Microsoft Windows Defender has a bug that lets malware slip through undetected


Key notes

  • Microsoft's Defender antivirus software has a flaw that could let hackers execute malicious code on vulnerable Windows PCs.
  • The issue has affected Windows 10 21H1 and Windows 10 21H2 for at least eight years, but it was only recently discovered and identified.
  • The flaw allows attackers to store malicious programs in locations that are excluded from scanning, allowing them to bypass antivirus scans.

An attacker can take advantage of a weakness in the Microsoft Defender antivirus feature to plant malware in locations that Windows Defender excludes from scanning.

The issue has existed for at least eight years, though it was only recently identified, and it affects Windows 10 21H1 and Windows 10 21H2.

Add locations

Microsoft Defender can exclude specific locations on your computer from scanning, to make sure that areas containing important information are not inadvertently damaged by an antivirus scan.

There are many legitimate software applications that, for various reasons, antivirus programs mistakenly identify as malware and thus quarantine or block from accessing a computer.

If a user includes a username in their list of exclusions, it might give an attacker useful information about the system. The list also tells attackers where they can store malicious files: areas of the computer that are not searched during a routine scan.

Security researchers found that Microsoft Defender keeps a list of locations that are excluded from scanning, and that any local user can access it.

Compromised coverage

Even though Windows Defender checks for malware and dangerous files, local users can query the registry to determine which paths Defender is not allowed to check.

Antonio Cocomazzi, the threat researcher credited with the discovery of the RemotePotato0 vulnerability, notes that this information is not protected.

Microsoft Defender doesn’t scan everything, and the Windows “reg query” command reveals what the program is instructed not to scan, including files, folders, extensions, and processes.

Another Windows security expert, Nathan McNulty, says the issue is only present on Windows 10 versions 21H1 and 21H2 and does not affect Windows 11.

Group policy settings

The list of exclusions can also be grabbed from the Group Policy settings stored in the registry. This information provides details about what is being excluded and is more sensitive than simply listing which settings are active on a particular computer.

Microsoft recommends that you disable automatic exclusions in Microsoft Defender when the server platform is not dedicated to the Microsoft stack, McNulty says. If a server is running non-Microsoft software, you should allow Defender to scan arbitrary locations.

Although an attacker needs local access to obtain the Microsoft Defender exclusions list, this is a small challenge to overcome.

When a corporate network is already compromised, attackers are often on the lookout for ways to move around using less noticeable tools.

Full scan

Microsoft Defender allows the exclusion of certain folders to keep the antivirus from scanning files in those locations. A malware author who knows the exclusions can then store and execute infected files from those folders without being spotted.

A senior security consultant says that he first noticed the issue about eight years ago, and immediately understood its potential for malicious use.

“Always told myself that if I was some kind of malware dev I would just look up the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension,” explained Aura.

If you are a network administrator for a Microsoft environment, consult the Microsoft documentation for information on how to properly configure Defender exclusions on all of your servers and local machines.
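As an added example (not from the original article or from Microsoft), the following PowerShell sketch shows one way an administrator could audit exclusions for the weakness described above: excluded folders that standard users can write to, and excluded extensions that cover executable content. The function names, the identity list, the extension list and the sample paths are assumptions made for illustration; `Get-MpPreference` and its `ExclusionPath` and `ExclusionExtension` properties are the standard Defender cmdlet output.

```powershell
# Added example: flag Defender exclusions that a standard user could abuse.
# Assumptions: English identity names; both lists are starting points only.
$LowPrivIdentities = 'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$ExecutableExtensions = 'exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr'
# WriteData | AppendData | GENERIC_WRITE | GENERIC_ALL
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-UserWritable {
    param([string]$Path)
    # True when an Allow ACE grants a low-privileged identity write access.
    # Simplification: Deny ACEs and group nesting are not evaluated.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivIdentities -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-RiskyDefenderExclusion {
    param([string[]]$ExclusionPath, [string[]]$ExclusionExtension)
    foreach ($p in $ExclusionPath) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        $finding = if ($full -match '[*?]') { 'wildcard path: review manually' }
            elseif (-not (Test-Path -LiteralPath $full)) { 'path missing: stale exclusion' }
            elseif (Test-UserWritable $full) { 'writable by standard users' }
        if ($finding) {
            [pscustomobject]@{ Type = 'Path'; Value = $p; Finding = $finding }
        }
    }
    foreach ($e in $ExclusionExtension) {
        if ($ExecutableExtensions -contains $e.TrimStart('.').ToLower()) {
            [pscustomobject]@{ Type = 'Extension'; Value = $e
                Finding = 'excludes an executable or script type' }
        }
    }
}

# Constructed sample input, so the function can be tried without Defender.
Get-RiskyDefenderExclusion -ExclusionPath 'C:\Users\Public\Tools', '%TEMP%\build*' `
    -ExclusionExtension '.ps1', 'log'

# Live audit, from an elevated session:
# $pref = Get-MpPreference
# Get-RiskyDefenderExclusion -ExclusionPath $pref.ExclusionPath `
#     -ExclusionExtension $pref.ExclusionExtension
```

Each finding is a candidate for removal or for tightening the folder's permissions so that only administrators can write to the excluded location.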
