Windows 10 antivirus can download malware — Microsoft responses

UPDATE: According to Bleeping Computer, as of September 18, Microsoft has removed this feature.

Well, here's the big deal: the latest version of the Windows Defender antivirus for Windows 10 can be used to download malware. This is according to Bleeping Computer, which picked up a Twitter thread by security researcher Mohammad Askar in which Askar explains in detail how MpCmdRun.exe, a Windows Defender command line tool, can be used to download arbitrary files from the Internet.

So, of course, Askar used it to download a (legitimate) piece of threat emulation software called Cobalt Strike, which is used to find security holes in large local computer networks. Bleeping Computer went a step further and used the Windows Defender tool to download actual ransomware samples.

We ourselves, after some tinkering with the command line, used this tool to download an image from the Tom's Guide website.

This is the only way to get the file.

To see how far this would take us, we switched to a normal limited user account. Then, using the same tool, we downloaded the EICAR test file, a well-known simulated malware file, to our own limited user's Downloads folder. Administrative privileges were not required.

Microsoft has responded to our request for comment with the following statement in full: "Despite these reports, Microsoft Defender Antivirus and Microsoft Defender ATP protect you against malware. These programs detect malicious files that are downloaded to your system through the antivirus file download feature."

A Microsoft spokesperson clarified that this statement also applies to Windows Defender Antivirus, the antivirus software bundled with Windows 10 Home.

This means that any decently functioning malware that infects even a limited user account can use Windows Defender itself to download any file from the Internet.

There was some saving grace: it was not possible to download the EICAR test file to another user's Downloads folder, or to any directory that you do not have write access to or did not create yourself, even when logged in as an administrator!

This was a problem with Windows.

This is consistent with Windows user permissions, which means this Windows Defender download tool cannot be used for privilege escalation. In other words, malware cannot easily take full control of the system using this tool.

In addition, our Bitdefender antivirus software quickly discovered and quarantined the EICAR test file every time. We do not use Windows Defender as our default antivirus, but Windows Defender would almost certainly have found and quarantined the EICAR test file as well.

As such, the Windows Defender download tool cannot be used to do anything worse than what malware that has successfully infected a system can normally do anyway, such as downloading files through a web browser.

However, there will always be things that AV software cannot detect. Of course, Windows Defender is included on all Windows 10 PCs, whether or not they use third-party antivirus software. This is usually a good thing.

We have reached out to Microsoft for comment and will update this article as soon as we hear back.

If you are wondering how to do this, here are the file paths and commands. However, make sure you know what you are doing:

C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe -DownloadFile -url <URL> -path <path>

<URL> is the URL of the download source, e.g. "https://www.example.com/example/foobar.txt".

<path> must include the destination filename, e.g. "C:\Users\<username>\Downloads\foobar.txt". We found it easiest to change directory to C:\ProgramData\Microsoft\Windows Defender\ and proceed from there (MpCmdRun.exe sits in a Platform\<version> subfolder, and the version folder name varies). Your mileage may vary.
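For defenders, the useful side of the command above is that it leaves an obvious trace in process-creation telemetry. The following is an added example (not from the original article or from Microsoft) that scans constructed Sysmon Event ID 1 / Security 4688 style records for MpCmdRun.exe -DownloadFile invocations and flags the ones whose parent, destination path or source host look unlike normal Defender activity. The expected-parent list and the assumption that Defender only fetches from Microsoft hosts are heuristics chosen for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample events (image path, command line, parent image), not from any real host.
SAMPLE_EVENTS = [
    (r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
     r'"MpCmdRun.exe" -DownloadFile -url https://www.example.com/example/foobar.txt'
     r' -path C:\Users\alice\Downloads\foobar.txt', r"C:\Windows\System32\cmd.exe"),
    (r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe",
     r'"MpCmdRun.exe" -SignatureUpdate', r"C:\Windows\System32\services.exe"),
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir", r"C:\Windows\explorer.exe"),
]

# Heuristic assumptions for this example: Defender writes under its own directory and is
# normally launched by its service or the service control manager, not by a user shell.
EXPECTED_DEST_PREFIX = r"c:\programdata\microsoft\windows defender"
EXPECTED_PARENTS = {"msmpeng.exe", "services.exe", "svchost.exe", "mpcmdrun.exe"}

_ARG = re.compile(r'-(url|path)\s+"?([^"\s]+)"?', re.IGNORECASE)

def parse_download(cmdline):
    """Return {'url', 'path'} if cmdline is an MpCmdRun -DownloadFile call, else None."""
    if not re.search(r"\bmpcmdrun(\.exe)?\b", cmdline, re.IGNORECASE):
        return None
    if not re.search(r"-downloadfile\b", cmdline, re.IGNORECASE):
        return None
    found = {k.lower(): v for k, v in _ARG.findall(cmdline)}
    return {"url": found.get("url"), "path": found.get("path")}

def assess(image, cmdline, parent):
    """Return None for events of no interest, otherwise a list of reasons to alert."""
    dl = parse_download(cmdline)
    if dl is None:
        return None
    reasons = []
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    if parent_name not in EXPECTED_PARENTS:
        reasons.append(f"launched by unexpected parent {parent_name}")
    if dl["path"] and not dl["path"].lower().startswith(EXPECTED_DEST_PREFIX):
        reasons.append(f"writes outside the Defender directory: {dl['path']}")
    host = urlparse(dl["url"] or "").hostname or ""
    if not host.endswith(".microsoft.com"):
        reasons.append(f"download source is not a Microsoft host: {host or '<missing>'}")
    return reasons

def scan(events):
    """Return [(image, reasons)] for every event that should raise an alert."""
    return [(img, r) for img, cmd, par in events if (r := assess(img, cmd, par))]
```

Run `scan(SAMPLE_EVENTS)` and only the first record is returned, with all three reasons; the signature update and the plain cmd.exe event are ignored.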
