Skip to main content

Microsoft Defender antivirus now able to detect ZeroLogon attacks

Cyberattack
(Image credit: Cyberattack)
Audio player loading…

Microsoft has announced that its in-house antivirus (opens in new tab) tools are now able to detect ZeroLogon exploits. Microsoft Defender for Identity can now detect the vulnerability early on, allowing security teams to quickly identify where the attacks are coming from and whether or not they have been successful.

Vulnerability CVE-2020-1472, also known as ZeroLogon, affects Microsoft’s Netlogon Remote Protocol and has been given a 10 out of 10 rating for severity by the Common Vulnerability Scoring System. Although Microsoft released the first patch for the bug back in August, another is not due for release until February and, in any case, it can take organizations months to make sure all their devices are patched up.

The new Microsoft antivirus updates could provide some much-needed protection, therefore. By combining the new Microsoft 365 Defender solutions, businesses can detect threat actors when they are in the process of trying to exploit the ZeroLogon vulnerability against their domain controllers.

Detect and defend

With the Microsoft Defender for Identity alerts in place, organizations will be able to detect which device is attempting a ZeroLogon impersonation, the relevant domain controller, the targeted asset, and whether any impersonation attempts were successful.

“Customers using Microsoft 365 Defender can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint,” Microsoft program manager Daniel Naim explained (opens in new tab). “This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.”

In late October (opens in new tab), Microsoft warned that the ZeroLogon vulnerability was still being exploited in the wild, with attackers targeting unpatched devices. The firm’s new security solutions should provide greater protection even for those companies that have yet to install the necessary patches.

  • Also, check out our roundup of the best firewall (opens in new tab) for protecting your device

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.