How a Malicious Word Document Disables Windows Defender

May 30, 2017

Early May 2017, members of Google’s Project Zero discovered critical flaws in Windows Defender – specifically in MsMpEng.exe, which is the Windows AntiMalware Service Executable. These flaws leave users exposed to severe risks from various attack vectors.

Tavis Ormandy, a Google Project-Zero [1] researcher explained:

On workstations, attackers can access MsMpEng by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of is possible because MsMpEng uses a filesystem to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on (e.g. , temporary internet files, downloads (even unconfirmed downloads), attachments, ) enough to access functionality in . MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses it’s own content identification system.

Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.

As Tavis mentioned, upon arrival of a new email, Windows Defender scans the email (along with its attachments) and takes the relevant actions: either allowing the file or blocking it. Triggering MsMpEng (from an attacker’s point-of-view) is as easy as sending an email with attachments to a user.

Now let’s imagine the following scenario:

An attacker crafts a malicious attachment, with the power to actively kill Windows Defender, and sends it to his victims. When it arrives to the victim’s machine, the email is  scanned and, without the user even opening it, crashes Windows Defender. The victim’s machine is now rendered defenseless and exposed, unable to guard itself against an attack.

Our researchers at Votiro Labs were able to exploit this vulnerability with a malicious DOCM. The document, once arrived in your inbox (tested on Windows 10), will terminate the Antimalware Service Executable, leaving the system exposed and vulnerable to the second stage of the attack. When the user opens the attached document, it’s macros infect the machine with a , completing the 2-step infection process.

This same file, being used to disable Windows Defender and infect the machine, is completely cleaned by our Advanced CDR Technology, in such a way that it is unable to terminate Windows Defender nor will it have malicious macros within.

This short video demonstrates this scenario on Windows 10 machine (full screen is recommended):


Microsoft released an advisory for this issue, CVE-2017-0290 [2], and issued a security update for to resolve the case. As always, systems remain at risk and are advised to update their systems at once.

Using Advanced CDR solution, attachments are carefully examined and essentially “re-built” from scratch. This solution eliminates any nonstandard attributes or values without requiring any signatures or heuristics and without altering the original file and its benign attributes.


Even though this kind of attack has not been seen “in the wild” yet, we believe that this scenario can become a reality at any time. If attackers would begin incorporating these methods to their existing campaigns, it would significantly increase their infection rate – and that’s just the tip of the iceberg. This vulnerability, when exploited properly, allows for RCE (remote code execution) on the infected machine without any interaction from the user, making sophisticated social-engineering a thing of the past.

We invite you to submit a file to be cleaned by our solutions.