Microsoft Tech Community

Feature request: Block readaccess to Windows Defender exclusions


Hello Defender ATP Team,

 

I have already submitted this request via the Feedback Hub, but I think it is important enough to request it here.

 

A user without administrative rights can't add exclusions to Windows Defender; however, he can read the exclusions:

- via the PowerShell cmdlet "Get-MpPreference"

- via the registry

 

An attacker who manages to get his code running on a machine with user rights could check for folder exclusions with write access and place his payload there.


I created a (very quick and very dirty) sample PowerShell script which will place a Base64-encoded EICAR string in each directory where BUILTIN Users have write access.

 

I would appreciate an option to disable read access to Windows Defender exclusions, at least for normal users without administrative rights.


Best regards

Stefan

6 Replies
No comments from the Devs or a Microsoft official so far, so I encourage you to like the post if you think this is an issue which needs to be addressed :)

A quick status from my side about this topic. Someone at Microsoft listened to this post or my Feedback Hub request:

 

Starting with Windows Defender Platform Version 4.18.2008.4, only admins can view the exclusions when using the PowerShell cmdlet "Get-MpPreference":

[Screenshot: SteBeSec_0-1598295707598.png]

 

Sadly, access to the exclusions via the registry (with user rights) is still possible:

[Screenshot: SteBeSec_1-1598295885682.png]

 

Access to the ASR exclusions is also still possible via PowerShell and the registry.

 

So if you are the one from Microsoft who read my post: it would be great to get these things fixed with the next platform version.

 

Cheers,

Stefan
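As an added illustration of the check described in the original post and in the status update above (read the exclusions the way a standard user can, fall back to the registry where the cmdlet no longer answers, find excluded folders that low-privileged groups can write to, optionally drop the EICAR test string there), here is a script written for this page. It is not Stefan's script. The registry keys, the group names and the ACL heuristic are assumptions stated in the comments; run it only on a test machine.

```powershell
# Added example (not the original poster's script). Enumerates Defender
# exclusions the way a standard user can, flags excluded folders where
# low-privileged groups may create files, and optionally drops the EICAR
# test string there to show that Defender does not scan it.
# Assumptions: the registry locations and group names below are the
# well-known defaults; the ACL check ignores generic-rights ACEs.
param([switch]$DropEicar)

# Groups whose write access a standard user normally inherits.
$LowPrivGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$CreateFiles   = [System.Security.AccessControl.FileSystemRights]::CreateFiles

# Exclusion stores; each excluded path is stored as a value NAME under the key.
$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
)

# Base64 of the EICAR test string; decoded only when -DropEicar is given.
$EicarB64 = 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo='

function Get-DefenderExclusionPath {
    $found = @()
    # 1. The cmdlet. Before platform 4.18.2008.4 any user could read this;
    #    since then it returns empty lists for non-admins, so the registry
    #    fallback below is what still exposes the data.
    try {
        $pref   = Get-MpPreference -ErrorAction Stop
        $found += $pref.ExclusionPath
        $found += $pref.AttackSurfaceReductionOnlyExclusions
    } catch {
        Write-Verbose "Get-MpPreference failed: $_"
    }
    # 2. Registry. Read access on these keys is granted to Users by default.
    foreach ($key in $ExclusionKeys) {
        if (Test-Path -LiteralPath $key) {
            $found += (Get-Item -LiteralPath $key).GetValueNames()
        }
    }
    $found | Where-Object { $_ } | Sort-Object -Unique
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allow = $false
    foreach ($ace in $acl.Access) {
        if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $CreateFiles) -eq 0) { continue }
        # A matching Deny ACE wins over any Allow ACE.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allow = $true
    }
    return $allow
}

$report = foreach ($entry in Get-DefenderExclusionPath) {
    # Wildcard exclusions need their own matching logic and are skipped here.
    if ($entry -match '[\*\?]') { continue }
    $resolved = [Environment]::ExpandEnvironmentVariables($entry)
    $writable = Test-LowPrivWritable -Path $resolved
    if ($writable -and $DropEicar) {
        # Defender will not scan this file if the exclusion really applies.
        $target = Join-Path -Path $resolved -ChildPath 'eicar-test.txt'
        [IO.File]::WriteAllBytes($target, [Convert]::FromBase64String($EicarB64))
    }
    [pscustomobject]@{ Exclusion = $entry; Resolved = $resolved; LowPrivWritable = $writable }
}

$report | Sort-Object LowPrivWritable -Descending | Format-Table -AutoSize
```

Run it as a standard user to see what an attacker with user rights would see; on a platform older than 4.18.2008.4 the cmdlet alone returns the list, on newer builds the registry keys still do. Rows with LowPrivWritable = True are the folders the original post warns about.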

This is a very important topic. I am very bothered by this. I don't want the users to be able to see the exclusions that I have applied by policy. It is a security breach.
Just a question: when you say that on 4.18.2008.4 only admins can see them, do you know if it is also hidden from the Defender UI (interface)? Thanks.

@Thiago_Mota Unfortunately, no. The "normal" user without administrative rights can still see exclusions in the Security Center:

[Screenshot: SteBeSec_0-1599996274680.png]

This should be addressed for sure!
Hello Stefan,
There is an option now, called "HideExclusionsFromLocalAdmins" in the GPO.

But I'm now wondering why we cannot disable the use of exclusions for users with administrative rights as well; I think this would be better. And it could be interesting to deploy an Intune profile that simply locks all exclusions from being added, viewed or accessed, so that only Intune service/tenant admins can.
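To check whether the policy named in the reply above is in place on a given machine, and what the current session can still read regardless, here is a short script added for this page (not from anyone in the thread). It assumes the GPO stores a DWORD named HideExclusionsFromLocalAdmins under the Windows Defender policy key and that Get-MpComputerStatus reports the platform version in AMProductVersion; both are flagged as assumptions in the comments, so confirm them against the ADMX of your build.

```powershell
# Added example, not from the thread. Reports the facts that decide whether
# the current user can read Defender exclusions on this machine:
#   - platform version (per the thread, Get-MpPreference hides exclusions
#     from non-admins from 4.18.2008.4 on),
#   - the HideExclusionsFromLocalAdmins policy value (ASSUMED to be a DWORD
#     under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender),
#   - what Get-MpPreference actually returns in this session.
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$CutoverVersion = [version]'4.18.2008.4'

function Get-DefenderExclusionVisibility {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # AMProductVersion is assumed to carry the platform version.
    $platform = [version](Get-MpComputerStatus).AMProductVersion
    $policy   = Get-ItemProperty -LiteralPath $PolicyKey -Name HideExclusionsFromLocalAdmins -ErrorAction SilentlyContinue
    $pref     = Get-MpPreference

    # Flatten the four exclusion lists and drop nulls; wrapping the pipeline in
    # @() yields Count 0 for an empty result (@($null).Count would be 1).
    $visible = @(
        @($pref.ExclusionPath, $pref.ExclusionExtension, $pref.ExclusionProcess,
          $pref.AttackSurfaceReductionOnlyExclusions) |
        ForEach-Object { $_ } | Where-Object { $_ }
    )

    [pscustomobject]@{
        RunningAsAdmin                = $isAdmin
        PlatformVersion               = $platform
        CmdletHiddenFromStandardUsers = ($platform -ge $CutoverVersion)
        HideExclusionsFromLocalAdmins = $(if ($policy) { [int]$policy.HideExclusionsFromLocalAdmins } else { 'not configured' })
        ExclusionsVisibleInSession    = $visible.Count
    }
}

Get-DefenderExclusionVisibility | Format-List
```

Run it once elevated and once as a standard user: the two ExclusionsVisibleInSession values side by side show what the platform version and the policy actually hide, and a non-zero count in the standard-user run means the cmdlet path is still open on that build.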