The flaw is quite simple in theory, and centres on planting malware where Microsoft Defender is not permitted to look. Some programs trigger false positive alerts and, as such, need to be excluded from the scan. One way Defender users do this is by adding certain locations, either local or on a network, that are excluded from scanning.
However, malicious actors can learn about these locations, with relative ease. According to Antonio Cocomazzi, a cybersecurity researcher from SentinelOne, who was allegedly the first to uncover and report on the flaw, by simply running a “reg query” command, one can reveal all the locations that are beyond Microsoft Defender’s reach, and place their malware there.
Local access required
Cybersecurity researcher Nathan McNulty, from OpsecEdu, chimed in to add that things are even worse than that, as Defender makes automatic exclusions when users install specific roles or features.
The flipside to this coin is that, for the flaw to be abused, the malicious actor needs to already have local access. According to BleepingComputer, that doesn’t matter too much, as many malicious actors who have already compromised endpoints and networks can use the flaw to enable stealthy lateral movement.
The vulnerability is roughly eight years old, researchers agree, saying that administrators should take extra care to properly configure Microsoft Defender exclusions on servers and local machines via group policies.
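As an added example (not from the article, nor code by the researchers named in it): a PowerShell audit, run elevated on a server or workstation, that reports whether low-privilege identities hold read rights on the Defender exclusion registry keys, which is the condition the article describes. The registry location and the function name are assumptions of this example; the article does not name them.

```powershell
# Added example: audit who can read Defender's exclusion keys.
# Assumption (not stated in the article): exclusions are stored under this key,
# with Paths / Extensions / Processes subkeys.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

# Well-known SIDs that any local user typically belongs to.
$lowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # Authenticated Users
    'S-1-1-0'        # Everyone
)

# Any of these rights lets a caller list value names or data under the key.
$readBits = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
            [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys -bor
            [System.Security.AccessControl.RegistryRights]::ReadKey

function Test-ExclusionKeyReadable {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -Path $Key)) { return $null }   # key absent: nothing to audit

    $acl = Get-Acl -Path $Key                             # includes inherited ACEs
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                              # unresolvable identity: skip

        if (($lowPrivSids -contains $sid) -and
            (($ace.RegistryRights -band $readBits) -ne 0)) {
            [pscustomobject]@{
                Key      = $Key
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.RegistryRights
            }
        }
    }
}

foreach ($sub in 'Paths', 'Extensions', 'Processes') {
    $key = Join-Path -Path $base -ChildPath $sub
    $findings = @(Test-ExclusionKeyReadable -Key $key)
    if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
    else { "$sub : no low-privilege read access found (or key absent)" }
}
```

A row in the output means a standard user on that host can list the excluded locations; an empty result for all three subkeys means the exposure described above does not apply there.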
The vulnerability was found to affect Windows 10 21H1 and Windows 10 21H2 users, but Windows 11 is safe.