
Microsoft Windows Defender has a bug that lets malware slip through undetected


Published on January 14, 2022


Key notes

An attacker can take advantage of a weakness in the Microsoft Defender antivirus feature to plant malware in locations that Windows Defender excludes from scanning.

The issue has existed for at least eight years, though it was identified only recently, and it affects Windows 10 21H1 and Windows 10 21H2.

Add locations

Microsoft Defender can exclude specific locations on your computer from scanning, to make sure that areas containing important information are not inadvertently damaged by an antivirus scan.

There are many legitimate software applications that, for various reasons, antivirus programs mistakenly identify as malware and thus quarantine or block from accessing a computer.

If a user includes a username in their list of exceptions, it might give an attacker useful information about the system. The list also tells them which areas of the computer are not searched during a routine scan, so they can store malicious files there.

Security researchers found that Microsoft Defender keeps a list of locations it excludes from scanning (dangerous precisely because they go unscanned), and that any local user can read that list.

Compromised coverage

Although Windows Defender itself checks the registry for malware and dangerous files, local users can query that same registry to determine which paths Defender is not allowed to check.

Antonio Cocomazzi, the threat researcher credited with the discovery of the RemotePotato0 vulnerability, notes there is no security for this information.

Microsoft Defender doesn’t scan everything, and the standard Windows “reg query” command reveals what the program is instructed not to scan: files, folders, extensions, and processes.

Another Windows security expert, Nathan McNulty, says the issue is present only on Windows 10 versions 21H1 and 21H2 and does not affect Windows 11.

Group policy settings

Exclusions pushed through Group Policy can also be read from the registry. That information reveals exactly what is being excluded, which is more sensitive than simply listing which settings are active on a particular computer.

Microsoft recommends that you disable automatic exclusions in Microsoft Defender when the server platform is not dedicated to the Microsoft stack, McNulty says. If a server is running non-Microsoft software, you should allow Defender to scan the locations it would otherwise exclude automatically.

Obtaining the Microsoft Defender exclusion list requires local access, but for an attacker that is a small hurdle to overcome.
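The two points above, that the exclusion list is readable from the registry and that automatic exclusions should be turned off on mixed-use servers, lend themselves to a routine audit. The following PowerShell script is an added example written for this page, not code from the article or from Microsoft. It assumes the documented Defender exclusion registry keys (the local ones under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions and the Group Policy ones under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions) and the Get-MpPreference cmdlet, and it should be run in an elevated PowerShell session on the machine being audited. The risk patterns it flags (usernames in paths, user-writable staging folders, wildcards, executable extensions) are the script's own heuristics, not rules from the article.

```powershell
# Added audit example: who can read the Defender exclusion keys, and which
# configured exclusions deserve a second look. Not part of the original article.

# Documented exclusion locations. Keys exist only once an exclusion of that
# kind has been configured, so missing keys are skipped rather than reported.
$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes'
)

function Get-ExclusionKeyReaders {
    # Lists every Allow ACE on each existing exclusion key, so an operator can
    # see whether broad groups such as BUILTIN\Users or Everyone are granted
    # read rights. Rights are reported as-is; generic-mapped ACEs show as
    # numeric values and should be interpreted by the reviewer.
    foreach ($key in $ExclusionKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            [pscustomobject]@{
                Key       = $key
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ExclusionFindings {
    # Reads the effective exclusion configuration through the Defender module
    # and applies simple heuristics (assumptions of this example) to each entry.
    $pref = Get-MpPreference
    $findings = @()

    foreach ($p in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrEmpty($p)) { continue }
        $reason = $null
        if ($p -match '^[A-Za-z]:\\Users\\([^\\]+)') {
            # The article's point: a username in an exclusion leaks information.
            $reason = "path reveals username '$($Matches[1])'"
        } elseif ($p -match '(?i)\\(Temp|Downloads|Public)(\\|$)') {
            $reason = 'excludes a user-writable staging directory'
        } elseif ($p -match '\*') {
            $reason = 'wildcard exclusion covers more than one location'
        }
        if ($reason) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = $reason }
        }
    }

    foreach ($e in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrEmpty($e)) { continue }
        if ($e -match '(?i)^\.?(exe|dll|ps1|bat|cmd|vbs|js)$') {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'executable content excluded by extension' }
        }
    }

    foreach ($proc in @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrEmpty($proc)) { continue }
        # Files opened by an excluded process are not scanned in real time.
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'files opened by this process are not scanned' }
    }

    if (-not $pref.DisableAutoExclusions) {
        # Mirrors the recommendation quoted in the article for servers that
        # are not dedicated to the Microsoft stack.
        $findings += [pscustomobject]@{ Type = 'Setting'; Value = 'DisableAutoExclusions = False'
                                        Reason = 'server-role automatic exclusions are active; disable on servers running non-Microsoft software' }
    }

    return $findings
}

Write-Host '== Identities with Allow ACEs on exclusion keys =='
Get-ExclusionKeyReaders | Format-Table -AutoSize

Write-Host '== Exclusion findings =='
Get-ExclusionFindings | Format-Table -AutoSize
```

Removing an unneeded exclusion is done with Remove-MpPreference (for example -ExclusionPath), and the automatic server-role exclusions are switched off with Set-MpPreference -DisableAutoExclusions $true; both are standard Defender cmdlets. The ACL listing does not change anything: it exists so that an administrator can confirm, per machine, exactly which local identities can enumerate the list the article describes.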

When a corporate network is already compromised, attackers are often on the lookout for ways to move around using less noticeable tools.

Full scan

Microsoft Defender allows the exclusion of certain folders to keep the antivirus from scanning files in those locations. The malware author can then store and execute infected files from those folders without being spotted.

A senior security consultant says that he first noticed the issue about eight years ago, and immediately understood its potential for malicious use.

“Always told myself that if I was some kind of malware dev I would just look up the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension,” explained Aura.

If you are a network administrator for a Microsoft environment, consult the Microsoft documentation for information on how Defender exclusions are configured on all of your servers and local machines.

What are your major concerns about the loophole that presents hackers with the opportunity to bypass Microsoft Defender? Share your thoughts with us in the comment section below.

Don Sharpe

Tech Journalist

Don has been writing professionally for over 10 years now, but his passion for the written word started back in his elementary school days. His work has been published on Livebitcoinnews.com, Learnbonds.com, eHow, AskMen.com, Forexminute.com, The Writers Network and a host of other companies.
