Monday, June 16, 2025
HomeHacksWindows Defender Antivirus Bypass Allows Any Malware to Execute on a Windows...

Windows Defender Antivirus Bypass Allows Any Malware to Execute on a Windows Machine

Published on

SIEM as a Service

Follow Us on Google News

New Method that Involved With Defender Antivirus scanning process over SMB leads to  Windows Defender Antivirus Bypass and allows any Malware to Run into Windows OS.

This FlowTricks Windows Defender, to Scan other Files or scans no files Instead of Scanning Malicious File when we Execute the Malicious file and Windows Load the Execution Process.

By using Custom-built SMB server, This Flow Bypass the Defender Scanning Process and Evade to Capture the Malicious File and Pass to OS for Execution.

- Advertisement - Google News

According to Cyberark, This Attack calls it as an Illusion Gap and also This Attack Vector can Bypass the other Antivirus Products.

Also Read: Bypass an Anti-Virus Detection with Encrypted Payloads using VENOM Tool

Windows Defender Antivirus Bypass

Initially, CyberArk  Build a Custom SMB Server to Achieve this Goal by Serving Two Different files over SMB, one for Windows PE Loader and another for the Windows Defender Antivirus.

In This Case, Attack should Force Victim to execute an exploit hosted on the malicious SMB share.

Two File A and B which are Malicious and Benign that is used here to Process this Bypass  Action against the Windows Defender.

According to Cyberark, When a process creation is made by Windows PE Loader, a request will be made to the SMB server for the executable file, and we will serve file A, which is malicious .
When Windows Defender requests the executed file, we will serve file B, which is benign. This way, file B will be scanned while file A will be executed.
Antivirus Bypass

Malicious File is Replaced by SMB Sever when Windows Defender Request to Scan the file which is Loaded into SMB Server by Windows PE Loader.

But SMB Server Proceed either serve a benign file or blocks the handle creation request Instead of Providing Malicious File Details.

CyberArk cyber research team leader Doron Naim Said, Once an attacker puts the malicious file into the share, the attacker can control which file to notify the Windows Defender that it will run.

So if the Attacker can able to Play by sitting from SMB Server Side, They can Address the Process Request whether the Request has made by OS or Windows Defender.

Once the attacker on the SMB side actually identifies that Windows Defender wants to read his file, they can hand it another benign file instead of the malicious file.

In This way, Defender will Only Scan the Benign File Instead of Malicious One and Finally  Attacker can Bypass the Defender and Achieve the Goal.

Naim said this behavior is just the opposite and that even if Windows Defender is not able to scan a file, it would still allow the process to execute. CyberArk, meanwhile, said it has already privately disclosed similar issues to other security vendors.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Volkswagen Car Hack Exposes Owner’s Personal Data and Service Records

Tech-savvy Volkswagen owner has uncovered critical security flaws in the My Volkswagen app that...

North Korean Hacker Tries to Infiltrate Kraken Through Job Application

Leading cryptocurrency exchange Kraken has disclosed that it recently thwarted an infiltration attempt by...

Gain Legends International Suffers Security Breach – Customers Data Stolen

Gain Legends International, a prominent name in sports, entertainment, and venue management, has confirmed...