On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.
Windows Defender Antivirus is not affected by this vulnerability.
This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.
This is a relatively old attack vector. By design, Windows Defender Antivirus has never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.
Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:
- Windows Defender Antivirus documentation
- Windows Defender Advanced Threat Protection documentation (you can also sign up for a free trial)
- Windows Defender Exploit Guard documentation
- Windows Threat Protection
Talk to us
Questions, concerns, or insights on this story? Join discussions at the Microsoft community.
Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center