Home  >  Article  >  Microsoft finally makes it harder to bypass Defender scans by changing exclusion permissions

Microsoft finally makes it harder to bypass Defender scans by changing exclusion permissions

WBOY
WBOYforward
2023-04-29 16:43:061638browse
  • Click to enter:ChatGPT tool plug-in navigation directory
微软终于通过更改排除权限使绕过 Defender 扫描变得更加困难

Microsoft Defender was recently released in AV-TEST in December 2021 It scored exceptionally well in the latest rankings in October and October 2021, earning high praise. However, AV-Comparatives was much less impressed with Defender, at least compared to some alternatives like McAfee.

One thing is certainly common in both assessments, though. The scoring from Microsoft's backs is definitely better in the second half of 2021, which means the Redmond Giants are making good progress in that area. As we move into 2022, it still looks to be improving.

A security researcher with the Twitter handle CISOwithHoodie noticed that Microsoft recently made very important changes to the permissions of Windows Defender exclusions. Previously, excluded folders and directories were visible to "Everyone" and were easily accessible via the registry address: "HKLM\Software\Microsoft\Windows Defender\Exclusions".

However, after this update, it has been modified so that only people with administrator rights can view excluded files and folders, as shown in the image below:

微软终于通过更改排除权限使绕过 Defender 扫描变得更加困难

When people now try to use the command line to query the registry address for exclusions, an error message pops up saying access is denied (image below), whereas before, it would show excluded files and folders.

微软终于通过更改排除权限使绕过 Defender 扫描变得更加困难

#Will Dorman, a vulnerability analyst at CERT, also confirmed that registry-based policy changes are now protected as well.

If you're wondering why this matters, when exclusions are visible to everyone, threat actors can easily drop a malicious payload into one of these excluded folders and bypass Windows entirely Defender scan.

As of now, it's unclear exactly how Microsoft is delivering the update though, with the recent February Patch Tuesday being thought to be the time to introduce the update.

The above is the detailed content of Microsoft finally makes it harder to bypass Defender scans by changing exclusion permissions. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yundongfang.com. If there is any infringement, please contact admin@php.cn delete