• Is your machine running the latest Malware Protection Engine?


    #181186

    If you’re running Windows Defender, Microsoft Security Essentials, or one of Microsoft’s corporate malware protection products, there’s a new vers
    [See the full post at: Is your machine running the latest Malware Protection Engine?]

    • #181109

      From https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0986: “A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

      • #181127

        Immediately upon seeing this, I fired up my Windows Defender installation for an update to get the engine updated, and I wound up with the LAST engine version that’s vulnerable to the bug, darn it! Oh well, will try checking again tomorrow in the hope that WD pulls down the latest engine version. Tonight’s update took the engine from version 1.1.144 something to the last one that’s vulnerable 🙁

        I don’t use WD at all, but DO pay attention to notices such as these to keep from potentially being vulnerable, in case some form of malware gets onto my system and actually launches WD to try to make me vulnerable to a bug. I normally have a couple of settings that keep it disabled safely, but you never know if there’s a script out there that would seek out and change those settings in order to launch WD without my intervention. 😉

        • #181282

          Same here, you would think WD would be set up in such a way that when a certain engine version has an issue that checking for updates would report that there weren’t any until the safe version was universally available.

      • #181141

        Just for your information. There is a critical flaw in MS Malware Protection Engine (CVE-2018-0986) that allows remote code execution. Updates will be delivered within the next 24 hours to all affected products (Defender, MSE, Forefront, Exchange Server).

        Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

        https://www.borncity.com/win/

      • #181150

        CVE-2017-11937, a previous Microsoft Malware Protection Engine vulnerability, is listed in the “Top 10 Vulnerabilities” at https://www.mcafee.com/threat-center/threat-landscape-dashboard/vulnerabilities.html (reference). This would seem to indicate that CVE-2017-11937 is/was being exploited, but I haven’t found any corroborating evidence on the web.

      • #181151

        A topic for a previous vulnerability in Microsoft Malware Protection Engine: Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it.

        • #181250

          @Mr.Brian: Has anyone thought of hiding the Windows Defender, and hoping that hiding it could possibly solve the problems it appears to be causing with impunity? Just a thought, because everything seems to be so messed up. Thank you for all of the information you so freely share with us all. 🙂

    • #181196

      Just to check: if you have another AV, Defender is not running, right? (when on W7).

      • #181278

        Only if you fully disable Windows Defender by unchecking the boxes for Automatically scan my computer, unchecking Use real-time protection, and unchecking Use this program under the Administrator settings. If you have properly disabled Windows Defender, then trying to launch Windows Defender in Control Panel will produce a popup which says that This program is turned off.

    • #181200

      Definition Update 1.265.3.0 for Microsoft Security Essentials  was automatically installed on my computer at 2:00 am EDT this morning.

      The Event Viewer  shows the following information for this event:

      Microsoft Antimalware signature version has been updated.
      Current Signature Version: 1.265.3.0
      Previous Signature Version: 1.263.1955.0
      Signature Type: AntiVirus
      Update Type: Full
      User: NT AUTHORITY\SYSTEM
      Current Engine Version: 1.1.14700.5
      Previous Engine Version: 1.1.14600.4

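The Event Viewer excerpt above (event 2000, with current and previous engine versions) is the quickest audit trail, but it only appears after an update has run. The script below is an added example, not code from the post or from Microsoft: it reads the engine version that is actually in effect, compares it as a version (not a string) against 1.1.14700.5, the first fixed engine the thread reports for CVE-2018-0986, and pulls the most recent event 2000. The Defender-module cmdlet is used where it exists (Windows 8.1/10); on Windows 7 the script falls back to the registry. The registry paths, the log names and the "Microsoft Antimalware" provider name are assumptions about where Defender and MSE record their state; adjust them if your build differs.

```powershell
# Added example (not from the original post). Reports the Malware Protection
# Engine version in effect and whether it is at or above the first fixed build
# the thread reports for CVE-2018-0986. Registry paths and event-log names are
# assumptions about where Defender / MSE record their state.

$MinimumFixedEngine = [version]'1.1.14700.5'

function Get-EngineVersion {
    # Windows 8.1 / 10 ship the Defender module; prefer it when present.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $s = Get-MpComputerStatus
        return [pscustomobject]@{
            Product   = 'Windows Defender (Defender module)'
            Engine    = [version]$s.AMEngineVersion
            Signature = $s.AntivirusSignatureVersion
        }
    }
    # Windows 7: MSE and Windows Defender use the same value names under
    # different keys (assumed paths). MSE wins if both are present.
    $candidates = @(
        @{ Product = 'Microsoft Security Essentials'; Key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates' },
        @{ Product = 'Windows Defender';              Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates' }
    )
    foreach ($c in $candidates) {
        if (Test-Path $c.Key) {
            $p = Get-ItemProperty -Path $c.Key
            if ($p.EngineVersion) {
                return [pscustomobject]@{
                    Product   = $c.Product
                    Engine    = [version]$p.EngineVersion
                    Signature = $p.AVSignatureVersion   # absent on Win7 Defender (anti-spyware only)
                }
            }
        }
    }
    throw 'No Defender/MSE engine version found on this system.'
}

function Test-EngineFixed {
    param([version]$Engine, [version]$Minimum = $MinimumFixedEngine)
    # [version] compares field by field: 1.1.14700.5 > 1.1.14600.4, and a
    # later 1.1.15000.x also passes. A string comparison would get this wrong.
    return $Engine -ge $Minimum
}

function Get-LastEngineUpdateEvent {
    # Event 2000 ("signature version has been updated") carries the current
    # and previous engine versions, exactly as in the Event Viewer excerpt.
    # MSE writes it to the System log; Defender on 8.1/10 has its own log.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 2000 },
        @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = 2000 }
    )
    foreach ($f in $filters) {
        $e = Get-WinEvent -FilterHashtable $f -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($e) { return $e }
    }
}

$v = Get-EngineVersion
"{0}: engine {1}, signatures {2}" -f $v.Product, $v.Engine, $v.Signature
if (Test-EngineFixed $v.Engine) {
    "Engine is at or above $MinimumFixedEngine (fixed for CVE-2018-0986)."
} else {
    "Engine $($v.Engine) is below $MinimumFixedEngine - still vulnerable; update now."
}
$ev = Get-LastEngineUpdateEvent
if ($ev) { "Last engine/signature update event: {0}`n{1}" -f $ev.TimeCreated, $ev.Message }
```

Run it before and after an update. The point of the version comparison is that a fresh signature package can arrive with the old engine still inside (as several replies in this thread saw), so the signature date alone proves nothing; the engine field is what has to move.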
    • #181204

      I am using Microsoft Security Essentials, and this morning I confirmed that I had the old, vulnerable engine. I then did an update of definitions from within MSE, and as part of that update the new, fixed engine was installed.

    • #181207

      If you can’t trust your virus checker, what can you trust?

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #181208

      Microsoft manual definition updates:

      https://www.microsoft.com/en-us/wdsi/definitions

    • #181210

      You don’t have to wait for it to happen.  I just read Woody’s comments and looked to see when Windows Defender last updated.  It’s 3:20AM here in Hawaii and it last updated around 3PM on April 3 with the old engine still there.  I saw no reason to wait for another 12 or so hours for it to automatically update.  So, I clicked it to update now and it fetched the new engine and new definitions.

      Slightly off topic, but I don’t like how Windows Defender does not have a regular update time on Windows 10.  On Windows 8.0 Pro, I set up a task (since on that OS it would not update automatically with Windows Updates disabled) so it updated at the same time every evening. I am going to do that on Windows 10 also as that way I can set it to update twice daily at specified times.

      • #181214

        Similarly, I normally run MSE definitions update manually at least once per day.  On seeing MrBrian’s post (I thank him) I immediately ran a manual update this morning, which did indeed update the engine to 1.1.14700.5 and the definitions to 1.265.x.0.

        Thanks to all concerned, HMcF.

        • #181223

          PS from HMcF again:  Is it ABSOLUTELY true that the engine and definitions are ALWAYS IDENTICAL in (1) Windows 7 Microsoft Security Essentials, and (2) Windows 10 Defender?  From time to time, I download the mpam-fe.exe file for both of these, and I always find them identical (command prompt fc /b).  But I’m not confident.

          Production machine Win7 Pro SP1 x64;  Win10 (target machine) Win10 Pro.

    • #181216

      Got it already.

      Win8.1 HP

      Antimalware Client Version: 4.10.209.0
      Engine Version: 1.1.14700.5
      Antivirus definition: 1.265.27.0
      Antispyware definition: 1.265.27.0
      Network Inspection System Engine Version: 2.1.14600.4
      Network Inspection System Definition Version: 119.0.0.0

      HF

      • #181345

        Before today, my previous Windows Defender Update was run on my Win 10 Pro Version 1703 on March 31.  I just now – April 4 about 6pm CT – ran the Windows Defender Update again and another update was installed, this time with the latest version of the Malware Protection Engine.  Thank you Microsoft

        Still waiting for DEFCON 3 to update Windows 10 Pro to the current Cumulative Update on my machine, which shows as KB4074592 from February 13.  The most recent Cumulative Update Windows 10 Pro Version 1703 still shows as KB4088891, which is from March 22.  I have my delay for quality updates set to 30 days so this makes sense.  The 30 day update for quality updates probably means that the most recent Windows 10 Pro Version 1703 that I should be offered is KB4077528, which is from February 22.  Any experience out there with KB4077528?

        If I could upgrade to Windows 10 Pro Version 1709, the most recent version that I should be offered is KB4090913, which is from March 5.  Any experience out there with KB4090913?

        I really would like to have placeholders for OneDrive for Business.

        Jonathan

        • #181348

          I just upgraded one VM from 1703 to 1709. It came in as Build 16299.125 which is Dec 13th CU. That makes a lot of sense because that was before the Meltdown/Spectre mitigation started causing all the problems. If you upgrade, you might want to keep it there for a month or two.

          • #181370

            PK, from which version of the Windows 10 Version 1703 Cumulative Update did you upgrade to Version 1709?  Was it newer than the one that Windows Update is waiting to install for me?

            Jonathan

            • #181459

              It was 15063.909 -> 16299.125 – I’ve seen other reports that the upgrade drops to the Dec 13th CU as well. Smart of MS not to drop people into the current mess, yes?

            • #181549

              PK, the update that is waiting to be installed is 15063.909 aka KB4074592.

              I will run the update to 15063.909; and then follow exactly what you did: “It was 15063.909 -> 16299.125 – I’ve seen other reports that the upgrade drops to the Dec 13th CU as well. Smart of MS not to drop people into the current mess, yes?”

              I hope that I am not jumping too far to a conclusion, but Microsoft seems to be taking care of Win10 Pro users who are on “Current Branch for Business” as it still calls it in Windows Update.

              Are you or any other MVPs or Woody aware directly of any Windows 10 Pro users who have used the Quality Update and Feature Update delays with DEFCON2 type delay for Quality Update — 30 days or slightly less — and Feature Update delays of 120 to 365 days that were prematurely updated from Version 1703 to Version 1709?

              Thank you as always,

              Jonathan

            • #181555

              I use Feature updates = 365 and quality updates = 0. In Group Policy I have Windows Update = Enabled = 2 (notify download/install). This means the quality updates show up in the queue so I can see what they are (know what I have to hide) but they don’t download until I hit the “download” button. I think if you use the delay quality updates = 30, you might not see them in the queue for 30 days.

              I also set Delivery Optimization\Download Mode = Enabled = 99 (no peering)

              In s709n the CBB is gone – equivalent is Semi Annual Channel (SAC)

            • #181565

              PK, I understand some of what you just wrote.

              Are you running some separate system management software to set Group Policy or do I have access to it directly through Windows 10 Pro?

              When Microsoft downloads a second Cumulative Update while I am waiting for DEFCON3 in a given monthly cycle, I can tell it from the new KB article number on it and the later date on it.  I am able to do this because I only restart my system one time per month.  Otherwise, I put it to Sleep every time I move it.  I also check my Update History every time that I see that the KB article number and the date on it change.

              Using Sleep mode seems to be giving me the same results without the same detail that you get from your process.  I should probably understand your process, starting with which additional tools you are using, so that I can improve my ability to manage my system today and any additional systems in the future.

              Finally, you wrote: “In s709n the CBB is gone – equivalent is Semi Annual Channel (SAC).”  I am aware of the Semi Annual Channel (SAC) as the new terminology.  “s709n” looks like a typo to me.

              Very truly yours,

              Jonathan

              —- Copied from PK Cano message —-

              I use Feature updates = 365 and quality updates = 0. In Group Policy I have Windows Update = Enabled = 2 (notify download/install). This means the quality updates show up in the queue so I can see what they are (know what I have to hide) but they don’t download until I hit the “download” button. I think if you use the delay quality updates = 30, you might not see them in the queue for 30 days.

              I also set Delivery Optimization\Download Mode = Enabled = 99 (no peering)

              In s709n the CBB is gone – equivalent is Semi Annual Channel (SAC)

            • #181574

              That should be 1709 – typos are my thing.

              GPEdit is the Group Policy Editor in Win Pro versions. There is information on this site about Group Policy – search and read up on it.
              If you type it in the search bar, makes it easy to find. It is structured like RegEdit. The paths I mentioned:

              Windows Components\Windows Update\Configure Auto Update = Enabled, 2

              Windows Components\Delivery Optimization\DownloadMode = Enabled, 99

              You will also need wushowhide.diagcab (download from MS) to be able to hide updates.
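The two Group Policy paths in the reply above, plus the feature/quality deferral settings discussed earlier in this exchange, all land in registry-backed policy keys, so they can be set and audited from PowerShell without opening gpedit.msc. The script below is an added example, not from the post: it writes the documented WindowsUpdate and DeliveryOptimization policy values and reads them back. The value names (AUOptions, DODownloadMode, DeferFeatureUpdatesPeriodInDays, DeferQualityUpdatesPeriodInDays) are the standard policy registry names; the numbers 2, 99, 365 and 0 are the poster's own choices, not recommendations of this page.

```powershell
# Added example (not from the original post). Applies the poster's Windows
# Update policy (notify-only, no peering, feature updates deferred 365 days,
# quality updates 0 days) via the registry keys Group Policy writes, then
# reads them back. Run from an elevated prompt; gpupdate /force or a reboot
# makes the change effective.

$AU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$DO = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-PolicyDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Set-NotifyOnlyUpdatePolicy {
    # Windows Components\Windows Update\Configure Automatic Updates = Enabled, 2
    # (2 = notify before download; NoAutoUpdate=0 keeps the policy "Enabled").
    Set-PolicyDword $AU 'NoAutoUpdate' 0
    Set-PolicyDword $AU 'AUOptions'    2
    # Windows Components\Delivery Optimization\Download Mode = 99
    # (99 = simple download from HTTP only, no peering; 100 = bypass DO).
    Set-PolicyDword $DO 'DODownloadMode' 99
    # Defer feature updates 365 days; quality updates 0 days so they show in
    # the queue immediately and can be hidden with wushowhide.
    Set-PolicyDword $WU 'DeferFeatureUpdates'             1
    Set-PolicyDword $WU 'DeferFeatureUpdatesPeriodInDays' 365
    Set-PolicyDword $WU 'DeferQualityUpdates'             1
    Set-PolicyDword $WU 'DeferQualityUpdatesPeriodInDays' 0
}

function Get-UpdatePolicy {
    # Read back what is actually set, so a value that drifted (or was never
    # written because the key was missing) is visible at a glance.
    $au = Get-ItemProperty $AU -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty $WU -ErrorAction SilentlyContinue
    $do = Get-ItemProperty $DO -ErrorAction SilentlyContinue
    [ordered]@{
        AUOptions                       = $au.AUOptions
        DODownloadMode                  = $do.DODownloadMode
        DeferFeatureUpdatesPeriodInDays = $wu.DeferFeatureUpdatesPeriodInDays
        DeferQualityUpdatesPeriodInDays = $wu.DeferQualityUpdatesPeriodInDays
    }
}

Set-NotifyOnlyUpdatePolicy
Get-UpdatePolicy
```

Get-UpdatePolicy is the half worth keeping around: the Settings app and gpedit.msc can disagree with each other, and the registry is what the update client actually reads.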
            • #181587

              PK, I thought that you meant Version 1709, and I needed to make certain of it.

              I remember someone referring to GPEdit some time ago and I thought “oh good, an opportunity to understand Group Policy.”

              And, believe it or not, I believe that I only used RegEdit once in the past ten years that I have had my own Windows Computer to use.  I started with Windows 7.

              I already have some experience with WUSHOWHIDE and it is installed on my system.

              I am optimistic that this will really take care of my needs for the next few months.

              Very truly yours,

              Jonathan

            • #181694

              PK, the world may have changed a little since you upgraded that VM to Version 1709.

              I started working on my updates after 7pm CT at the local public library.

              I usually do my updates in my local public library and I usually have it set as a Metered Connection.

              I turned off the Metered Connection setting on the library’s network and ran the update on Version 1703 from 15063.877 to 15063.909.  It was successful.

              I did another check for updates and was offered the update from 15063.909 to 15063.936.  I ran it also and now am at 15063.936, which is dated February 22.

              But now, I can’t get it to run another update even though the network still has Metered Connection off.  If it were to upgrade me again to the next version of 1703, that would also be 15063.936 but that is dated March 8. Oh-Oh.

              I am stopping for now, putting Metered Connection back on and waiting until tomorrow morning.

              Is there a support.microsoft.com webpage that I can use to get to Version 1709 without creating an ISO image or loading up a USB drive?

              Very truly yours,

              Jonathan Handler

            • #181724

              “Is there a support.microsoft.com webpage that I can use to get to Version 1709 without creating an ISO image or loading up a USB drive?”

              See https://www.askwoody.com/forums/topic/what-version-of-1709-will-i-get-through-update-assistant/#post-177838.

            • #181734

              Look at your settings first.
              Windows Update\Advanced – if you have Feature updates delayed set it to 0. If you have quality updates delayed set it to 0. Turn off pause.
              Wushowhide – have you hidden the 1709 upgrade?
              If you have changed any of these, reboot and check for updates again.

              If you don’t find any settings blocking the upgrade, then follow @MrBrian ‘s instructions

            • #182768

              PK,

              Yesterday, I followed your advice and Woody’s advice and set Feature Updates Delay to 0 days, restarted the system and then clicked on the Feature Update to install it.

              The update ran slowly, stopped, called up KB4023057 (I think that is the correct number for the Servicing Stack Update).  This was at 11:45am and I had to go to a church mission.  The library where I was let me leave the computer plugged in and set up to run behind the circulation desk.

              When I returned at 4pm, I discovered that the Servicing Stack Update had installed but the Feature Update had failed.  I only had 4.5GB left on the SSD, so I concluded that I needed to copy off some files to a USB 3.0 flash drive.  I bought a 16GB SanDisk drive for $8 (on sale) at MicroCenter and called an end to my upgrades/updates for the day.

              Today, I continued at the local Microsoft Store.  Copied about 6.5GB off of the SSD and ended up with 11GB free.  Unplugged the USB 3.0 flash drive.  Then forced the Feature Update and it ran to completion with some extra steps at the end.

              I was at Version 16299.125, which made me happy.

              Windows Update posted a message in red text that I needed to download security and quality updates.  I accepted the advice.  At first the updates failed and then they worked.

              Windows Update had installed KB4041994 (quality update for videos), KB4058043 (quality update for Microsoft Store) and KB4056887 (security update for Adobe Flash Player).  KB4074588 (Cumulative Update to Version 16299.248 dated 2018-02-13) is still waiting and “requires a restart to finish installing.”

              I generally go for a month at a time holding off updates by putting the system to sleep when I am not using it, which is what I will do after sending this message.

              Do you know whether or not 16299.248 is the next “stable” update issued after 16299.125?

              Very truly yours,

              Jonathan

            • #182770

              The Build I have now is 16299.309 – the one before was .248 – so you may have one more update to go.

            • #182969

              PK, thanks again.  I saw your message.  I tried to download the Quality Update to get to 16299.309 but it failed at first when I set Quality Update Delay = 0 days, left Metered Connection = On and restarted.

              When I switched my Metered Connection = On to Metered Connection = Off, the Download checkbox appeared and I started to download the Quality Update to 16299.309, the March 2018 MSRT and the March 2018 Adobe Flash Security Update.

              Once everything was downloaded, MSRT and the Adobe Flash Security Update were installed, and the Quality Update was waiting for a restart.

              Made a restart and now have 16299.309 also installed.

              Thank you again for your guidance.

              I have re-learned over this weekend that Metered Connection = On can really delay all Feature Updates and Quality Updates.

              Also, second, I have learned over this weekend that the Feature Update delay on Windows 10 Pro can be used as a switch that allows me to download only a Feature Update when delay = 0 days.

              Also, third, I have learned over this weekend is that the Quality Update delay on Windows 10 Pro can be used as a switch that allows me to download only a Quality Update when delay = 0 days.

              By following your example,  I used these controls in the Update & Security section of Settings to upgrade Windows 10 Pro from Version 1703 to Version 1709 and then used these controls to follow Woody’s advice at DEFCON3 to get updated through March 2018.

              All of this was done without GPEdit on my Windows 10 Pro machine.  I take this as proof that Microsoft has made Windows 10 Pro a product version that “careful but less sophisticated users” of Windows 10 can manage themselves following Woody’s DEFCON system and the advice of you and other MVPs.

              Very truly yours,

              Jonathan

    • #181213

      Is it Windows Defender in Windows 7 or Microsoft Security Essentials? Windows Defender is “turned off” on my computer with MSE, but those numbers seem to correspond with the About dialog of MSE.

      (Open MSE, click the arrow beside the word Help, and then click About. It’s the Engine Version.)

      • #181233

        It’s kind of the same difference, I believe. My MSE has also updated itself to the new engine version like a good boy. One of the few MS products that gives me no trouble.

        • #181240

          It’s kind of the same difference, I believe. My MSE has also updated itself to the new engine version like a good boy. One of the few MS products that gives me no trouble.

          Not the same.  MSE for Win 7 – Defender for 8.1

          https://cloudblogs.microsoft.com/microsoftsecure/2013/11/14/windows-defender-and-microsoft-security-essentials-which-one-do-i-need/

          • #181243

            Windows Defender is installed by default on Win7. If you don’t use MSE, Defender’s engine  still needs to be updated for you to be secure. Many other third-party anti-virus programs turn Defender off. In the ones I use there is an option to turn off real-time protection so you can go into the Activity Center and manually turn on and update Defender.

            • #181355

              I have Windows 10, and I use avast, I have Windows defender turned off, SHOULD I still update it even though I don’t use it and my antivirus is good enough?

              Just someone who don't want Windows to mess with its computer.
            • #181357

              If you can turn off Avast long enough to turn on Defender and update it, then turn it back off, you should do that. But Avast is a hard one to turn off, I’ve heard. You might find instructions somewhere on the Internet.

            • #181358

              Mr. PK, these are the numbers I have; am I fully updated?
            • #181361

              That looks good

            • #181363

              Ok, then I will re-install avast now (yeah, had to re-install it)

            • #181366

              You seem to have lots of patience. 🙂

            • #181512

              You don’t need to uninstall avast to update defender, they do make it difficult to do so but you just need to change one entry in the registry so it can run. Just make sure to switch it back afterwards. We discussed this last time there was a huge security hole in defender – https://www.askwoody.com/forums/topic/microsoft-quietly-repairs-security-hole-in-windows-defender-cve-2017-11937/#post-151067

              That worked for me but I just made sure avast was running in quiet mode or whatever it’s called: there’s an option in troubleshooting to do this.

            • #181447

              Thanks @PKCano, was looking for that info.

              Turned on my disabled Defender on my Win7 Pro SP1 x64, but it only updated to Version 1.1.14600.4. Will try again later.

          • #181299

            We were talking about MSE on Win. 7

    • #181217

      Oddly, I downloaded the latest Windows Defender update manually and it installed the latest malware engine  1.1.14700.5 but when manually running the Malicious Software Removal tool and looked at the MRT logs in C:/Windows/Debug folder it indicated the old version 1.1.14600.4.

    • #181222

      Running Win7 Pro x64 with Windows Update set to manual. Checked for updates and installed “Definition Update for Microsoft Security Essentials – KB2310138 (Definition 1.265.36.0)” and the engine version was updated.

      Anyway, always have a hard time getting worked up about most of these vulnerabilities. I use a content blocker, uBlock Origin, with 3rd-party iframes globally blocked. And, I use No-Script Suite Lite to automatically disable javascript when landing on a new site, basically just using the addon as a js whitelist. Same setup with Chrome and FF. Remote code execution? Bring it. LoL

    • #181225

      Oops, does anybody still use Windows Defender on Win7?

      I believe it’s very easy to disable this integrated but pretty much useless app completely through services or control panel immediately after any fresh install of win7.

      Then you have no updates and therefore no headaches.

      In my personal case a combination of N360 & MWB Premium on all win7 machines around performs just fine.

    • #181226

      ? says:

      i dunno? considering the current insecurity trifecta, e.g. hardware, operating system, and security program

      one can download the latest definitions here:

      https://www.microsoft.com/en-us/wdsi/definitions

      or wait for the auto update whilst waiting for usable March updates

    • #181234

      It seems to me pertinent to ask:

      How often does Windows Defender (et. al.) actually detect malware?

      In a way, this is essentially asking: How good are you at not getting infected in the first place?

      No one really should be relying upon Windows Defender or other AV software to protect them. It’s a safety net that ideally should never be exercised.

      -Noel

      • #181286

        Years ago, Windows Defender routinely achieved roughly a 50% detection rate year after year and also greatly slowed down the user’s computer. I recall that Microsoft greatly improved Windows Defender in 2016 such that Windows Defender started producing rather good test scores starting in 2017. On the other hand, this latest glaring security hole, along with one or two similar ones in the past, forces me to keep Windows Defender fully disabled on my Win7 computers. Instead I rely on third party antivirus software. Still, it is a good idea to periodically enable Windows Defender to update it, and then disable it after it has been updated such that Windows Defender can be used if your primary AV program gets clobbered.

      • #181314

        A couple of years ago I had a period of visiting some… erhm… let’s just say “not exactly suited for work”-sites…

        Not too proud of it, but anyway. That was the only time, I’ve ever seen MSE catch some js scripts, a trojan and a virus… never got into any troubles with regards to system integrity.

        So, if you wanna test your MSE/Defender, I have a stack of links! 😀

      • #181384

        Hey Noel Carboni:

        According to av-comparatives.org, in their February 2018 real-world detection test, Windows Defender detected 100% of the malware thrown at it.

        Not too shabby…

    • #181237

      I use Malwarebytes Premium on my Win 7 PC.  Windows Defender will not work in addition to or together with MBAM.  You have to choose which one you want.  I would never trust Windows Defender to keep my PC malware safe.

      iPhone 13, 2019 iMac(SSD)

      • #181350

        I use Malwarebytes Premium on my Win 7 PC. Windows Defender will not work in addition to or together with MBAM. You have to choose which one you want. I would never trust Windows Defender to keep my PC malware safe.

        I believe that may be accurate for W7 Windows Defender, but it is not for MSE. Version 3 does not NEED an AV component, but it says the MSE was COMPATIBLE.

        In fact, according to their User Guide, Malwarebytes for Windows User Guide, Version 3.4.4 dated 6 March 2018 says:

        “You don’t need to pay for a traditional AV anymore! At Malwarebytes, we have always approached things differently and, as many people know based on their own positive experience with Malwarebytes finding and remediating malware that gets past AVs, we know a thing or two about zero-day malware and their infection tactics. We have always believed that no one product can do it all, and the free AV that comes with modern operating systems, in conjunction with Malwarebytes is all you will ever need.

        I have had both MSE and MB make detections, but only once on the same item.

        My MSE shows:

        Antimalware Client Version: 4.10.209.0
        Engine Version: 1.1.14700.5
        Antivirus definition: 1.265.69.0
        Antispyware definition: 1.265.69.0
        Network Inspection System Engine Version: 2.1.14600.4
        Network Inspection System Definition Version: 119.0.0.0

        • #181387

          Windows Defender has greatly improved to a really decent level, yet MSE is a joke.

          • #182236

            I don’t understand why Windows Defender (eg in Win10) should out-perform MSE (in Win7), given that the definitions and the engine appear to be identical when downloaded as the composite mpam-fe.exe file.

            I must be missing something.  (Possible: the single mpam-fe.exe file might contain two different engines, with the same engine version number, for the two target architectures. Now THAT thought is worrying me.)

            1: Win7 Pro SP1 x64, MSE up-to-date now, otherwise Group B until Dec 2017 then Group W;

            2: Win10 Pro 1703 x64, originally updated from a prior Win7 installation, but which now refuses to install 1709 (“threats, entreaties, all useless” — a quote).

            I sometimes download the two mpam-fe.exe files in quick succession, and then compare them, and always find them identical.  Can I rely on that being true in future (to save on the data cap) — probably not.

            HMcF
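HMcF's fc /b comparison of the two mpam-fe.exe downloads answers "are these the same bytes", but not the question a practitioner should ask first of a manually downloaded executable that will run as LocalSystem: is it really Microsoft's? The script below is an added example, not from the post or from Microsoft. It checks the Authenticode signature of each package (a valid chain and a Microsoft subject), records the SHA-256 so two downloads can be compared without re-reading both files byte by byte, and pulls the file version resource if the package carries one. The file paths are placeholders, and Get-FileHash needs PowerShell 4 or later (it is not in the PowerShell 2.0 that Windows 7 ships with).

```powershell
# Added example (not from the original post). Verifies that a manually
# downloaded mpam-fe.exe is Microsoft-signed before it is trusted, and
# compares two downloads by SHA-256 instead of fc /b. Paths are placeholders.

function Test-DefinitionPackage {
    param([Parameter(Mandatory)][string]$Path)
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = $sig.SignerCertificate.Subject
    [pscustomobject]@{
        File        = Split-Path -Leaf $Path
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus   = $sig.Status                      # expect 'Valid'
        Signer      = $subject
        # Both conditions matter: a *valid* signature from a non-Microsoft
        # signer is exactly what a swapped-out download would present.
        Trusted     = ($sig.Status -eq 'Valid' -and $subject -like 'CN=Microsoft Corporation*')
        # Version resource, if the package has one (assumption; may be empty).
        FileVersion = (Get-Item $Path).VersionInfo.FileVersion
    }
}

function Compare-DefinitionPackages {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = Test-DefinitionPackage $A
    $rb = Test-DefinitionPackage $B
    $ra, $rb | Format-Table File, Trusted, SigStatus, FileVersion, SHA256 -AutoSize
    if (-not ($ra.Trusted -and $rb.Trusted)) {
        Write-Warning 'At least one package is not a valid Microsoft-signed file; do not run it.'
    }
    if ($ra.SHA256 -eq $rb.SHA256) {
        'Identical packages (same bytes, so same engine and definitions).'
    } else {
        'Packages differ: a different release, or a different product/architecture build.'
    }
}

Compare-DefinitionPackages 'C:\Downloads\win7\mpam-fe.exe' 'C:\Downloads\win10\mpam-fe.exe'
```

A matching hash proves the two downloads are the same file; it says nothing about whether that file contains the engine you need, which is why the engine version on the running system is still the thing to check after installing it.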

    • #181247

      Force updates:

      Press the Windows + R keys > copy paste the following: “%ProgramFiles%\Windows Defender\MSASCui.exe” -Update
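The MSASCui.exe -Update switch above drives the Windows 7 Defender GUI. The script below is an added example, not from the post: it forces an update through whichever client is present (the Defender module's Update-MpSignature on Windows 8.1/10, MpCmdRun.exe -SignatureUpdate for MSE or Defender, and the GUI switch from the post as a last resort) and then re-reads the engine version so you can see whether the fixed engine actually arrived. As the earlier replies noted, an update can succeed and still hand back the last vulnerable engine if the new one is not on your channel yet, so the re-check is the point. The install paths and the registry key are assumptions about where the products live; adjust if yours differ.

```powershell
# Added example (not from the original post). Forces a definition/engine
# update using whichever client exists, then reports engine version before
# and after. Paths and the registry key are assumptions about the install.

function Invoke-EngineUpdate {
    # 1. Windows 8.1 / 10: the Defender module cmdlet blocks until done.
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        Update-MpSignature -UpdateSource MicrosoftUpdateServer
        return 'Update-MpSignature'
    }
    # 2. Command-line client shipped with MSE and with Windows Defender.
    $cli = @(
        "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe",
        "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
    ) | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($cli) {
        & $cli -SignatureUpdate
        return $cli
    }
    # 3. Last resort: the GUI switch quoted in the post.
    $gui = "$env:ProgramFiles\Windows Defender\MSASCui.exe"
    if (Test-Path $gui) { & $gui -Update; return $gui }
    throw 'No Defender/MSE update client found.'
}

function Get-RegistryEngineVersion {
    # Same value name under the MSE key and the Defender key (assumed paths).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',
                     'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates') {
        if (Test-Path $key) {
            $v = (Get-ItemProperty $key).EngineVersion
            if ($v) { return [version]$v }
        }
    }
}

$before = Get-RegistryEngineVersion
$used   = Invoke-EngineUpdate
$after  = Get-RegistryEngineVersion
"Updated via {0}: engine {1} -> {2}" -f $used, $before, $after
if (-not $after -or $after -lt [version]'1.1.14700.5') {
    'Engine still below 1.1.14700.5: the fixed build may not be on your update channel yet. Re-run later.'
}
```

On Windows 7 with a third-party AV installed, Defender is usually disabled and the update will not run until it is re-enabled, which is the dance several replies in this thread describe; the script does not touch that setting.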

    • #181248

      As always, Windows 10 is the most secure version of Windows ever!

      Heck, I’d trust Kaspersky Free on my computer more than Windows Defender! I have Kaspersky Internet Security, and thankfully Defender stays out of its way. Good.

    • #181271

      The Event Viewer shows that the MSE Engine Version updated at 17:27:46 on 2018.04.03, from 1.1.14600.4 to 1.1.14700.5 (WIN7 PRO SP1 x64), which was at the beginning of a scheduled daily scan.

      From what I have discerned from the logs, as Automatic Updates are set to Check for updates but allow me to choose whether to download and install them, MSE automatically updates once per day (as it initializes the daily scan); therefore, I tend to check for updates manually every couple of hours or so (sometimes signatures will update within the same hour, at others with an interval longer than twenty-four).

      MSE is used in conjunction with Malwarebytes Premium.  (Oh, and our old friend KB2952664 reappeared yesterday… .)

    • #181311

      Should Windows Defender be turned ‘on’ or ‘off’ when MSE is being used?

      • #181315

        If you’re on Win7, it automatically disables Defender.

    • #181317

My MSE updated itself. I also use the ADW Cleaner. Malwarebytes bought them out. They are standalone. No big download like Malwarebytes itself. Both MSE and ADW are free. Work for me.

    • #181318

      Didn’t we have this exact issue a month or two ago?  I seem to remember having to scramble to update WD as we use it as our 5th?/6th? line of defense.

Is this issue them finally realizing the last one was never fixed, or is this new? From reading the description it sounds like the former.

      • #181362

This is a newly revealed bug, but it is similar.

    • #181321

I know it’s an obvious and even a stupid question, but I have to ask anyway for the sake of clearing any confusion.

So, if you have Windows Defender deactivated and you have another antivirus, can you safely ignore this?

Just someone who doesn't want Windows to mess with his computer.
    • #181365

Who would have thought that even programs you don’t use or run would pose a great security risk.

Just someone who doesn't want Windows to mess with his computer.
      1 user thanked author for this post.
      • #181391

They don’t — as long as you fully disable them. On second thought, they shouldn’t — as long as you fully disable them. It depends on whether or not disabling them actually kills the loading of all components, and in particular low level I/O drivers which have deep hooks into the kernel. I/O is I/O. Low level I/O drivers are generally really stupid. They rely on correct data being passed to them by their parent program. This is what makes low level I/O drivers kind of scary, since malicious programs could pass crafted data to a low level I/O driver in order to get the low level I/O driver to do something which it shouldn’t. An example of a low level I/O driver, which many people might be familiar with, is the low level I/O driver which whatever your favorite brand of backup software installs. For example, Macrium Reflect or Acronis True Image backup software.

        Now let me give you all an example of a very similar type of driver. Let’s call it a Utility. This Utility is built into nearly all antivirus programs. This type of Utility has one function — to unpack compressed files so that the antivirus program can scan the contents of the compressed file for malware. There are many types of compression techniques and file packers which are widely used for the distribution of software. The list is rather dizzying, and the Utility has to know how to decompress or unpack files which were compressed or packed by any of this dizzying list of compression and packing techniques.

        Now, imagine that malware authors have figured out a way to maliciously compress or pack files in order to exploit a flaw in the Utility. Yep, this has occurred many times in the past in order to target a flaw which was found in the Utility which is used by a particular antivirus program, and this will inevitably occur many times in the future.

Read the above paragraph again, if necessary, in order to fully grasp the implications of allowing your antivirus software to use this built-in Utility. And now, here are two possible scenarios which depend on whether or not you configure your antivirus program to scan compressed files. There is a third possible scenario (no detection by either of the two scenarios described below), which is due to the inability of the antivirus program itself to detect the malware — regardless of either of the two scenarios. With this said…

        Scenario 1: You have NOT configured your antivirus software to scan compressed files. This disables the Utility. When you run the compressed file, the compressed file decompresses while your antivirus program monitors and scans the decompressed files as they are loaded into your computer’s memory and/or saved to a temporary folder on your computer’s hard drive. Your antivirus program does “see” the malware and blocks it. Bam! You are safe since your antivirus program detected the malware.

        Scenario 2: You HAVE configured your antivirus software to scan compressed files. The Utility runs when you try to either run the compressed EXE file or when you try to manually decompress a compressed file such as a ZIP file. The Utility is flawed. The flawed Utility, when called by your antivirus program, allows the maliciously compressed file to gain access to computer memory which your antivirus program does not see and is not monitoring since no program or program data is in this part of your computer’s memory. The flawed Utility just allowed malware to gain access to computer memory, and due to the flaw in the Utility, your antivirus program never saw the malware gaining access to some of your computer’s memory.

        In Scenario 1, your antivirus software would have seen and blocked the malware. In Scenario 2, your antivirus software never saw the malware loading into your computer’s memory since your antivirus software’s Utility was flawed. Isn’t this a riot?

        The upshot of all of this is that if your antivirus software has an option to scan archives or compressed files, and this option is disabled by default, then there are only two reasons why this feature is disabled by default:

        1. Your antivirus vendor isn’t sure if their Utility is completely safe, and/or,

        2. Your antivirus vendor has their Utility disabled in order to make scanning your computer faster.

        More than likely, it is #1 directly above. This is one reason why third parties test antivirus software “out of the box” and by using all of the default settings.

        The final upshot is, do not turn on any scanning within archives or scan within compressed files feature unless you really, really, really trust your antivirus manufacturer to not have any flaws in their Utility which accomplishes this task — especially if this feature is disabled by default. I say this since antivirus manufacturers not only add settings to cater to the ultra paranoid, but also since antivirus manufacturers make additional money by disinfecting computers.

        Moderators: This post turned out to be quite long. My apologies. Feel free to edit it and then perhaps move it to some sort of general advice section about antivirus products.

        8 users thanked author for this post.
    • #181388

      On Win 10 1709, the “Check for Updates” button in WD did not fetch the latest update package, but a manual download of the latest MPAM-FE.EXE from the MS site “Definition Updates for Windows Defender” did update the WD engine as wanted.

    • #181396

In my opinion it shouldn’t be edited down, it was quite illustrative.

Just someone who doesn't want Windows to mess with his computer.
      2 users thanked author for this post.
    • #181404

      Hi Woody.
      My PC Security Software turns Windows Defender off.
      Should I turn it on, update; then, check the build level?
      Regards, AK (W7, Home Premium)

    • #181468

      Tweet from Tavis Ormandy: “This is amazing, Windows Defender used the open source unrar code, but changed all the signed ints to unsigned for some reason, breaking the code. @halvarflake noticed and got it fixed. Remote SYSTEM memory corruption ?”

      5 users thanked author for this post.
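The failure mode the tweet describes, as an added illustration in constructed C (not the unrar or Defender source): a bounds check that relies on a subtraction going negative stops working once the operands are unsigned, because the difference wraps to a huge value instead. The hardened variant compares before subtracting; the sample archive members and the header layout are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed archive members (not from any real format): a 4-byte
 * little-endian payload length followed by the payload bytes. */
static const uint8_t GOOD_MEMBER[8]  = {4, 0, 0, 0, 'd', 'a', 't', 'a'};
static const uint8_t LYING_MEMBER[8] = {0xff, 0xff, 0xff, 0xff, 'd', 'a', 't', 'a'};

/* Original signed form: if the header already over-consumed the buffer,
 * total - consumed is negative and the comparison fails, as intended. */
bool have_bytes_signed(int total, int consumed, int need)
{
    return (total - consumed) >= need;
}

/* Same expression after a blanket signed-to-unsigned rewrite: when
 * consumed > total the subtraction wraps to a huge value and the
 * check passes, so the caller would read past the end of the buffer. */
bool have_bytes_unsigned_broken(unsigned total, unsigned consumed, unsigned need)
{
    return (total - consumed) >= need;
}

/* Hardened unsigned form: rule out wraparound before subtracting. */
bool have_bytes_unsigned_fixed(unsigned total, unsigned consumed, unsigned need)
{
    return consumed <= total && (total - consumed) >= need;
}

/* Reader built on the hardened check. Returns the payload length copied
 * into out, or -1 when the header's claim does not fit the member or out. */
int read_payload(const uint8_t *member, unsigned member_len,
                 uint8_t *out, unsigned out_cap)
{
    const unsigned hdr = 4;
    if (member_len < hdr) return -1;
    unsigned claimed = (unsigned)member[0] | (unsigned)member[1] << 8 |
                       (unsigned)member[2] << 16 | (unsigned)member[3] << 24;
    if (!have_bytes_unsigned_fixed(member_len, hdr, claimed)) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, member + hdr, claimed);
    return (int)claimed;
}
```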
      • #181500

        There you have it — a perfect example of what I was talking about. Thanks Mr. Brian!

        2 users thanked author for this post.
      • #181506

        So in a nutshell, MS have taken/used/tampered with open source under their umbrella and used it on a SECURITY PROGRAM to safeguard their previous and current operating systems.

        Remember that slogan that emerged from Redmond when W10 was introduced ‘Microsoft Loves Linux’? I kept asking myself why this PR?

        Go figure..

        Windows - commercial by definition and now function...
    • #181674

      I managed to manually update the (disabled by av) Windows Defender engine to version 1.1.14700.5 on my Win7 Pro SP1 x64 doing this (not my invention):

      Log in as admin to temporarily disable your real time av.
Run: "C:\Program Files\Windows Defender\MSASCui.exe" -Update
      (or whatever your path to it is).

      When I did this this morning, it was only updated to version .4, but when I did it again tonight it updated to version .5

      Good luck

      1 user thanked author for this post.
      • #182483

        Anonymous 181674 and Tweakhound 181247
        I want to thank the good people here for giving information to put in the RUN box to force an update for Defender.

But Woody or the moderators need to know that there are certain characters shown on your web site that do not match with the proper symbols or possibly ANSI codes of those characters on the PC. If I copy and then paste into an email program, or as I tried to copy, then paste into the run command box, it came back with an error. The reason for the error was the apostrophes were not real apostrophes.

I will try to explain. When I copied and pasted the code for updating Defender, the error was: C:\Program was not found. Yes that is true IF you do not quote the line so Program Files is seen as a non-delimited string – the space would be the delimiter. I had to change the quotes to my computer’s quotes by backspacing over and then putting the quote from MY keyboard. I did this for both beginning and ending quotes and then it ran fine.

Some characters on Woody’s web site such as the single and the double apostrophe (quotes) and the dash do not match with my computer’s for some reason and cause weird troubles. My guess is those characters are more of an HTML character or image, and some programs or even computers do not see them as the real deal, and balk at it.

I have seen this for months, most times I did a copy and paste. Using Windows 7 64 bit.

        1 user thanked author for this post.
    • #181840

Hi, sorry for a little off-tangent query, I know it’s the busiest time.
The Engine Version has been converted to 1.1.14700.5 willingly in MSE
days ago, however I regularly check and receive 2 new definitions a day
of late, but it seems I’m not receiving that many new definitions.

      If one looks on the pull down tab of the newer definitions on here:
      https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes
There seem to be well over 20-plus 1.265.xxx.x definitions after 1.263.2034.0

      I have only 6 new definitions of the 1.265.x.0 series right now. Is this normal?
      1.265.150.0
      1.265.126.0
      1.265.108.0
      1.265.104.0
      1.265.89.0
      1.265.36.0
      1.263.2034.0
      Is there a way to get some missed definitions? Alert level severe for many.
      Thank you.

      • #181849

        Definitions are cumulative; the latest definition contains all the information that went before it.

        This is a simplified explanation, but you are not going to lose definitions.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
        2 users thanked author for this post.
    • #182650

      Avira Antivirus Free gives a very different user experience (YMMV):

      AskWoody said to update Windows Defender to plug a security hole. Easier said than done when Avira Antivirus is installed!

      I finally had to use Geek Uninstaller on the older portion of Avira (not the Connector, but the core AV component, as listed in the Geek Uninstaller listing). Forced the removal of that component. Then restarted Windows.

      Ran the Windows Defender interface from the Programs Folder, where the old-style interface is the same file name as in the Post at https://www.askwoody.com/forums/topic/is-your-machine-running-the-latest-malware-protection-engine/#post-181674 .

      This allows using the Help drop down to identify the Engine Version. Mine started as 1.1.13xx…(etc). It had not been updated since I first started using Avira Free Antivirus with Windows 10 Pro version 1703! (I have recently upgraded — on purpose — to Version 1709.) So I ran an Update within the WD old-style interface. Then checked, and it was the current engine version.

      Restarted Windows. Downloaded the Avira Free installer, and reinstalled the antivirus only. The Web Browser extension installed into Chrome, so I removed that via Chrome’s mechanism. Then Avira’s Real-Time Protections couldn’t quite finish installing. Restart, then run the Avira installer again, and again remove the Chrome extension. This time, success. Restart and clean up with CCleaner and Glary Utilities. WHEW! What a lot of work just to get a security patch installed into an antivirus product I am not using!

      Thanks, Microsoft, for a lovely Sunday morning!

      -- rc primak
