Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there.
The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.
Lax permissions
Like any antivirus solution, Microsoft Defender lets users add locations (local or on the network) on their systems that should be excluded from malware scans.
People commonly make exclusions to prevent antivirus from affecting the functionality of legitimate applications that are erroneously detected as malware.
Since the list of scanning exceptions differs from one user to another, it is useful information for an attacker on the system, since this gives them the locations where they can store malicious fileswithout fear of being detected.
Security researchers discovered that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it.
Regardless of their permissions, local users can query the registry and learn the paths that Microsoft Defender is not allowed to check for malware or dangerous files.
Antonio Cocomazzi, a SentinelOne threat researcher who is credited for reporting theRemotePotato0vulnerability,points outthat there is no protection for this information, which should be considered sensitive, and that running the “reg query” command reveals everything that Microsoft Defender is instructed not to scan, be it files, folders, extensions, or processes.
Another security expert,Nathan McNulty, confirmed that the issue is present on Windows 10 versions 21H1 and 21H2 but it does not affect Windows 11.
McNulty also confirmed that one can grab the list of exclusions from the registry tree with entries that store Group Policy settings. This information is more sensitive as it provides exclusions for multiple computers.
A security architect versed in protecting the Microsoft stack,McNulty warnsthat Microsoft Defender on a server has “automatic exclusions that get enabled when specific roles or features are installed” and these do not cover custom locations.
Although a threat actor needs local access to get the Microsoft Defender exclusions list, this is far from being a hurdle. Many attackers are already on compromised corporate networks looking for a way to move laterally as stealthily as possible.
By knowing the list of Microsoft Defender exclusions, a threat actor that already compromised a Windows machine can then store and execute malware from the excluded folders without fear of being spotted.
In tests done by BleepingComputer, a malware strain executed from an excluded folder ran unhindered on the Windows system and triggered no alert from Microsoft Defender.
We used a sample of Conti ransomware and when it executed from a normal location Microsoft Defender kicked in and blocked the malware.
After placing Conti malware in an excluded folder and running it from there, Microsoft Defender did not show any warning and did not take any action, allowing the ransomware to encrypt the machine.
This Microsoft Defender weakness is not new and has been highlighted publicly in the past by Paul Bolton:
A senior security consultant says that theynoticed the issue about eight years agoand recognized the advantage it provided to a malware developer.
"Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension" -Aura
Given that it's been this long and Microsoft has yet to address the problem, network administrators should consult the documentation for properly configuring Microsoft Defenderexclusions on servers and local machinesvia group policies.
Related Articles:
Windows 10 KB5026435 update released with 2 new features, 18 fixes
Windows 10 KB5026361 and KB5026362 updates released
Windows 10 KB5025297 preview update released with 10 fixes
Microsoft Defender update causes Windows Hardware Stack Protection mess
Windows 10 KB5025221 and KB5025229 updates released
FAQs
Is Windows Defender good against hackers? ›
Microsoft Defender Firewall comes with the security suite
As an additional layer of protection, you get a firewall that helps keep sneaky hackers from gaining access to your device.
Is Microsoft Defender antivirus safe? Microsoft Defender antivirus is pretty safe. It has almost 100% real-time protection rates, according to independent tests. It also has additional features for device protection against malware, such as scanning, app and browser control, and account protection options.
Will Microsoft Defender detect malware? ›Microsoft Defender has powerful built-in features that can help protect your device against malware. Note: Microsoft Defender currently offers anti-malware only on Windows, Mac, and Android. When you first set-up Microsoft Defender on your device we'll run an initial scan to make sure you're starting off clean.
Can Microsoft Defender remove malware? ›Windows Defender and Microsoft Security Essentials are powerful scanning tools that find and remove malware from your PC.
What are the disadvantages of Windows Defender? ›- Lacks integrated dashboard for all devices using Windows Defender.
- No accountability if the computer is infected by malware.
- Limited features for large scale use.
- Slows down installation of frequently-used applications.
Although Windows 10 has built-in antivirus protection in the form of Windows Defender, it still needs additional software, either Defender for Endpoint or a third-party antivirus. That is because Windows Defender lacks endpoint protection as well as full-service investigation and remediation of threats.
Can Windows Defender scan all viruses? ›Your device will be actively protected from the moment you start Windows. Windows Security continually scans for malware (malicious software), viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats.
Can Windows Defender detect Trojans? ›How to protect against trojans. Use the following free Microsoft software to detect and remove it: Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for previous versions of Windows. Microsoft Safety Scanner.
How do I remove all malware from my computer? ›- Step 1: Disconnect from the internet. ...
- Step 2: Enter safe mode. ...
