According to a Tweet by Antonio Cocomazzi, “Windows Defender AV allows Everyone to read the configured exclusions on the system”.
NathanMcNulty added that you can also grab exclusions configured through policies :reg query “HLKM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions” /s
According to the report, this vulnerability does not affect Windows 11 users. However, the large majority of users around the world still use Windows 10.
This vulnerability allows the reg command to effectively pull secure antivirus exclusion information from the registry. This information is very sensitive and a lucrative asset to be able to access. The importance of this vulnerability is that all user types have access permissions to this, as it is not limited only to admin, meaning that using Windows Defender, ANY user (not only admins) can query what AV exceptions are configured and exploit them for malicious purposes, which will then be ignored by the Antivirus.
Easily fixed through using Minerva’s Virtual Patching capabilities.
Using Minerva’s Virtual Patching capabilities, we can easily define a rule that will protect the Exclusions registry from non-admin queries, effectively disabling this vulnerability without the need to wait for an official patch.
As we can see, after implementing the virtual patch, the exploit protection module blocks the query. Now, when a user tries to query the exclusions list, they get an “access denied” error.
Summary
Despite Windows Defender leaving a huge security gap open, using Minerva’s virtual patching, users can easily secure this vulnerability on all the end points in their organization within minutes.