Threat actors can bypass malware detection due to Microsoft Defender weakness

A weakness in the Microsoft Defender antivirus can allow attackers to retrieve information to use to avoid detection.

Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders plant malware to avoid the AV scanning.

Microsoft Defender allows users to exclude locations on their machines that should be excluded from scanning by the security solution.

The knowledge of the list of scanning exceptions allows attackers to know where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide were store their malicious tools and malware without being detected.

The issue seems to affect Windows 10 21H1 and Windows 10 21H2 since at least eight years, but it does not affect Windows 11.

SentinelOne threat researcher Antonio Cocomazzi pointed out that the list of scanning exceptions can be accessed by any local user, regardless of its permissions.

Running the “reg query” command it is possible to access the list.

The security researcher Nathan McNulty highlighted that when Microsoft Defender is installed on a server, there are automatic exclusions that are set up when specific roles or features are installed.

According to BleepingComputer, the weakness was first reported by the researcher Paul Bolton in May:

Microsoft has yet to address the weakness, for this reason, administrators should use group policy to configure Microsoft Defender while installing their systems [1, 2].  exclusions on servers and local machines via group policies.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]