
Windows Defender exclusions reek of malware

The vast majority of exclusions added to Windows Defender antivirus have been made by malware, according to research by Avira Protection Services.

“We currently receive more than 10k unique Windows Defender exclusion entries per day and 95% of them are clearly designed for malware,” said Mikel Echevarria Lizarraga, senior virus analyst with Avira Protection Services.

Exclusions in an antivirus app (virtually all security apps support them, not just Windows Defender) are designed to make life easier for the end user by exempting specified folders, files, processes or file extensions from scanning. Once an exclusion has been made, those files and paths will always be ignored by the antivirus. This speeds up some operations and cuts the risk of a false-positive alert. It also opens the door to some types of malware: whatever can write the exclusion can then drop its payload in the excluded location and run it without inspection.

“I don’t believe any antivirus vendors are free from these types of attacks, but it may take a more complicated approach by the hacker to be successful,” said Lizarraga. “The primary problem with Windows Defender is that it and Windows OS are such big targets, hackers are specifically targeting them.”

Malware/adware families such as Wajam and Zdengo have specifically focused on their ability to introduce exclusions into Windows Defender. By adding an exclusion for their own files, they can deliver a stream of infected and suspicious ads to the compromised devices without being detected.

“In general, Windows Defender is really transparent to the user, but only a few people will ever open the Windows Defender interface and discover those malicious exclusions,” he explained.

The Avira Approach

The Avira team analyzed data extracted from Windows machines that had been cleaned by Avira Antivirus. These were devices where Avira Antivirus had automatically detected an abnormality and/or malware infection, reported it, and subsequently cleaned up the suspect issues. In particular, the team monitored the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions” and its subkeys, the registry path where all Windows Defender exclusions are stored.
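The registry key above is also where a defender can look on a live machine. The script below is an added example, not Avira's analysis tooling and not part of the original post: run from an elevated PowerShell prompt, it enumerates the exclusions stored under that key (and under the Group Policy equivalent) and flags the entries that look like the adware pattern the article describes. The subkey names, the Policies key and the suspect-pattern lists are the author's assumptions, not an Avira rule set; adjust them to your environment.

```powershell
# Added example, not Avira's tooling: enumerate the Windows Defender exclusions
# stored under the registry path the article names (plus the Group Policy
# equivalent) and flag entries matching patterns the author considers suspect.
# Run from an elevated prompt; recent Windows builds deny non-administrators
# read access to these keys and hide exclusions in Get-MpPreference output.
$Bases = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',            # local settings
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'    # Group Policy (assumed present only if configured)
)
$Kinds = 'Paths', 'Processes', 'Extensions', 'TemporaryPaths'

# Heuristics below are assumptions for this example, not an Avira rule set.
$SuspectPathPatterns = @(
    '\\Users\\[^\\]+\\AppData\\',   # per-user writable locations
    '\\Users\\Public\\',
    '\\Windows\\Temp\\',
    '\\ProgramData\\',
    '\\Downloads\\',
    '^[A-Za-z]:\\$',                 # an entire drive root
    '^[A-Za-z]:\\\*'                 # drive-wide wildcard
)
$SuspectProcesses  = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                     'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'msbuild.exe'
$SuspectExtensions = '.exe', '.dll', '.js', '.vbs', '.ps1', '.bat', '.scr', '.hta'

function Test-SuspectExclusion {
    param([string]$Kind, [string]$Entry)
    switch ($Kind) {
        'Extensions' { return $SuspectExtensions -contains ('.' + $Entry.TrimStart('.')).ToLower() }
        'Processes'  { return $SuspectProcesses  -contains ([IO.Path]::GetFileName($Entry)).ToLower() }
        default {
            foreach ($pattern in $SuspectPathPatterns) {
                if ($Entry -match $pattern) { return $true }
            }
            return $false
        }
    }
}

function Get-DefenderExclusion {
    foreach ($base in $Bases) {
        $source = if ($base -like '*\Policies\*') { 'Policy' } else { 'Local' }
        foreach ($kind in $Kinds) {
            $key = Join-Path $base $kind
            if (-not (Test-Path -LiteralPath $key)) { continue }
            # Each exclusion is stored as a value NAME (the excluded path,
            # process or extension) with DWORD data 0; the data is irrelevant.
            foreach ($name in (Get-Item -LiteralPath $key).GetValueNames()) {
                if ($name -eq '') { continue }   # skip the key's (Default) value
                [pscustomobject]@{
                    Source  = $source
                    Kind    = $kind
                    Entry   = $name
                    Suspect = Test-SuspectExclusion -Kind $kind -Entry $name
                }
            }
        }
    }
}

$exclusions = @(Get-DefenderExclusion)
$exclusions | Sort-Object Suspect -Descending | Format-Table -AutoSize

# Cross-check path and process entries against what Defender itself reports.
# An entry visible in the registry but absent from Get-MpPreference deserves a look.
$pref = Get-MpPreference
$reported = @($pref.ExclusionPath) + @($pref.ExclusionProcess)
$unreported = $exclusions | Where-Object { $_.Kind -ne 'Extensions' -and $reported -notcontains $_.Entry }
foreach ($entry in $unreported) {
    Write-Warning "In registry but not reported by Get-MpPreference: [$($entry.Kind)] $($entry.Entry)"
}
```

Reading the registry directly rather than relying on the Defender UI is the point: as the article notes, few users ever open the interface, and an exclusion written by adware is just another value name under these keys. Treat any hit in a user-writable folder, a whole-drive exclusion, or an excluded script host as a lead to investigate, not as proof of infection.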

Germany just edged out by Brazil

Suspect exclusions were found globally, not just in less developed or less wealthy countries where unlicensed software is used more often. Germany fell just behind Brazil in the global rankings to take the 2nd slot, and Italy edged out Thailand, the Philippines, and France for the 8th position.

Top 12 countries with malware-linked Windows Defender exclusions:

    1. Brazil
    2. Germany
    3. Indonesia
    4. Russia
    5. Egypt
    6. Ukraine
    7. India
    8. Italy
    9. Thailand
    10. Philippines
    11. France
    12. Mexico


As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he's known for making a great bowl of popcorn and extraordinary messes in a kitchen.