Defender bypass allows threats to be removed from protection database

A lot of people rely on Windows Defender to protect their systems, it's free and installed by default so why not?

Defender uses a blacklisting approach to stop threats. Before allowing a file to execute, it will compare it against its database of known threats and stop it from executing if it's on there. However, researchers at SafeBreach have uncovered an exploit that can allow threats to be removed from the database.

An attacker can delete a threat from the Windows Defender signature database by hijacking the Windows Defender update process to push a fake update.

Windows Defender versions prior to 4.18.2303.8 are vulnerable to the attack. You can check your version by running Windows Security, selecting Settings from the bottom of the left-hand pane, then clicking About.

Alternatively if you're feeling geeky you can check by running PowerShell and entering the following command:

Get-MpComputerStatus | Select-Object EngineVersion, AMRunning, AMServiceVersion

Microsoft has issued a fix for the vulnerability (CVE-2023-24934). If you have a vulnerable version you should update it as soon as possible. To do this run Windows Security, select Virus and threat protection, and under Virus and threat protection updates in the main window, select Check for updates.

You can read more and see a demonstration of how the bypass works on the SafeBreach blog.

Image credit: monticello / depositphotos