Windows Defender is a Microsoft Windows anti-malware component. It was initially made available as a free anti-spyware download for Windows XP, and it was later included with Windows Vista and Windows 7. It has matured into a comprehensive antivirus tool, replacing Microsoft Security Essentials in Windows 8 and subsequent editions.
Threat actors can abuse a weakness in Microsoft Defender antivirus on Windows to learn which locations are excluded from scanning and plant malware there, where it will not be inspected.
According to some users, the issue has existed for at least eight years and affects Windows 10 21H1 and Windows 10 21H2.
Security researchers revealed that the list of locations Microsoft Defender does not scan is unprotected and readable by any local user.
Local users, regardless of their privilege level, can query the registry and learn which paths Microsoft Defender is not permitted to examine for malware or other harmful files.
Antonio Cocomazzi, a SentinelOne threat researcher who reported the RemotePotato0 vulnerability, points out that there is no protection for this information, which should be considered sensitive, and that running the “reg query” command reveals everything that Microsoft Defender is not supposed to scan, whether it is files, folders, extensions, or processes.
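The enumeration described above, as an added example that is not part of the original article or the researcher's own tooling. It reads the Defender exclusion keys from the registry as a standard user would and then checks whether the key's ACL still grants read access to broad groups such as BUILTIN\Users. The registry locations are the documented Defender exclusion keys; the function names and the list of "broad" principals are this example's own choices, and on systems where Microsoft has since tightened the key's permissions the read will fail, which is the desired outcome:

```powershell
# Added example (not from the original article): enumerate Microsoft Defender
# exclusions from the registry the way an unprivileged local user could, and
# check whether the key is readable by broad groups. The equivalent one-liner
# referred to in the article is:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s

# Documented exclusion roots. The Policies key holds exclusions pushed by Group Policy.
$exclusionRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
)

function Get-DefenderExclusionsFromRegistry {
    param([string[]]$Roots = $exclusionRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Subkeys are Paths, Extensions and Processes (some builds also have
        # IpAddresses and TemporaryPaths). Each excluded item is stored as a
        # value NAME with DWORD data 0, so the value names are the exclusions.
        foreach ($sub in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            try {
                $item = Get-Item -LiteralPath $sub.PSPath -ErrorAction Stop
            } catch {
                # Access denied: the key is ACL'd so standard users cannot read it.
                [pscustomobject]@{ Source = $root; Type = $sub.PSChildName; Exclusion = '<access denied>' }
                continue
            }
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Source = $root; Type = $sub.PSChildName; Exclusion = $name }
            }
        }
    }
}

function Test-DefenderExclusionKeyReadableByUsers {
    # Returns $true if a broad principal holds an Allow ACE with QueryValues on
    # the key, $false if not, and $null if the ACL itself cannot be read.
    param([string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions')
    if (-not (Test-Path -LiteralPath $Key)) { return $false }
    try {
        $acl = Get-Acl -LiteralPath $Key -ErrorAction Stop
    } catch {
        return $null
    }
    # Principals treated as "any local user" for this check (example's own list).
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $query = [System.Security.AccessControl.RegistryRights]::QueryValues
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            (($ace.RegistryRights -band $query) -eq $query)) {
            return $true
        }
    }
    return $false
}

# Usage: run from a non-elevated PowerShell session to see what a standard user sees.
Get-DefenderExclusionsFromRegistry | Format-Table -AutoSize
switch (Test-DefenderExclusionKeyReadableByUsers) {
    $true  { 'Exclusions key is readable by standard users: exclusions are exposed.' }
    $false { 'No broad read ACE on the Exclusions key.' }
    $null  { 'Could not read the key ACL (access denied): key appears locked down.' }
}
```

Run it without elevation: if the first function lists real paths, any local account can map the blind spots, and every listed directory is a candidate staging location for an attacker who already has a foothold. The supported administrative view of the same data is Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess), which requires an elevated session; the practical hardening is to keep exclusions to a minimum and to treat anything that must be excluded as a location that needs other controls (restrictive file ACLs, application control) because Defender will not look at it.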