
Microsoft finally makes bypassing Defender scans harder by changing Exclusions permission


Microsoft's Defender has been receiving high praise recently, as it scored exceptionally well in AV-TEST's latest rankings for December 2021 and October 2021. However, AV-Comparatives was much less impressed by Defender, at least when compared to some of its alternatives like McAfee.

One thing was common to both assessments, though: Microsoft Defender's score was better in the second half of 2021, implying that the Redmond giant is making good progress in the field. And it looks like it's still improving as we get into 2022.

A security researcher with the Twitter username CISOwithHoodie noticed that Microsoft has recently made a very important change to the permissions for Windows Defender Exclusions. Previously, the list of excluded folders and directories was readable by "Everyone" and could easily be obtained by querying the Registry key "HKLM\Software\Microsoft\Windows Defender\Exclusions".

After this update, however, the permissions have been modified so that only someone with Administrator rights can view the excluded files and folders, as can be seen in the image below:

Microsoft Defender updated Exclusions permission

When one now tries to query the Registry key from the command line to find the Exclusions, an "Access is denied" error message pops up (image below), whereas earlier the query would reveal the excluded files and folders.

Microsoft Defender updated Exclusions permission

Will Dormann, a Vulnerability Analyst at CERT, confirmed that Registry-based Policy changes were also now protected.

If you are wondering why this is such a big deal: when the Exclusions list is visible to everyone, a threat actor can easily place a malicious payload inside one of those excluded folders and completely bypass Windows Defender scanning.
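To confirm whether a given machine has the new permissions, an administrator can audit the key directly. The PowerShell below is an added example, not code from the article or from Microsoft; the function name Get-ExclusionKeyExposure and the choice of which principals count as "broad" are assumptions made for illustration.

```powershell
# Added example: audit who can read the Defender Exclusions key named in the article.
$ExclusionsKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'

# Well-known SIDs of broad, non-administrative principals (locale-independent).
# Which principals to treat as "broad" is an assumption of this example.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-ExclusionKeyExposure {
    param([string]$Path = $ExclusionsKey)

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 1. Can the calling token enumerate the key? Keep the error type so that
    #    "access denied" is not confused with "key not found".
    $readable = $true; $readError = $null
    try   { Get-ChildItem -Path $Path -ErrorAction Stop | Out-Null }
    catch { $readable = $false; $readError = $_.Exception.GetType().Name }

    # 2. Which broad principals hold an Allow ACE that includes QueryValues?
    #    Deny ACEs are not evaluated; this lists grants, not effective access.
    $grants = @(); $aclInspected = $true
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
        foreach ($ace in $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])) {
            $sid      = $ace.IdentityReference.Value
            $canQuery = ($ace.RegistryRights -band [Security.AccessControl.RegistryRights]::QueryValues) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canQuery -and $BroadSids.ContainsKey($sid)) {
                $grants += $BroadSids[$sid]
            }
        }
    } catch { $aclInspected = $false }

    [pscustomobject]@{
        Path             = $Path
        RunningAsAdmin   = $isAdmin
        ReadableByCaller = $readable
        ReadError        = $readError
        AclInspected     = $aclInspected
        BroadReadGrants  = @($grants | Select-Object -Unique)
    }
}

Get-ExclusionKeyExposure | Format-List
```

Run elevated, an empty BroadReadGrants indicates the restricted permissions are in place; run as a standard user on an updated machine, ReadableByCaller should be False with a security-related ReadError.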

So far, it's not clear how exactly Microsoft is delivering the update, though it is thought that it was introduced with the recent February Patch Tuesday.

Source and images: CISOwithHoodie (Twitter)(1, 2)
