Microsoft Defender Weakness

Industry: N/A | Level: Strategic | Source: BleepingComputer

An issue/weakness has been identified by SentinelOne researchers enabling local attackers to query the registry for Windows Defender to identify what locations are excluded by Microsoft Defender. By scanning the threat actors can take advantage to plant malware. The issue extends to Group Policy settings that could also be queried from the registry tree that extends the attacker's visibility into the network. BleepingComputer conducted a test finding by a utilizing a Conti ransomware sample and executing it in an excluded folder Microsoft Defender took no action as opposed to verifying a block action when executing from a non-excluded location. The issue affects Windows 10 versions 21H1 and 21H2, however, is not an issue in Windows 11.