- Step 3: Check your activity monitor for malicious applications. ...
- Step 4: Run a malware scanner. ...
- Step 5: Fix your web browser. ...
- Step 6: Clear your cache.
A stealth virus is a computer virus that uses various mechanisms to avoid detection by antivirus software. It takes its name from the term stealth, which describes an approach to doing something while avoiding notice.
Does Microsoft Defender protect against ransomware? ›
Microsoft Defender for Endpoint helps prevent, detect, investigate, and respond to advanced threats, such as ransomware attacks.
What are the benefits of Microsoft Defender? ›Microsoft Defender Antivirus collects underlying system data used by threat analytics and Microsoft Secure Score for Devices. This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture.
Does Windows Defender slow down your computer? ›Defender activities like scheduled scans, frequent definition update checks, and file hash computations can tank system performance if your PC isn't well-equipped. So, disabling/adjusting these features can help minimize Defender's performance impact.
What are the disadvantages of Defender for endpoint? ›Microsoft Defender for Endpoint Cons. It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception...
Is McAfee better than Windows Defender? ›Overall, both antiviruses offer excellent protection against real-time malware attacks, phishing, and other online threats, but Microsoft Defender offers near-perfect protection, while McAfee protects you from 100% of threats online and offline.
Which AntiVirus is better than Windows Defender? ›| Malware Detection Test Results | Supported Platforms | |
|---|---|---|
| Norton | 100% | Windows, Mac, Android, iOS |
| McAfee | 100% | Windows, Mac, Android, iOS |
| TotalAV | 99% | Windows, Mac, Android, iOS |
| iolo | Tests underway | Windows |
You do need an antivirus for Windows 10, even though it comes with Microsoft Defender Antivirus. That's because this software lacks endpoint protection and response plus automated investigation and remediation.
Can Windows Defender remove virus from USB? ›Microsoft Defender makes it easy to scan your Windows computer for viruses and malware. Several scans are available, including a quick and offline scan. But did you know that you can also use Microsoft Defender to scan your removable and external drives? Here's how.
Can Windows Defender detect USB virus? ›If you are using a third-party antivirus, you will need to check if a similar feature is offered with that software. Microsoft Defender's Limited Periodic Scanning, which is available even if you use a third-party antivirus, doesn't include automatic scans of USB drives.
Can a Trojan virus go undetected? ›Malware can take many forms, including viruses, worms, trojan horses, ransomware, and spyware. Can malware be undetected? Yes, malware can hide itself and antivirus and other protection programs may not catch it.
How do I find hidden malware on my computer? ›
Open your Windows Security settings. Select Virus & threat protection > Scan options. Select Windows Defender Offline scan, and then select Scan now.
Does wiping your PC remove all malware? ›Running a factory reset, also referred to as a Windows Reset or reformat and reinstall, will destroy all data stored on the computer's hard drive and all but the most complex viruses with it. Viruses can't damage the computer itself and factory resets clear out where viruses hide.
Can you tell if your computer is infected with malware? ›Scan your device for malware.
Run a malware or security Delete anything it identifies as a problem. You may have to restart your device for the changes to take effect. Run your scan again to make sure everything is clear. If the scan shows there are no more issues, you've likely removed the malware.
Rootkits. The rootkit malware is dangerous and extremely hard to detect.
Which malware can spy on you? ›Spyware is a form of malware that hides on your device, monitors your activity, and steals sensitive information like bank details and passwords.
Is Windows Defender good enough for ransomware? ›Microsoft Defender for Endpoint helps prevent, detect, investigate, and respond to advanced threats, such as ransomware attacks.
Does Windows Defender work against phishing? ›In organizations with Microsoft Defender for Office 365, anti-phishing policies provide the following types of protection: The same anti-spoofing protection that's available in Exchange Online Protection (EOP). For more information, see Spoof settings. Anti-impersonation protection from other types of phishing attacks.
Can viruses evade Windows Defender? ›Signature evasion is a technique used to make malware more difficult to detect. Hackers will use this technique to make their malware look like something else. This makes it almost impossible for Windows Defender to detect the malware.
Is Malwarebytes better than Windows Defender? ›Comparison Results: Microsoft Defender has an edge in this comparison. According to reviews, it is more lightweight than Malwarebytes. To learn more, read our detailed Malwarebytes vs. Microsoft Defender for Endpoint Report (Updated: May 2023).
Is AVG free better than Windows Defender? ›Significant performance impact
AV-Comparatives' October 2021 Performance Test found Microsoft Defender to have a much stronger effect on performance than AVG AntiVirus FREE — hindering usability when copying files, archiving and unarchiving data, and installing apps.