A Weakness Found in Microsoft Defender Allows Hackers to Avoid Malware Detection
The Issue Affected Windows 10 21H1 and Windows 10 21H2 and Lasted for About 8 Hours.
Windows Defender is a Microsoft Windows anti-malware component. It was initially made available as a free anti-spyware download for Windows XP, and it was later included with Windows Vista and Windows 7. It has matured into a comprehensive antivirus tool, replacing Microsoft Security Essentials in Windows 8 and subsequent editions.
Threat actors were able to exploit a vulnerability in Microsoft Defender antivirus on Windows to learn about locations that were not scanned and plant malware there.
According to some customers, the problem has been there for at least eight years and impacts Windows 10 21H1 and Windows 10 21H2.
Security researchers revealed that the list of locations not scanned by Microsoft Defender is unsecured and accessible to any local user.
Local users, regardless of their privileges, can query the registry and learn which paths Microsoft Defender is configured not to examine for malware or harmful files.
Antonio Cocomazzi, a SentinelOne threat researcher who reported the RemotePotato0 vulnerability, points out that there is no protection for this information, which should be considered sensitive: running the “reg query” command reveals everything that Microsoft Defender is not supposed to scan, whether files, folders, extensions, or processes.
How Does the Vulnerability Work?
Microsoft Defender, like any other antivirus solution, allows users to choose which locations (local or network) on their PCs should be excluded from malware scanning.
Exclusions are frequently used to prevent the antivirus from interfering with the performance of genuine apps that have been mistakenly identified as malware.
Because the list of scanning exclusions varies from user to user, it is valuable information for an attacker already on the system: it shows them where they can place malicious files without fear of being caught.
Although a threat actor must have local access to obtain the Microsoft Defender exclusions list, this is far from a barrier. Many attackers are already inside compromised business networks looking for a way to move laterally as quietly as possible.
As thoroughly explained by BleepingComputer, a threat actor who has already compromised a Windows PC and knows the list of Microsoft Defender exclusions can then store and execute malware from the excluded directories without fear of being detected.
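An audit script for administrators, added here as an example and not code from the article or from Heimdal: it checks whether the Defender exclusion list in the registry is readable by broad local groups (the weakness described above) and lists the configured exclusions, flagging those under user-writable roots. It assumes the registry key path Defender uses for exclusions and the Get-MpPreference cmdlet from the Windows Defender PowerShell module; run it from an elevated PowerShell on Windows 10.

```powershell
# Added audit example (not from the article). Assumes the Defender exclusions
# registry key path below and the Defender module's Get-MpPreference cmdlet.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

# 1. Who can read the exclusions key? If broad local groups have ReadKey,
#    any local user can enumerate the unscanned locations.
$acl   = Get-Acl -Path $key
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users|INTERACTIVE' -and
    ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::ReadKey)
}
if ($broad) {
    Write-Warning "Exclusion list is readable by non-admin principals:"
    $broad | Format-Table IdentityReference, RegistryRights -AutoSize
} else {
    Write-Output "Exclusion key is not readable by broad local groups."
}

# 2. Enumerate configured exclusions and flag the ones an intruder could
#    use most easily: whole drives, user-writable roots, and process
#    exclusions (a process exclusion skips every file that process opens).
$pref         = Get-MpPreference
$userWritable = @('C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\')
foreach ($p in @($pref.ExclusionPath)) {
    if (-not $p) { continue }
    $risky = $userWritable | Where-Object { $p -like "$_*" }
    $flag  = if ($risky -or $p -match '^[A-Za-z]:\\?$') { 'REVIEW' } else { 'ok' }
    "{0,-7} path      {1}" -f $flag, $p
}
foreach ($e in @($pref.ExclusionExtension)) { if ($e) { "{0,-7} extension {1}" -f 'ok', $e } }
foreach ($x in @($pref.ExclusionProcess))   { if ($x) { "{0,-7} process   {1}" -f 'REVIEW', $x } }
```

Any line marked REVIEW should be justified by a documented business need or replaced with a narrower exclusion.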
How Can Heimdal™ Help?
Threat prevention is essential to your company’s cybersecurity, as it is an effective way to add multiple layers of proactive protection. As cyber attackers become more cunning, so should the solutions we use to stop them. This is where Heimdal™ comes in.
Heimdal™ is always updated and keeps pace with the latest cybersecurity trends, a quality reflected in its products. Our award-winning Threat Prevention Endpoint solution uses machine learning, cybercrime intelligence, and artificial intelligence capabilities to help you prevent future threats with 96% accuracy on your endpoints, and is a very efficient threat hunting solution that makes malicious URLs, processes, and attackers’ origins no longer anonymous.