A decades-old vulnerability in Microsoft Defender that could allow any virus or malware strain to operate on the Windows operating system has been uncovered.
The flaw is quite simple in theory, and focuses on placing malware where Microsoft Defender is not allowed to see. Some programs trigger a false positive alert, and as such, need to be excluded from the scan. One way Defender users do this is by adding certain locations, either locally, or over a network, that are left out of the scan.
However, malicious actors can learn about these locations relatively easily. According to Antonio Cocomazzi, a cybersecurity researcher at SentinelOne who was reportedly the first to uncover and report the flaw, anyone can reveal all the locations that are beyond the reach of Microsoft Defender by running a “reg query” command. Malware placed in one of those locations stays there, unseen by Defender.
Local access required
OpsecEdu cybersecurity researcher Nathan McNulty said things are even worse than that, as Defender performs automatic exclusions when users install specific roles or features.
The flip side of this coin is that in order to abuse the flaw, the malicious actor needs to have local access beforehand. According to Bleeping Computer, that does not matter too much, as the many malicious actors who have already compromised endpoints and networks can use the flaw to run their malware undetected.
The publication also put this idea to the test, saying that it managed to install the Conti ransomware without triggering an alert from the antivirus solution.
The vulnerability is about eight years old, the researchers agree, adding that administrators should take extra care to properly configure Microsoft Defender exclusions on servers and local machines via Group Policies.
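As an added example (not from the article, Bleeping Computer or Microsoft), the following PowerShell audit lets an administrator see what the article describes on their own machine: it lists the configured Defender exclusions, flags the ones that cover user-writable or catch-all locations, and shows which accounts hold read access on the registry key that a “reg query” would return. It assumes the Defender PowerShell module (Get-MpPreference) is present and that the script runs as an administrator; the risky-pattern list is a constructed heuristic, not an official one.

```powershell
# Added example, not the article's own code: audit Microsoft Defender exclusions
# on the local machine. Assumes the Defender module (Get-MpPreference) exists.

$pref = Get-MpPreference

# Constructed heuristic list of exclusion patterns worth reviewing first:
# whole drives, per-user and scratch directories, and wildcards.
$riskyPatterns = @(
    '^[A-Za-z]:\\$',                 # whole drive root, e.g. C:\
    '\\Users\\',                     # per-user profile directories
    '\\Temp\\', '\\AppData\\',       # user-writable scratch areas
    '\\Downloads\\', '\\Public\\',
    '\*'                             # wildcard exclusions
)

function Test-RiskyExclusion {
    param([string]$Path)
    foreach ($p in $riskyPatterns) { if ($Path -match $p) { return $true } }
    return $false
}

"== Path exclusions =="
foreach ($x in $pref.ExclusionPath) {
    $flag = if (Test-RiskyExclusion $x) { 'REVIEW ' } else { '       ' }
    "$flag$x"
}
"== Extension exclusions =="
$pref.ExclusionExtension
"== Process exclusions =="
$pref.ExclusionProcess

# The article's point: the exclusion list lives in the registry. Show which
# identities are allowed to read the Paths key so the result of a 'reg query'
# by an ordinary user is no surprise.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
if (Test-Path $key) {
    "== Identities with read access on $key =="
    (Get-Acl $key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -match 'Read|FullControl' } |
        Select-Object IdentityReference, RegistryRights |
        Format-Table -AutoSize
} else {
    "No path exclusions are stored under $key."
}
```

Entries marked REVIEW are not necessarily wrong, but each should be traceable to a documented false positive and be as narrow as the software actually needs.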
The vulnerability was found to affect Windows 10 21H1 and Windows 10 21H2 users, but Windows 11 is protected.
Via: Bleeping Computer