Microsoft finally makes bypassing defender scans harder…
A little known exploit within Microsoft Defender that allowed anyone, regardless of permissions, to view the system scan exclusions has now finally been fixed.
Any user could simply open an unelevated command prompt and run the following command in order to view the defender scan exclusions:
reg query "HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS" /s
Upong running this command the user would be greated with the following output listing the exclusions that are inplace. This would enable a malicious actor to position their payloads within these excluded folders to allow them to go undertected.
Upong running the command post patch, a user who is not adminsitrator will receive the message “ERROR: ACCESS IS DENIED”. This patch is believed to have been pushed out of the recent patch Tuesday, although Microsoft haven’t officially confirmed how this update was delivered.