Microsoft makes Defender exclusions more difficult

by Don Sharpe
  • Microsoft Defender has shown tremendous improvement recently and has been receiving high scores.
  • Microsoft has made an important change to Windows Defender exclusions: only users with administrator rights can now view the excluded files.
  • This update matters because it prevents a malicious payload from being placed in an excluded location to bypass Windows Defender scanning.

Microsoft is finally addressing one of the major concerns with Defender, which is that it’s relatively easy to bypass when setting up exclusions. The issue has been that even a standard user can add an exclusion, and that can allow malware to evade scans.

Microsoft is changing the way it handles file exclusions in its Windows Defender antivirus software. The default setting will now require users to provide administrator privileges to add an exclusion, a move that Microsoft says will improve security.

Users of Windows 11 Home and Pro are currently able to exclude files from Defender scans without any extra permissions. In a post on its Tech Community site, Microsoft said that the change would help prevent malware from bypassing detection by adding exclusions.

The change seems relatively simple, but it could improve security for users who are not paying attention or are unaware of the risks of running Defender with real-time protection disabled.

Microsoft Defender’s score

This latest change to Microsoft Defender is designed to make bypassing Windows Defender scans harder by changing the permissions on Exclusions.

Microsoft Defender’s latest feature addresses this very issue: the company has changed how exclusions can be added to Windows Defender, making it harder for attackers to bypass scans from Windows Defender and other antivirus solutions on Windows 11.

In Microsoft Defender’s most recent assessments, the software received higher marks in its second year.

Microsoft’s improving score suggests that the company has made great strides in the field and will probably continue to improve over time.

Windows Defender exclusions

Bypassing antivirus scanners is nothing new. Ever since they were invented, hackers and malware authors have been looking for ways to evade them, and one of the easiest ways has been through exclusions.

Many antivirus programs allow you to exclude certain files or directories from scans to improve performance and prevent false positives. 

These exclusions are usually meant for large enterprise systems or big program installs that slow down the scanner. But they can also be used by hackers and malware authors to easily bypass scans.

According to Microsoft, the permissions for Windows Defender Exclusions have recently changed and users no longer have access to them if they are not an administrator.

The change is a result of a report from Microsoft that highlighted how a security hole could be used by attackers to hide malicious code on Windows 11 machines by adding files and folders to the exclusion list.

Microsoft has now changed the permissions required to view the Exclusions. Before this update, anyone with access to a machine could see the exclusions set on that machine.

However, after this update, it has been modified such that only someone with Administrator rights can view the Excluded files and folders.

The change essentially blocks access to the Registry key that contains the list of applications and files that are excluded from Defender scans. In previous versions of Windows 11, any user could access and edit the Exclusions list.

A standard user who queries the Registry key from the command line now gets an error; before the update, the same user could see the excluded files and folders.
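To verify the change described above on a given machine, the following PowerShell check (an added example, not from the article) inspects the ACL on Defender's exclusion registry keys and then tries to read each key as the current user. The key paths are the standard Defender exclusion locations under HKLM; run it once as a standard user and once elevated to compare the results.

```powershell
# Added example: verifies whether non-administrators can still see Defender exclusions.
# Keys below are the standard Defender exclusion locations in the registry.
$exclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes'
)

function Test-DefenderExclusionVisibility {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        $result = [ordered]@{ Key = $key; UsersHaveReadAce = $null; ReadableNow = $false; Entries = 0 }
        try {
            # Get-Acl needs READ_CONTROL; look for an Allow ReadKey ACE granted to ordinary users.
            $acl = Get-Acl -Path $key -ErrorAction Stop
            $usersRead = $acl.Access | Where-Object {
                $_.IdentityReference -match 'BUILTIN\\Users|Authenticated Users' -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::ReadKey)
            }
            $result.UsersHaveReadAce = [bool]$usersRead
        } catch {
            # If even the ACL cannot be read, the current user has no rights on the key.
            $result.UsersHaveReadAce = 'unknown: ' + $_.Exception.Message
        }
        try {
            # Reading the values is what the update blocks for non-administrators.
            $props = Get-ItemProperty -Path $key -ErrorAction Stop
            $result.ReadableNow = $true
            $result.Entries = @($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Count
        } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            # Expected outcome for a standard user after the change.
            $result.ReadableNow = $false
        } catch {
            # Key absent (no exclusions of that type configured) or another error.
            $result.Entries = 'n/a'
        }
        [pscustomobject]$result
    }
}

Test-DefenderExclusionVisibility -Keys $exclusionKeys | Format-Table -AutoSize
```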

Importance of updates

Microsoft’s decision to make this change is a wise one: leaving these permissions open could allow malicious actors to drop their payloads inside one of those folders and run them without triggering any alert from Windows Defender.

The Exclusion feature in Windows Defender is meant to exclude specific folders from the application’s scanning. 

It seems that Microsoft will continue to remove this feature in upcoming builds until it finds a way for users to change those exclusions without risking malware bypassing Defender scans.

Microsoft has still not announced exactly how it plans to roll out the update, but many believe it was introduced in the recent patch.

What are your thoughts about the new updates on Microsoft defender scans? Share in the comments section below.