Tech TroubleShooters

Microsoft Defender Scanning Exceptions Can Let Hackers Bypass Malware Detection

Jan 19, 2022 | News & Updates

A flaw in Microsoft Defender antivirus on Windows can potentially allow threat actors to learn about the locations excluded from scanning and install malware there.

Some users report that the issue has been there for at least 8 years and affects Windows 10 21H1 and Windows 21H2.

Like any antivirus software, Microsoft Defender lets users choose locations on their systems that should be excluded from malware scanning. This is normally done to prevent the antivirus from mistaking genuine software for malware and affecting its functionality.

Since scanning exclusions differ from user to user, the list is useful information for an attacker: it tells them where malicious files can be planted without fear of being caught.

Security researchers have found that the exclusion list is unprotected and can be accessed by any local user, regardless of their permissions.

Antonio Cocomazzi, a SentinelOne threat researcher, pointed out that although this information is sensitive, it is not secured, and that executing the ‘reg query’ command discloses everything that Microsoft Defender is instructed not to scan.

Another security researcher, Nathan McNulty, also confirmed that the issue exists on Windows 21H1 and Windows 21H2, but not on Windows 11.

To verify the researchers' findings, BleepingComputer ran tests in which it confirmed that a malware strain executed from an excluded folder ran unhindered on the Windows system and triggered no alerts from Microsoft Defender.

Given that it’s been this long and Microsoft has yet to address the issue, network administrators are advised to consult the Microsoft documentation for correctly configuring Microsoft Defender exclusions.
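One way for an administrator to review existing exclusions is to check whether any excluded path is writable by ordinary users, since those are the locations where the exposure described above matters most. The script below is an added example, not code from the original article or from Microsoft; it uses the Get-MpPreference and Get-Acl cmdlets, and the list of low-privileged principals (English account names) is an assumption to adjust per environment.

```powershell
#Requires -RunAsAdministrator
# Added example: list Defender path exclusions and flag those that
# low-privileged principals can write to. Run from an elevated session.

# Principals treated as low-privileged (assumption; English names, adjust as needed).
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE')

# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$writeMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        # Simplification: only Allow entries are evaluated; Deny entries are ignored.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# ExclusionPath is empty when no path exclusions are configured.
$paths = (Get-MpPreference).ExclusionPath

$report = foreach ($p in $paths) {
    $expanded = [Environment]::ExpandEnvironmentVariables($p)
    $status = if ($expanded -match '[*?]') { 'Wildcard: review manually' }
              elseif (-not (Test-Path -LiteralPath $expanded)) { 'Path not found' }
              elseif (Test-LowPrivWritable -Path $expanded) { 'WRITABLE by low-privileged users' }
              else { 'OK' }
    [pscustomobject]@{ Exclusion = $p; Status = $status }
}

$report | Format-Table -AutoSize
```

Exclusions inside a user's own profile are writable by that user even when none of the listed groups has write access, so they need a separate look.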
