Windows 10: Microsoft Defender's exclusion list is readable by attackers

Reading time icon 2 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Key notes

  • Microsoft added a new feature to Windows Defender’s default settings that allows attackers to read the exclusion list on a target system.
  • Microsoft announced the release of a security update that eliminates a vulnerability exploited by malware that was first reported publicly eight years ago.
  • Windows Defender AV tool provides the capability to view and edit file system, driver, and registry exclusions on the system.

Security researchers have discovered a vulnerability in Microsoft’s antivirus software that could allow attackers to bypass the anti-malware protections on Windows machines.

A report from Bleeping Computer about a problem with the latest versions of Microsoft’s Windows 10 operating system states that the issue specifically impacts devices running versions 21H1 and 21H2.

Microsoft Defender

Microsoft Defender is a free anti-malware program that scans files and processes for threats and can protect Windows PCs from viruses, malware, ransomware, and other security threats.

The Windows Defender Security Center add-in also lets you prevent specific files, file types, folders, processes, locations, or executable files from being scanned by using the exclusions feature.

This feature can be useful in certain situations in which malicious software is incorrectly classified as a legitimate application.

The exclusion lists that protect various Windows 10 components vary among users and allow threat actors to track locations and store malicious files on devices.

Antonio Cocomazzi, a Threat Intelligence Researcher at SentinelOne, said Microsoft Defender allows any local user to read the sensitive data stored in exclusion lists via registry queries; this is factually accurate and makes no use of informal speech.

The Windows Defender AV tool allows users to read the file system and registry exclusions on the system.

Microsoft Defender’s security flaw 

Additionally, cyber security architect Nathan McNulty pointed out that attackers might exploit the registry tree to gain access to exclusion lists for multiple systems.

“For those configuring Defender AV on servers, be aware that there are automatic exclusions that get enabled when specific roles or features are installed,” McNulty indicated on Twitter. 

However, you can create a custom installation location for an application that isn’t on the list.

Security updates

Microsoft announced today the release of a security update that eliminates the vulnerability that can be exploited by malware. The vulnerability was first reported by security researchers eight years ago.

Microsoft has not yet addressed this issue, and there is no information about when a solution might be available for users of its Windows operating system.

Administrators are advised to set up Microsoft Defender exclusions using the group policies on both Windows 10 and Windows Server machines.

Have you been affected by Microsoft Defender’s security flaw before? Share your thoughts with us in the comment section below.

User forum

0 messages