An unusual discovery by a security researcher: the detection of the Windows Defender protection tool can be bypassed by inserting a single extra comma into a command line!
Let's be honest: computer security in general, and that of Windows in particular, has improved considerably since digital tools became ubiquitous. Gone are the days when browsing the Internet without dedicated antivirus software was reckless. For many years, the Windows Defender protection tool, integrated by default into Microsoft's operating system, has been a solid and, for most users, sufficient shield against the majority of threats to our computers. Microsoft's antivirus runs constantly in the background to detect suspicious and potentially malicious programs and to stop them from running before the computer is compromised.
When it comes to security, however, some vulnerabilities hide in the most trivial details. A security researcher named John Page, alias @hyp3rlinx on X (formerly Twitter), revealed in 2022 that the monitoring of the Windows Defender protection tool could be fooled by inserting periods and commas into a command line used to execute a malicious program. Microsoft has since updated its antivirus to block that form of the command, but evidently did not push the reasoning far enough. In a post published on February 8, 2024, the same Hyp3rlinx showed that the same command, which launches a JavaScript payload through rundll32.exe and should be detected as dangerous and blocked by Windows Defender, ran again once a second comma was added. The detection apparently matched one specific spelling of the command line, while rundll32.exe tolerates the extra comma between the module name and the entry point, so the variant still executes.
Windows Defender Trojan.Win32/Powessere.G / Mitigation Bypass Part 2

C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)
Access is denied.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)

Multi-commas, for the Win! pic.twitter.com/MO8FlmL1Yg

— Hyp3rlinx (@hyp3rlinx) February 8, 2024
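The practical lesson of the bypass is that a signature keyed to one exact spelling of the command line fails as soon as rundll32.exe accepts a variant. The following added example, which is not code from Hyp3rlinx, Microsoft or the article, shows the difference between such a literal signature and a rule that first normalizes the command line (collapsing repeated commas and path-traversal segments) before matching. The sample command lines are constructed for the example, modelled on the shape of the commands in the post above; the function names and the normalization steps are this example's own choices, not Defender's actual logic.

```python
import re

# Constructed sample command lines (not captured from a real host). The first
# three mirror the shape of the rundll32 commands quoted in the post above;
# the last two are benign decoys that a rule must not flag.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)',
    r'rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)',
    r'rundll32.exe javascript:"\..\mshtml,,,,RunHTMLApplication ";alert(666)',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'notepad.exe C:\Users\alice\notes.txt',
]

# A literal signature: matches one exact spelling of the suspicious argument.
NAIVE_SIGNATURE = re.compile(r'mshtml,RunHTMLApplication', re.IGNORECASE)


def naive_match(cmdline: str) -> bool:
    """Literal signature. Defeated by adding a second comma."""
    return bool(NAIVE_SIGNATURE.search(cmdline))


def normalize_rundll32_arg(cmdline: str) -> str:
    """Canonicalize the command line before matching (this example's own rules).

    - lowercase everything
    - collapse any run of commas into a single comma
    - collapse any chain of '\..\' traversal segments into a single backslash
    - collapse whitespace runs
    """
    s = cmdline.lower()
    s = re.sub(r',+', ',', s)
    s = re.sub(r'(\\\.\.)+\\', lambda m: '\\', s)
    s = re.sub(r'\s+', ' ', s)
    return s


# Applied to the normalized form: rundll32 launching a javascript: URL that
# reaches the mshtml RunHTMLApplication entry point, however it is spelled.
ROBUST_RULE = re.compile(
    r'rundll32(\.exe)?\s+javascript:.*mshtml\s*,\s*runhtmlapplication'
)


def robust_match(cmdline: str) -> bool:
    """Normalize first, then match; survives extra commas and traversal."""
    return bool(ROBUST_RULE.search(normalize_rundll32_arg(cmdline)))


def scan(cmdlines):
    """Return (cmdline, naive_hit, robust_hit) for each command line."""
    return [(c, naive_match(c), robust_match(c)) for c in cmdlines]


if __name__ == "__main__":
    for cmd, naive_hit, robust_hit in scan(SAMPLE_COMMAND_LINES):
        print(f"naive={naive_hit!s:5} robust={robust_hit!s:5}  {cmd}")
```

Run over process-creation telemetry, the literal signature catches only the first sample and misses the two-comma and four-comma variants, while the normalizing rule flags all three rundll32 javascript: lines and leaves the benign shell32.dll and notepad.exe commands alone. Normalizing before matching is the general fix; the specific normalization steps here are only those suggested by the periods and commas in the two disclosures.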
There is some reassurance, however: the real danger of this flaw is more limited than it seems. To exploit it, an attacker must already be able to run commands on the targeted machine, which means having crossed several other security barriers first. The conditions required to use this Windows Defender bypass are therefore numerous, and the technique is unlikely to be used on a large scale against home computers. The discovery is nonetheless interesting, because it shows how even sophisticated protection mechanisms can fall to seemingly trivial tricks. It also reminds us that, in computer security, decentralized research by many ingenious actors remains the most effective way of finding security vulnerabilities, and that keeping a program's source code secret in no way prevents the discovery and exploitation of its flaws. Further proof of the virtues of open source, for developers and users alike.