Security researchers have discovered a flaw in Microsoft Defender Antivirus that could allow attackers to bypass the malware detection solution on Windows machines. According to a report from Bleeping Computer, the issue specifically affects Windows 10 devices running versions 21H1 and 21H2.
Microsoft Defender is the default anti-malware software, which scans files and processes to protect Windows PCs from viruses, malware, ransomware, and other security threats. It also provides an option to prevent a particular file, file type, folder, process, or location from malware scanning by adding them to the exclusions list. This feature comes in handy in scenarios where some legitimate apps are incorrectly classified as malicious.
Because exclusion lists differ from one machine to another, threat actors can read this information to identify the excluded locations and then store malicious files there, where Defender will not scan them. Antonio Cocomazzi, a Threat Intelligence Researcher at SentinelOne, explained that Microsoft Defender allows any local user to read the sensitive data stored in the exclusion lists via a registry query, regardless of their permissions.
Windows Defender AV allows Everyone to read the configured exclusions on the system 🤦
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s pic.twitter.com/dpTFwMVRje
— Antonio Cocomazzi (@splinter_code) January 12, 2022
Additionally, cyber security architect Nathan McNulty warned that attackers could also use the registry tree to access the exclusion lists of multiple systems. “For those configuring Defender AV on servers, be aware that there are automatic exclusions that get enabled when specific roles or features are installed,” McNulty explained on Twitter. However, keep in mind that these automatic exclusions don’t include custom install locations.
It is important to note that this Microsoft Defender security flaw was first discovered by security researchers around 8 years ago, who confirmed that it could be useful to malware developers.
Unfortunately, Microsoft has yet to acknowledge this issue, and it’s not clear when a fix will be available for Windows users. In the meantime, IT admins are advised to configure Microsoft Defender exclusions through Group Policy on both Windows 10 and Windows Server machines.
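For admins who want to check their own systems, the following PowerShell audit helper is an added example and not code from the article or from Microsoft. It reads the DACL of the Defender exclusion keys and reports which principals can enumerate or query them; the key under HKLM\SOFTWARE\Policies is assumed to be where Group Policy-managed Defender settings are written, and the list of "broad" principals is an assumption about which identities effectively mean "any local user".

```powershell
# Added audit helper (not from the article): report who can read the Defender
# exclusion keys. Run elevated so the ACL of every key can be read.
function Test-DefenderExclusionKeyAcl {
    [CmdletBinding()]
    param(
        # Native key (from the article) plus the Group Policy key (assumption)
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
        ),
        # Identities that amount to "any local user" (assumed list)
        [string[]]$BroadPrincipals = @(
            'Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
        )
    )
    # Rights needed to list the Paths/Processes/Extensions subkeys and read their values
    $readBits = [System.Security.AccessControl.RegistryRights]'QueryValues, EnumerateSubKeys'

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -Path $path)) {
            [PSCustomObject]@{ Key = $path; Principal = $null; Rights = 'key not present'; Broad = $false }
            continue
        }
        try { $acl = Get-Acl -Path $path } catch {
            [PSCustomObject]@{ Key = $path; Principal = $null; Rights = "ACL not readable: $_"; Broad = $false }
            continue
        }
        foreach ($ace in $acl.Access) {
            # Only Allow entries that carry at least one of the read bits matter here
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.RegistryRights -band $readBits) -eq 0) { continue }
            [PSCustomObject]@{
                Key       = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Broad     = ($BroadPrincipals -contains $ace.IdentityReference.Value)
            }
        }
    }
}

# Show only the entries that let non-administrators read the exclusions
Test-DefenderExclusionKeyAcl | Where-Object Broad | Format-Table -AutoSize
```

Inherited entries expressed as generic rights (shown as large negative numbers in RegistryRights) are not matched by the bit test, so review those rows manually if the full, unfiltered output lists any.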