Microsoft Defender Exclusions List Can Be Read by Attackers in Windows 10

Security researchers have discovered a flaw in Microsoft Defender Antivirus that could allow attackers to bypass the malware detection solution on Windows machines. According to a report from Bleeping Computer, this issue specifically impacts Windows 10 devices running version 21H1 and 21H2.

Microsoft Defender is the default anti-malware software, which scans files and processes to protect Windows PCs from viruses, malware, ransomware, and other security threats. It also provides an option to prevent a particular file, file type, folder, process, or location from malware scanning by adding them to the exclusions list. This feature comes in handy in scenarios where some legitimate apps are incorrectly classified as malicious.

As the exclusion lists differ from one user to another, threat actors can abuse this information to track these locations and store malicious files on Windows 10 devices. Antonio Cocomazzi, a Threat Intelligence Researcher at SentinelOne, explained that Microsoft Defender allows any local user to read the sensitive data stored in the exclusion lists via registry query, regardless of their permissions.

Windows Defender AV allows Everyone to read the configured exclusions on the system 🤦

reg query "HKLMSOFTWAREMicrosoftWindows DefenderExclusions" /s pic.twitter.com/dpTFwMVRje

— Antonio Cocomazzi (@splinter_code) January 12, 2022

advertisment

Microsoft Defender security flaw was first discovered 8 years ago

Additionally, cyber security architect Nathan McNulty warned that attackers could also exploit the registry tree to access exclusions lists for multiple systems. “For those configuring Defender AV on servers, be aware that there are automatic exclusions that get enabled when specific roles or features are installed,” McNulty explained on Twitter. However, keep in mind that these automatic exclusions don’t include custom install locations.

It is important to note that this Microsoft Defender security flaw was first discovered by some security researchers around 8 years ago who confirmed that it can be helpful to develop malware.

Unfortunately, Microsoft has yet to acknowledge this issue, and it’s not clear when a fix will be available for Windows users. It is recommended that IT Admins should use the group policies to set up the Microsoft Defender exclusions on both Windows 10 and Windows Server machines.