Microsoft Defender can ironically be used to download malware

Status
Not open for further replies.

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
Hehehe, how funny, I have the same reaction ;). Every. Single. Time. ;)

BTW, I am not dissing on WD, it is amazing. But it is a filter and your computer should be locked when you are at risk.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,132
It is a fairly logical move. Microsoft introduced so many LOLBins in the past, so why should it stop? But truly, this is the most stupid one. 🙃
Of course, this LOLBin is equally dangerous for any AV (for now).

Edit.
No problem for H_C, VS, and SWH due to anti-script (command-line) protection.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,132
Like any other LOLBin which tries to download something, this one can be mitigated in WD by activating WD Network Protection. This will activate SmartScreen URL check.
 
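As an added illustration of the mitigation described in the post above (this is not code from the thread or from any of the products mentioned), the PowerShell below turns on Defender Network Protection in block mode and reads the setting back, then reports the local antimalware platform version against the client version quoted later in the thread. Set-MpPreference, Get-MpPreference and Get-MpComputerStatus are the standard Defender cmdlets; the script assumes an elevated prompt on a machine where Microsoft Defender Antivirus is the active AV, and the version it prints is whatever that machine reports.

```powershell
# Added example: enable Microsoft Defender Network Protection in block mode and read the
# result back. Run from an elevated PowerShell prompt on a machine where Microsoft Defender
# Antivirus is the active AV (Network Protection depends on real-time protection being on).

# Allowed values for -EnableNetworkProtection: Disabled, Enabled, AuditMode.
# AuditMode records what would have been blocked without actually blocking it, which is a
# sensible first step on a machine whose legitimate outbound traffic is not yet well known.
Set-MpPreference -EnableNetworkProtection Enabled

# Confirm the setting took effect (Get-MpPreference reports 0 = Disabled, 1 = Enabled, 2 = AuditMode).
$pref = Get-MpPreference
switch ($pref.EnableNetworkProtection) {
    1       { 'Network Protection: Enabled (block mode)' }
    2       { 'Network Protection: AuditMode (log only)' }
    default { 'Network Protection: Disabled' }
}

# Report the antimalware platform version and compare it with the client version quoted in
# the thread (4.18.2008.9), so the reader can see whether this machine is at or past it.
$status   = Get-MpComputerStatus
$platform = [version]$status.AMProductVersion
"Antimalware platform version: $platform (engine $($status.AMEngineVersion))"
if ($platform -ge [version]'4.18.2008.9') {
    'Platform is at or above 4.18.2008.9.'
} else {
    'Platform is older than 4.18.2008.9; check for a platform update.'
}
```

Starting in AuditMode and reviewing the Defender operational log before switching to Enabled avoids surprising users with blocked downloads from sites SmartScreen rates poorly.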

plat

Level 29
Top Poster
Sep 13, 2018
1,793
this one can be mitigated in WD by activating WD Network Protection

Probably speculation: Is this why there were these multiple updates to the Antimalware Platform recently? I'm flashing on the recent conflict between Network Inspection Service and Memory Integrity. There had to have been some exceedingly good reasons.

Even though the update to version 4.18.4008.4 "fixed" this, maybe in light of this information, it's better to continue on to update to the very latest Client version: 4.18.2008.9.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,132
...
Even though the update to version 4.18.4008.4 "fixed" this, maybe in light of this information, it's better to continue on to update to the very latest Client version: 4.18.2008.9.
" In tests conducted by BleepingComputer.com, this feature was added to Microsoft Defender in version 4.18.2007.9 or 4.18.2009.9. "
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
Probably speculation: Is this why there were these multiple updates to the Antimalware Platform recently? I'm flashing on the recent conflict between Network Inspection Service and Memory Integrity. There had to have been some exceedingly good reasons.

Even though the update to version 4.18.4008.4 "fixed" this, maybe in light of this information, it's better to continue on to update to the very latest Client version: 4.18.2008.9.
Hmmmm... interesting observation, I think you are on to something ;).

I will say, MS has come a VERY long way with WD and it truly is amazing now. It does need A LOT of work on usability. I mean, just to create an exception for one folder or to restore files from quarantine takes like 50 clicks and 20 minutes ;).

I can FINALLY say this... really all you need is WD and VS and you are good to go. I kinda saw this coming a couple of years ago... I just had no idea that they would work together THIS well. In all fairness, I should not be surprised... it was all by design ;).
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
It is a fairly logical move. Microsoft introduced so many LOLBins in the past, so why should it stop? But truly, this is the most stupid one. 🙃
Of course, this LOLBin is equally dangerous for any AV (for now).

Edit.
No problem for H_C, VS, and SWH due to anti-script (command-line) protection.
And your new creation will block system calls as well, right? ;).
 
  • Like
Reactions: Cortex

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
I just blocked MpCmdRun.exe, thanks Dan. /s

I believe this could happen to any antivirus vendors if they had more marketshare.
Sure, thank you as well! Yeah, I believe this too... it is all about marketshare.

That is why having another layer of unknown protection (to the attacker) makes a lot of sense.
 

Bryan320

Level 8
Oct 11, 2019
293
Thank you for this post. I will be visiting family members' homes to install another solution till this is fixed.
 
  • Like
Reactions: Cortex

Bryan320

Level 8
Oct 11, 2019
293
The good news is that Microsoft Defender will detect malicious files downloaded with MpCmdRun.exe, but it is unknown if other AV software will allow this program to bypass their detections.

Sure, so in other words, let's spread the information to cyber criminals so they can exploit other software, L0L. They don't call it "bleeping computer" for nothing.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,132
And your new creation will block system calls as well, right? ;).
Heaven forbid!
I do not create software to kill the system.

Edit.
In fact, thanks to SRP, MpCmdRun.exe can be blocked for malware (in the home environment) and still allowed for a few WD scheduled system tasks.
 
Last edited:
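The split described in the post above, MpCmdRun.exe allowed for Defender's own scheduled tasks and blocked for everything else, also works as a triage rule for process-creation logs. The PowerShell below is an added example written for this thread, not code from Hard_Configurator, VoodooShield or any other product: it flags an MpCmdRun.exe launch when its parent is not the Task Scheduler service host or when its command line carries a URL. The svchost.exe parent is an assumption about how the scheduled tasks start the binary, the sample records are constructed (not real log data), and the download switches in the suspicious sample are deliberately left out; the rule is coarse (a user starting a scan from a shortcut trips it) and needs tuning against a baseline before use.

```powershell
# Added example: triage helper for process-creation records (Security event ID 4688) that
# involve MpCmdRun.exe. The function and the sample records are constructed for this post
# and are not part of any product; the records are not real log data.

function Test-MpCmdRunAnomaly {
    param(
        [Parameter(Mandatory)] [string]$NewProcessName,
        [Parameter(Mandatory)] [string]$ParentProcessName,
        [string]$CommandLine = ''
    )
    # Only launches of MpCmdRun.exe itself are of interest.
    if ([IO.Path]::GetFileName($NewProcessName) -ne 'MpCmdRun.exe') { return $false }

    # Assumption: Defender's scheduled maintenance tasks start MpCmdRun.exe from the Task
    # Scheduler service host (svchost.exe). That mirrors the SRP split in the post: the
    # scheduled-task path is expected, anything else is not. A command line carrying a URL
    # is flagged regardless of parent, since a signature update does not pass one.
    $parentIsTaskHost = [IO.Path]::GetFileName($ParentProcessName) -eq 'svchost.exe'
    $hasUrl           = $CommandLine -match '(?i)\bhttps?://'
    return ((-not $parentIsTaskHost) -or $hasUrl)
}

# Constructed sample records (field names follow the 4688 event data names).
$samples = @(
    [pscustomobject]@{
        NewProcessName    = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
        ParentProcessName = 'C:\Windows\System32\svchost.exe'
        CommandLine       = '"MpCmdRun.exe" -SignatureUpdate'
    }
    [pscustomobject]@{
        NewProcessName    = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        CommandLine       = '"MpCmdRun.exe" <download options elided> https://example.invalid/file.bin'
    }
    [pscustomobject]@{
        NewProcessName    = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine       = '"MpCmdRun.exe" -Scan -ScanType 1'
    }
    [pscustomobject]@{
        NewProcessName    = 'C:\Windows\System32\notepad.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine       = 'notepad.exe'
    }
)

foreach ($s in $samples) {
    $flag  = Test-MpCmdRunAnomaly -NewProcessName $s.NewProcessName `
                                  -ParentProcessName $s.ParentProcessName `
                                  -CommandLine $s.CommandLine
    $label = if ($flag) { 'REVIEW' } else { 'ok' }
    '{0,-8} {1}  (parent: {2})' -f $label, $s.NewProcessName, $s.ParentProcessName
}

# Against live data. CommandLine is only populated when the audit policy
# "Include command line in process creation events" is enabled.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ForEach-Object {
#     $d = @{}
#     ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     if (Test-MpCmdRunAnomaly -NewProcessName $d.NewProcessName `
#                               -ParentProcessName $d.ParentProcessName `
#                               -CommandLine $d.CommandLine) { $_ }
# }
```

The same two signals (unexpected parent, URL on the command line) are what an SRP or WDAC allow-list encodes statically; logging them gives the home user's helper something to look at after the fact rather than only a block at the moment of launch.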

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,132
Thank you for this post. I will be visiting family members' homes to install another solution till this is fixed.
You will waste your time and bloat the system by installing & reinstalling security solutions.
  1. There are already several LOLBins in the system that can do the same and have been used by malc0ders for a long time. So this new one does not increase the danger for the home users. It can be less visible in incidents available in enterprise solutions.
  2. This LOLBin will work with any AV as well (similarly to most LOLBins) - it does not require WD enabled.
  3. WD will probably be the first to secure this by Machine Learning (locally or in the cloud). It is easy because it is known what kind of file should be downloaded (WD update).
You should rather think about how to prevent/mitigate other popular LOLBins.
 
Last edited: