Fixing Windows Defender RCE vulnerability in mpengine.dll [EN]

In this post I will share my experience with fixing a vulnerability related to the built-in Windows/Microsoft Defender antivirus (not to be confused with the Microsoft Defender for Endpoint service). It is an integral part of Windows 10 and is still present on the system in some form even when you use a third-party AV solution. In that case it should be dormant and usable only for a simple on-demand scan. But sometimes that is not the case.

One day our vulnerability scanning service started to report a vulnerability that looked strange at first glance on multiple endpoints. Actually it was 3 or 4 related vulnerabilities, with Remote Code Execution (RCE) being the most critical among them. In most cases Defender was not active, so I don't think it was really that critical, but it was still reported and we had to do something. The vulnerability itself was linked to the mpengine.dll file, which is one of the main Defender engine libraries (it is the scan engine that the definition updates ship). This file is located in the C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{random GUID}\ folder.

In the normal situation, when Defender is dormant, you can just delete this folder, or just the mpengine.dll file inside it, and this eliminates the detection. And we did that on most of the endpoints. But on some it was failing, because the Windows Defender Antivirus Service (Windows 10 1909 or earlier) or Microsoft Defender Antivirus Service (newer versions) was actually in the Automatic startup type and Running. It should be Manual and Stopped when a third-party AV is used. As this service was running, it kept the DLL file locked, so we couldn't delete it. And in general it was weird that this service was running when it shouldn't. It seemed like a bug in either our AV solution or in Defender.

I searched for a way to stop this service and read many articles and forum posts, but this service is protected by the OS and cannot be easily stopped. I even opened a case with Microsoft, and after checking our logs they just said that our Defender was very old and we should update it. This was not very helpful, but it still pointed me in the right direction. The folder and the files in it (mpengine.dll and the rest) were usually from September 2017. I am guessing that the version released then had a bug that didn't switch Defender off when a third-party AV is present.
So the service would be running, but Defender would be in some kind of broken state, unable to update itself (there are no update controls in the Windows Security page in Settings; it only shows the third-party AV status, as it normally should). I tried uninstalling our AV, going to the Windows Security settings, and from there I was able to run an update, which updated the definitions and mpengine.dll. Then I could install the AV back, and Defender would switch to the Manual and Stopped state. But we had a few thousand endpoints with this problem, and couldn't just reinstall the AV on all of them.

My next idea was to approve the Defender program and definition updates in WSUS. We don't have these categories enabled, as we use a third-party AV and there is no need to update Defender. But affected machines would show up as "not applicable" for such updates (I guess because of the broken state they were in).

My next step was to download the latest Microsoft Defender platform update from the Microsoft Update Catalog and run it manually on an affected endpoint. I used the August version, but the latest version at this point is Update for Microsoft Defender Antivirus antimalware platform – KB4052623 (Version 4.18.2109.6). The package contains three updateplatform_<number>.exe files; I think I used the first one in the list (the catalog entries are per architecture, so pick the one matching the endpoint). When I ran this update file on one endpoint it didn't produce any messages or windows, but within a few seconds the Defender service switched to Manual and Stopped. I guess it just updated to a version with the bug fixed and switched to the correct state. So we pushed this package to all machines that had the Defender service in Running state, and another script went through all machines and tried to delete the {GUID} folder. This way we brought the number of affected machines down to a dozen or so, which will also be fixed eventually.
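The remediation described above (check the service, delete the stale engine folder if Defender is dormant, otherwise apply the platform update and re-check), as an added example of a per-endpoint script. This is not the script we used or anything from Microsoft; it assumes the service name WinDefend (which is what both "Windows Defender Antivirus Service" and "Microsoft Defender Antivirus Service" run under on Windows 10), and the path C:\Temp\updateplatform.exe for the updateplatform_<number>.exe extracted from the KB4052623 package is a placeholder you would replace. Run it elevated; without -Remediate it only reports.

```powershell
# Added example, not code from the original post. Assumptions (not from the page):
#  - the platform update has been copied to $PlatformUpdate beforehand
#  - WinDefend is the service behind the "Defender Antivirus Service" display name
param(
    [string]$PlatformUpdate = 'C:\Temp\updateplatform.exe',   # hypothetical staging path
    [switch]$Remediate
)

$defRoot = 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates'
$svc     = Get-Service -Name WinDefend -ErrorAction Stop

"WinDefend: Status=$($svc.Status) StartType=$($svc.StartType)"

# Inventory every {GUID} folder that holds an engine, with the DLL's version and timestamp.
# This is what the vulnerability scanner is flagging: an old mpengine.dll on disk.
$engines = Get-ChildItem -Path $defRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dll = Join-Path $_.FullName 'mpengine.dll'
        if (Test-Path -LiteralPath $dll) {
            $fi = Get-Item -LiteralPath $dll
            [pscustomobject]@{
                Folder  = $_.FullName
                Version = $fi.VersionInfo.ProductVersion
                Written = $fi.LastWriteTime
            }
        }
    }
$engines | Format-Table -AutoSize

if (-not $Remediate) { return }

if ($svc.Status -eq 'Stopped') {
    # Dormant Defender (third-party AV in charge): the finding is just the stale
    # engine on disk, so the folder can simply be removed.
    foreach ($e in $engines) {
        try {
            Remove-Item -LiteralPath $e.Folder -Recurse -Force -ErrorAction Stop
            "Removed $($e.Folder)"
        } catch {
            # Typically a sharing violation: something still has the DLL open.
            "Could not remove $($e.Folder): $($_.Exception.Message)"
        }
    }
}
else {
    # A running service locks mpengine.dll and cannot be stopped by hand, so
    # apply the platform update instead; a fixed platform should switch the
    # service to Manual/Stopped by itself, after which the folder can be deleted.
    if (-not (Test-Path -LiteralPath $PlatformUpdate)) {
        throw "Platform update not found at $PlatformUpdate"
    }
    $p = Start-Process -FilePath $PlatformUpdate -Wait -PassThru
    "updateplatform exit code: $($p.ExitCode)"

    Start-Sleep -Seconds 30
    $svc.Refresh()
    "After update: Status=$($svc.Status) StartType=$($svc.StartType)"

    if ($svc.Status -eq 'Stopped') {
        "Service is now stopped; re-run with -Remediate to delete the old engine folders."
    } else {
        "Service still running; this endpoint needs manual follow-up."
    }
}
```

The two-pass design mirrors what happened at scale: one pass pushes the platform update to machines whose service is Running, and a later pass deletes the {GUID} folders once the service has gone to Stopped. Checking Status before Remove-Item avoids a noisy run of sharing-violation errors on the locked DLL.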
We also need to look into our MDT imaging process, as I believe Defender becomes active and starts pulling definitions as soon as Windows can reach the internet, before our AV is installed in a later step. We probably need to move the AV install as early as possible during imaging so that Defender goes inactive and doesn't pull definitions and mpengine.dll. Unless, of course, the old engine is actually part of the image itself.
