A significant vulnerability in Windows Defender, Microsoft’s built-in antivirus software, allows a threat actor to completely disable the service and manipulate its core files. This exploit, discovered and detailed by researcher Zero Salarium, highlights a critical oversight in how the security program manages its updates. Rather than simply evading detection, this method lets attackers neutralize the defense system entirely, leaving the machine defenseless against threats. The technique is particularly alarming because it doesn’t require sophisticated new malware; it leverages features already available on the Windows operating system.
At the heart of the exploit is a fundamental flaw in the WinDefend service’s update process. Windows Defender stores its executable files in a version-numbered folder, like ProgramData\Microsoft\Windows Defender\Platform\4.18.23070.1000-0. When the service starts or updates, it scans the Platform directory and launches the files from the folder with the highest version number. While Microsoft protects these legitimate folders from being tampered with, the researcher found that an attacker with administrator privileges can still create a new, unofficial folder within that directory.
This seemingly minor detail opens the door for a major security breach. By creating a symbolic link (a special type of shortcut) and giving it a version number higher than the current one, an attacker can trick Windows Defender into running from a different, attacker-controlled location. The process is surprisingly straightforward. First, the attacker copies the legitimate Defender files to a new, unsecured folder, such as C:\TMP\AV. Then, they use the mklink command to create the symbolic link inside the protected Platform folder, naming it with a higher version number (e.g., 4.18.99999.1000-0). This malicious link points back to the unsecured folder.
When the system is restarted, the WinDefend service scans the Platform directory, sees the symbolic link with the highest version number, and launches its processes from the new, attacker-controlled directory. Once this has happened, the attacker has complete control over the files Defender is running from. They can then perform a range of malicious actions. For example, they can use DLL side-loading by placing a malicious file in the folder, causing the trusted Defender process to execute malicious code.
A simpler but equally effective method is to simply destroy the executable files. The researcher demonstrated that by deleting the symbolic link after the takeover, the Defender service fails to find its executable files on the next restart. This causes the service to fail, disabling all real-time virus and threat protection and leaving the machine completely vulnerable to further attacks. The exploit serves as a stark reminder of the ongoing struggle between security software and those who seek to undermine it.
Reference:
