Jul 09 2020 01:10 PM - edited Jul 09 2020 01:16 PM
Hello Defender ATP Team,
I have already submitted this request via the Feedback Hub, but I think it is important enough to request it here as well.
A user without administrative rights can't add exclusions to Windows Defender; however, he can read the exclusions:
- via the PowerShell cmdlet "Get-MpPreference"
- via the registry
An attacker who manages to get his code running on a machine with user rights could check for folder exclusions with write access and place his payload there.
I created a (very quick and very dirty) sample PowerShell script which will place a Base64-encoded EICAR string in each directory where the BUILTIN Users have write access.
I would appreciate an option to disable read access to the Windows Defender exclusions, at least for normal users without administrative rights.
Best regards
Stefan
Jul 15 2020 08:25 AM
Aug 24 2020 12:08 PM
A quick status update from my side about this topic. Someone at Microsoft listened to this post or to my Feedback Hub request:
Starting with Windows Defender Platform Version 4.18.2008.4, only admins can view the exclusions when using the PowerShell cmdlet "Get-MpPreference":
Sadly, access to the exclusions via the registry (with user rights) is still possible:
Access to the ASR exclusions is also still possible via PowerShell and the registry.
So if you are the one from Microsoft who read my post: it would be great to get these things fixed with the next platform version.
Cheers,
Stefan
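The enumeration-and-probe technique from Stefan's first post (read the exclusions as a normal user, find excluded folders the user can write to, drop an EICAR test file there) and the check from his Aug 24 follow-up (the registry still exposes the exclusions when Get-MpPreference no longer does) as one added PowerShell example. This is not Stefan's script and not Microsoft code. It assumes the two registry keys named in the comments hold one value per excluded path, and it only probes folder exclusions; file, extension and wildcard exclusions are listed but not touched. Run it as a standard user.

```powershell
# Added example, not the script from the original post.
# Assumed registry locations (one value per excluded path, value name = path):
#   HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths           (local config)
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths  (GPO-managed)

function Get-DefenderPathExclusions {
    [CmdletBinding()]
    param()
    $paths = @()

    # 1. Preferred source: the cmdlet. Since platform 4.18.2008.4 non-admins
    #    get nothing useful back (empty or a placeholder), so that is tolerated.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        if ($pref.ExclusionPath)                        { $paths += $pref.ExclusionPath }
        if ($pref.AttackSurfaceReductionOnlyExclusions) { $paths += $pref.AttackSurfaceReductionOnlyExclusions }
    } catch {
        Write-Verbose "Get-MpPreference failed or is restricted: $_"
    }

    # 2. Fallback: the registry, which a standard user can still read.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $item = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
            if ($item) { $paths += $item.GetValueNames() }
        }
    }

    $paths | Where-Object { $_ -and $_ -ne 'N/A' } | Sort-Object -Unique
}

function Test-ExcludedFolderWritable {
    param([Parameter(Mandatory)][string[]]$Exclusions)

    # Harmless EICAR test string; single quotes so '$' is not expanded.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    foreach ($ex in $Exclusions) {
        $p = [System.Environment]::ExpandEnvironmentVariables($ex)
        # Wildcard exclusions are patterns, not a single folder: skip them.
        if ($p -match '[\*\?]') { continue }
        # Only folder exclusions are probed; file/extension exclusions are skipped.
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { continue }

        $probe  = Join-Path $p ('eicar-probe-{0}.txt' -f [guid]::NewGuid())
        $result = [ordered]@{ Exclusion = $ex; Writable = $false; Survived = $false; Note = '' }
        try {
            # ASCII encoding writes no BOM, so the file is byte-exact EICAR.
            [System.IO.File]::WriteAllText($probe, $eicar, [System.Text.Encoding]::ASCII)
            $result.Writable = $true
            # If real-time protection still removed the file, the exclusion
            # is not actually effective for this path (e.g. stale entry).
            $result.Survived = Test-Path -LiteralPath $probe
            if ($result.Survived) {
                Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
            }
        } catch [System.UnauthorizedAccessException] {
            $result.Note = 'access denied'
        } catch {
            $result.Note = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage (as a standard user):
$exclusions = Get-DefenderPathExclusions -Verbose
Write-Host "Exclusions visible to $env:USERNAME:" ; $exclusions
Test-ExcludedFolderWritable -Exclusions $exclusions | Format-Table -AutoSize
```

A row with Writable = True and Survived = True is the condition Stefan warns about: a folder that an unprivileged user can both discover and write to, and in which Defender will not scan the payload. The probe file is deleted again after the check; if a row shows Writable = True but Survived = False, the entry was readable but real-time protection still caught the write, which is worth knowing before relying on that exclusion in either direction.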
Sep 11 2020 06:27 PM
Sep 13 2020 04:25 AM
@Thiago_Mota Unfortunately, no. The "normal" user without administrative rights can still see the exclusions in the Security Center:
Sep 14 2020 03:00 AM
Oct 21 2022 03:01 AM