A design weakness in Microsoft Defender tells attackers where malware will not be scanned.
Security researchers found that the list of locations excluded from Microsoft Defender scanning is stored in the registry without access restrictions, so any local user can read it.
Regardless of their privileges, local users can query the registry and learn exactly which paths, file extensions and processes Defender skips when it scans for malware. That list amounts to a set of doors that are known to be left open for a would-be attacker.
An attacker who already has a foothold on the machine can read the exclusion list, then drop or stage malware in one of the excluded locations, where Defender will not inspect it.
Problem With Defender’s Exclusions
Exclusions are normally configured so that the antivirus does not interfere with legitimate applications that it would otherwise flag as malicious.
On Windows Server, Microsoft Defender also applies automatic exclusions when certain server roles or features are installed. Because these are standard, predictable locations rather than customer-specific ones, an attacker does not even need to read them off the machine to know where to go. Reading the custom exclusion list does require local access, but that is rarely a serious obstacle: many attackers are already inside a compromised corporate network and are looking for ways to move around as quietly as possible.
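The following PowerShell script is an added example, not code from the original article or from the researchers. It shows both sides of the issue described above: the attacker's view, reading the locally configured and Group Policy exclusion lists straight out of the registry as an ordinary user, and the defender's view, auditing which principals are allowed to read those keys. The registry key names used here are the standard locations where Defender stores configured exclusions; the script assumes that layout and does not change anything on the system. Automatic server-role exclusions are not stored under these keys, so they will not appear in the output.

```powershell
# Added example (not from the original article): read Microsoft Defender's
# configured exclusions from the registry without administrator rights, then
# check whether broad groups such as Users are allowed to read those keys.
# Assumption: standard Defender registry layout for local and policy exclusions.

$exclusionRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',          # set locally (GUI / Set-MpPreference)
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'  # set via Group Policy
)
$categories = @('Paths', 'Extensions', 'Processes')

function Get-DefenderExclusionsFromRegistry {
    # Returns one object per exclusion entry the *current* user can read.
    # Each exclusion is stored as a value NAME under the category key; the
    # value data itself is normally just 0, so only the names matter.
    foreach ($root in $exclusionRoots) {
        foreach ($cat in $categories) {
            $key = Join-Path $root $cat
            if (-not (Test-Path $key)) { continue }
            try {
                $item = Get-Item -Path $key -ErrorAction Stop
            } catch {
                # Access denied means the key has been hardened: report, don't fail.
                [pscustomobject]@{ Source = $root; Category = $cat; Value = '<access denied>' }
                continue
            }
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Source = $root; Category = $cat; Value = $name }
            }
        }
    }
}

function Test-DefenderExclusionKeyAcl {
    # Flags Allow ACEs that grant any read right on the exclusion keys to
    # broad principals. A hardened key should produce no output here.
    $broadGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $readMask    = [System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($root in $exclusionRoots) {
        if (-not (Test-Path $root)) { continue }
        try {
            $acl = Get-Acl -Path $root -ErrorAction Stop
        } catch {
            # Reading the ACL needs ReadPermissions; lacking it is itself a good sign.
            [pscustomobject]@{ Key = $root; Principal = '<cannot read ACL>'; Rights = '' }
            continue
        }
        foreach ($ace in $acl.Access) {
            $grantsRead = ([int]$ace.RegistryRights -band [int]$readMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and
                ($broadGroups -contains $ace.IdentityReference.Value)) {
                [pscustomobject]@{ Key = $root; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
            }
        }
    }
}

# Run both views. On an affected build neither call needs administrator rights.
Write-Host "Current user: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-Host "`n== Exclusions readable by this user =="
Get-DefenderExclusionsFromRegistry | Format-Table -AutoSize
Write-Host "`n== Broad read access on exclusion keys (should be empty) =="
Test-DefenderExclusionKeyAcl | Format-Table -AutoSize
```

Run it from a non-elevated PowerShell session as a standard domain or local user. If the first table lists paths, extensions or processes, an attacker with the same level of access can see them too; the second table names the principal and the rights that make that possible, which is what you need when deciding whether to tighten the ACL or treat every listed path as a location that needs compensating monitoring.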
The Vulnerability Exists for Years!
The problem has existed for at least eight years and also affects the current releases Windows 10 21H1 and Windows 10 21H2. Windows 11, however, is not affected. Microsoft has not yet acknowledged the behaviour as a security issue or changed it, at least not on Windows 10.