Updated WindowsDefenderExclusions with exclusion key paths set by group policy (#432)
Karneades committed Jul 17, 2021
1 parent 354af7a commit cd9e057
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions data/antivirus.yaml
Expand Up @@ -34,11 +34,12 @@ labels: [Antivirus, Logs]
---
name: WindowsDefenderExclusions
doc: |
Directories, processes, and extensions configured not to be scanned by Windows Defender.
Directories, processes and extensions configured not to be scanned by Windows Defender.
The can be set locally or through group policy objects (GPO).
Certain malware families (for example, Tofsee) are known to add
directories to the Paths list in order to avoid being detected by
Windows Defender.
Certain malware families (for example, Tofsee) are known to add directories to the
Paths list in order to avoid being detected by Windows Defender. Other malware
(for example, REvil) use the existing exclusions to be ignored by Anti-Virus products.
sources:
- type: REGISTRY_KEY
attributes:
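Review bot: the added doc line `The can be set locally or through group policy objects (GPO).` has a typo; it should read `They can be set locally or through group policy objects (GPO).` Since the description now mentions GPO, it would also help to say which of the registry keys below hold the policy-set values, i.e. that exclusions pushed by group policy land under `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\` while the `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\` keys hold the locally configured ones. Minor: `Other malware (for example, REvil) use the existing exclusions` should be `uses`, and dropping the Oxford comma from `Directories, processes and extensions` is a gratuitous change to a sentence that is otherwise untouched.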
Expand All @@ -47,11 +48,16 @@ sources:
- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Processes\*'
- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Extensions\*'
- 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*'
- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Paths\*'
- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Processes\*'
- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\*'
- 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*'
supported_os: [Windows]
urls:
- 'https://blog.malwarebytes.com/detections/pum-optional-msexclusion/'
- 'https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-how-to-remove-exclusions/2a0cc465-97b2-46ea-ae77-b87075ed124e'
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
- 'https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/'
---
name: SophosAVLogs
doc: Sophos Anti-Virus log files.
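Review bot: the four new `Software\Policies\...` entries mirror the local `Paths`, `Processes`, `Extensions` and `TemporaryPaths` keys one-for-one, which is the right set, but the doc should record the precedence rule: when a policy value and a local value both exist, Defender applies the policy value, so a collector that merges the two lists blindly will report local exclusions that are not actually in effect. The added Sophos URL backs the new REvil sentence, but the `urls` list still has no reference for where GPO-managed exclusions are stored; a link to the Defender policy documentation would let a reader verify the four new paths.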
