September 27, 2023

Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders plant malware to avoid the AV scanning.

Microsoft Defender allows users to exclude locations on their machines that should be excluded from scanning by the security solution.


The knowledge of the list of scanning exceptions allows attackers to know where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide were store their malicious tools and malware without being detected.

The issue seems to affect Windows 10 21H1 and Windows 10 21H2 since at least eight years, but it does not affect Windows 11.

Running the “reg query” command it is possible to access the list, regardless of its permissions.

reg query “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions”

Microsoft has yet to address the weakness, for this reason, administrators should use group policy to configure Microsoft Defender while installing their systems. Exclusions on servers and local machines via group policies.

Leave a Reply

%d bloggers like this: