Microsoft Defender Exclusions List Can Be Read by Attackers in Windows 10


Security researchers have discovered a flaw in Microsoft Defender Antivirus that could allow attackers to bypass the malware detection solution on Windows machines. According to a report from Bleeping Computer, the issue specifically affects Windows 10 devices running versions 21H1 and 21H2.

Microsoft Defender is the default anti-malware software that scans files and processes to protect Windows PCs from viruses, malware, ransomware, and other security threats. It also provides an option to exempt a particular file, file type, folder, process, or location from malware scanning by adding it to the exclusions list. This feature comes in handy in scenarios where a legitimate app is incorrectly classified as malicious.

As exclusion lists differ from one user to another, threat actors can abuse this information to identify the excluded locations and store malicious files there on Windows 10 devices. Antonio Cocomazzi, a Threat Intelligence Researcher at SentinelOne, explained that Microsoft Defender allows any local user to read the sensitive data stored in the exclusion lists via a registry query, regardless of their permissions.

https://twitter.com/splinter_code/status/1481073265380581381

Microsoft Defender security flaw was first discovered 8 years ago

Additionally, cyber security architect Nathan McNulty warned that attackers could also exploit the registry tree to access the exclusion lists of multiple systems. “For those configuring Defender AV on servers, be aware that there are automatic exclusions that get enabled when specific roles or features are installed,” McNulty explained on Twitter. However, keep in mind that these automatic exclusions don’t cover custom install locations.

It is important to note that this Microsoft Defender security flaw was first discovered by security researchers around 8 years ago, who confirmed that it could be useful to malware developers.

Unfortunately, Microsoft has yet to acknowledge this issue, and it is not clear when a fix will be available for Windows users. In the meantime, IT admins are advised to use Group Policy to configure Microsoft Defender exclusions on both Windows 10 and Windows Server machines.
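Since the exclusion list is effectively readable by every local user, each entry should be as narrow as possible. The following PowerShell audit is an added example (not code from the article, from the researchers quoted, or from Microsoft): it reads the exclusions Defender is currently applying and flags the ones broad enough to matter. It assumes the Defender module's Get-MpPreference cmdlet is available in an elevated session; the "risky" patterns are this example's own heuristics, not a Microsoft-defined list.

```powershell
# Added example: audit Defender exclusions for overly broad entries.
# Assumes Get-MpPreference (Defender PowerShell module) and an elevated session.
function Get-RiskyDefenderExclusions {
    [CmdletBinding()]
    param()

    $pref     = Get-MpPreference
    $findings = @()

    # Path exclusions: flag whole drives, wildcard-only entries, and locations
    # that standard users can normally write to (heuristic list, constructed here).
    $userWritable = @('\Users\', '\Temp\', '\ProgramData\')
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $reason = $null
        if     ($p -match '^[A-Za-z]:\\?$') { $reason = 'entire drive excluded' }
        elseif ($p -match '^\*')            { $reason = 'wildcard-only exclusion' }
        elseif ($userWritable | Where-Object { $p -like "*$_*" }) {
            $reason = 'user-writable location excluded'
        }
        if ($reason) {
            $findings += [pscustomobject]@{ Type = 'Path'; Entry = $p; Reason = $reason }
        }
    }

    # Extension exclusions: exempting executable or script types defeats
    # scanning for any file that simply carries that extension.
    $execExt = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr', 'msi')
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        if ($execExt -contains $e.TrimStart('.').ToLower()) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Entry = $e; Reason = 'executable file type excluded' }
        }
    }

    # Process exclusions: files opened by an excluded process are not scanned,
    # so excluding a general-purpose interpreter or shell is rarely justified.
    $interpreters = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')
    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not $proc) { continue }
        if ($interpreters -contains (Split-Path -Leaf $proc).ToLower()) {
            $findings += [pscustomobject]@{ Type = 'Process'; Entry = $proc; Reason = 'script host or shell excluded' }
        }
    }

    return $findings
}

Get-RiskyDefenderExclusions | Format-Table -AutoSize
```

An empty result means no entry matched the heuristics, not that the remaining exclusions are harmless; review them against the Group Policy baseline the article recommends.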