Threat actors can take advantage of a weakness in Microsoft Defender Antivirus on Windows to learn which locations are excluded from scanning and plant malware there.
The problem has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.
Like any antivirus solution, Microsoft Defender allows users to add locations (local or on the network) on their systems that should be excluded from malware scans.
People usually make exclusions to prevent antivirus from affecting the functionality of legitimate apps that are mistakenly detected as malware.
Since the list of scan exceptions differs from user to user, this is useful information for an attacker on the system as it gives him the locations where he can store malicious files without fear of being detected.
Security researchers have discovered that Microsoft Defender’s list of locations excluded from scanning is unprotected and can be accessed by any local user.
Regardless of their permissions, local users can query the registry and discover paths that Microsoft Defender is not allowed to check for malware or dangerous files.
Antonio Cocomazzi, a SentinelOne threat researcher who is credited with reporting the RemotePotato0 vulnerability, points out that there is no protection for this information, which should be considered sensitive, and that running the “reg query” command reveals anything that Microsoft Defender is instructed not to scan, that it is whether files, folders, extensions or processes.
Another security expert, Nathan McNulty, confirmed that the problem is present on Windows 10 versions 21H1 and 21H2, but does not affect Windows 11.
McNulty also confirmed that one can retrieve the list of exclusions from the registry tree with entries that store Group Policy settings. This information is more sensitive because it provides exclusions for multiple computers.
A security architect versed in Microsoft stack protection, McNulty warns that Microsoft Defender on a server has “automatic exclusions that are enabled when specific roles or features are installed” and these do not cover custom locations.
Although a malicious actor needs local access to obtain Microsoft Defender’s exclusion list, this is far from a barrier. Many attackers are already on compromised corporate networks looking for a way to move laterally as stealthily as possible.
By knowing Microsoft Defender’s list of exclusions, a malicious actor who has already compromised a Windows machine can then store and run malware from the excluded folders without fear of detection.
In testing by BleepingComputer, a malware strain running from an excluded folder ran unhindered on the Windows system and did not trigger any alerts from Microsoft Defender.
We used a Conti ransomware sample and when it ran from a normal location, Microsoft Defender launched and blocked the malware.
After placing the Conti malware in an excluded folder and running it from there, Microsoft Defender displayed no warnings and took no action, allowing the ransomware to encrypt the machine.
This Microsoft Defender weakness is not new and has been publicly pointed out in the past by Paul Bolton:
A senior security consultant says they noticed the problem about eight years ago and recognized the advantage it offered a malware developer.
“I always figured if I was some sort of malware developer I would just look for WD exclusions and make sure to drop my payload into an excluded folder and/or name it something like an excluded filename or extension” – Will have
Since it’s been so long and Microsoft hasn’t fixed the issue yet, network administrators should consult the documentation to properly configure Microsoft Defender. exclusions on servers and local machines through group policies.