Threat actors can use a weakness in Microsoft Defender antivirus for Windows to learn which locations are not scanned and install malware there. According to some users, the problem has existed for at least eight years and affects Windows 10 21H1 and Windows 10 21H2.
Like any other antivirus program, Microsoft Defender allows users to specify locations (local or network) on their devices that should be excluded from malware scanning. Exclusions are widely used to prevent the antivirus from interfering with the performance of genuine apps that have been mistakenly identified as malware.
Because the list of scanning exclusions varies from one user to the next, it is essential information for an attacker on the system: it shows where malicious files could be placed without being noticed. According to security experts, the list of locations excluded from Microsoft Defender scanning is unprotected, and any local user can read it.
Regardless of their permissions, local users can query the registry to learn the paths that Microsoft Defender does not check for malware or harmful files. Antonio Cocomazzi, a SentinelOne threat researcher, points out that this information, which should be considered sensitive, is unprotected. Running the “reg query” command reveals everything that Microsoft Defender is instructed not to scan, including files, folders, extensions, and processes.
Nathan McNulty, another security expert, confirmed that the problem exists in Windows 10 versions 21H1 and 21H2 but not in Windows 11. He also confirmed that the list of exclusions can be retrieved from the registry entries that hold Group Policy settings. This information is sensitive because such policies can define exclusions for many computers at once.
McNulty, a security architect experienced in securing the Microsoft stack, warns that Microsoft Defender on a server has “automatic exclusions that get enabled when specific roles or features are installed,” and these do not cover custom locations.
Although a threat actor needs local access to obtain the Microsoft Defender exclusions list, this is by no means a significant barrier. Many attackers are already inside corporate networks, looking for a way to move laterally as quietly as possible. A threat actor who has already compromised a Windows PC can use the list of Microsoft Defender exclusions to store and execute malware from the excluded directories without being detected.
This Microsoft Defender flaw is not new, and Paul Bolton has already discussed it publicly. The senior security consultant says he first identified the problem roughly eight years ago and realized its value to malware developers.
“Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension” – Aura
Given that Microsoft has yet to fix the issue, network administrators should consult the guidance on correctly implementing Microsoft Defender exclusions on servers and local machines via Group Policy.
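As an added example that is not part of the article, the following PowerShell audit script lets an administrator review the Defender exclusions in effect (via Get-MpPreference) and check which principals hold read access on the registry keys that store them, so that broad read access by non-administrative users is visible. The two registry paths are assumptions about where the local and Group Policy exclusion settings live and are not named in the article; adjust them for your environment.

```powershell
# Added audit example (not from the article). The two registry paths are an
# assumption about where Defender stores local and Group Policy exclusions;
# adjust them if your environment differs.
$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
)
# Principals whose read access means any local user can enumerate the exclusions
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE')

function Get-ExclusionKeyReadAccess {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            # QueryValues is the right needed to read the exclusion entries
            $canRead = ($ace.RegistryRights -band
                [System.Security.AccessControl.RegistryRights]::QueryValues) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canRead) {
                [pscustomobject]@{
                    Key       = $key
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Broad     = $BroadPrincipals -contains $ace.IdentityReference.Value
                }
            }
        }
    }
}

function Get-ConfiguredExclusions {
    # Get-MpPreference exposes the effective exclusion lists for review
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Extensions = @($pref.ExclusionExtension)
        Processes  = @($pref.ExclusionProcess)
    }
}

$access = Get-ExclusionKeyReadAccess -Keys $ExclusionKeys
$access | Format-Table -AutoSize
$broad = $access | Where-Object { $_.Broad }
if ($broad) {
    $names = ($broad.Principal | Sort-Object -Unique) -join ', '
    Write-Warning "Exclusion keys readable by non-administrative principals: $names"
}
Get-ConfiguredExclusions | Format-List
```

Run it from an elevated session, since reading the full ACL and the effective exclusion lists may require administrative rights.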