Windows Defender

A recent update to the Microsoft Defender antivirus solution from Windows 10 inadvertently enables it to transfer viruses and other files to a Windows device.

Legitimate operating system files are known as living-off-the-land binaries or LOLBINs that can be exploited for malicious purposes.

In a recent update to Microsoft Defender, the command-line tool MpCmdRun.exe has been modified to include the ability to download files from a remote location, which attackers can misuse.

With this new feature, Microsoft Defender is now part of a long list of Windows programs which local attackers can abuse. Diriga Technologies has always advised to not use this as your main antivirus program.

Discovered by security researcher Mohammad Askar, a recent update to the command-line tool offered by Microsoft Defender now contains a new -Downloadfile command-line argument.

This command allows a local user to use the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to download a file from a remote location using the following command:

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

The good news is that Microsoft Defender will detect malicious files downloaded with MpCmdRun.exe, but it’s unclear if other AV applications will allow this program to circumvent its detections.

With this discovery, administrators now have another thing on their plate that they need to be monitoring to make sure this exploit is not used against them.