<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=179060&amp;fmt=gif">

Minerva Labs Blog

News & Reports

Windows Defender Vulnerability allows anyone to read AV exclusions

According to a Tweet by Antonio Cocomazzi, “Windows Defender AV allows Everyone to read the configured exclusions on the system”.

antonio cocomazzi tweet

reg query output


NathanMcNulty added that you can also grab exclusions configured through policies :reg query “HLKM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions” /s

According to the report, this vulnerability does not affect Windows 11 users. However, the large majority of users around the world still use Windows 10.

This vulnerability allows the reg command to effectively pull secure antivirus exclusion information from the registry. This information is very sensitive and a lucrative asset to be able to access. The importance of this vulnerability is that all user types have access permissions to this, as it is not limited only to admin, meaning that using Windows Defender, ANY user (not only admins) can query what AV exceptions are configured and exploit them for malicious purposes, which will then be ignored by the Antivirus.

Easily fixed through using Minerva’s Virtual Patching capabilities.

Using Minerva’s Virtual Patching capabilities, we can easily define a rule that will protect the Exclusions registry from non-admin queries, effectively disabling this vulnerability without the need to wait for an official patch.

minerva virtual patch

As we can see, after implementing the virtual patch,  the exploit protection module blocks the query

reg query denied

Now, when a user tries to query the exclusions list, they get an “access denied” error.


Despite Windows Defender leaving a huge security open through Windows Defender, using Minerva's virtual patching, users can easily secure this vulnerability on all the end points in their organization within minutes.


Interested in Minerva? Request a Demo Below

Stay Informed

Sign up for the Minerva newsletter and stay on top of the latest cybersecurity news.


see all