Feature request: Block readaccess to Windows Defender exclusions


Hello Defender ATP Team,

 

I have already submitted this request via the Feedbackhub, but I think it is important enough to request it here.

 

A user without administrative rights can't add exclusions to Windows Defender; however, he can read the exclusions:

- via the PowerShell cmdlet "Get-MpPreference"

- via the registry

 

An attacker who manages to get his code running on a machine with user rights could check for folder exclusions with write access and place his payload there.


I created a (very quick and very dirty) sample PowerShell script which will place a Base64-encoded EICAR string in each directory where BUILTIN\Users have write access.

 

I would appreciate an option to disable read access to Windows Defender exclusions, at least for normal users without administrative rights.


Best regards

Stefan

5 Replies
No comments from the Devs or a Microsoft official so far, so I encourage you to like the post if you think this is an issue which needs to be addressed :)

A quick status from my side about this topic. Someone at Microsoft listened to this post or my Feedbackhub request:

 

Starting with Windows Defender Platform Version 4.18.2008.4, only admins can view the exclusions when using the PowerShell cmdlet "Get-MpPreference":

[screenshot: SteBeSec_0-1598295707598.png]

 

Sadly, access to the exclusions via the registry (with user rights) is still possible:

[screenshot: SteBeSec_1-1598295885682.png]

 

Access to the ASR exclusions is also still possible via PowerShell and the registry.

 

So if you are the one from Microsoft who read my post: it would be great to get these things fixed with the next platform version.

 

Cheers,

Stefan

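The enumeration described in the original post and in the status update above (exclusions readable via Get-MpPreference or the registry, then a write-access check on each excluded folder), as an added example that is not the poster's own script. It assumes the standard exclusion keys under HKLM:\SOFTWARE\Microsoft\Windows Defender and HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender, probes write access by creating and deleting a file as the current user rather than reading ACLs, and only drops the (Base64-decoded) EICAR test file when -DropEicar is given:

```powershell
# Added example, not the script from the original post.
# Run as a standard (non-admin) user. Without -DropEicar it is read-only.
[CmdletBinding()]
param(
    [switch]$DropEicar
)

# Base64 of the standard EICAR test string; kept encoded so that the script
# file itself is not flagged on disk. Decoded only when written to a target.
$EicarB64 = 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo='

# Local and policy-managed exclusion keys (assumed standard locations).
# The value *names* under these keys are the excluded paths.
$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
)

function Get-ExclusionPaths {
    $paths = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

    # 1) Get-MpPreference: readable by non-admins on platforms before 4.18.2008.4;
    #    newer platforms hide the value from non-admins, so failures and N/A are tolerated.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        foreach ($p in @($pref.ExclusionPath)) {
            if ($p -and $p -ne 'N/A') { [void]$paths.Add($p) }
        }
    } catch {
        Write-Verbose "Get-MpPreference not readable: $($_.Exception.Message)"
    }

    # 2) Registry: the thread reports this is still readable with user rights.
    foreach ($key in $ExclusionKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($name in $item.GetValueNames()) { [void]$paths.Add($name) }
        }
    }
    return $paths
}

function Test-DirectoryWritable {
    param([string]$Directory)
    # Effective-access probe: create and immediately delete a zero-byte file.
    $probe = Join-Path $Directory ('.probe-' + [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$exclusions = Get-ExclusionPaths
Write-Host "Readable exclusion entries: $($exclusions.Count)"

foreach ($entry in $exclusions) {
    # Expand %VAR% forms and strip a trailing \* (folder-with-contents exclusion).
    $dir = [Environment]::ExpandEnvironmentVariables($entry) -replace '\\\*$', ''

    # Paths with other wildcards and file exclusions are skipped: a file
    # exclusion covers only that exact file, not a payload written next to it.
    if ($dir -match '[\*\?]') { Write-Host "SKIP (wildcard)      $entry"; continue }
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { Write-Host "SKIP (not a folder)  $entry"; continue }

    if (Test-DirectoryWritable -Directory $dir) {
        Write-Host "WRITABLE  $dir"
        if ($DropEicar) {
            $target = Join-Path $dir 'eicar-exclusion-test.com'
            [System.IO.File]::WriteAllBytes($target, [Convert]::FromBase64String($EicarB64))
            Write-Host "  dropped $target (if it survives a scan, the exclusion is effective)"
        }
    } else {
        Write-Host "read-only $dir"
    }
}
```

Probing with a real create/delete rather than parsing ACLs reports what the current token can actually do, which is the attacker's question; it also means the script leaves a brief trace in each folder it tests. Folders that stay "read-only" are not exploitable this way even though their exclusion is visible, so the list of WRITABLE entries is the one worth fixing first (tighten the folder ACL or narrow the exclusion to a file or process).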
This is a very important topic. I am very bothered by this. I don't want the users to be able to see the exclusions that I have applied by policy. It is a security breach.
Just a question: when you say that on 4.18.2008.4 only admins can see them, do you know if it is also hidden from the Defender UI (interface)? Thanks.

@Thiago_Mota Unfortunately, no. The "normal" user without administrative rights can still see exclusions in the Security Center:

[screenshot: SteBeSec_0-1599996274680.png]

This should be addressed for sure!