better maldev & more insights into MDE
```
# start the monitor, tracks MDE actions against yourmalware.exe
iEDR.exe -a C:\path\to\file\yourmalware.exe
# then copy/write/etc. your file to C:\path\to\file\yourmalware.exe
# and see what actions MDE takes against your file (static, emulation, memscan)
```

iEDR uses ETW to track the relevant actions of MsMpEng (MDE) against your malware. Usually you need kernel-based access to modify MsMpEng to track all of its system calls. However, the relevant events for the heuristics checks and emulation, and for the memory scans, can be found in the ETW traces Microsoft-Antimalware-Engine and Microsoft-Windows-Kernel-Audit-API-Calls respectively.
| Phase | ETW Antimalware Engine | Kernel Audit API Calls | ETW TI | Hooked EDR |
|---|---|---|---|---|
| Static Scan | Stream scan | Not visible | Not visible | NtReadFile |
| Emulation | Scan | Not visible | Alloc in EDR | Not visible |
| Memory Scan | Not visible | OpenProcess | RW->RX in EDR | NtOpenProcess |
| Tracking | Other events | Other events | Other events | Other events |
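To check independently that those two providers carry the events the table attributes to them, the following added example (not part of iEDR or this page) records both providers into an .etl file with the built-in logman and tracerpt utilities; the session name and output paths are assumptions, and an elevated prompt is required.

```powershell
# Added example, not iEDR code: capture the two ETW providers the tool relies
# on, then decode the binary log for review. Session name and paths are
# arbitrary choices (assumptions); run from an elevated PowerShell prompt.
$Session = "mde-trace"                 # assumed session name
$Etl     = "C:\temp\mde-trace.etl"     # assumed output path

# Start a trace session on the Antimalware Engine provider (static scan / emulation events)
logman start $Session -p "Microsoft-Antimalware-Engine" -o $Etl -ets

# Add the kernel audit provider to the running session (OpenProcess events for the memory scan phase)
logman update trace $Session -p "Microsoft-Windows-Kernel-Audit-API-Calls" -ets

# Now place the file under observation at its target path so that MDE acts on it,
# then stop the session and render the events as XML for inspection.
logman stop $Session -ets
tracerpt $Etl -o "C:\temp\mde-trace.xml" -of XML -y
```

The resulting XML can be filtered by provider name to see which phase of the table produced each event.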