Cyber attackers can use a flaw in Microsoft Defender virus protection for Windows to learn about locations that aren’t scanned and place viruses there. According to some customers, the problem has been there for at least eight years and impacts Windows 10 21H1 and Windows 10 21H2.
Microsoft Defender, like any other antivirus program, allows users to specify places (local or network) on their computers that should be avoided from malware scans. Exclusions are widely used to prevent the antivirus from interfering with the performance of genuine applications that have been mistakenly identified as malware.
Because the list of scanning exceptions varies from one user to another, it is valuable information for a computer hacker because it shows them where they might place infected files without being noticed. The list of locations prohibited from Microsoft Defender scanning is not secure, according to security researchers, and any local user can access it.
Local users can access the registry irrespective of their permissions to learn the locations that Microsoft Defender is not permitted to examine for malware or malicious files. Antonio Cocomazzi, a SentinelOne threat analyst who is credited with discovering the RemotePotato0 flaw, warns that there is no protection for this information, which should be deemed sensitive, and that performing the “reg query” command discloses almost everything Microsoft Defender is not supposed to examine, including files, folders, extensions, and processes.
Nathan McNulty, another security analyst, verified that the problem exists in Windows 10 versions 21H1 and 21H2, but not in Windows 11. McNulty also validated that the list of exclusions may be retrieved from the registry tree’s entries containing Group Policy settings. This information is particularly sensitive because it allows for various computer exclusions.
McNulty, a security architect who specializes in defending the Microsoft stack, warns that Microsoft Defender on a server has “automatic exclusions that become triggered when specific roles or features are deployed,” which do not cover bespoke locations.
Even though a cybercriminal needs local access to obtain the Microsoft Defender exclusions list, this is by no means a significant barrier. Many hackers are already infiltrating corporate networks in search of a technique to go horizontally as quietly as possible. A malicious attacker who has previously infected a Windows PC can use the list of Microsoft Defender exclusions to store and execute malware from the excluded folders without being detected.
This Microsoft Defender flaw isn’t new, and Paul Bolton has previously discussed it publicly. According to a senior security consultant, they first identified the problem eight years ago and realized the benefit it offered to malware developers. Given that Microsoft has yet to fix the issue, network administrators should check the guidelines for properly implementing Microsoft Defender exclusions via group policies on servers and local computers.