
Abstract

Thursday 4 October 11:30 - 12:00, Red room

Alexei Bulazel (ForAllSecure)

Windows Defender's MpEngine.dll implements the core of Defender's anti-virus functionality in an enormous ~11MB, 45,000+ function DLL.

In 2017 and early 2018, I spent months reverse engineering Defender's JavaScript and Windows binary emulators as a personal project after Tavis Ormandy's release of 0-days in the engine piqued my interest. While my previous conference presentations have covered the deep technical inner workings of the engine, in this presentation I'd like to share a reverse engineer's perspective on Defender: how I, as an industry outsider, went about reverse engineering the engine, interacting with it, and fuzzing it.

Attendees will take away insights as to how reverse engineers might approach their emulators, the sort of intuition about an attack surface that a vulnerability researcher might bring to this analysis, and ultimately how they might better protect against researchers like me in the future.

Slides