Since the ‘Creators Update’ of Windows 10, the operating system has included a Windows Defender Security Center, which makes it easier to add exclusions to Microsoft’s antivirus protection policies.

Those exclusions are directories (or files, processes, or drives) that we don’t want Defender to scan for malware. The main reason for adding one is knowing that it generates false positives: many legitimate programs that modify certain parts of the operating system, for example, set off the antivirus even though they are harmless.

But what if cybercriminals had a way of knowing exactly which directories we’ve excluded from scanning, and could take advantage of that knowledge to install their malware there and infect our system from there? It would be a catastrophe, right?

Information available through any local user

Well, according to Bleeping Computer, that is exactly what has happened with the latest versions of Windows 10 (21H1 and 21H2), which present a vulnerability that allows attackers to read Defender’s exclusion list. According to cybersecurity expert Nathan McNulty, this vulnerability does not affect Windows 11.

This is possible because Windows makes the list readable by any local user through the Windows Registry. If you want to check the list yourself, open a Windows terminal with administrator permissions and run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s

The fact that this information can only be read by a local user is far from a problem for an attacker if the system is part of an already compromised network, or if other malware that the antivirus does not recognize has already been installed on it.

System administrators can work around this issue by setting up Defender exclusions not from the Security Center, but by creating group policies from the ‘Local Group Policy Editor’ (Run > gpedit.msc) and then accessing ‘Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender > Exclusions’.
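For administrators who want to audit their own machines, the following PowerShell script is an added example (it is not part of the original article or of Microsoft’s tooling). It lists the exclusions stored under the local Security Center key shown above and under the Group Policy key, shows which accounts are granted read access to each key, and cross-checks the result against what Defender itself reports through Get-MpPreference. It assumes the Defender PowerShell module is available, that exclusions are stored as value names under the Paths, Extensions and Processes subkeys, and that policy-based exclusions live under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions; run it from an elevated PowerShell on Windows 10.

```powershell
# Added audit example (not from the original article): enumerate Defender exclusions
# from both storage locations and report who can read each registry key.
# Assumption: the Paths/Extensions/Processes subkey layout and the Policies key path.
$registryLocations = [ordered]@{
    'Local (Security Center)' = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    'Group Policy'            = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
}

# Full read access on a key is what allows 'reg query ... /s' to enumerate it.
$readRight = [System.Security.AccessControl.RegistryRights]::ReadKey

foreach ($label in $registryLocations.Keys) {
    $root = $registryLocations[$label]
    Write-Host "== $label exclusions ($root) =="
    if (-not (Test-Path $root)) {
        Write-Host "  (key not present)"
        continue
    }

    # Each exclusion is stored as a value name under one of these subkeys.
    foreach ($sub in 'Paths', 'Extensions', 'Processes') {
        $key = Join-Path $root $sub
        if (Test-Path $key) {
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) {
                Write-Host ("  {0,-10} {1}" -f $sub, $name)
            }
        }
    }

    # Report every identity granted read access; a broad entry such as 'BUILTIN\Users'
    # means any local account can enumerate the list.
    $acl = Get-Acl $root
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $readRight) -eq $readRight)) {
            Write-Host ("  readable by: {0}" -f $ace.IdentityReference)
        }
    }
}

# Cross-check with the effective configuration Defender reports, which merges
# Security Center and policy-based exclusions.
Write-Host "== Effective exclusions (Get-MpPreference) =="
$pref = Get-MpPreference
$pref.ExclusionPath      | ForEach-Object { Write-Host "  Path:      $_" }
$pref.ExclusionExtension | ForEach-Object { Write-Host "  Extension: $_" }
$pref.ExclusionProcess   | ForEach-Object { Write-Host "  Process:   $_" }
```

Comparing the two registry sections lets an administrator confirm where each exclusion actually comes from and verify the read permissions on each key, rather than assuming that moving exclusions to Group Policy changes who can see them.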

Via | WindowsReport