Having an antivirus to protect systems and prevent attacks is essential. In this sense, Windows Defender has become a favorite among users of Microsoft's system: it works well, it is free and it comes integrated with the OS itself. In this article, however, we cover a problem that affects this antivirus and can be exploited by a cybercriminal.
A flaw puts Windows Defender at risk
Attackers now have a way to exploit Windows Defender and bypass its protection. This is not something new: according to computer security researchers, the flaw has been present for at least 8 years.
But how does this error work? Windows Defender, like other security solutions, lets users add locations (local or on the network) to exclude them from scanning. This is useful to avoid false positives, for example when downloading a file or installing a program.
A system can have a series of excluded folders or locations that the antivirus will not act on. The problem is that this list is not protected: it is stored in the registry where any local user can read it. What happens if an attacker learns which locations are excluded?
Also, keep in mind that this works regardless of the privileges the local user has: no administrator rights are needed. A standard user can read the registry and learn the paths that Windows Defender ignores when scanning for malware. This information should be confidential and not available to everyone.
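To see what a standard user can actually read, here is an added PowerShell check (not from the original article) that lists the exclusions Defender stores under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions, shows which accounts are granted read rights on that key, and flags any exclusion that points at a user-writable location. The registry path is the one Defender uses; the list of "user-writable" prefixes is an assumption of this example.

```powershell
# Added example (not from the original article): check whether Defender's
# exclusion list is readable by the current non-admin user, who has read
# access on the key, and whether any exclusion covers a user-writable
# location. Run it from a standard (non-elevated) PowerShell prompt.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

# Exclusions are stored as value names under the Paths, Extensions and
# Processes subkeys (the value data itself is not interesting).
$found = @{}
foreach ($kind in 'Paths', 'Extensions', 'Processes') {
    $key = Join-Path $base $kind
    try {
        $names = (Get-Item -Path $key -ErrorAction Stop).GetValueNames()
        $found[$kind] = $names
        Write-Host ("[{0}] readable by this user: {1} entries" -f $kind, $names.Count)
        $names | ForEach-Object { Write-Host "    $_" }
    } catch {
        # On a system where the key permissions have been fixed, a standard
        # user lands here with "Requested registry access is not allowed".
        Write-Host ("[{0}] not readable: {1}" -f $kind, $_.Exception.Message)
    }
}

# Who is allowed to read the key? The weakness was an ACE granting Read to
# Everyone; the list should be limited to SYSTEM and administrators.
try {
    $acl = Get-Acl -Path (Join-Path $base 'Paths')
    Write-Host "`nAccounts with read rights on Exclusions\Paths:"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.RegistryRights.ToString() -match 'ReadKey|QueryValues|FullControl'
        } |
        Format-Table IdentityReference, RegistryRights -AutoSize
} catch {
    Write-Host "Cannot read the key's ACL: $($_.Exception.Message)"
}

# Defensive check: an exclusion that covers a location any user can write to
# is exactly what an attacker hopes to find. The prefix list is an assumption
# of this example; adjust it for your environment.
$userWritable = @('C:\Users\', 'C:\Temp\', 'C:\Windows\Temp\', 'C:\ProgramData\')
foreach ($p in $found['Paths']) {
    $expanded = [Environment]::ExpandEnvironmentVariables($p)
    foreach ($prefix in $userWritable) {
        if ($expanded.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "Exclusion '$p' lies in a user-writable location ($prefix)"
        }
    }
}
```

Run it as a standard user on an affected build and the first section prints the full exclusion list; on a build with corrected permissions the same query fails with an access-denied error, which is the behaviour you want to confirm after patching. `Get-MpPreference` exposes the same data through the `ExclusionPath`, `ExclusionExtension` and `ExclusionProcess` properties, so checking that command from a non-admin prompt is a quick second test.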
Affects multiple versions
According to security researchers, this issue affects Windows 10 21H1 and Windows 10 21H2. It does not appear to affect Windows 11, the latest version of Microsoft's operating system.
Although this problem can be exploited, the truth is that an attacker cannot reach the information from outside. Exploiting it requires local access to the machine: it cannot be exploited remotely, and that greatly limits what an attacker can do with it.
What does this problem mean in practice? Say a user has a folder where they keep downloaded files they know are safe but that the antivirus flags as a threat. For example, if you carry out ethical hacking tests, antivirus programs often warn of a supposed virus and automatically delete the file, so the folder ends up excluded. An attacker who knows which folder has been excluded could drop ransomware there and run it without being detected.
Our advice is to always keep everything updated to the latest version, so that problems like this vulnerability get corrected and attackers cannot take advantage of them to launch their attacks. You can also see the steps to avoid false positives in Windows Defender, so that you do not run into problems when downloading certain files.