Forum Discussion

SteBeSec
Iron Contributor
Jul 09, 2020

Feature request: Block readaccess to Windows Defender exclusions

Hello Defender ATP Team,

I have already submitted this request via the Feedback Hub, but I think it is important enough to request it here.

A user without administrative rights can't add exclusions to Windows Defender; however, he can read the exclusions:

- via the PowerShell cmdlet "Get-MpPreference"

- via the registry

An attacker who manages to get his code running on a machine with user rights could check for folder exclusions with write access and place his payload there.

I created a (very quick and very dirty) sample PowerShell script which will place a Base64-encoded EICAR string in each directory where BUILTIN\Users have write access.

I would appreciate an option to disable read access to Windows Defender exclusions, at least for normal users without administrative rights.

Best regards

Stefan
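An added audit script from the administrator's side (not part of the original post and not Stefan's test script): it lists the Defender AV path exclusions and the ASR-only exclusions from Get-MpPreference and flags every excluded path that broad, non-admin principals (BUILTIN\Users, Authenticated Users, Everyone) can write to, so such exclusions can be tightened before anyone abuses them. It assumes Defender is installed and that it runs in an elevated PowerShell; the principal list, the write-rights mask and the status strings are this example's own choices.

```powershell
# Added example, not from the original post or from Stefan's test script.
# Audits local Defender AV and ASR path exclusions and reports which of them
# are writable by broad, non-admin principals.
# Assumes: Defender is installed and this runs in an elevated PowerShell
# (from platform 4.18.2008.4 on, Get-MpPreference hides exclusions from
# non-admins anyway, so the audit has to run as admin).

function Test-WritableByBroadPrincipal {
    param([Parameter(Mandatory)][string]$Path)

    # Principals that practically every interactive or service account belongs to.
    $broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

    # Rights that allow creating or modifying content at this path.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return $null   # ACL not readable: reported separately, never as "ok"
    }

    # Simplification: Deny ACEs and generic (GENERIC_*) rights are not evaluated;
    # an Allow ACE for a broad principal with any write bit counts as writable.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-DefenderExclusionAudit {
    $pref = Get-MpPreference

    # Collect the AV path exclusions and the ASR-only exclusions, which the
    # thread notes are exposed the same way.
    $entries = @()
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        $entries += [pscustomobject]@{ Kind = 'AV path'; Path = $p }
    }
    foreach ($p in @($pref.AttackSurfaceReductionOnlyExclusions | Where-Object { $_ })) {
        $entries += [pscustomobject]@{ Kind = 'ASR'; Path = $p }
    }

    foreach ($e in $entries) {
        # Exclusions may contain %ProgramFiles%-style variables or wildcards.
        $expanded = [Environment]::ExpandEnvironmentVariables($e.Path)
        if ($expanded -match '[\*\?]') {
            $status = 'skipped (wildcard pattern)'
        } elseif (-not (Test-Path -LiteralPath $expanded)) {
            $status = 'missing on disk'
        } else {
            $writable = Test-WritableByBroadPrincipal -Path $expanded
            if ($null -eq $writable)  { $status = 'ACL not readable' }
            elseif ($writable)        { $status = 'WRITABLE by non-admins' }
            else                      { $status = 'ok' }
        }
        [pscustomobject]@{ Kind = $e.Kind; Path = $e.Path; Status = $status }
    }
}

# Usage: full report, then only the entries that need attention.
Get-DefenderExclusionAudit | Format-Table -AutoSize
Get-DefenderExclusionAudit | Where-Object Status -like 'WRITABLE*'
```

Entries reported as writable are the ones worth reviewing: either narrow the exclusion (a specific file or process instead of a whole user-writable directory) or tighten the ACL on that directory. Wildcard exclusions are skipped rather than guessed at, since the pattern can match locations with different permissions.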

6 Replies

  • lightupdifire
    Brass Contributor
    Hello Stefan,
    There is an option now, called in the GPO "HideExclusionsFromLocalAdmins".

    But I'm challenged now why we cannot disable the use of the exclusions for users with administrative rights as well; I think this will be better. And it could be interesting to deploy an Intune profile that simply locks any exclusions from being added, viewed or accessed, so that only Intune service/tenant admins can.
  • SteBeSec
    Iron Contributor

    A quick status from my side about this topic. Someone at Microsoft listened to this post or my Feedback Hub request:

    Starting with Windows Defender Platform Version 4.18.2008.4, only admins can view the exclusions when using the PowerShell cmdlet "Get-MpPreference":

    Sadly, access to the exclusions via the registry (with user rights) is still possible:

    Access to the ASR exclusions is also still possible via PowerShell and the registry.

    So if you are the one from Microsoft who read my post: it would be great to get these things fixed with the next platform version.

    Cheers,

    Stefan

    • Thiago_Mota
      Brass Contributor
      This is a very important topic. I am very bothered by this. I don't want the users to be able to see the exclusions that I have applied by policy. It is a security breach.
      Just a question: when you say that on 4.18.2008.4 only admins can see them, do you know if they are also hidden from the Defender UI (interface)? Thanks.
      • SteBeSec
        Iron Contributor

        Thiago_Mota Unfortunately, no. The "normal" user without administrative rights can still see the exclusions in the Security Center:

  • SteBeSec
    Iron Contributor
    No comments from the devs or a Microsoft official so far, so I encourage you to like the post if you think this is an issue which needs to be addressed 🙂
