A range of users are reporting that Windows Defender is indicating that it is skipping files, even when no exclusions are set.
The potential bug could leave business and home users exposed if infected files are being skipped during a scan, and produces a concerning pop-up notification reading “Windows Defender skipped an item due to exclusions or network protection settings”.
According to IT blogger Günter Born, who first reported it on his blog, BornCity, the issue appears to be that newer versions of Windows Defender do not scan network files anymore, instead presenting the ‘skipped’ message.
Martin Jartelius, CSO at Outpost24, told SC Media UK: “The issue stems from issues with a Microsoft update. There are workarounds available for the issue such as manually enabling network scanning, either via PowerShell or via making changes to the registry. Note that this leads down another potential rabbit hole, as we are working with double negations: we want to set the setting for the feature to false, as the setting is for disabling, not enabling.”
The workarounds detailed by Born in a blog post include using Group Policy to allow Defender to scan files on the network, editing the registry to allow scanning of network files, or running ‘Set-MpPreference -DisableScanningNetworkFiles $false’ in PowerShell (the parameter disables scanning, so it has to be set to false to turn scanning on). However, Microsoft’s official advice is that the company does ‘not recommend that you scan network files’, casting doubt on the workaround.
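The PowerShell workaround, as an added example written for this page (it is not code from the SC Media article or from Born’s post): it reads the current preference, applies the double-negated setting Jartelius describes, and checks whether a Group Policy value is overriding the local preference. It assumes Windows 10 with the Defender PowerShell module and an elevated session; the policy registry path is the one the Defender ADMX template uses for the “Scan network files” policy, so confirm it against your own policy reference before relying on it. Given Microsoft’s stated advice against scanning network files, treat this as a diagnostic and a conscious choice, not a default.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or from Born's blog post.
# Assumes: Windows 10, Defender PowerShell module present, elevated session.

# Registry location written by the "Scan network files" Group Policy
# (Windows Components > Windows Defender Antivirus > Scan). A value here
# overrides whatever Set-MpPreference writes. Path per the Defender ADMX;
# verify against your policy reference before depending on it.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
$PolicyName = 'DisableScanningNetworkFiles'

function Get-NetworkFileScanState {
    # Report the effective Defender preference and any policy override.
    $pref   = Get-MpPreference
    $policy = $null
    if (Test-Path $PolicyKey) {
        $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                    -ErrorAction SilentlyContinue).$PolicyName
    }
    [pscustomobject]@{
        # The preference is a DISABLE flag: $true means network files are NOT scanned.
        DisableScanningNetworkFiles = $pref.DisableScanningNetworkFiles
        NetworkFilesAreScanned      = -not $pref.DisableScanningNetworkFiles
        # $null = no policy set; 1 = disabled by policy; 0 = enabled by policy
        PolicyValue                 = $policy
    }
}

function Enable-NetworkFileScanning {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Double negation: to ENABLE scanning, set the DISABLE flag to $false.
    if ($PSCmdlet.ShouldProcess('Windows Defender',
                                'Set DisableScanningNetworkFiles to $false')) {
        Set-MpPreference -DisableScanningNetworkFiles $false
    }
    $state = Get-NetworkFileScanState
    if ($state.PolicyValue -eq 1) {
        Write-Warning ("Group Policy sets $PolicyName=1; the local preference " +
                       "stays overridden until the policy itself is changed.")
    }
    return $state
}

'Before:'; Get-NetworkFileScanState | Format-List
'After:';  Enable-NetworkFileScanning -Verbose | Format-List
```

Run it with `-WhatIf` on `Enable-NetworkFileScanning` first to see the change without applying it. If `PolicyValue` comes back as 1, the registry/Group Policy route Born describes is the one that actually matters on that machine, because a policy value wins over the local `Set-MpPreference` setting.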
Jartelius continued: “The protection still looks to be testing executables on runtime and primary defense is on the egress, so the bug is far from as bad as other issues we have seen recently, but do note that the proposed workarounds at the moment of writing are not Microsoft’s recommendations but third party recommendations.”
Mark Kedgley, CTO at New Net Technologies, emphasised the wider importance of business and consumer trust in Microsoft Defender: “Anti-malware defences are a key security control and it’s estimated that Windows Defender takes 50 percent of the AV market, so to suddenly have this rendered potentially unreliable is a major problem. Even though we all know AV has serious blind spots with regards to zero day malware, it’s still a fundamental and ubiquitous element for every organisation’s cyber-security armoury. Standard practice should always be to layer defences, so use of application whitelisting and file integrity monitoring should always be run in conjunction with any AV to ensure there are no gaps, and that you get second or third opinions on file reputations.”
This is of course not the first Windows 10 update issue, unsurprisingly given the 1 billion active install base, and security updates have a particularly chequered history. Back in mid-March there were reports that the Windows 10 KB4551762 security update was failing and throwing errors, while in February users who applied the KB4524244 patch experienced problems and Microsoft rolled back the patch entirely due to ‘an issue affecting a sub-set of devices’.