22.12.2024

A hole in Microsoft Defender allows attackers to easily bypass Windows protection

Hackers can install their programs in folders that the antivirus does not scan. -obhodit-zashhitu-windows-5c22f80.jpg” alt=”A hole in Microsoft Defender allows attackers to easily bypass Windows protection” />

Microsoft Defender or Windows Defender, like many other antiviruses, allows you to exclude certain paths from the scan list – local folders and network locations. This is useful, for example, when developing software or installing programs that are erroneously considered malware.

Antonio Cocomazzi, a cybersecurity expert at SentinelOne, found out that the list of such paths is stored in an unprotected format. Access to it is open to all local users: they can find out which files, folders, extensions and processes are ignored by Microsoft Defender. To do this, just open the Windows console and enter the reg query command, and specify the name of the corresponding branch in the operating system registry as a parameter.

Hole in Microsoft Defender makes it easy for attackers to bypass Windows protection

Getting access to the account of a specific user in corporate networks is a solvable task, experts say. Many networks have already been compromised, and cybercriminals are just waiting for the right moment to get as much valuable information as possible. Then it's a matter of technique: it is enough to place malware in unprotected directories and start an attack.

It is already known that the vulnerability in Microsoft Defender antivirus has existed for about eight years. It affects recent versions of the system, for example, Windows 10 21H1 and Windows 10 21H2 – after two regular major updates that developers release every six months.

Cybersecurity specialist Nathan McNulty noted that there is no such problem in Windows 11. But in Windows 10, the exclusion list can also be obtained from the system registry entry tree, which stores group policy settings. This information is more sensitive than user-specific settings – it is distributed to groups of computers on the network.

To be safe, you need to make sure that your system has not been hacked and does not have malware installed. After that, it is worth tightening your security settings and reviewing the list of paths excluded from Microsoft Defender scanning.