- Microsoft’s Defender antivirus software has a flaw that could allow hackers to execute malicious code on vulnerable Windows PCs.
- For at least eight years, this issue has plagued Windows 10 21H1 and Windows 10 21H2; however, it was only recently discovered and identified.
- The flaw allows hackers to store malware in locations the computer does not routinely scan, letting them bypass virus scans.
An attacker can take advantage of a weakness in Microsoft Defender Antivirus functionality to plant malware in locations that Windows Defender excludes from scanning.
The issue has been around for at least eight years, although it was only recently identified and affects Windows 10 21H1 and Windows 10 21H2.
Microsoft Defender can exclude specific locations on your computer from scanning, to ensure that areas containing important information aren’t inadvertently damaged by an antivirus scan.
There are many legitimate software applications that, for various reasons, antivirus programs mistakenly identify as malware and thereby quarantine or block access to a computer.
If a user includes a username in their exception list, this can give an attacker useful information about the system. It allows them to store malicious files in areas of the computer that are not checked during a routine scan.
Security researchers have discovered that the list of locations Microsoft Defender excludes from scanning can be read by any local user.
Windows Defender is permitted to check for malware and dangerous files in the registry, but local users can also query the registry to find out which paths Defender has been told not to check.
Antonio Cocomazzi, the threat researcher credited with discovering the RemotePotato0 vulnerability, notes that there is no security for this information.
Although Microsoft Defender doesn’t scan everything, a simple “reg query” command reveals what the program has been instructed not to scan, including files, folders, extensions, and processes.
Another Windows security expert, Nathan McNulty, says the issue is only present on Windows 10 builds 21H1 and 21H2, but won’t affect Windows 11.
Group Policy Settings
Another way to get Group Policy settings is to retrieve the list of exclusions from the registry. This information provides details about what is excluded and is more sensitive than just listing the active settings on a particular computer.
Microsoft recommends disabling automatic exclusions in Microsoft Defender when the server platform is not dedicated to the Microsoft stack, McNulty explains. If a server is running non-Microsoft software, you must allow Defender to scan arbitrary locations.
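The following audit script is an added example and is not part of the article or of any Microsoft tooling. It assumes the two standard registry locations where Defender stores local and Group Policy exclusions, runs from an elevated PowerShell session on the host under review, and uses a constructed list of user-writable roots to flag exclusions that a standard user could write into.

```powershell
# Added audit script (not from the article). Assumed registry keys that hold
# local and Group Policy Defender exclusions; run from an elevated session.
$exclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
)
# Constructed list of user-writable roots: an excluded path under one of these
# lets a non-admin user place files where Defender will not look.
$riskyRoots = @("$env:SystemDrive\Users\", "$env:SystemDrive\Temp\", "$env:ProgramData\")

function Get-DefenderExclusionReport {
    $pref  = Get-MpPreference
    $paths = @($pref.ExclusionPath) | Where-Object { $_ }

    # Exclusions that sit inside a user-writable directory.
    $risky = $paths | Where-Object {
        $p = $_
        $riskyRoots | Where-Object { $p.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
    }

    # ACL entries that let broad local groups read the exclusion keys themselves.
    $broadReadable = foreach ($key in $exclusionKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-Acl -Path $key).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match 'BUILTIN\\Users|Everyone|Authenticated Users' -and
            $_.RegistryRights.ToString() -match 'ReadKey|QueryValues|FullControl'
        } | ForEach-Object { "$key : $($_.IdentityReference) has $($_.RegistryRights)" }
    }

    [pscustomobject]@{
        ExcludedPaths           = $paths
        ExcludedExtensions      = @($pref.ExclusionExtension) | Where-Object { $_ }
        ExcludedProcesses       = @($pref.ExclusionProcess) | Where-Object { $_ }
        RiskyUserWritable       = @($risky)
        ReadableByStandardUsers = @($broadReadable)
    }
}

$report = Get-DefenderExclusionReport
$report | Format-List
if ($report.ReadableByStandardUsers.Count -gt 0) {
    Write-Warning 'Exclusion list is readable by non-admin users; review key ACLs and trim exclusions.'
}
```

Review the RiskyUserWritable entries first: an exclusion covering a user-writable folder is the condition the article describes, regardless of whether the list itself is readable.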
Obtaining the list of Microsoft Defender exclusions requires local access, but for an attacker that is only a small hurdle.
Once a corporate network is already compromised, attackers are often looking for ways to operate without drawing attention, using tools that are less visible.
Microsoft Defender allows the exclusion of certain folders to prevent the antivirus from scanning files in those locations. The malware writer can then store and execute infected files from these folders undetected.
A senior security consultant says he first noticed the problem about eight years ago and immediately understood its potential for misuse.
“I always figured if I was some kind of malware developer I would just look for WD exclusions and make sure to drop my payload into an excluded folder and/or name it something like an excluded filename or extension,” Aura explained.
If you are a network administrator for a Microsoft environment, consult your Microsoft documentation to learn how Defender exclusions are configured and applied across all your servers and local machines.
What are your main concerns about the loophole that gives hackers the ability to bypass Microsoft Defender? Share your thoughts with us in the comments section below.