Microsoft Defender Flaw that Enables Hackers to Evade Detection!

Though Microsoft is going the extra mile to bolster its security offerings, newly discovered vulnerabilities keep surfacing and bogging down the giant's cybersecurity aspirations.

Recently, Microsoft added new capabilities to its Defender tools to fend off the security risks spawned by the Apache Log4j flaw. Even before the new update gained traction, cybersecurity researchers spotted a new vulnerability that affects Microsoft Defender on Windows.

According to the researchers, hackers can potentially exploit this vulnerability to learn the list of locations excluded from Microsoft Defender scanning and plant malware there. More troubling still, the flaw has persisted for at least eight years.

Let’s dig deep into the details:

What Went Wrong with Microsoft Defender?

Like any antivirus solution, Microsoft Defender allows users to exclude locations on their systems from malware scanning. Users typically add exclusions so that the antivirus does not interfere with legitimate applications that are mistakenly flagged as malware.

This list of scanning exceptions is valuable to malicious actors, since they can stealthily store malicious files in the excluded locations without being detected.


The security researchers found that the list of locations exempted from Microsoft Defender scanning is not access-protected, and any unprivileged user can read it. So, regardless of their access rights, local users can query the registry and learn which locations Microsoft Defender is not allowed to check for malware or malicious files.

“There is no protection for this information, which should be considered sensitive, and that running the ‘reg query’ command reveals everything that Microsoft Defender is instructed not to scan, be it files, folders, extensions, or processes,” said Antonio Cocomazzi, a SentinelOne threat researcher who is credited with reporting the RemotePotato0 vulnerability.

Another security expert, Nathan McNulty, said that the issue was “confirmed on Windows 10 21H1 and 21H2, but interestingly, Windows 11 is not affected”. He also stated that hackers could access the list of exclusions from the registry tree that stores Group Policy settings.

“Finally, for those configuring Defender AV on servers, be aware that there are automatic exclusions that get enabled when specific roles or features are installed. They do not cover non-default install locations,” warned McNulty.
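The two registry locations mentioned above (the local Defender configuration and the Group Policy-managed tree) are where an administrator should look when auditing their own systems. The following PowerShell script is an added example written for this article, not code from Microsoft or from the researchers quoted here. It lists the effective exclusions through the documented Get-MpPreference cmdlet, checks whether the exclusion keys grant read access to non-administrative principals (the condition the article describes), and flags exclusions broad enough to cover a user-writable directory. The registry paths are the standard Defender locations; the list of "broad" path patterns is this script's own heuristic and should be tuned to the environment. It must be run from an elevated prompt.

```powershell
# Added example: audit Microsoft Defender exclusions and the permissions on the
# registry keys that store them. Run elevated on Windows 10 / Windows Server.
# Assumptions: standard Defender registry paths; "broad" patterns are a heuristic.

$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',          # local configuration
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'  # Group Policy-managed
)

# Heuristic: exclusions that cover whole drives or directories any user can write to.
$BroadPatterns = @(
    '^[A-Za-z]:\\?$',               # entire drive, e.g. C:\
    '\\Users\\Public',              # shared, world-writable profile
    '\\Windows\\Temp',              # system temp, writable by all users
    '\\AppData\\Local\\Temp',       # per-user temp
    '\\ProgramData\\?$'             # whole ProgramData tree
)

# 1. Effective exclusions as Defender itself reports them (requires admin).
$pref = Get-MpPreference
$exclusions = [ordered]@{
    Paths      = @($pref.ExclusionPath)      | Where-Object { $_ }
    Extensions = @($pref.ExclusionExtension) | Where-Object { $_ }
    Processes  = @($pref.ExclusionProcess)   | Where-Object { $_ }
}
foreach ($kind in $exclusions.Keys) {
    Write-Host ("[{0}] {1} entries" -f $kind, $exclusions[$kind].Count)
    $exclusions[$kind] | ForEach-Object { Write-Host "    $_" }
}

# 2. Flag path exclusions that match a broad / user-writable pattern.
foreach ($p in $exclusions.Paths) {
    foreach ($pat in $BroadPatterns) {
        if ($p -match $pat) {
            Write-Warning ("Broad exclusion: '{0}' matches pattern '{1}'" -f $p, $pat)
            break
        }
    }
}

# 3. Check who can read the keys. Low-privileged groups with read rights on the
#    exclusion keys mean any local user can enumerate the scan exceptions.
$LowPrivGroups = 'BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE'
foreach ($key in $ExclusionKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Host "[ACL] $key : key not present"
        continue
    }
    $acl = Get-Acl -Path $key
    $readers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $LowPrivGroups -and
        $_.RegistryRights.ToString() -match 'ReadKey|QueryValues|FullControl'
    }
    if ($readers) {
        Write-Warning ("{0} is readable by low-privileged principals:" -f $key)
        $readers | ForEach-Object {
            Write-Warning ("    {0} -> {1}" -f $_.IdentityReference.Value, $_.RegistryRights)
        }
    } else {
        Write-Host "[ACL] $key : no low-privileged read access found"
    }
}
```

The ACL check reports what the article describes rather than fixing it; tightening permissions on Defender's own keys is not a supported configuration change, so the practical mitigations remain keeping exclusions as narrow as possible, avoiding user-writable directories entirely, and monitoring for reads of those keys in the environment's audit logs.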

A Cake Walk for Cybercriminals

Perpetrators need local access to pilfer the Microsoft Defender exclusions list. However, that is rarely a hurdle for them: many unethical hackers are already on compromised networks, foraging for ways to stay undetected for as long as possible.

With the list of Defender exclusions at their disposal, an attacker who has already compromised a Windows machine can store and execute malware from the excluded folders without being detected.


This Microsoft Defender flaw is not new. Security researchers have publicly pointed it out before.

“Noticed that almost 8 years ago when I started in Tech Support. Always told myself that if I was some kind of malware dev, I would just look up the WD exclusions and make sure to drop my payload in an excluded folder and name it the same as an excluded filename or extension,” tweeted Aura, a senior security consultant. “Not surprised to see that it still has not been fixed yet.”

Given that cybercriminals exploit every available vulnerability, network administrators must consult the documentation to properly configure Microsoft Defender exclusions on servers and local machines via Group Policy. Seeking the services of information security providers like StealthLabs is also imperative in this time of uncertainty.

As a leading cybersecurity services provider, StealthLabs has been catering to the security needs of clients across the US. Whether you’re a Fortune 500 company or a budding enterprise, we have a robust solution customized to your specific objectives.

Let’s join forces and fend off cybersecurity risks, together.
