Microsoft Defender weakness lets hackers bypass malware detection (2023)


Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there.

The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.

Lax permissions

Like any antivirus solution, Microsoft Defender lets users add locations (local or on the network) on their systems that should be excluded from malware scans.

People commonly make exclusions to prevent antivirus from affecting the functionality of legitimate applications that are erroneously detected as malware.

Since the list of scanning exceptions differs from one user to another, it is useful information for an attacker already on the system: it tells them exactly where they can store malicious files without fear of detection.


Security researchers discovered that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it.

Regardless of their permissions, local users can query the registry and learn the paths that Microsoft Defender is not allowed to check for malware or dangerous files.


Antonio Cocomazzi, a SentinelOne threat researcher credited with reporting the RemotePotato0 vulnerability, points out that there is no protection for this information, which should be considered sensitive, and that running the “reg query” command reveals everything that Microsoft Defender is instructed not to scan, be it files, folders, extensions, or processes.


Another security expert, Nathan McNulty, confirmed that the issue is present on Windows 10 versions 21H1 and 21H2 but that it does not affect Windows 11.


McNulty also confirmed that the list of exclusions can be read from the registry tree that stores Group Policy settings. This information is more sensitive still, as it holds the exclusions applied to multiple computers.

A security architect versed in protecting the Microsoft stack, McNulty warns that Microsoft Defender on a server has “automatic exclusions that get enabled when specific roles or features are installed” and that these do not cover custom locations.

Although a threat actor needs local access to get the Microsoft Defender exclusions list, this is far from being a hurdle. Many attackers are already on compromised corporate networks looking for a way to move laterally as stealthily as possible.

By knowing the list of Microsoft Defender exclusions, a threat actor that already compromised a Windows machine can then store and execute malware from the excluded folders without fear of being spotted.
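The two paragraphs above describe the weakness from the attacker's side; the defender's counterpart is that reading the exclusion list and launching a binary from an excluded folder both leave traces in process-creation telemetry, which Defender exclusions do not suppress. The following Python script is an added example, not code from the article or from BleepingComputer. It flags (1) command lines that read the Defender exclusion configuration, via reg.exe against the local or Group Policy registry keys or via the Get-MpPreference cmdlet, and (2) any process whose image lives under a folder the organisation has excluded. The key paths, the simple key=value log format, the sample events and the exclusion list are all assumptions constructed for the example.

```python
"""Added example: spot Defender-exclusion abuse in process-creation logs.

Two signals are checked for every event:
  1. The command line reads the Defender exclusion list (registry keys or
     Get-MpPreference).  Any user can do this, so it is worth alerting on.
  2. The process image was started from inside an excluded folder.  Defender
     will not scan it, but Sysmon Event ID 1 / Windows 4688 still record it.

Log format, key paths, sample events and exclusions are constructed assumptions.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Registry keys that hold Defender exclusions: the local settings tree and the
# Group Policy tree.  Well-known key names, assumed here; not quoted from the article.
EXCLUSION_KEYS = (
    r"software\microsoft\windows defender\exclusions",
    r"software\policies\microsoft\windows defender\exclusions",
)
# PowerShell surface that returns the same information.
EXCLUSION_CMDLETS = ("get-mppreference", "exclusionpath",
                     "exclusionextension", "exclusionprocess")

# Exclusions an administrator configured (constructed for this example).
KNOWN_EXCLUSIONS = [r"C:\Tools\Build", r"D:\Backups"]

# Constructed process-creation events: Image|CommandLine|User.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\reg.exe|CommandLine=reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s|User=CORP\jdoe',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -c "Get-MpPreference | Select ExclusionPath"|User=CORP\jdoe',
    r'Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt|User=CORP\jdoe',
    r'Image=C:\Windows\System32\reg.exe|CommandLine=reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|User=CORP\admin',
    r'Image=C:\Tools\Build\update.exe|CommandLine=update.exe --silent|User=CORP\jdoe',
    r'Image=D:\Backups\nightly\helper.exe|CommandLine=helper.exe|User=NT AUTHORITY\SYSTEM',
    r'Image=C:\ToolsBuild\legit.exe|CommandLine=legit.exe|User=CORP\jdoe',
]

# The greedy cmdline group backtracks to the LAST "|User=", so a "|" inside a
# PowerShell pipeline does not break parsing.
EVENT_RE = re.compile(
    r"^Image=(?P<image>.*?)\|CommandLine=(?P<cmdline>.*)\|User=(?P<user>.*)$"
)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into image, cmdline and user."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return m.groupdict()


def reads_exclusion_list(cmdline: str) -> bool:
    """True when the command line reads the Defender exclusion configuration."""
    c = cmdline.lower()
    return any(k in c for k in EXCLUSION_KEYS) or any(x in c for x in EXCLUSION_CMDLETS)


def under_excluded_path(image: str, exclusions: List[str]) -> Optional[str]:
    """Return the exclusion folder containing `image`, matching whole path
    components (so C:\\ToolsBuild is not inside C:\\Tools\\Build)."""
    img = PureWindowsPath(image.lower())
    for ex in exclusions:
        try:
            img.relative_to(PureWindowsPath(ex.lower()))
            return ex
        except ValueError:
            continue
    return None


def analyze(lines: List[str], exclusions: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, user, detail) for every event that matches a rule."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if reads_exclusion_list(ev["cmdline"]):
            hits.append(("exclusion_list_read", ev["user"], ev["cmdline"]))
        ex = under_excluded_path(ev["image"], exclusions)
        if ex is not None:
            hits.append(("exec_from_excluded_path", ev["user"],
                         f"{ev['image']} (exclusion {ex})"))
    return hits


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the detector over the constructed events; expect four hits."""
    return analyze(SAMPLE_LOG, KNOWN_EXCLUSIONS)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"[{rule}] {user}: {detail}")
```

The second rule is the more important mitigation: an exclusion only tells the antivirus engine to look away, so every launch from an excluded folder should be treated as a high-signal event and compared against the small set of binaries that legitimately belong there. Command-line auditing (or Sysmon) must be enabled for the first rule to have anything to match on.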

In tests done by BleepingComputer, a malware strain executed from an excluded folder ran unhindered on the Windows system and triggered no alert from Microsoft Defender.

We used a sample of Conti ransomware, and when it executed from a normal location, Microsoft Defender kicked in and blocked the malware.


After placing Conti malware in an excluded folder and running it from there, Microsoft Defender did not show any warning and did not take any action, allowing the ransomware to encrypt the machine.

This Microsoft Defender weakness is not new; it was highlighted publicly in the past by Paul Bolton.


A senior security consultant says that they noticed the issue about eight years ago and recognized the advantage it provided to a malware developer.

"Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension" - Aura

Given that the problem has been known for this long and Microsoft has yet to address it, network administrators should consult the documentation on properly configuring Microsoft Defender exclusions on servers and local machines via Group Policy.



Is Windows Defender good against hackers?

Microsoft Defender Firewall comes with the security suite

As an additional layer of protection, you get a firewall that helps keep sneaky hackers from gaining access to your device.

How effective is Windows Defender against malware?

Is Microsoft Defender antivirus safe? Microsoft Defender antivirus is pretty safe. It has almost 100% real-time protection rates, according to independent tests. It also has additional features for device protection against malware, such as scanning, app and browser control, and account protection options.

Will Microsoft Defender detect malware?

Microsoft Defender has powerful built-in features that can help protect your device against malware. Note: Microsoft Defender currently offers anti-malware only on Windows, Mac, and Android. When you first set up Microsoft Defender on your device we'll run an initial scan to make sure you're starting off clean.

Can Microsoft Defender remove malware?

Windows Defender and Microsoft Security Essentials are powerful scanning tools that find and remove malware from your PC.

What are the disadvantages of Windows Defender?

Cons of Windows Defender:
  • Lacks integrated dashboard for all devices using Windows Defender.
  • No accountability if the computer is infected by malware.
  • Limited features for large scale use.
  • Slows down installation of frequently-used applications.

Do I need antivirus if I have Windows Defender?

Although Windows 10 has built-in antivirus protection in the form of Windows Defender, it still needs additional software, either Defender for Endpoint or a third-party antivirus. That is because Windows Defender lacks endpoint protection as well as full-service investigation and remediation of threats.

Can Windows Defender scan all viruses?

Your device will be actively protected from the moment you start Windows. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats.

Can Windows Defender detect Trojans?

How to protect against trojans: use the following free Microsoft software to detect and remove them: Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for previous versions of Windows, and Microsoft Safety Scanner.

How do I remove all malware from my computer?

Follow these six steps to malware removal on a PC.
  1. Disconnect from the internet. ...
  2. Enter safe mode. ...
  3. Check your activity monitor for malicious applications. ...
  4. Run a malware scanner. ...
  5. Fix your web browser. ...
  6. Clear your cache.

What is a malware that cannot be detected?

A stealth virus is a computer virus that uses various mechanisms to avoid detection by antivirus software. It takes its name from the term stealth, which describes an approach to doing something while avoiding notice.

Does Microsoft Defender protect against ransomware?

Microsoft Defender for Endpoint helps prevent, detect, investigate, and respond to advanced threats, such as ransomware attacks.

What are the benefits of Microsoft Defender?

Microsoft Defender Antivirus collects underlying system data used by threat analytics and Microsoft Secure Score for Devices. This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture.

Does Windows Defender slow down your computer?

Defender activities like scheduled scans, frequent definition update checks, and file hash computations can tank system performance if your PC isn't well-equipped. So, disabling/adjusting these features can help minimize Defender's performance impact.

What are the disadvantages of Defender for Endpoint?

Microsoft Defender for Endpoint Cons. It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception...

Is McAfee better than Windows Defender?

Overall, both antiviruses offer excellent protection against real-time malware attacks, phishing, and other online threats, but Microsoft Defender offers near-perfect protection, while McAfee protects you from 100% of threats online and offline.

Which antivirus is better than Windows Defender?

Comparison Table: Best Microsoft Defender Alternatives

Product    Malware Detection Test Results    Supported Platforms
Norton     100%                              Windows, Mac, Android, iOS
McAfee     100%                              Windows, Mac, Android, iOS
TotalAV    99%                               Windows, Mac, Android, iOS
iolo       Tests underway                    Windows

Do I need McAfee if I have Windows 10 Defender?

You do need an antivirus for Windows 10, even though it comes with Microsoft Defender Antivirus. That's because this software lacks endpoint protection and response plus automated investigation and remediation.

Can Windows Defender remove a virus from a USB drive?

Microsoft Defender makes it easy to scan your Windows computer for viruses and malware. Several scans are available, including a quick and offline scan. But did you know that you can also use Microsoft Defender to scan your removable and external drives? Here's how.

Can Windows Defender detect a USB virus?

If you are using a third-party antivirus, you will need to check if a similar feature is offered with that software. Microsoft Defender's Limited Periodic Scanning, which is available even if you use a third-party antivirus, doesn't include automatic scans of USB drives.

Can a Trojan virus go undetected?

Malware can take many forms, including viruses, worms, trojan horses, ransomware, and spyware. Can malware be undetected? Yes, malware can hide itself and antivirus and other protection programs may not catch it.

How do I find hidden malware on my computer?

Open your Windows Security settings. Select Virus & threat protection > Scan options. Select Windows Defender Offline scan, and then select Scan now.

Does wiping your PC remove all malware?

Running a factory reset, also referred to as a Windows Reset or reformat and reinstall, will destroy all data stored on the computer's hard drive and all but the most complex viruses with it. Viruses can't damage the computer itself and factory resets clear out where viruses hide.

Can you tell if your computer is infected with malware?

Scan your device for malware. Run a malware or security scan and delete anything it identifies as a problem. You may have to restart your device for the changes to take effect. Run your scan again to make sure everything is clear. If the scan shows there are no more issues, you've likely removed the malware.

What is the hardest malware to detect?

Rootkits. The rootkit malware is dangerous and extremely hard to detect.

Which malware can spy on you?

Spyware is a form of malware that hides on your device, monitors your activity, and steals sensitive information like bank details and passwords.

Is Windows Defender good enough for ransomware?

Microsoft Defender for Endpoint helps prevent, detect, investigate, and respond to advanced threats, such as ransomware attacks.

Does Windows Defender work against phishing?

In organizations with Microsoft Defender for Office 365, anti-phishing policies provide the following types of protection: The same anti-spoofing protection that's available in Exchange Online Protection (EOP). For more information, see Spoof settings. Anti-impersonation protection from other types of phishing attacks.

Can viruses evade Windows Defender?

Signature evasion is a technique used to make malware more difficult to detect. Hackers will use this technique to make their malware look like something else. This makes it almost impossible for Windows Defender to detect the malware.

Is Malwarebytes better than Windows Defender?

Comparison Results: Microsoft Defender has an edge in this comparison. According to reviews, it is more lightweight than Malwarebytes. To learn more, read our detailed Malwarebytes vs. Microsoft Defender for Endpoint Report (Updated: May 2023).

Is AVG Free better than Windows Defender?

Significant performance impact

AV-Comparatives' October 2021 Performance Test found Microsoft Defender to have a much stronger effect on performance than AVG AntiVirus FREE — hindering usability when copying files, archiving and unarchiving data, and installing apps.


Article information

Author: Virgilio Hermann JD

Last Updated: 27/09/2023
