
Windows Defender oversight allows malware to run undetected.

rcmaehl

Summary

An oversight in protecting the list of excluded directories in Windows Defender allows Malware to hide itself in those folders.


Media

WinDefenderExclusions.jpg


Quotes

A weakness that affects Microsoft Defender antivirus on Windows. The issue has persisted for at least eight years... and affects Windows 10 21H1 and Windows 10 21H2. Defender lets users add locations... on their systems that should be excluded from malware scans. Since the list of scanning exceptions differs from one user to another, it is useful information for an attacker on the system, since this gives them the locations where they can store malicious files without fear of being detected. Researchers discovered that the list of locations excluded... is unprotected. Users can query the registry and learn the paths that Microsoft Defender is not allowed to check. Also confirmed... one can grab the list of exclusions from the registry...that store Group Policy settings. This information is more sensitive as it provides exclusions for multiple computers. In tests done by BleepingComputer, a malware strain executed from an excluded folder ran unhindered on the Windows system and triggered no alert from Microsoft Defender. Given that it's been this long and Microsoft has yet to address the problem, network administrators should consult the documentation for properly configuring Microsoft Defender exclusions on servers and local machines via group policies.


My thoughts

Neat. While this isn't too useful by itself, as a machine will need to already be running malicious code, it is, at the very least, a nice piece of knowledge for continuous movement and infection. I'm sure there is at least some restriction that can be applied to this registry key, especially since there are reports that this isn't an issue in Windows 11.


Sources

WindowsReport

BleepingComputer


PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


Criminal: Hey 50, what streets do you all not patrol

Cop: x, y, and z

Criminal: commits crimes on those streets
Cop:

40f.png


Should really only be excluding folders that are themselves already protected and require a higher level of permissions to write into. Though it is a little dumb that a regular user can see system exclusions and not only their own, if they are allowed to add them.


P.S. Only fools do global exceptions; anything excluded on a system should be relevant to that system, which is trivially easy to achieve.


I don't have this problem because I just used the Group Policy Editor to turn off everything related to Windows Update, Windows Defender, the firewall, or anything else remotely annoying.

Untitled.thumb.png.cd34df8aa6065fa215dbeb05eb2acfb6.png


I haven't seen a pop-up in the corner of the screen ever; it's great.


2 minutes ago, 8tg said:

61geiq.jpg.b8c965d3f74a9aa0306eca735c8fc064.jpg

Are you suggesting malicious programs only get to your PC through banner ads? 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


4 minutes ago, mr moose said:

Are you suggesting malicious programs only get to your PC through banner ads? 

Doesn't matter, wouldn't know; everything that could say or help is disabled, so... 🤷‍♂️


Probably also not a smart idea that they posted an image showing a strong likelihood of the usage of a pirated version of Windows too 😉


Just now, mr moose said:

Are you suggesting malicious programs only get to your PC through banner ads? 

I'm suggesting average Windows users share 1 brain cell per 2-3 Windows keys, and the reason why antivirus of any variety exists at all is because people are on average very stupid and manage to do many dumb things which end with them installing something malicious on their PC.

And secondarily, the fear-hyping over viruses and malware or whatever is boosted primarily by the companies providing the software or services against these things, because they too can make a profit off of stupid people.


I haven't used any kind of antivirus, firewall or any of that stuff pretty much my whole life because I have a vague idea of how to remain generally secure on the internet, and those things are more hassle than they're worth. Half of the 3rd-party options are just malware of their own type, Windows Defender refuses to leave my system alone, and it likes to delete things that it doesn't personally agree with without asking me. The firewall and the UAC stuff is just aggravating and wastes my time when I get booted out of a program because the firewall wants to ask me real quick if it's OK for this program to access my microphone.

It's one of the first things I do with any Windows install: disable all of that, on any version of Windows.


Hell, I've posted here from Windows XP; I actually regularly use that XP machine to browse the internet as it's a good host for music and old games.


Spoiler

Here's the true worst part about that entire sphere of computer stuff, internet security and viruses and all that jazz: it's the people who get super irritated, and subsequently super irritating to others, over all of it, because of some self-righteous crusade against the lesser-informed technological peasants than they. Please, talk down to me; I'm positive your installation of Norton was a smart idea for you personally and definitely wasn't a waste of $60.


5 minutes ago, leadeater said:

Probably also not a smart idea that they posted an image showing a strong likelihood of the usage of a pirated version of Windows too 

I paid for my LTSC activation via my workplace's activation servers we use for our computers there, because this machine is also regularly used for things like BlueZone/SPIN and RedPrairie dock management software when I need to work from home.

I wouldn't pirate Windows because

1) the above entire context of not doing something dumb that can get malicious software onto your system

2) it's only like $300 to be added to the KMS and my company reimbursed me anyway


4 minutes ago, 8tg said:

Secondarily, the fear-hyping over viruses and malware or whatever is boosted primarily by the companies providing the software or services against these things, because they too can make a profit off of stupid people.

You know, I actually agree with this, but you disabled Windows Defender, which costs nothing, and instead of using many of the options to improve the user experience you just outright disabled it. Each to their own, I guess.


12 minutes ago, leadeater said:

improve the user experience

these are not the accurate words to describe the following results of having it enabled:

- it sometimes downloads something in the background and eats up all my bandwidth for no reason

- it sometimes uses my entire CPU across all cores for some reason

- it sometimes uses all of my SSDs at 100% (presumably scanning them)

- generally having settings and controls that are not flexible enough and don't respect my requirements as a user (such as frequency and times of scans)

- quarantining things without asking me (LibreWolf browser, an old installation of Steam so I could get a working Steam install on XP, Second Life in general, basically anything old that hasn't been updated in forever like Mp3tag or basically any .msi executable file)

- deleting those same things without asking me, seemingly at random, as if it didn't see it at first but somehow did 3 days later

- not having any regular options to simply disable it if you don't want it


That's a huge one for me and it's why I really don't like modern Windows. It's a necessity based on what I need to run on Windows, but starting with Windows 10 the lack of user control is just obscene; you're not allowed to do anything in any reasonable way. With Windows 7, if you want Defender off, you just find Defender in the settings and turn it off, or just turn off the service in the Services settings panel.

With 10 you can't do either of those things; you need the Group Policy Editor, which not all versions of Windows 10 even have, or you need some 3rd-party workaround.

My issue is not that these things are inherently bad. For the regular user Windows Defender is a really good antivirus, in that it's not trying to sell you anything, and it's good enough for the everyday user, since they also probably won't notice any of the bullshit it does.

I do notice that, and I disagree with the lack of control users have over it (and Windows in general).

Though most users shouldn't, they should have the capability to straight-up turn off a service they don't want to use without any second questions beyond a confirmation box at most, and making something like that near impossible to do is why I disable it, because beyond what it wastes on my system, it's just as malicious on its own as the 3rd-party options in refusing to leave your hardware alone.


1 minute ago, James Evens said:

Imagine Windows actually had a working rights system ... nobody would care if you know the excluded paths, as you can't reach them ...

Sadly, I have come across many badly configured systems with data drives or directories with essentially wide-open NTFS permissions that are also excluded from AV, both of which are evidently discoverable. And if they are also mostly doing global exceptions and you know of one badly configured NTFS path on a system, you can safely assume others are likely the same too, and now you know the paths, just not the systems they are applicable to.


Even sysadmins fall victim to convenience-focused workarounds and implementations and figure the likelihood of risk is too low to worry about. This mindset is actually why cryptolocker viruses are able to have so much impact on many businesses, because people have write access to things they just do not need to. Read access too.


But we can't fix all the problems of the world.

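As an added example (not code from this thread or from any of its posters), here is a PowerShell audit in the spirit of leadeater's two points above: an excluded folder should only ever be one that standard users cannot write into, and wide-open NTFS permissions on an excluded directory are the real problem. It reads the effective exclusion list through the documented Get-MpPreference cmdlet, expands environment variables, and flags any excluded path whose ACL grants write access to Everyone, Users, Authenticated Users or INTERACTIVE. The principal list, the bit mask and the function names are my own choices; the script assumes an elevated PowerShell session on a host with the Defender module, English well-known group names, and that policy-delivered exclusions are reflected in the ExclusionPath output of Get-MpPreference.

```powershell
# Added example, not code from the thread: audit Microsoft Defender path exclusions
# and flag any excluded path that a non-administrative principal can write to.
# Assumes an elevated session on Windows 10/11 with the Defender PowerShell module.

# Principals that stand for "any logged-on user". A write-allow ACE for one of these
# on an excluded folder means code running as a standard user can drop files there
# without the scanner ever looking at them. (English well-known names; adjust on a
# localized Windows.)
$script:BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Access-mask bits that allow creating or changing files in a directory:
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4), plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that appear in
# some ACEs and have no name in the FileSystemRights enum.
$script:WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-BroadWriteAccess {
    # Returns the first broad principal holding a write-allow ACE on $Path, or $null.
    # Only Allow ACEs are evaluated; an explicit Deny ACE that overrides an Allow
    # would be missed, so treat a RISKY result as "needs a look", not as proof.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($script:BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $script:WriteMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

function Get-RiskyDefenderExclusions {
    # One record per configured path exclusion, classified as OK, RISKY or Missing.
    # Get-MpPreference returns the effective exclusion list, which (assumption) also
    # includes paths pushed by Group Policy, the "global exceptions" criticised above.
    $prefs = Get-MpPreference
    foreach ($raw in @($prefs.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # Exclusions may use %ProgramData%-style variables; wildcard entries such as
        # C:\Logs\*.log will not resolve with -LiteralPath and are reported as Missing
        # so that they get reviewed by hand.
        $path = [System.Environment]::ExpandEnvironmentVariables($raw)
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $raw; Status = 'Missing'; WritableBy = $null }
            continue
        }

        $who = Test-BroadWriteAccess -Path $path
        [pscustomobject]@{
            Path       = $raw
            Status     = if ($who) { 'RISKY' } else { 'OK' }
            WritableBy = $who
        }
    }
}

# RISKY rows sort first; these are the exclusions to tighten (fix the ACL) or remove.
Get-RiskyDefenderExclusions | Sort-Object Status -Descending | Format-Table -AutoSize
```

A RISKY row is an exclusion where the folder's own permissions, not the exclusion list's visibility, are the problem: either the ACL should be tightened so only administrators or a service account can write there, or the exclusion should go. Inherited permissions are included in the check because Get-Acl's Access property lists them alongside explicit ACEs.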

5 minutes ago, 8tg said:

it sometimes downloads something in the background and eats up all my bandwidth for no reason

Change the AV definition update settings. Turn off Cloud-Delivered Protection; turn off Automatic Sample Submission.


5 minutes ago, 8tg said:

it sometimes uses my entire cpu across all cores for some reason

Limit Defender to a maximum CPU % you deem necessary, turn off Real-Time Protection if you think that is the cause, and change your scheduled scan settings.


57 minutes ago, 8tg said:

I haven't used any kind of antivirus, firewall or any of that stuff pretty much my whole life because I have a vague idea of how to remain generally secure on the internet, and those things are more hassle than they're worth. Half of the 3rd-party options are just malware of their own type, Windows Defender refuses to leave my system alone, and it likes to delete things that it doesn't personally agree with without asking me. The firewall and the UAC stuff is just aggravating and wastes my time when I get booted out of a program because the firewall wants to ask me real quick if it's OK for this program to access my microphone.

It's one of the first things I do with any Windows install: disable all of that, on any version of Windows.

See, what makes you curious is you say it's deleted things...and for that reason you are using no antivirus (you still have a firewall on your router)...also by the sounds of it UAC...and still have Windows XP systems.


Got to tell you, I would not trust plugging my laptop into your LAN. All it takes is visiting a single site (or an ad redirecting you to a site) that is utilizing a zero-day. Without any antivirus, you will never know at all (or even be afforded the protection of it).


Having had to deal with a virus that spread using a zero-day (one user opened an infected doc file) that didn't get picked up until about 12 hours later (because it was a brand-new virus), it is not a fun experience, and it's really trivial to get a virus even when trying to be safe. Lapses will happen, websites will be hacked, ads will be poisoned, docs will be infected. Antivirus can help mitigate the damage from all of these, or give you warning that something is wrong.

3735928559 - Beware of the dead beef


1 hour ago, leadeater said:

Change the AV definition update settings. Turn off Cloud-Delivered Protection; turn off Automatic Sample Submission.


Limit Defender to a maximum CPU % you deem necessary, turn off Real-Time Protection if you think that is the cause, and change your scheduled scan settings.

You know, I have a fairly modest system, an R5 3600 with 16G of yum cha speed RAM; before that I had 8G and an i5 3550. I never really notice Defender doing anything in the background; mind you, I also didn't go and get an enterprise-level OS and start playing with shit until it broke.


2 hours ago, wanderingfool2 said:

See, what makes you curious is you say it's deleted things...

To be fair, it does delete things that it shouldn't, like ProduKey in my case.....


These are HKLM keys, meaning the malware would need admin privileges to be able to write to them.


If you avoid using an admin user account regularly, your chances of this being exploited go down dramatically, as the malware would have to use another exploit to elevate itself.

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


2 minutes ago, bcredeur97 said:

If you avoid using an admin user account regularly...

Good luck with this regarding laptop users working remotely from the office. While there are services to enable remote elevation, that's predicated on having an active help desk at the other end.


The only other doable method is to create unique local Administrator accounts with their own **passwords, provided to the end user for utilitarian purposes, all while their AD account is only a member of the local Users group.


Spoiler

**Passwords that are often written on Post-It notes affixed to the laptop palm rest. That's some high IQ thinking right there.


After seeing how dumb and useless Folder Access Control is, and how Microsoft still cannot make it function properly after all these years, I have very little faith in it, especially after they have such hidden exclusions of folders. I'm just gonna stick with Avast or Kaspersky...


1 hour ago, leadeater said:

I have a feeling Microsoft doesn't think that is a mistake lol

Couldn't care less about their shady opinion. Can't keep track of everything, including which machine has which key.... 😉


4 hours ago, StDragon said:

Good luck with this regarding laptop users working remotely from the office. While there are services to enable remote elevation, that's predicated on having an active help desk at the other end.


The only other doable method is to create unique local Administrator accounts with their own **passwords, provided to the end user for utilitarian purposes, all while their AD account is only a member of the local Users group.


Spoiler

**Passwords that are often written on Post-It notes affixed to the laptop palm rest. That's some high IQ thinking right there.


Something like MS LAPS is probably best, so you can give the user a one-time password they can use to elevate, and it resets itself after a short period. But again, like you said, this is only good for when you actually have a helpdesk. And it also requires having a domain, which means the user will need an always-on VPN in the case of remote work so that the computer can reach said domain. (Unless you do a public RODC, but does LAPS even work with those?)

MS needs to design Windows around the user not having admin privileges by default, or, like, requiring UAC prompts to enter a password so there's more thought put into them instead of just blindly clicking "yes".

Although people would complain about this, since unfortunately a lot of people do need admin privileges pretty often. 

No good solution really? 


12 hours ago, bcredeur97 said:


MS needs to design windows around the user not having admin privileges' by default, or like requiring UAC prompts to enter a password so there's more thought put into them instead of just blindly clicking "yes". 

And they would be shot down for it in seconds; it was the first thing that happened when they introduced click-through UAC in Vista (can't actually remember when it started, but I think it was Vista). MS's problem is not making a usable UI, it's not in designing folder access that is both secure and works for each user, it's in trying to please all 90% of the market simultaneously. They'd have a much better chance of solving for world peace.

