A long-standing weakness in Microsoft Defender has been disclosed that could let malware run undetected on Windows.
In principle, the issue is straightforward: it comes down to placing malware in locations that Microsoft Defender has been configured not to scan. Some legitimate applications trigger false positives and therefore have to be excluded from scanning, and the usual way Defender users do this is to exclude specific paths, file extensions or processes, either in the local settings or centrally through Group Policy.
Malicious actors, however, can easily learn what those locations are. According to Antonio Cocomazzi, a cybersecurity researcher at SentinelOne who is reported to have been the first to discover and disclose the weakness, the exclusion list is stored in the registry where any local user can read it: a single “reg query” command lists every location that is outside Defender’s reach, and an attacker can plant a payload there.
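The enumeration step described above, as an added example that is not code from the article or from the researchers it cites. It is meant to be run as a standard, non-administrative user; the registry key paths are Defender’s documented locations for locally set and Group Policy-set exclusions, and the output format is this example’s own choice.

```powershell
# Added example: list Microsoft Defender exclusions from the registry as a non-admin user.
# The one-liner referenced in the article does the same thing from cmd.exe:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
# Each exclusion is stored as a value whose NAME is the excluded path/extension/process
# and whose data is a DWORD 0, so the value names are what we want.

$exclusionRoots = @{
    'Local'       = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'          # set via UI or Set-MpPreference
    'GroupPolicy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions' # pushed by Group Policy
}

function Get-DefenderExclusionsFromRegistry {
    foreach ($scope in $exclusionRoots.Keys) {
        foreach ($type in 'Paths', 'Extensions', 'Processes') {
            $key = Join-Path $exclusionRoots[$scope] $type
            try {
                if (-not (Test-Path -Path $key)) { continue }
                $props = Get-ItemProperty -Path $key -ErrorAction Stop
            } catch {
                # On hosts where Microsoft has since restricted this key to administrators,
                # an access-denied error here is the expected result for a standard user.
                Write-Warning "Cannot read $key : $($_.Exception.Message)"
                continue
            }
            $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own PSPath/PSParentPath/... metadata
                ForEach-Object {
                    [pscustomobject]@{ Scope = $scope; Type = $type; Exclusion = $_.Name }
                }
        }
    }
}

Get-DefenderExclusionsFromRegistry | Format-Table -AutoSize
```

Any excluded path that a standard user can also write to (a per-user profile folder, a temp directory, a shared application data folder) is a ready-made staging area: a file dropped there is never scanned, which is exactly what the test described later in this article relied on.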
Local access is needed
Nathan McNulty of OpsecEdu, a cybersecurity researcher, added that the situation is worse than that, because Defender automatically creates exclusions when certain Windows Server roles or features are installed, so a host can have scan-free locations that no administrator ever configured by hand.
The mitigating factor is that an attacker must already have local access to exploit the issue. According to BleepingComputer, that is not much of a barrier: threat actors who have already compromised an endpoint or network can use the exclusion list to stage tooling where Defender will not scan it, supporting covert lateral movement.
The publication also put the theory to the test, reporting that it was able to drop and run a Conti ransomware sample from an excluded location without the antivirus raising any alert.
Researchers believe the weakness is around eight years old. Administrators should take extra care to configure Microsoft Defender exclusions deliberately and narrowly on both servers and workstations, preferably through Group Policy, and should review any exclusion that points at a location unprivileged users can write to.
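An administrator-side audit of the configured exclusions, as an added example that is not part of the article. It uses the Defender `Get-MpPreference` cmdlet; the list of user-writable locations and the risk heuristics (whole-drive exclusions, wildcards, excluded executable extensions, exclusions under user-writable paths) are this example’s own choices and should be adjusted to the environment. Run it in an elevated PowerShell session.

```powershell
# Added example: flag Defender exclusions that give unprivileged code a scan-free area.
# Assumptions: run as administrator; the heuristics below are illustrative, not Microsoft guidance.

# Locations any local user can normally write to. An exclusion covering these hands
# an attacker a guaranteed blind spot without needing further privileges.
$userWritableRoots = @(
    "$env:SystemDrive\Users",
    "$env:SystemDrive\ProgramData",
    "$env:SystemDrive\Windows\Temp",
    "$env:SystemDrive\Temp"
)

# Extensions that should essentially never be excluded: excluding them exempts
# arbitrary code from scanning regardless of where it lives.
$dangerousExtensions = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr', 'com', 'msi')

function Get-RiskyDefenderExclusions {
    $pref = Get-MpPreference

    foreach ($path in @($pref.ExclusionPath)) {
        $risks = @()
        if ($path -match '^[A-Za-z]:\\?$')    { $risks += 'entire drive excluded' }
        if ($path -match '[*?]')              { $risks += 'wildcard exclusion' }
        $normalized = $path.TrimEnd('\') + '\'
        foreach ($root in $userWritableRoots) {
            if ($normalized.StartsWith($root + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                $risks += "under user-writable location $root"
            }
        }
        if ($risks.Count -gt 0) {
            [pscustomobject]@{ Kind = 'Path'; Exclusion = $path; Risk = ($risks -join '; ') }
        }
    }

    foreach ($ext in @($pref.ExclusionExtension)) {
        if ($dangerousExtensions -contains $ext.TrimStart('.').ToLower()) {
            [pscustomobject]@{ Kind = 'Extension'; Exclusion = $ext; Risk = 'executable content excluded everywhere' }
        }
    }

    # A process exclusion exempts every file that process opens; a generic host process
    # name (script hosts, explorer) effectively disables scanning for anything it launches.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc -match '(?i)(powershell|cmd|wscript|cscript|explorer|rundll32|mshta)\.exe$') {
            [pscustomobject]@{ Kind = 'Process'; Exclusion = $proc; Risk = 'generic host process excluded' }
        }
    }

    # Automatic exclusions added by server roles are not listed in ExclusionPath at all;
    # surface whether they are in effect so the reviewer knows the list above is incomplete.
    [pscustomobject]@{
        Kind      = 'AutoExclusions'
        Exclusion = "DisableAutoExclusions = $($pref.DisableAutoExclusions)"
        Risk      = if ($pref.DisableAutoExclusions) { 'role-based auto exclusions disabled' } else { 'role-based auto exclusions active (not shown above)' }
    }
}

Get-RiskyDefenderExclusions | Format-Table -AutoSize
```

Findings should be cross-checked against the Group Policy objects that set them; an exclusion that is needed for a genuine false positive can usually be narrowed from a directory to a single file or process, which removes the staging-area problem without reintroducing the alert.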
The weakness was found to affect Windows 10 21H1 and Windows 10 21H2; Windows 11 is not affected.