Microsoft Windows Defender has a bug that allows malware to slip through undetected

An attacker can take advantage of a weakness in Microsoft Defender Antivirus functionality to plant malware in locations that Windows Defender excludes from scanning.

The issue has been around for at least eight years, although it was only recently identified and affects Windows 10 21H1 and Windows 10 21H2.

Add locations

Microsoft Defender can exclude specific locations on your computer from scanning, to ensure that areas containing important information aren’t inadvertently damaged by an antivirus scan.

There are many legitimate software applications that, for various reasons, antivirus programs mistakenly identify as malware and thereby quarantine or block access to a computer.

If a user includes a username in their exception list, this could give an attacker useful information about the system. It allows them to store malicious files in areas of the computer that are not checked during a routine scan.

Security researchers have discovered that Microsoft’s Defender security software excludes a list of dangerous locations from scanning, but any local user can access them.

Cover compromised

Although Windows Defender is allowed to check the registry for malware and dangerous files, local users can query the registry to determine which paths Defender is not allowed to check.

Antonio Cocomazzi, the threat researcher credited with discovering the RemotePotato0 vulnerability, notes that there is no security for this information.

While Microsoft Defender doesn’t scan everything, its “reg query” command reveals what the program is instructed not to scan, including files, folders, extensions, and processes.

Another Windows security expert, Nathan McNulty, claims that the problem is only present on Windows 10 versions 21H1 and 21H2, but will not affect Windows 11.

Group Policy Settings

Another way to get Group Policy settings is to retrieve the list of exclusions from the registry. This information provides details about what is excluded and is more sensitive than just listing the active settings on a particular computer.

Microsoft recommends disabling automatic exclusions in Microsoft Defender when the server platform is not dedicated to the Microsoft stack, McNulty explains. If a server is running non-Microsoft software, you must allow Defender to scan arbitrary locations.

Even though the list of Microsoft Defender exclusions can be obtained by an attacker with local access, this is a small challenge.

When a corporate network is already compromised, attackers are often looking for ways to get around using less visible tools.

Full Scan

Microsoft Defender allows the exclusion of certain folders to prevent antivirus from scanning files in those locations. The malware writer can then store and execute infected files from these folders undetected.

A senior security consultant says he first noticed the problem about eight years ago and immediately understood its potential for misuse.

“I always figured if I was some sort of malware developer I would just look for WD exclusions and make sure to drop my payload into an excluded folder and/or name it something like an excluded filename or extension,” Aura explained.

If you are a network administrator for a Microsoft environment, consult your Microsoft documentation to learn how to exclude the Defender program from scanning and running on all your servers and local machines.

What are your main concerns about the loophole that gives hackers the ability to bypass Microsoft Defender? Share your thoughts with us in the comments section below.