Threat actors can bypass malware detection due to Microsoft Defender weakness

4 months ago 18

A weakness in the Microsoft Defender antivirus can allow attackers to retrieve information to use to avoid detection.

Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders plant malware to avoid the AV scanning.

Microsoft Defender allows users to exclude locations on their machines that should be excluded from scanning by the security solution.

The knowledge of the list of scanning exceptions allows attackers to know where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide were store their malicious tools and malware without being detected.

The issue seems to affect Windows 10 21H1 and Windows 10 21H2 since at least eight years, but it does not affect Windows 11.

Noticed that almost 8 years ago when I started in Tech Support. Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension…

— Aura (@SecurityAura) January 12, 2022

SentinelOne threat researcher Antonio Cocomazzi pointed out that the list of scanning exceptions can be accessed by any local user, regardless of its permissions.

Running the “reg query” command it is possible to access the list.

Windows Defender AV allows Everyone to read the configured exclusions on the system 🤦

reg query "HKLMSOFTWAREMicrosoftWindows DefenderExclusions" /s

— Antonio Cocomazzi (@splinter_code) January 12, 2022
Microsoft Defender exclusion list

The security researcher Nathan McNulty highlighted that when Microsoft Defender is installed on a server, there are automatic exclusions that are set up when specific roles or features are installed.

Finally, for those configuring Defender AV on servers, be aware that there are automatic exclusions that get enabled when specific roles or features are installed

They do not cover non-default install locations, and you should review the list here:

— Nathan McNulty (@NathanMcNulty) January 12, 2022

According to BleepingComputer, the weakness was first reported by the researcher Paul Bolton in May:

This also works for the "Policies" path when using GPOs, such as HKLM:SOFTWAREPoliciesMicrosoftWindows DefenderExclusionsProcesses
MSRC view this more of a product suggestion for Defender 2/2

— Paul Bolton (m0noc) (@overtsecrecy) May 5, 2021

Microsoft has yet to address the weakness, for this reason, administrators should use group policy to configure Microsoft Defender while installing their systems [1, 2].  exclusions on servers and local machines via group policies.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Read Entire Article