Microsoft has patched a vulnerability in its Windows Defender Antivirus that enabled attackers to plant and execute malicious payloads without alerting Defender’s malware detection engine. This security issue [1, 2] impacted the most recent versions of Windows 10, and threat actors have exploited it since at least 2014.
The vulnerability stemmed from lax permissions on the "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" Registry key, whose subkeys (Paths, Extensions, Processes) hold the list of files, folders, extensions and processes that Microsoft Defender does not scan. Because the key granted read access to the 'Everyone' group, any local user, regardless of privilege level, could query it from the command line (for example with reg query) and obtain the complete list of exclusions.
According to security expert Nathan McNulty, users could also read the list of exclusions from the Registry tree that holds Group Policy settings, which is considerably more sensitive information because it reveals the exclusions applied to numerous machines across a Windows domain.
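As an added example, not code from the original article or from the researchers quoted, the following PowerShell enumerates both exclusion sources described above straight from the Registry. It assumes the documented layout of these keys, in which each exclusion is stored as a value name under the Paths, Extensions or Processes subkey, and it assumes the Group Policy copy lives under the Policies\Microsoft\Windows Defender tree. On a system that still grants 'Everyone' read access it runs from an unelevated prompt; on a system with the permission change it reports access denied for non-administrators instead of listing anything.

```powershell
# Added example: enumerate Microsoft Defender exclusions from the Registry.
# Assumes the documented layout: each exclusion is a value *name* under the
# Paths / Extensions / Processes subkeys (the value data itself is only 0).
$sources = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'            # local configuration
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'   # Group Policy-delivered (assumed path)
)

function Get-DefenderExclusionsFromRegistry {
    foreach ($root in $sources) {
        foreach ($type in 'Paths', 'Extensions', 'Processes') {
            $key = Join-Path -Path $root -ChildPath $type
            try {
                $item = Get-Item -Path $key -ErrorAction Stop
            } catch {
                # A missing subkey simply means no exclusions of that type are configured.
                if ($_.CategoryInfo.Category -eq 'ObjectNotFound') { continue }
                # Anything else (typically 'Requested registry access is not allowed')
                # is what a non-admin sees once 'Everyone' has been removed from the ACL.
                Write-Warning "Cannot read ${key}: $($_.Exception.Message)"
                continue
            }
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Source = $root; Type = $type; Exclusion = $name }
            }
        }
    }
}

Get-DefenderExclusionsFromRegistry | Format-Table -AutoSize
```

Run it once as a standard user and once from an elevated prompt: the difference between the two outputs is exactly the information the permission change takes away from an unprivileged attacker.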
After determining which directories were on the antivirus exclusion list, attackers could drop and execute malware from an excluded folder on a compromised Windows PC with no risk of detection or removal. In a test of the flaw, a sample of Conti ransomware launched from an excluded folder encrypted a Windows PC without triggering a single warning or detection alert from Microsoft Defender.
This is no longer possible: Microsoft has quietly patched the flaw, as Dutch security researcher SecGuru_OTX discovered on Thursday. SentinelOne threat researcher Antonio Cocomazzi confirmed that the weakness can no longer be exploited on Windows 10 20H2 systems once the February 2022 Patch Tuesday Windows updates are installed, and other users likewise noticed a new permission change after installing the February 2022 Patch Tuesday cumulative updates.
However, Will Dormann, a vulnerability analyst at CERT/CC, said that he received the permission change without applying any updates, which suggests it may have been delivered through Microsoft Defender security intelligence updates rather than (or in addition to) Windows updates. It was also verified in the Registry key's advanced security settings that the permissions on the Defender exclusions key had been modified, with the 'Everyone' group removed from the key's access list.
On Windows 10 systems where the change has already landed, administrator rights are now required to read the list of exclusions from the command line or to add exclusions through the Windows Security settings screen. For now, only Microsoft knows how the change reached affected Windows 10 systems (Windows updates, Defender intelligence updates, or some other channel).
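Because the delivery channel is unknown, the only reliable way to know whether a given machine has the fix is to inspect the key's permissions directly. The following PowerShell is an added example, not code from the original article, that dumps the DACL on the exclusions key and flags whether 'Everyone' is still granted access. It assumes the standard 'Everyone' well-known SID S-1-1-0 and reads the ACL through the Registry provider; reading a DACL needs only READ_CONTROL, which ordinary users normally hold, so the check works from an unelevated prompt before or after the change.

```powershell
# Added example: check whether the Defender exclusions key still grants access to 'Everyone'.
# Reading a key's DACL needs only READ_CONTROL, which standard users normally have,
# so this works whether or not the permission fix has arrived on this machine.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

function Test-DefenderExclusionsAcl {
    param([string]$Path = $keyPath)

    $acl = Get-Acl -Path $Path

    # Show every ACE so the reviewer sees the full picture, not only the entry we flag.
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize | Out-String | Write-Host

    # Well-known SID S-1-1-0 is 'Everyone'; compare by SID so localized account names do not matter.
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $grants = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
    }

    if ($grants) {
        "NOT FIXED: 'Everyone' is granted $($grants.RegistryRights -join ', ') on $Path"
    } else {
        "FIXED: 'Everyone' is not granted access on $Path"
    }
}

Test-DefenderExclusionsAcl
```

For an independent confirmation, run reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" from a non-elevated command prompt: on a machine with the change it fails with "Access is denied", while on an unpatched machine it still lists the Paths, Extensions and Processes subkeys.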