The flaw is simple in theory: it comes down to planting malware where Microsoft Defender is not permitted to look. Some programs trigger false-positive alerts and therefore need to be excluded from scanning. One way Defender users do this is by adding locations, either local or on a network, to an exclusion list that the scanner skips.
However, malicious actors can learn about these locations with relative ease. According to Antonio Cocomazzi, a cybersecurity researcher from SentinelOne who was allegedly the first to uncover and report the flaw, simply running a “reg query” command reveals all the locations that are beyond Microsoft Defender’s reach, and an attacker can place their malware there.
Local access required
Cybersecurity researcher Nathan McNulty, from OpsecEdu, chimed in to add that things are even worse than that, as Defender creates automatic exclusions when users install specific roles or features.
The flip side is that, for the flaw to be abused, the malicious actor needs to already have local access. According to BleepingComputer, that does not matter much, as the many malicious actors who have already compromised endpoints and networks can use the flaw for stealthy lateral movement.
The publication also put the idea to the test, saying it managed to install the Conti ransomware without triggering an alert from the antivirus solution.
The vulnerability is roughly eight years old, researchers agree, and administrators should take extra care to properly configure Microsoft Defender exclusions on servers and local machines via Group Policy.
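The advice above is to review what is excluded. The following is an added audit script written for this page; it is not from the article, BleepingComputer, or Microsoft. It assumes a Windows host with the Microsoft Defender PowerShell module (Get-MpPreference) and an elevated prompt, and it only reads configuration. It lists the configured exclusions, flags those that cover locations a non-administrator can normally write to (a constructed, extendable list of patterns), and shows which principals can read the registry keys that hold the exclusion list.

```powershell
# Added example (not the article's or Microsoft's code). Read-only audit of
# Microsoft Defender exclusions. Assumes Get-MpPreference is available and
# that the script runs from an elevated PowerShell prompt.

function Get-DefenderExclusionFindings {
    [CmdletBinding()]
    param()

    # Constructed list of patterns for locations a standard user can usually
    # write to. An exclusion covering one of these lets any local user stage a
    # file that Defender will not scan. Extend it for your own environment.
    $riskyPatterns = @{
        'whole drive'    = '^[A-Za-z]:\\?$'
        'user profile'   = '\\Users\\'
        'temp directory' = '\\Temp\\?'
        'ProgramData'    = '\\ProgramData\\?'
        'Windows\Tasks'  = '\\Windows\\Tasks'
        'wildcard'       = '[\*\?]'
    }

    $prefs    = Get-MpPreference
    $findings = @()

    foreach ($p in @($prefs.ExclusionPath)) {
        if (-not $p) { continue }
        foreach ($name in $riskyPatterns.Keys) {
            if ($p -match $riskyPatterns[$name]) {
                $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = $name }
            }
        }
    }

    # Extension and process exclusions are broad by nature: every file with the
    # extension, or every file the named process opens, is skipped.
    foreach ($e in @($prefs.ExclusionExtension)) {
        if ($e) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e
                                            Reason = 'applies to every file with this extension' }
        }
    }
    foreach ($proc in @($prefs.ExclusionProcess)) {
        if ($proc) {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc
                                            Reason = 'applies to every file this process opens' }
        }
    }
    return $findings
}

function Get-ExclusionKeyReaders {
    # Lists the principals allowed to read the keys that store exclusions,
    # i.e. who could discover the list with a registry query.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        try {
            (Get-Acl -Path $k).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.RegistryRights -match 'Read|FullControl' } |
                Select-Object @{ n = 'Key'; e = { $k } }, IdentityReference, RegistryRights
        } catch {
            Write-Warning "Cannot read ACL of ${k}: $($_.Exception.Message)"
        }
    }
}

Get-DefenderExclusionFindings | Format-Table -AutoSize
Get-ExclusionKeyReaders       | Format-Table -AutoSize
```

Any finding in the first table is a candidate for removal or for narrowing to a specific file rather than a directory; where an exclusion is genuinely needed, set it centrally through Group Policy as the article recommends, so it is consistent and reviewable. The script only surfaces exclusions that were configured explicitly, not the automatic role-based exclusions Nathan McNulty describes, so servers with installed roles still need a separate review.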
The vulnerability was found to affect Windows 10 21H1 and Windows 10 21H2 users, but Windows 11 is safe.
Via: BleepingComputer