivirus\/windows-defender-antivirus-in-windows-10\">hardware-based isolation<\/a> capabilities allows the detection of artifacts of such attacks.<\/p>\n<p>Recently, the Microsoft Defender ATP research team found a malicious system driver enabling a token swap attack that could lead to privilege escalation. 
In this blog, we\u2019ll share our analysis of this attack and discuss how Windows Defender Antivirus uses its unique visibility into system behaviors to detect dangerous kernel threats.<\/p>\n<h2>Hardware-based root of trust<\/h2>\n<p><a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-system-guard\/system-guard-how-hardware-based-root-of-trust-helps-protect-windows\">Windows Defender System Guard<\/a>, a hardware-based system integrity capability in Microsoft Defender ATP, has a runtime measurement component called <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2018\/04\/19\/introducing-windows-defender-system-guard-runtime-attestation\/\">runtime attestation<\/a>. This component includes a sub-engine called the assertion engine (see Figure 1), which continuously measures and asserts the integrity of the Windows kernel and provides supplementary signals about abnormal system behavior.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-89695 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig1-Windows-Defender-System-Guard-runtime-attestation.png\" alt width=\"800\" height=\"460\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig1-Windows-Defender-System-Guard-runtime-attestation.png 800w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig1-Windows-Defender-System-Guard-runtime-attestation-300x173.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig1-Windows-Defender-System-Guard-runtime-attestation-768x442.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/p>\n<p><em>Figure 1. 
High-level Windows Defender System Guard runtime attestation architecture<\/em><\/p>\n<p>Architecturally, the solution is collectively referred to as the Windows Defender System Guard runtime monitor and consists of the following client-side components:<\/p>\n<ul>\n<li>The VTL-1 runtime assertion engine itself<\/li>\n<li>A VTL-0 kernel-mode agent<\/li>\n<li>A VTL-0 process we call the \u2018broker\u2019 to host the assertion engine<\/li>\n<\/ul>\n<p>The goal is to detect artifacts of data corruption attacks and other threats that tamper with kernel-mode agents. Because the assertion engine runs in VTL-1, which the hypervisor isolates from the normal (VTL-0) kernel, its measurement code and data are out of reach of a VTL-0 kernel-mode attacker. <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-antivirus\/windows-defender-antivirus-in-windows-10\">Windows Defender Antivirus<\/a>, the next-generation protection component of Microsoft Defender ATP, integrates with Windows Defender System Guard runtime attestation and consumes signals from the assertion engine.<\/p>\n<h2>Detecting token theft attacks<\/h2>\n<p>Every Windows process has a <a href=\"https:\/\/msdn.microsoft.com\/library\/windows\/desktop\/ms721603#-security-primary-token-gly\">primary token<\/a> that describes the <a href=\"https:\/\/msdn.microsoft.com\/library\/windows\/desktop\/ms721625#-security-security-context-gly\">security context<\/a> of the user account associated with the process. The token carries the identity (SIDs) and privileges of that account, and the kernel consults it, or the impersonation token of the calling thread when one is present, on every access check the process makes. 
Token theft attacks are common because a stolen or swapped access token lets an adversary operate as a different user account or under a different system security context, both to perform malicious actions and to evade detection.<\/p>\n<p>The Microsoft Defender ATP Research team recently uncovered and analyzed signals from the Windows Defender System Guard assertion engine indicating that a primary token had been manipulated, resulting in a token swap. This is a distinctly suspicious activity: the primary token of a process is fixed once the process starts running, so a later change to it violates an invariant rather than reflecting any legitimate operation.<\/p>\n<p>Further analysis of Windows Defender Antivirus telemetry identified the malicious system driver responsible for the token swap. The sample containing the driver was signed with a compromised certificate (thumbprint: 31e5380e1e0e1dd841f0c1741b38556b252e6231) that is commonly misused in the wild.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-89696\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig2-Revoked-certificate.png\" alt width=\"400\" height=\"483\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig2-Revoked-certificate.png 514w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig2-Revoked-certificate-248x300.png 248w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\"><\/p>\n<p><em>Figure 2. Revoked certificate used by the malicious system driver<\/em><\/p>\n<p>The driver exhibited the following rootkit behavior:<\/p>\n<ul>\n<li>Token swap: replacing the primary token of a running process with a token belonging to a different security context<\/li>\n<li>Tampering with the EPROCESS structure in kernel mode and with the PEB to disguise a process as svchost.exe<\/li>\n<\/ul>\n<p>In this scenario, Windows Defender System Guard raised an initial assertion failure signal for the token swap. 
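<\/p>\n<p>The token-swap assertion, reduced to its logic, as an added example that is not code from Microsoft or from the original post. The checker below compares two constructed snapshots of per-process state (a process instance keyed by pid and creation time, its primary token object and owner SID, and its kernel-side versus user-mode image names) and reports exactly the two behaviors listed above: a primary token that changed after the process started, and a process whose EPROCESS name disagrees with its backing image and that claims to be svchost.exe without services.exe as its parent. The snapshot fields, sample processes and SIDs are assumptions for illustration; a real measurement engine reads this state from VTL-1, which the toy does not attempt.<\/p>\n

```python
# Added illustration, not code from Microsoft or from the original post: a small
# invariant checker modelled on the assertion-engine idea. It compares constructed
# snapshots of per-process kernel state and flags the two behaviours described in
# the post: a swapped primary token, and a process whose kernel-side identity
# (EPROCESS) disagrees with its user-mode identity (PEB) and backing image file.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

SYSTEM_SID = 'S-1-5-18'
SERVICES_IMAGE = 'services.exe'   # legitimate svchost.exe instances are children of services.exe


@dataclass(frozen=True)
class ProcSnapshot:
    '''One measurement of a process (field names are assumptions for this example).'''
    pid: int
    create_time: int        # together with pid identifies one process instance (pids get reused)
    ppid: int
    image_name: str         # kernel view: EPROCESS.ImageFileName
    image_path: str         # backing file of the mapped image section
    peb_image_path: str     # user-mode view: PEB.ProcessParameters.ImagePathName
    token_id: int           # TOKEN.TokenId, unique per token object
    token_user: str         # owner SID of the primary token
    integrity: str          # integrity level label carried by the token


def instance(p: ProcSnapshot) -> Tuple[int, int]:
    return (p.pid, p.create_time)


def check_token_invariant(baseline: List[ProcSnapshot],
                          current: List[ProcSnapshot]) -> List[dict]:
    '''The primary token is fixed once the initial thread runs, so one process
    instance must report the same token object and owner in every later
    measurement. Baseline after start-up: CreateProcessAsUser legitimately
    assigns the token before the first thread resumes.'''
    base = {instance(p): p for p in baseline}
    findings = []
    for p in current:
        b = base.get(instance(p))
        if b is None:
            continue                       # first time seen (or reused pid): nothing to compare
        before = (b.token_id, b.token_user, b.integrity)
        after = (p.token_id, p.token_user, p.integrity)
        if before != after:
            findings.append({'check': 'token_swap', 'pid': p.pid,
                             'image': p.image_name, 'before': before, 'after': after})
    return findings


def check_image_identity(current: List[ProcSnapshot]) -> List[dict]:
    '''Kernel name, backing image file and PEB path must agree, and a process
    that calls itself svchost.exe must have been started by services.exe.'''
    by_pid: Dict[int, ProcSnapshot] = {p.pid: p for p in current}
    findings = []
    for p in current:
        file_name = PureWindowsPath(p.image_path).name      # accepts either path separator
        peb_name = PureWindowsPath(p.peb_image_path).name
        if not (p.image_name.lower() == file_name.lower() == peb_name.lower()):
            findings.append({'check': 'image_identity_mismatch', 'pid': p.pid,
                             'eprocess': p.image_name, 'file': file_name, 'peb': peb_name})
        parent = by_pid.get(p.ppid)
        if p.image_name.lower() == 'svchost.exe' and (
                parent is None or parent.image_name.lower() != SERVICES_IMAGE):
            findings.append({'check': 'svchost_unexpected_parent', 'pid': p.pid,
                             'parent': None if parent is None else parent.image_name})
    return findings


def run_assertions(baseline: List[ProcSnapshot], current: List[ProcSnapshot]) -> List[dict]:
    return check_token_invariant(baseline, current) + check_image_identity(current)


# Constructed sample measurements (not real telemetry). Sample paths use forward
# slashes; PureWindowsPath treats them the same as backslashes.
USER_SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
SERVICES = ProcSnapshot(700, 1000, 600, 'services.exe', 'C:/Windows/System32/services.exe',
                        'C:/Windows/System32/services.exe', 0x10, SYSTEM_SID, 'system')
SVCHOST = ProcSnapshot(900, 1010, 700, 'svchost.exe', 'C:/Windows/System32/svchost.exe',
                       'C:/Windows/System32/svchost.exe', 0x11, SYSTEM_SID, 'system')
VICTIM_T0 = ProcSnapshot(4242, 5000, 3000, 'updater.exe', 'C:/Users/alice/updater.exe',
                         'C:/Users/alice/updater.exe', 0x77, USER_SID, 'medium')
# Later measurement of the same instance (pid 4242, create_time 5000): it now carries
# the SYSTEM token object of pid 900 and has rewritten EPROCESS.ImageFileName and its
# PEB path to look like svchost.exe, while its image section still backs updater.exe.
VICTIM_T1 = ProcSnapshot(4242, 5000, 3000, 'svchost.exe', 'C:/Users/alice/updater.exe',
                         'C:/Windows/System32/svchost.exe', 0x11, SYSTEM_SID, 'system')
# Same pid later reused by an unrelated process: different create_time, so not compared.
REUSED_PID = ProcSnapshot(4242, 7777, 3000, 'notepad.exe', 'C:/Windows/System32/notepad.exe',
                          'C:/Windows/System32/notepad.exe', 0x99, USER_SID, 'medium')

BASELINE = [SERVICES, SVCHOST, VICTIM_T0]
CURRENT = [SERVICES, SVCHOST, VICTIM_T1]

if __name__ == '__main__':
    for finding in run_assertions(BASELINE, CURRENT):
        print(finding)
```

\n<p>Run stand-alone, it prints one finding per violated invariant for pid 4242 and nothing for an unchanged baseline or for a reused pid with a different creation time. Take the baseline only after a process has started running: a legitimate CreateProcessAsUser assigns the primary token before the initial thread resumes, so a token set at that point is not a swap.<\/p>\n<p>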
Windows Defender Antivirus consumed the signal and applied its own intelligence to determine that the suspicious activity was being orchestrated by a system driver.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-89697 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig3-decompiled-malicious-driver-cdoe.png\" alt width=\"700\" height=\"567\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig3-decompiled-malicious-driver-cdoe.png 700w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig3-decompiled-malicious-driver-cdoe-300x243.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\"><\/p>\n<p><em>Figure 3. Decompiled malicious driver code for token theft<\/em><\/p>\n<p>Using a Microsoft cloud service that keeps track of stolen or revoked PKI certificates worldwide, Windows Defender Antivirus confirmed that the driver was signed with a revoked or stolen certificate. The driver was communicating with the infected binary to perform the token swap. The cloud lookup matters because kernel-mode code integrity does not perform online revocation checks when it loads a driver: revoking the certificate alone does not stop an already-signed driver from loading, whereas a reputation service can flag every binary that carries the revoked signer.<\/p>\n<p>Windows Defender Antivirus works with Microsoft cloud services such as the one that flags binaries signed with stolen or revoked certificates. Signals like these enrich the protection delivered by the multiple next-generation protection engines in Windows Defender Antivirus and provide near-instant, automated defense against new and emerging threats. With cloud-delivered protection, these technologies identify and block attacks rapidly, typically before a single machine is infected.<\/p>\n<h2>Device integrity for broader security<\/h2>\n<p>The goal of Windows Defender System Guard runtime attestation is to provide its consumers with a trustworthy assessment of the security posture and integrity of devices. 
Apps and services can take advantage of this attestation technology to gain assurance that the system is free from tampering and that critical processes are running as expected. Runtime attestation can help in many scenarios, including:<\/p>\n<ul>\n<li>Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the <a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">Microsoft Defender ATP<\/a> stack)<\/li>\n<li>Detecting artifacts of kernel tampering, rootkits, and exploits<\/li>\n<li>Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)<\/li>\n<li>Securing sensitive transactions (banking apps, trading platforms)<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/10\/23\/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard\/\">Conditional access<\/a> (enabling and enhancing device security-based access policies)<\/li>\n<\/ul>\n<p>The assertion engine is designed to detect the attacks that remain feasible under the most restrictive attack conditions, such as on a system that has already been hardened with hypervisor-protected code integrity (HVCI) and enforced kernel-mode code integrity (KMCI). Those protections prevent unsigned code from running in the kernel, but a data-only attack such as the token swap described above, carried out here by a driver with a seemingly valid signature, needs no new kernel code, which is why the kernel\u2019s data invariants still have to be measured at runtime.<\/p>\n<p>This case study has shown how <a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">Microsoft Defender ATP<\/a>, and hence the broader <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a>, reaps significant security benefits from Windows Defender System Guard runtime attestation. 
We invite the industry to do the same.<\/p>\n<p>To learn more, read our blog about <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2018\/04\/19\/introducing-windows-defender-system-guard-runtime-attestation\/\">Windows Defender System Guard runtime attestation<\/a>.<\/p>\n<p><em><strong>Abhijat Singh<\/strong>, Enterprise &amp; Security<\/em><br \/><em><strong>David Kaplan (<a href=\"https:\/\/twitter.com\/depletionmode\">@depletionmode<\/a>)<\/strong>, Microsoft Defender ATP Research<\/em><br \/><em><strong>Chun Feng<\/strong>, Microsoft Defender ATP Research<\/em><br \/><em><strong>Hermineh Sanossian<\/strong>, Enterprise &amp; Security<\/em><\/p>\n<hr>\n<h3>Talk to us<\/h3>\n<p>Questions, concerns, or insights on this story? Join discussions at the&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Microsoft-Defender-ATP\/bg-p\/MicrosoftDefenderATPBlog\">Microsoft Defender ATP community<\/a>.<\/p>\n<p>Read all <a href=\"https:\/\/www.microsoft.com\/security\/blog\/microsoft-security-intelligence\/\">Microsoft security intelligence blog posts<\/a>.<\/p>\n<p>Follow us on Twitter <a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>@MsftSecIntel<\/strong><\/a>.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/07\/31\/how-windows-defender-antivirus-integrates-hardware-based-system-integrity-for-informed-extensive-endpoint-protection\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The deep integration of Windows Defender Antivirus with hardware-based isolation capabilities allows the detection of artifacts of attacks that tamper with kernel-mode agents at the hypervisor level.<br \/>\nThe post How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection appeared first on Microsoft Security. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":28149,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[7294,347,6716,7295,7220,7221,7224,3342,1096,1064,6578,7296,7297,717,6715],"class_list":["post-28148","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-assertion-engine","tag-cybersecurity","tag-hardware-based-isolation","tag-kernel-mode-attacks","tag-microsoft-defender-advanced-threat-protection","tag-microsoft-security-intelligence","tag-next-generation-protection","tag-privilege-escalation","tag-runtime-attestation","tag-security-intelligence","tag-threat-protection","tag-token-swap","tag-token-theft","tag-windows-defender-antivirus","tag-windows-security"]}