
Microsoft fixes Defender flaw letting hackers bypass antivirus scans

Microsoft has recently addressed a weakness in Microsoft Defender Antivirus on Windows that allowed attackers to plant and execute malicious payloads without triggering Defender's malware detection engine.

This security flaw [1, 2] affected the latest Windows 10 versions, and threat actors could have abused it since at least 2014.

As BleepingComputer previously reported, the flaw resulted from lax security settings for the "HKLM\Software\Microsoft\Windows Defender\Exclusions" Registry key. This key contains the list of locations (files, folders, extensions, or processes) excluded from Microsoft Defender scanning.

Exploiting the weakness was possible because the Registry key was accessible by the 'Everyone' group, as shown in the image below.

Exclusions Registry key accessible by the Everyone group
Source: BleepingComputer

This made it possible for local users (regardless of their permissions) to access it via the command line by querying the Windows Registry.

Accessing Defender exclusions (BleepingComputer)

Security expert Nathan McNulty also warned that users could also grab the list of exclusions from registry trees with entries storing Group Policy settings, which is much more sensitive information since it provides exclusions for multiple computers on a Windows domain.

After finding out what folders were added to the antivirus exclusion list, attackers could deliver and execute malware from an excluded folder on a compromised Windows system without having to fear that their malicious payload would be detected and neutralized.

By exploiting this weakness, BleepingComputer could execute a sample of Conti ransomware from an excluded folder and encrypt a Windows system without any warnings or signs of detection from Microsoft Defender.

Security weakness addressed silently by Microsoft

This is no longer possible, given that Microsoft has now addressed the weakness via a silent update, as spotted by Dutch security expert SecGuru_OTX on Thursday.

SentinelOne threat researcher Antonio Cocomazzi confirmed that the flaw can no longer be used on Windows 10 20H2 systems after installing the February 2022 Patch Tuesday Windows updates.

Some users are seeing the new permission change after installing the February 2022 Patch Tuesday Windows cumulative updates.

On the other hand, Will Dormann, a vulnerability analyst for CERT/CC, noted that he received the permissions change without installing any updates, indicating that the change could be added by both Windows updates and Microsoft Defender security intelligence updates.

As BleepingComputer was also able to confirm today, the permissions in Windows advanced security settings for Defender exclusions have indeed been updated, with the 'Everyone' group removed from the Registry key's permissions.

New permissions for the Exclusions Registry key
Source: BleepingComputer

On Windows 10 systems where this change has already rolled out, users are now required to have admin privileges to be able to access the list of exclusions via the command line or when adding them using the Windows Security settings screen.
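To verify that a given machine has received the permission change described above, an administrator can audit the ACL on the Exclusions key for an 'Everyone' entry that grants read access. The script below is an added example, not code from the article or from Microsoft; it assumes the key path named in the article and, for the Group Policy case mentioned by Nathan McNulty, the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions` path, which is an assumption and may not exist on unmanaged systems.

```powershell
# Added example (not from the article or Microsoft): audit the Defender
# Exclusions registry keys for an 'Everyone' allow entry that grants read
# access, which is the weak permission the article describes.
# Run from an elevated PowerShell prompt; an empty result for the main key
# means the fix is present on this machine.

# First path is the key named in the article; the Policies path is an
# assumed location for Group Policy-managed exclusions.
$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
)

function Test-ExclusionsKeyAcl {
    [CmdletBinding()]
    param([string[]]$Path = $ExclusionKeys)

    # Bits that let a caller list values or subkeys of the key.
    $readBits = [int]([System.Security.AccessControl.RegistryRights]::QueryValues -bor
                      [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys)
    # Generic rights can appear in raw ACEs: GENERIC_READ (0x80000000) and
    # GENERIC_ALL (0x10000000) both imply read access.
    $genericRead = -2147483648
    $genericAll  = 0x10000000

    foreach ($key in $Path) {
        if (-not (Test-Path -Path $key)) {
            Write-Verbose "Key not present (Group Policy exclusions may be unused): $key"
            continue
        }
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            # Compare by well-known SID (S-1-1-0 = Everyone) to avoid localized names.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            if ($sid.Value -ne 'S-1-1-0') { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $rights = [int]$ace.RegistryRights
            $readable = (($rights -band $readBits) -ne 0) -or
                        (($rights -band $genericRead) -ne 0) -or
                        (($rights -band $genericAll) -ne 0)
            if (-not $readable) { continue }

            # Finding: any local user can enumerate this key's exclusion entries.
            [pscustomobject]@{
                Key       = $key
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ExclusionReview {
    # Once only admins can read the list, review it so that no broader
    # location than necessary is excluded from scanning.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Extensions = @($pref.ExclusionExtension)
        Processes  = @($pref.ExclusionProcess)
    }
}

$findings = Test-ExclusionsKeyAcl -Verbose
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No Everyone read access found on the Defender Exclusions keys.'
}
Get-ExclusionReview | Format-List
```

The ACL check compares SIDs rather than the display name 'Everyone' so it behaves the same on localized Windows builds, and it treats generic read and generic all rights as readable because the weak default the article describes only needs the key to be enumerable. Running it across a fleet (for example through a scheduled task that writes the findings to a central share) gives a quick inventory of machines that have not yet picked up the permission change.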

Access to Defender exclusions now blocked (BleepingComputer)

The change rolled out since our previous report, but, for the time being, only Microsoft knows how it was pushed to affected Windows 10 systems (via Windows updates, Defender intelligence updates, or other means).

A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today.