Microsoft finally makes bypassing Defender scans harder by changing Exclusions permission

Microsoft"s Defender has been receiving high praise recently as it scored exceptionally well in AV-TEST"s latest rankings for December 2021 and October 2021. However, AV-Comparatives was much less impressed by Defender at least when compared to some of its alternatives like McAfee.

One thing was common to both assessments, though: Microsoft Defender's score improved in the second half of 2021, suggesting that the Redmond giant is making real progress in this area. And it looks like it is still improving as we head into 2022.

A security researcher with the Twitter username CISOwithHoodie noticed that Microsoft has recently made an important change to the permissions on the Windows Defender Exclusions registry key. Previously, the key was readable by "Everyone", so any local user could list the excluded files, folders, processes and extensions by querying the registry path "HKLM\Software\Microsoft\Windows Defender\Exclusions".

After this update, the key's permissions have been modified so that only a user with Administrator rights can view the excluded files and folders, as can be seen in the image below:

When a standard (non-administrator) user now queries that registry path from the command line to find the exclusions, the query fails with an "Access is denied" error (image below), whereas earlier it would list the excluded files and folders.
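The check described above, written out as an added PowerShell example (this is not code from the article, from CISOwithHoodie or from Microsoft). It tries to open both exclusion keys the article mentions with read access and reports either the exclusion entries or the access error, then lists the ACL on each key so the permission change itself is visible rather than only its effect. The function names are assumptions chosen for this example; the subkey names (Paths, Processes, Extensions) are the ones Defender normally uses under the Exclusions key, and the Policies key only exists when exclusions have been set by Group Policy. Run it once from a standard prompt and once elevated: after the change, the first run should report "Access is denied" and the second should list the exclusions.

```powershell
# Added example (not the article's or Microsoft's code): does the current user
# have read access to Defender's exclusion keys?
$exclusionKeys = @(
    'SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
)

function Get-DefenderExclusionVisibility {
    param([string[]]$Keys = $exclusionKeys)

    foreach ($key in $Keys) {
        $result = [ordered]@{ Key = "HKLM\$key"; Readable = $false; Exclusions = @(); Error = $null }
        try {
            # OpenSubKey asks for KEY_READ; it throws SecurityException when the
            # key's ACL does not grant that to the caller ("Access is denied").
            $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine,
                [Microsoft.Win32.RegistryView]::Registry64)
            $regKey = $hklm.OpenSubKey($key, $false)
            if ($null -eq $regKey) {
                $result.Error = 'Key not present'
            } else {
                $result.Readable = $true
                # Exclusions are stored as value names (DWORD 0) under per-type
                # subkeys such as Paths, Processes and Extensions.
                foreach ($subName in $regKey.GetSubKeyNames()) {
                    $sub = $regKey.OpenSubKey($subName, $false)
                    if ($null -eq $sub) { continue }
                    foreach ($valueName in $sub.GetValueNames()) {
                        $result.Exclusions += "$subName\$valueName"
                    }
                    $sub.Close()
                }
                $regKey.Close()
            }
        } catch [System.Security.SecurityException] {
            $result.Error = 'Access is denied'
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Show which identities are granted which rights on each key. Reading the
# security descriptor needs READ_CONTROL, so a standard user may get an
# error here too once the key has been locked down.
function Get-DefenderExclusionKeyAcl {
    param([string[]]$Keys = $exclusionKeys)

    foreach ($key in $Keys) {
        try {
            (Get-Acl -Path "HKLM:\$key").Access |
                Select-Object @{ n = 'Key'; e = { $key } },
                              IdentityReference, RegistryRights, AccessControlType
        } catch {
            [pscustomobject]@{
                Key               = $key
                IdentityReference = $null
                RegistryRights    = $null
                AccessControlType = "Error: $($_.Exception.Message)"
            }
        }
    }
}

Get-DefenderExclusionVisibility | Format-List
Get-DefenderExclusionKeyAcl | Format-Table -AutoSize
```

A plain `reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s` from a non-elevated command prompt gives the same answer in one line; the script above is useful when you want the ACL alongside the result, for example to confirm the hardening across a fleet.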

Will Dormann, a Vulnerability Analyst at CERT, also confirmed that the policy-based exclusions key in the registry is now protected as well.

Assuming you meant HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions, that is also protected.

— Will Dormann (@wdormann) February 10, 2022

If you are wondering why this is such a big deal: when the exclusion list is readable by every user, a threat actor who has gained a foothold on a machine, even as a standard user, can read it and drop a malicious payload into one of the excluded folders, completely bypassing Windows Defender scanning of that file. Hiding the list raises the bar rather than closing the gap entirely, since an attacker who already has administrator rights can still read it, and the excluded locations remain unscanned either way.

So far, it"s not clear how exactly Microsoft is delivering the update though, it is thought that the recent February Patch Tuesday is when the update was introduced.

Source and images: CISOwithHoodie (Twitter)(1, 2)
