Microsoft Defender Exclusions List Can Be Read by Attackers in Windows 10
Security researchers have described a weakness in Microsoft Defender Antivirus that could help attackers evade its malware detection on Windows machines: the list of scan exclusions can be read by any local user. According to a report from Bleeping Computer, the issue specifically affects Windows 10 devices running versions 21H1 and 21H2.
Microsoft Defender is the default anti-malware software on Windows. It scans files and processes to protect PCs from viruses, malware, ransomware, and other threats. It also lets administrators exclude a particular file, file type, folder, process, or location from malware scanning by adding it to the exclusions list. This feature comes in handy when legitimate apps are incorrectly classified as malicious.
Because the exclusion lists differ from one system to another, a threat actor who obtains them learns exactly where malicious files can be stored on a Windows 10 device without being scanned. Antonio Cocomazzi, a Threat Intelligence Researcher at SentinelOne, explained that Microsoft Defender allows any local user to read the sensitive data stored in the exclusion lists with a registry query, regardless of their permissions.
Windows Defender AV allows Everyone to read the configured exclusions on the system 🤦
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s pic.twitter.com/dpTFwMVRje
— Antonio Cocomazzi (@splinter_code) January 12, 2022
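The query in the tweet above can be turned into a small PowerShell script that does the same thing as a standard (non-admin) user and, for defenders, shows who is granted read access on the key. This is an added example, not code from the original article or from the researchers quoted; the locally configured exclusions key is the one from the tweet, while the second key (where Group Policy writes managed exclusions) is an assumption that should be verified on your own build.

```powershell
# Added example: enumerate Microsoft Defender exclusions from the registry
# as a standard user, and inspect the ACL on the key.
# Key 1 is the path from the tweet; key 2 (GPO-managed exclusions) is an
# assumption about where Group Policy stores them - verify on your build.
$DefenderExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
)

# Get-ItemProperty adds these note properties to every result; they are not exclusions.
$PSMetaProperties = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-DefenderExclusionsFromRegistry {
    param([string[]]$RootKeys = $DefenderExclusionKeys)

    foreach ($root in $RootKeys) {
        if (-not (Test-Path -Path $root)) { continue }

        # Subkeys are named after the exclusion type (Paths, Processes, Extensions, ...).
        # Each exclusion is stored as a value whose NAME is the excluded item (data is 0).
        foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }

            foreach ($p in $props.PSObject.Properties) {
                if ($PSMetaProperties -contains $p.Name) { continue }
                [pscustomobject]@{
                    Source    = $root
                    Type      = $sub.PSChildName   # Paths / Processes / Extensions
                    Exclusion = $p.Name
                }
            }
        }
    }
}

function Get-DefenderExclusionKeyAccess {
    # Shows the ACEs on the exclusions key so you can confirm whether a broad
    # principal such as Everyone or Users has ReadKey on your build.
    param([string]$Key = $DefenderExclusionKeys[0])

    if (-not (Test-Path -Path $Key)) { return }
    (Get-Acl -Path $Key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Usage: run from an unelevated prompt to see what any local user can learn.
Get-DefenderExclusionsFromRegistry | Format-Table -AutoSize
Get-DefenderExclusionKeyAccess    | Format-Table -AutoSize
```

If the first function returns your full exclusion list from an unelevated prompt, the system is exposed in the way the article describes. Note that the example only reads what is written under these keys; the automatic exclusions that Defender applies for installed server roles are not stored there, so an empty result does not mean no exclusions are in effect.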
Microsoft Defender security flaw was first discovered 8 years ago
Additionally, cyber security architect Nathan McNulty warned that the same registry query exposes the exclusion lists of servers as well, including exclusions that administrators never configured themselves. “For those configuring Defender AV on servers, be aware that there are automatic exclusions that get enabled when specific roles or features are installed,” McNulty explained on Twitter. Keep in mind, however, that these automatic exclusions do not cover custom install locations.
This behavior is not new: security researchers first noted it around eight years ago and confirmed at the time that it could be useful to malware developers.
Unfortunately, Microsoft has yet to acknowledge the issue, and it is not clear when a fix will be available for Windows users. In the meantime, it is recommended that IT admins use Group Policy to configure Microsoft Defender exclusions on both Windows 10 and Windows Server machines.