Cyber threat infographic: Whitelisted program icons (msiexec.exe) injecting DLLs into AV folder shields, malware persistence arrows; protective shields for auditing and monitoring, with "Audit Your Whitelisting" warning banner over a Windows system.

DefenderWrite, a new tool by cybersecurity expert Two Seven One Three, exploits whitelisted Windows programs like msiexec.exe to inject malicious DLLs into antivirus executable folders, bypassing protections without kernel access. This enables malware persistence and evasion by writing payloads to shielded locations.

Tested on Windows 11 with Microsoft Defender, it also works on various AV products. The tool includes a PowerShell script to scan for exploitable executables, allowing red teams to simulate attacks and identify vulnerabilities.

Defend against this:

Audit AV whitelisting policies, implement process isolation, and monitor update mechanisms. Use layered defenses to prevent unauthorized writes and strengthen AV resilience against these innovative threats.
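One way to monitor for unauthorized writes of this kind is to review file-creation telemetry for executable content landing in AV folders from a process outside them. The sketch below is an added example, not part of DefenderWrite or any vendor product; it assumes Sysmon Event ID 11 (FileCreate) records already parsed into dictionaries, uses default Microsoft Defender install paths as the watched folders, and runs on constructed sample events.

```python
import ntpath

# Assumed AV install locations (Microsoft Defender defaults); adjust per product.
PROTECTED_DIRS = [
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
]
EXECUTABLE_EXTS = {".dll", ".exe", ".sys"}

def _norm(path):
    # Windows paths are case-insensitive; also collapse ".." and "/" variants.
    return ntpath.normcase(ntpath.normpath(path))

def in_protected_dir(path, protected_dirs=PROTECTED_DIRS):
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in protected_dirs)

def flag_av_folder_writes(events, protected_dirs=PROTECTED_DIRS):
    """Return FileCreate events that place executable content in an AV folder
    when the writing process image lives outside the AV folders.
    Legitimate installer activity also lands here, so treat hits as a review
    queue to compare against known update windows."""
    hits = []
    for ev in events:
        target, image = ev["TargetFilename"], ev["Image"]
        if ntpath.splitext(_norm(target))[1] not in EXECUTABLE_EXTS:
            continue
        if in_protected_dir(target, protected_dirs) and \
                not in_protected_dir(image, protected_dirs):
            hits.append(ev)
    return hits

# Constructed sample records using Sysmon Event ID 11 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Windows Defender\example.dll"},
    {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetFilename": r"C:\Program Files\Windows Defender\update.dll"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Contoso\app.dll"},
    {"Image": r"C:\Windows\System32\MSIEXEC.EXE",
     "TargetFilename": r"c:\program files\Windows Defender\Platform\..\X.DLL"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Program Files\Windows Defender\notes.txt"},
]

if __name__ == "__main__":
    for ev in flag_av_folder_writes(SAMPLE_EVENTS):
        print(ev["Image"], "->", ev["TargetFilename"])
```

Only the first and fourth sample events are flagged; the fourth shows why paths are normalized before matching.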


NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.