Windows Defender: Why Check Your Exclusions


Windows Defender is integrated with Windows 10, so it’s no wonder it’s up there as the most popular anti-virus solution. Once you log in to your new Windows 10 machine, it’s pretty much ready to go. The plus side is that Defender is a pretty solid AV, and if you look at Gartner, they even rate them as the best.

So as not to play favourites, I will say this is slightly deceptive, though: for this level of quality, you really need the full package of ATP. Defender is good on its own, don’t get me wrong, but to compete at enterprise level, and have the customisation of some of the other leaders, you need the Advanced Threat Protection package. By no means is your child going to have ATP on a laptop they use for Netflix.

Gartner: https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/

As with every security product, it’s only as good as it’s configured to be. Security doesn’t come out of the box, and if it does, it normally has “holes”. What I’m about to cover isn’t so much a “hole”; it’s more the sledgehammer creating it.

To show you what I mean, I’m going to be using EICAR: https://www.eicar.org/
EICAR is a simple test string that helps check whether your security solution is doing its job.

As you can see below, Defender notices that the “malicious” code has been written to a file. Good job!

Because Defender is integrated into Windows, it has its own PowerShell modules/cmdlets. This allows you to automate tasks, which can be really handy, for both sides.

Below, I’ve used the “Add-MpPreference” cmdlet to exclude the path before I create the EICAR file. Notice that there is no warning and I’ve managed to create the file.

This is because Defender can no longer see that location and cannot prevent the threat. This single line of code could potentially allow malware to be run on your machine without you noticing. It won’t be this obvious, though, and will normally be masked in a fake or malicious executable/installer. The reason is that these are often run as admin, and changing Defender’s exclusions requires that privilege.

Below is an example taken from a real threat:

https://app.any.run/tasks/675dbf95-ff70-41c3-bdf5-d995a6c77882/

Notice that the path is “C:\Users”, which excludes all files saved under all user profiles.
This path is excluded before the payload does its thing. If run successfully, it could be game over. Click the link below the picture to see how the example works; it’s pretty interesting.

Hopefully this makes you aware of potential threats and why it’s worth checking, especially after you clicked or downloaded that file you’re not too sure of.

To check, open Security Center and click Manage Settings:

Scroll down to Exclusions and click Add or remove exclusions:

Here you will see your exclusions. If you have any you wish to remove, click the down arrow and click Remove:
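If you would rather check from PowerShell than click through Security Center, the script below is an added example (not from the original post) that lists the current exclusions with Get-MpPreference, the read-side counterpart of the Add-MpPreference cmdlet used above, flags overly broad ones such as “C:\Users”, cross-checks the registry key that stores path exclusions, and pulls recent configuration-change events. The $BroadPaths list is an assumption to adjust for your own estate; it needs an elevated prompt on a machine with the built-in Defender module.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell prompt.
# Paths that should almost never be excluded (assumed list; tune for your environment).
$BroadPaths = @("$env:SystemDrive\", 'C:\Users', 'C:\Windows', 'C:\ProgramData', 'C:\Temp')

function Get-DefenderExclusions {
    # Get-MpPreference exposes the same settings Add-MpPreference writes.
    $pref = Get-MpPreference
    [PSCustomObject]@{
        Paths      = @($pref.ExclusionPath      | Where-Object { $_ })
        Extensions = @($pref.ExclusionExtension | Where-Object { $_ })
        Processes  = @($pref.ExclusionProcess   | Where-Object { $_ })
    }
}

function Test-BroadExclusion {
    param([string]$Path)
    # A bare wildcard blinds Defender just as much as a root folder does.
    if ($Path -match '^\*+$') { return $true }
    $norm = $Path.TrimEnd('\')
    foreach ($b in $BroadPaths) {
        if ($norm -ieq $b.TrimEnd('\')) { return $true }
    }
    return $false
}

$ex = Get-DefenderExclusions
"Excluded paths:      $($ex.Paths -join ', ')"
"Excluded extensions: $($ex.Extensions -join ', ')"
"Excluded processes:  $($ex.Processes -join ', ')"
foreach ($p in $ex.Paths) {
    if (Test-BroadExclusion $p) { Write-Warning "Suspiciously broad exclusion: $p" }
}

# Cross-check the registry key that backs path exclusions (the kind of query the
# commenter below mentions); each value name under this key is an excluded path.
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
if (Test-Path $regKey) {
    (Get-Item $regKey).Property | ForEach-Object { "Registry path exclusion: $_" }
}

# Event ID 5007 in the Defender operational log records configuration changes,
# including exclusions added by Add-MpPreference; recent entries show who changed what.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message
```

Forwarding event ID 5007 to your SIEM gives you the same check fleet-wide, rather than one machine at a time.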

One thought on “Windows Defender: Why Check Your Exclusions”

  1. Nice one Ash, I also recently added the reg query to check Windows Defender for excluded files in my live response script.

