There have been negative headlines about Microsoft Defender in recent months. Now a weakness has been discovered that could make it easy for attackers to circumvent the security solution's protective function, and Microsoft has not yet responded to it. Through a design weakness, Microsoft Defender lets attackers bypass malware detection, which basically makes Defender useless as a security solution. The weakness concerns the Microsoft Defender exclusion list.
This list lets users define locations (local and network) that are excluded from security scans. The problem: the list is insufficiently secured; in fact it is almost unprotected. This is reported by the online magazine Bleeping Computer. The weakness in Microsoft Defender is not new and was made public by Paul Bolton around eight years ago. Threat actors can use it to learn which places Microsoft Defender antivirus protection on Windows excludes from scanning and place malware right there.
According to the information, the problem has existed for at least eight years and now also affects the current versions Windows 10 21H1 and Windows 10 21H2. However, Windows 11 is not affected.
Problem in permissions
As with any antivirus solution, Microsoft Defender allows users to add locations (local or network) on their systems that are excluded from malware scans. Typically, exclusions are set so that the antivirus does not interfere with legitimate applications that are mistakenly identified as malware; this happens fairly often, especially when there is a lot of network traffic.
Conversely, this also means that these exclusion lists are extremely attractive to attackers and therefore deserve the highest level of protection. Security researchers discovered that the list of locations excluded from Microsoft Defender scans is unprotected and readable by any local user. Regardless of their permissions, local users can query the registry to learn the paths that Microsoft Defender does not scan for malware or dangerous files. This puts a list of wide-open gateways into the hands of potential attackers.
Another problem is that Microsoft Defender on a server has automatic exclusions that are activated when certain roles or features are installed. Since these are not custom locations, they are even easier for attackers to exploit. Although an attacker needs local access to read the Microsoft Defender exclusion list, this is not a major obstacle: many attackers are already inside compromised corporate networks and are looking for ways to move through them as silently as possible. Microsoft has not yet acknowledged the problem as such or made a change, at least not for Windows 10.
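The two preceding paragraphs describe exposed exclusion paths and server role exclusions. The following PowerShell script is an added example, not code from the article, from Bleeping Computer or from Microsoft, showing how an administrator can audit the same configuration from the defender's side: it lists the configured exclusions and flags very broad ones, reports which principals can read the registry keys that store them (the exposure the article describes), and pulls the Defender Operational log entries that record exclusion changes. It assumes a Windows 10 host with the Defender PowerShell module (Get-MpPreference) and an elevated session; the "broad exclusion" patterns are constructed heuristics, not a Microsoft definition.

```powershell
# Added example (not from the article): defender-side audit of Microsoft Defender exclusions.
# Assumes Windows 10 with the Defender module present and an elevated PowerShell session.
# The registry paths below are the documented locations where Defender stores exclusions.

$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
)

# Constructed heuristics for exclusions broad enough to deserve a second look:
# drive roots, whole profile trees, temp and download folders, leading wildcards.
$BroadPatterns = @('^[A-Za-z]:\\?$', '\\Users\\?$', '\\Temp\\?$', '\\Downloads\\?$', '^\*')

function Get-ExclusionInventory {
    # Lists every configured exclusion, flags the broad ones, and reports whether the
    # server role based automatic exclusions are active (DisableAutoExclusions is $false).
    $prefs = Get-MpPreference
    foreach ($entry in @($prefs.ExclusionPath)) {
        if (-not $entry) { continue }
        $broad = @($BroadPatterns | Where-Object { $entry -match $_ }).Count -gt 0
        [pscustomobject]@{ Kind = 'Path'; Value = $entry; Broad = $broad }
    }
    foreach ($entry in @($prefs.ExclusionExtension)) {
        if ($entry) { [pscustomobject]@{ Kind = 'Extension'; Value = $entry; Broad = $false } }
    }
    foreach ($entry in @($prefs.ExclusionProcess)) {
        if ($entry) { [pscustomobject]@{ Kind = 'Process'; Value = $entry; Broad = $false } }
    }
    [pscustomobject]@{ Kind = 'AutoExclusionsActive'; Value = (-not $prefs.DisableAutoExclusions); Broad = $false }
}

function Get-ExclusionKeyReaders {
    # Shows which principals hold read access on the keys that store the exclusions.
    # A row for 'BUILTIN\Users' or 'Everyone' means any local user can read the list.
    foreach ($key in $ExclusionKeys) {
        if (-not (Test-Path $key)) { continue }
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($ace.RegistryRights -match 'ReadKey|QueryValues|FullControl')) {
                [pscustomobject]@{
                    Key       = $key
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                }
            }
        }
    }
}

function Get-RecentExclusionChanges {
    # Defender records configuration changes as event ID 5007 in its Operational log;
    # the message names the changed registry value, so exclusion edits are visible there.
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

# Usage: run all three reports from an elevated session.
Get-ExclusionInventory     | Format-Table -AutoSize
Get-ExclusionKeyReaders    | Format-Table -AutoSize
Get-RecentExclusionChanges | Format-List
```

The key-reader report is the one that reflects the article's finding: on an affected Windows 10 system the Paths key inherits the default read permission for local users. The inventory and the event ID 5007 query are the practical follow-ups while the platform itself does not hide the list: keep exclusions as narrow as possible, so that a readable list reveals little of value, and alert on unexpected exclusion changes rather than discovering them after the fact.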
I'm a communication enthusiast and junior editor-reporter at Research Snipers. I have completed a degree in Mass Communication but am very enthusiastic about new technology, games, and mobile devices. My main interests are technology and games.