UPDATE: According to Bleeping Computer, as of September 18 Microsoft has removed the file-download option from Windows Defender's command-line tool.
Well, here's the big deal: the latest version of the Windows Defender antivirus for Windows 10 can be used to download malware. This is according to Bleeping Computer, which reported on a Twitter thread by security researcher Mohammad Askar in which Askar explains in detail how Windows Defender's command-line tool, MpCmdRun.exe, can be used to download arbitrary files from the Internet.
So, of course, Askar used it to download a (legitimate) piece of threat-emulation software called Cobalt Strike, which penetration testers use to find security holes in large corporate networks. Bleeping Computer went a step further and used the Windows Defender tool to download actual ransomware samples.
We ourselves, after some tinkering with the command line, used this tool to download an image from Tom's Guide's website.
To see how far this would go, we switched to a normal limited-user account. Then, using the same tool, we downloaded the EICAR test file, a well-known harmless file that antivirus software is designed to detect as malware, to our own limited user's Downloads folder. Administrative privileges were not required.
Microsoft has responded to our request for comment with the following statement in full: "Despite these reports, Microsoft Defender antivirus and Microsoft Defender ATP protect you against malware. These programs detect malicious files that are downloaded to your system through the antivirus file download feature."
A Microsoft spokesperson clarified that this statement also applies to Windows Defender Antivirus, the antivirus software bundled with Windows 10 Home.
This means that any decently functioning malware that has infected even a limited-user account can use Windows Defender itself to download any file from the Internet.
There was some saving grace: we could not download the EICAR test file to another user's Downloads folder, or to any directory that our account did not have write access to or had not created itself, even when logged in as an administrator.
That is simply Windows' own file permissions at work: the tool runs with the permissions of whoever launched it, which means this Windows Defender download tool cannot be used for privilege escalation. In other words, malware cannot easily take control of the system using this tool.
In addition, our Bitdefender antivirus software quickly detected and quarantined the EICAR test file every time. We do not use Windows Defender as our default antivirus software, but Windows Defender would almost certainly have detected and quarantined the EICAR test file as well.
As such, the Windows Defender download tool cannot be used to do anything worse than what malware that has successfully infected a system is normally able to do anyway, such as download files through a web browser.
However, there will always be things that antivirus software cannot detect. And Windows Defender is included on every Windows 10 PC, whether or not the PC also uses third-party antivirus software. That is usually a good thing; here it means the download tool is always present for malware to use.
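For anyone administering Windows machines, the practical check is whether MpCmdRun.exe has been launched with -DownloadFile on a PC. The following PowerShell is an added example for this page, not code from the article or from Microsoft. It assumes process-creation auditing is on (Security event 4688) together with the "Include command line in process creation events" policy, since without that policy the CommandLine field of 4688 is empty, and it relies on the field names Windows uses in that event.

```powershell
# Added example (not from the article or Microsoft): hunt Security event 4688
# for MpCmdRun.exe started with -DownloadFile. Reading the Security log needs
# an elevated session. Assumes command-line auditing is enabled.

function Get-MpCmdRunDownloads {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named fields from the event XML rather than relying on
            # positional Properties indexes, which differ between Windows builds.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Image       = $data['NewProcessName']      # full path of the new process
                Parent      = $data['ParentProcessName']   # what launched it
                CommandLine = $data['CommandLine']         # empty unless the audit policy above is set
            }
        } |
        Where-Object {
            # Match on the binary name, not its path: the Platform folder is versioned.
            $_.Image -match '\\MpCmdRun\.exe$' -and $_.CommandLine -match '-DownloadFile'
        }
}

# Usage: list every Defender-driven download in the last week, with the
# parent process, which is the interesting part when it is not a user's shell.
Get-MpCmdRunDownloads | Format-Table Time, User, Parent, CommandLine -AutoSize -Wrap
```

If Sysmon is deployed, Event ID 1 in the Microsoft-Windows-Sysmon/Operational log carries the same Image, ParentImage and CommandLine fields and does not depend on the 4688 audit policy; the same XML-to-hashtable approach applies.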
We reached out to Microsoft for comment; its response is quoted above.
If you are wondering how to do this, here are the file path and command. However, make sure you know what you are doing:

C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MpCmdRun.exe -DownloadFile -url <URL> -path <local file path>

The exact Platform subfolder name depends on the installed Defender engine version.