Because of a Flaw in Microsoft Defender, Threat Actors can Evade Detection

The issue appears to affect Windows 10 21H1 and Windows 10 21H2.

Threat actors can use a weakness in Microsoft Defender antivirus on Windows to learn which locations are excluded from scanning and plant malware there. According to several users, the issue has existed for at least eight years and affects both Windows 10 21H1 and Windows 10 21H2. According to security researchers, the list of locations that Microsoft Defender does not scan is unprotected and readable by any local user.

Windows Defender is the anti-malware component of Microsoft Windows. It was first made available as a free anti-spyware download for Windows XP and was later bundled with Windows Vista and Windows 7. It has since evolved into a full antivirus solution, replacing Microsoft Security Essentials in Windows 8 and later editions.

Local users, regardless of their privileges, can query the registry to see which paths Microsoft Defender is not permitted to scan for malware or harmful files. According to Antonio Cocomazzi, the SentinelOne threat researcher who reported the RemotePotato0 vulnerability, this sensitive information is not protected at all: running the "reg query" command reveals everything Microsoft Defender is configured not to scan, whether files, folders, extensions, or processes.

Like any other antivirus product, Microsoft Defender lets users specify which locations (local or network) on their PCs should be excluded from malware scanning. Exclusions are routinely used to stop the antivirus from interfering with legitimate applications that it has wrongly flagged as malware. Because the set of exclusions varies from one machine to another, this information is valuable to an attacker who is already on the system: it tells them where they can drop malicious files without fear of detection.
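As an added example (not code from the original post or from the researchers it cites), the following PowerShell script performs the check described above from an ordinary, non-elevated user session: it reads Defender's exclusion registry keys, lists what is excluded in each category, and inspects each key's ACL to report whether non-admin principals are allowed to query it. The two registry paths are the ones Defender uses for locally configured and Group Policy-delivered exclusions; the function name `Get-DefenderExclusionExposure` is my own, and the script only reads, it changes nothing.

```powershell
# Added example, not from the original post. Read Microsoft Defender's
# exclusion lists the way a standard user can, and report whether the keys
# are readable by non-admin principals. Read-only; nothing is changed.
#
# Equivalent one-liners the post refers to:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
#   Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess

function Get-DefenderExclusionExposure {
    [CmdletBinding()]
    param(
        # Locally configured exclusions (Security Center UI / Add-MpPreference)
        # and exclusions pushed by Group Policy live under different keys.
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
        )
    )

    $lowPriv     = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            [pscustomobject]@{ Key = $root; Category = '-'; Exclusions = @(); NonAdminReadable = $false; Note = 'key not present' }
            continue
        }

        # Who may query the values? This ACL is what makes the leak possible.
        $readable = $false
        try {
            $acl = Get-Acl -LiteralPath $root
            $readable = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $_.IdentityReference.Value -and
                (($_.RegistryRights -band $queryValues) -ne 0)
            })
        } catch { }

        # Subkeys are Paths, Extensions, Processes (IpAddresses on newer builds).
        # Each exclusion is stored as a value NAME with DWORD data 0, so the
        # interesting data is the property names, not their values.
        try {
            foreach ($sub in Get-ChildItem -LiteralPath $root -ErrorAction Stop) {
                $props = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction Stop
                $names = @($props.PSObject.Properties |
                    Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' } |
                    ForEach-Object { $_.Name })
                [pscustomobject]@{
                    Key              = $root
                    Category         = $sub.PSChildName
                    Exclusions       = $names
                    NonAdminReadable = $readable
                    Note             = ''
                }
            }
        } catch {
            # A hardened ACL produces this branch instead of a list: the leak
            # described in the post is exactly the absence of this error.
            [pscustomobject]@{ Key = $root; Category = '-'; Exclusions = @(); NonAdminReadable = $false; Note = "access denied: $($_.Exception.Message)" }
        }
    }
}

Get-DefenderExclusionExposure |
    Select-Object Key, Category, NonAdminReadable, Note, @{ n = 'Exclusions'; e = { $_.Exclusions -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

Run it from a non-elevated PowerShell window. A populated Exclusions column together with NonAdminReadable set to True means any local account on the host can read the list the post describes. The second key is included because moving exclusion management to Group Policy only moves the list to that key; whether that key is any better protected on a given build is what the ACL column reports, so check it rather than assume.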

On Windows Server 2016 and Windows Server 2019, by contrast, Microsoft Defender Antivirus automatically applies certain exclusions based on the installed server roles. These automatic exclusions do not appear in the normal exclusion lists. Because Microsoft Defender Antivirus is built into Windows Server 2016 and later, exclusions for operating system files and server roles are automated, while custom exclusions can still be defined by administrators.

Although a threat actor needs local access to read the Microsoft Defender exclusion list, that is hardly an obstacle. Many attackers already have a foothold inside compromised business networks and are looking for ways to move laterally as quietly as possible.

According to BleepingComputer, the flaw was discovered in May by researcher Paul Bolton. Because Microsoft has yet to patch it, security researchers advise administrators to configure Microsoft Defender through Group Policy when setting up their systems. Exclusions should also be kept to the minimum a workload actually needs, since every excluded path is a place where an attacker on the host can hide.
Cyber Security

Microsoft

Security Researchers

Threat actors

Windows Defender