A weakness in the Microsoft Defender antivirus can allow attackers to retrieve information to use to avoid detection.

Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders plant malware to avoid the AV scanning.

Microsoft Defender allows users to exclude locations on their machines that should be excluded from scanning by the security solution.

The knowledge of the list of scanning exceptions allows attackers to know where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide were store their malicious tools and malware without being detected.

The issue seems to affect Windows 10 21H1 and Windows 10 21H2 since at least eight years, but it does not affect Windows 11.

SentinelOne threat researcher Antonio Cocomazzi pointed out that the list of scanning exceptions can be accessed by any local user, regardless of its permissions.

Running the “reg query” command it is possible to access the list.

Microsoft Defender exclusion list