Microsoft Defender Can Be Used to Download Malware

Broken Shield image

In an ironic turn of events, a recent update has allowed Microsoft Defender on Windows 10 to download files from remote sources, including malware. This could lead to exploitation by attackers.

Operating system files can often be used by attackers for malicious purposes. System files that are misused this way are often referred to as living-of-the-land binaries, or LOLBINs. By adding a DownloadFile command-line argument to Microsoft Defender, Microsoft has enabled an attack vector that may increase security risks with countless Windows 10 machines.

A security researcher named Mohammad Askar discovered this new feature from a recent update to MpCmdRun.exe (Microsoft Antimalware Service Command Line Utility). Luckily, it appears Microsoft Defender detects malicious files downloaded by MpCmdRun.exe; however, it is not currently known whether any other antivirus software allow MpCmdRun.exe to bypass their own detections.

There isn't any recommended action at present, but this is a good opportunity to review your own antivirus and anti-malware setup on any machine you use and/or administer. Case Western Reserve University will be officially switching from Symantec to FortiClient for its provided antivirus and VPN client soon, so stay tuned for further updates on this.

Remember, keep yourself protected from both digital malware and human malware!

More information about the contents of this post can be found below:


Article written by:
Steven Hergert, Information Assurance Analyst