Microsoft fixes Defender vulnerability that allowed the antivirus to be bypassed
Microsoft has quietly addressed a vulnerability in its Defender antivirus tool. The change means that malware can no longer be placed via a certain method without Defender sounding the alarm.
The change was made last week: by default, administrator rights are now required to view exclusions via Windows Security and the registry key HKLM\Software\Microsoft\Windows Defender\Exclusions. Previously, that key could be read from the registry by every Windows user. The adjustment was noticed by security expert SecGuru_OTX; Microsoft hasn't published anything about it yet.
The key contains a list of files, folders, and other locations that Defender must exclude from malware scanning. Malicious actors could abuse this by placing malware in an excluded location, where it would go undetected by Defender, Bleeping Computer writes. The fact that no administrator rights were required to read the exclusions greatly increased the risk of abuse. The vulnerability is said to have existed since 2014 and to have also worked in conjunction with Group Policies.
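For administrators who want to verify whether their own machines have the pre-fix behaviour described above, the following PowerShell script is an added example and is not part of the article or of Microsoft's own tooling. It reads the ACL on the Defender exclusions key named in the article and, as an assumption, also on the Policies key where Group Policy-managed exclusions are stored, reports whether broad principals such as BUILTIN\Users hold read rights, and lists how many exclusion entries each subkey holds so they can be reviewed. Run it from an elevated prompt.

```powershell
# Added audit script (not from the article): checks whether standard users can
# read Defender exclusions from the registry keys discussed above.
# Assumption: the Policies key below is where Group Policy-set exclusions land.
# Run as Administrator so the ACLs and subkeys can be read reliably.

$exclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',          # local exclusions (key named in the article)
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'  # Group Policy-managed exclusions (assumed location)
)

# Identities that effectively mean "every logged-on user" on a default install
$broadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey

foreach ($key in $exclusionKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key : not present"
        continue
    }

    $acl = Get-Acl -Path $key

    # An Allow ACE that grants a broad principal the full ReadKey bit set
    # (QueryValues, EnumerateSubKeys, Notify, ReadPermissions) is the pre-fix state.
    $broadRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    }

    if ($broadRead) {
        Write-Output "$key : readable by non-administrators (pre-fix behaviour)"
        $broadRead | ForEach-Object {
            Write-Output ("  {0} -> {1}" -f $_.IdentityReference.Value, $_.RegistryRights)
        }
    } else {
        Write-Output "$key : read access restricted (no broad principal holds ReadKey)"
    }

    # The Paths, Extensions and Processes subkeys hold the actual exclusion entries;
    # show a count per subkey so an administrator can review what is excluded.
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $count = $_.GetValueNames().Count
        Write-Output ("  {0}: {1} exclusion entries" -f $_.PSChildName, $count)
    }
}
```

On a machine that has received the change, the first key should no longer report any broad principal with ReadKey; if it still does, the exclusion list is visible to every local user exactly as the article describes, and the ACL (or the Defender update level) is worth investigating.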
Source: SecGuru_OTX