Discovered: Bruteforce Windows Defender Exclusion Paths Without Admin Rights
by post - Sunday October 13, 2024 at 09:41 PM
TL;DR
  • Low-privileged users can access Microsoft Defender exclusion paths via Event Logs (Event 5007), exposing potential ‘safe’ zones for malware.

  • Found a way to identify exclusion paths using MpCmdRun.exe, even if event logs are unavailable / cleared, using a low-privileged user.

  • SharpExclusionFinder - A C# tool that automates scanning for exclusion paths across the file system using this method.


Let's get into it.


Firstly, the old:

Event logs—specifically Event 5007—can reveal exclusion paths.
This has been known for a while. I'm not up to date on it, but I think it's essentially not really going to work out if you try this method (but hey, it never hurts to try and test it). Additionally, I believe this may have required admin privileges.

And now, the new:
A new method was discovered that allows users to determine exclusion paths without relying on Windows Event Logs and without requiring administrative privileges.

By using MpCmdRun.exe, you can test whether a folder is excluded from scanning.



Run this command:
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\folder_to_check\|*"

Explanation of the Command:
  • -Scan: Initiates a scan using MpCmdRun.exe.
  • -ScanType 3: This parameter specifies a custom scan.
  • -File "C:\folder_to_check\|*": The pipe (|) is an invalid character in Windows folder names, ensuring that the path specified is not a valid folder or file. The asterisk (*) acts as a wildcard, essentially telling Defender to look for any potential subfolders or files within the specified path.

If the folder is excluded, the output will read “Scanning C:\folder_to_check\|* was skipped.”

If the folder is not excluded, the system will return an error message stating “CmdTool: Failed with hr = 0x80508023. Check C:\Users\ADMINI~1\AppData\Local\Temp\MpCmdRun.log for more information” because of the invalid path created by the use of the “|*” syntax.



SharpExclusionFinder

Quote: To streamline the process of identifying exclusion paths, we developed a tool written in C# that automates the entire process. This tool takes a base directory as input and recursively checks all subdirectories (or a given depth) using the MpCmdRun.exe method discussed earlier.

https://github.com/Friends-Security/Shar...sionFinder
(Alternatively posted here in case the repo is ever taken down.)

Tool usage:

Basic Command:

program.exe <BasePath> [options]

Options:

    --max-threads N: Set the maximum number of threads to use for scanning. Default is 3.
    --depth N: Specify the maximum directory depth to scan. Depth 1 means only immediate subdirectories.
    --output <filePath>: Specify a file path to log exclusions and errors.
    -h, --help: Display help and usage information.

Example:

program.exe "C:\MyDirectory" --max-threads 5 --depth 3 --output scan_log.txt

Prerequisites

    .NET Framework 4.5.2 or later.
    Windows Defender must be installed and enabled on the system.
    MpCmdRun.exe must be located at C:\Program Files\Windows Defender\MpCmdRun.exe.



Source(s):
https://blog.fndsec.net/2024/10/04/uncov...h-insight/
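From a detection standpoint, both the single MpCmdRun.exe command above and the SharpExclusionFinder tool that automates it have a distinctive shape in process-creation telemetry: Defender's command-line scanner is asked to custom-scan (-ScanType 3) a path containing a character Windows never allows in a file name, and with the tool this repeats many times in a short window as it walks the directory tree. The following Python is an added example for defenders, not code from this post or from the SharpExclusionFinder project. It assumes a constructed tab-separated log format (timestamp, user, image path, command line, standing in for Sysmon Event ID 1 or Security Event 4688 fields); the sample lines, the 60-second window and the threshold of 5 are all constructed assumptions.

```python
"""Detect MpCmdRun.exe exclusion probing in process-creation telemetry.

Added example, not from the forum post or the SharpExclusionFinder project.
Assumes a constructed tab-separated log line format:
    <ISO-8601 timestamp><TAB><user><TAB><image path><TAB><command line>
standing in for the fields of Sysmon Event ID 1 / Security Event 4688.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Characters Windows never allows in a file or folder name. A scan target
# containing one cannot be a real path, so it only makes sense as a probe.
INVALID_NAME_CHARS = set('<>|?"')

# The -File argument, quoted or bare; MpCmdRun switches are case-insensitive.
FILE_ARG = re.compile(r'-file\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SCANTYPE3 = re.compile(r'-scantype\s+3\b', re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into a dict; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    return {"ts": ts, "user": parts[1], "image": parts[2], "cmd": parts[3]}


def scan_target(event):
    """Return the -File argument of the command line, or None."""
    m = FILE_ARG.search(event["cmd"])
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_exclusion_probe(event):
    """True when MpCmdRun is told to custom-scan a path that cannot exist."""
    if not event["image"].lower().endswith("\\mpcmdrun.exe"):
        return False
    if not SCANTYPE3.search(event["cmd"]):
        return False
    target = scan_target(event)
    return target is not None and any(c in INVALID_NAME_CHARS for c in target)


def probed_directory(event):
    """Recover the directory under test by stripping the '\\|*' style suffix."""
    return scan_target(event).rstrip('*|\\<>?"')


def find_probe_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """One finding per user with >= threshold probes inside any `window`.

    A single probe is low-signal (admins do run custom scans); a burst of
    probes against distinct directories from one account is the pattern a
    recursive exclusion finder produces.
    """
    probes = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_exclusion_probe(ev):
            probes[ev["user"]].append(ev)

    findings = []
    for user, events in probes.items():
        events.sort(key=lambda e: e["ts"])
        start, best_count, best_span = 0, 0, (0, 0)
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_span = end - start + 1, (start, end)
        if best_count >= threshold:
            s, e = best_span
            findings.append({
                "user": user,
                "probes_in_window": best_count,
                "directories": sorted({probed_directory(ev) for ev in events[s:e + 1]}),
            })
    return findings


# Constructed sample telemetry: a legitimate custom scan by an admin, an
# unrelated process start, one malformed line, then a burst of six probes
# from a standard user walking the C: drive with the "\|*" trick.
_DEFENDER = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"
_PROBE = '"' + _DEFENDER + '" -Scan -ScanType 3 -File "{}\\|*"'
SAMPLE_LOG = [
    "2024-10-13T21:40:00Z\tCORP\\admin\t" + _DEFENDER
    + '\tMpCmdRun.exe -Scan -ScanType 3 -File "C:\\Users\\admin\\Downloads"',
    "2024-10-13T21:40:30Z\tCORP\\jdoe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe",
    "this line is not telemetry",
] + [
    "2024-10-13T21:41:%02dZ\tCORP\\jdoe\t%s\t%s" % (sec, _DEFENDER, _PROBE.format(d))
    for sec, d in zip(range(1, 12, 2), ["C:\\Windows", "C:\\Program Files", "C:\\Users",
                                        "C:\\Temp", "C:\\inetpub", "C:\\Tools"])
]

if __name__ == "__main__":
    for finding in find_probe_bursts(SAMPLE_LOG):
        print(finding)
```

A single hit is weak evidence, since administrators do run custom scans from the command line; the per-user burst count is what separates enumeration from normal use, and the list of probed directories tells the responder which locations the account was testing. On the endpoint, the MpCmdRun.log file named in the error message quoted above records the same scan attempts and can corroborate the finding.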