  • Microsoft quietly repairs security hole in Windows Defender, CVE-2017-11937

    This topic contains 84 replies, has 16 voices, and was last updated by  walker 8 months ago.

    • #150823 Reply

      woody
      Da Boss

      A number of security researchers were puzzled yesterday when a new version of the MS Malware Protection Engine, mpengine.dll, suddenly appeared. Here’
      [See the full post at: Microsoft quietly repairs security hole in Windows Defender, CVE-2017-11937]

    • #150828 Reply

      anonymous

      And there’s evidently yet another; see CVE-2017-11940

      • #150833 Reply

        woody
        Da Boss

        Yep. Fortunately (for me!) the solution is the same.

    • #150845 Reply

      anonymous

      Do you think by now Microsoft should also deliver the scanning engine patches in with the usual patch blobs to ensure systems are brought up to date?

      • #150858 Reply

        anonymous

        So far as I am aware, the engine is also updated as required whenever the definitions are updated.

        Specifically, I can confirm that the engine was updated on my main Win7, internet-facing, machine as part of the usual daily updates recently;  and I can confirm (by experiment) that the engine is updated in both Win7 (MSE) and Win10 (Defender) off-line machines if the “recent definitions” file mpam-fe.exe is downloaded from the MS site, transferred to the off-line machines via USB drive, and installed there.   I conclude that “definitions update” is adequate to cover this point.

        HMcF

        • #150947 Reply

          anonymous

          Avast and other antivirus suites had made it impossible to update anything without completely uninstalling them, then using their thorough installation cleanup utilities. So maybe fetching the definitions package may help the other users here.

        • #150980 Reply

          woody
          Da Boss

          I was surprised to learn that the engine is updated asynchronously. At least, according to one of the engineers. See

          https://twitter.com/AmitaiTechie/status/939244431651127296

          • #151028 Reply

            anonymous

            Thanks Woody, HMcF again here.  Win7 Pro, MSE.

            All I can say is that   a) I have Windows Update set to “never check” and I install updates by a scheme using your AKB2000003 “Group B” listings (my thanks again to you and MVPs) — so a new engine version shouldn’t get on to my machine via WU;   b) I usually update MSE on my main machine by manual update once or twice per day (to get thinking time, or to go for coffee);    c) I suspect that delivery of a new engine version coincides with a change of the 2nd field of the definitions version (currently 259, was 257 before yesterday) — I keep a log of definition numbers but not of engine versions;  d) I imagine that a significant change in the engine might have to be synchronised with a corresponding reset of the definitions data or vice versa.

            To summarise: I didn’t take any special steps to get the new improved engine (1.1.14405.2) but I did, successfully, find that it had arrived both on-line (on my main machine) and off-line (using file mpam-fe.exe to transfer to two off-line machines, one Win7 MSE, one Win10 Defender).  I cannot explain the contrary statement, unless it only refers to on-line Win10 Defender??   I emphasise that my two off-line machines did get the new engine, apparently (merely) by running the current mpam-fe.exe file.

            Thanks again, HMcF

          • #151029 Reply

            anonymous

            Oh! So you can use powershell to check the engine build? Very useful, I’ll try that later. Here’s the command for those interested…

            Get-MpComputerStatus

            -T

            • #151049 Reply

              anonymous

              Turns out this PowerShell query is not supported in Windows 7, so I’m just going to assume, for those of us who aren’t going through the rigmarole of uninstalling our AV, that it has just updated itself anyway, judging by the evidence of others’ comments in here.

              -T

        • #151046 Reply

          anonymous

          HMcF said:
          Specifically, I can confirm that the engine was updated on my main Win7, internet-facing, machine as part of the usual daily updates recently;  and I can confirm (by experiment) that the engine is updated in both Win7 (MSE) and Win10 (Defender) off-line machines if the “recent definitions” file mpam-fe.exe is downloaded from the MS site, transferred to the off-line machines via USB drive, and installed there.

          I manually downloaded & ran the latest Windows Defender malware definitions for Win 7 (mpam-fe.exe) offline, & can also confirm that this does concurrently update the malware protection engine version as well. (Windows Update service is disabled 24/7 on my PC.)

          Reason being that mpam-fe.exe contains the following files:-

          • mpasbase.vdm
          • mpasdlta.vdm
          • mpengine.dll   => MS Malware Protection Engine
          • MPSigStub.exe  => MS Malware Protection Engine Signature

          The only unusual thing I observed is that although running mpam-fe.exe patches mpasbase.vdm, mpasdlta.vdm & mpengine.dll, it doesn’t patch MPSigStub.exe (located at C:\Windows\System32\).

          Perhaps it’s because for some reason, MpSigStub.exe on my PC has a much higher version number (v10.x.x.xxxx.x) than the latest copy (v1.1.xxxxx.0) contained in the downloaded mpam-fe.exe package. So I manually extracted MpSigStub.exe to the relevant location.

    • #150850 Reply

      Seff
      AskWoody Lounger

      To find out your version number with MSE, open MSE and in the top right corner click on the down arrow (additional help options) then on “About”. That displays a small window with the engine version number among other things.

    • #150849 Reply

      BobbyS
      AskWoody Lounger

      I’m running Win 7 64-bit Home. I tried to check the Windows Defender version number, but when I tried to open the program I got a message saying that Windows Defender was turned off because I was using another program to check for malware, etc. I am using Avast Free and Malwarebytes Free, but I was unaware that one or both of these had turned Windows Defender off. Should I just leave it off and assume I am OK, or should I turn it on and check the version number? If I turn Windows Defender on, should I leave it on or turn it back off? And how would I turn it back off anyway?

      • #150854 Reply

        PKCano
        AskWoody MVP

        Your anti-virus software turned off Defender, probably Avast. If there is a choice (check box or the like) under settings, turn off Avast (and/or MB). Open the Action Center. Under Security, there is a link to show the anti-virus programs installed and turn them on and off. If Avast is off, you can turn on Defender and update. Then turn it back off and turn Avast back on.

        • #150893 Reply

          Jan K.
          AskWoody Lounger

          In W7, Defender is turned off, when you install MSE… if I remember correctly?

        • #151033 Reply

          anonymous

          My Windows Defender is also off, and I have both Norton and Malwarebytes Premium on and running. Is there any reason to turn WD on and update if it is not and has not been running at all for at least the past several years?

      • #150897 Reply

        pmcjr6142
        AskWoody Lounger

        I have the same situation except I have Malwarebytes Premium and Avast Free. I’m keeping those two and Windows Defender off. I don’t remember exactly what turned Win Defender off. But off is fine with me. Malwarebytes is far better, and now I have one less Microsoft product to worry about.

    • #150852 Reply

      anonymous

      How can this be checked on Windows 10 build 1709? The steps you had in the Computerworld.com May 9th article do not apply to this build.

      • #150857 Reply

        anonymous

        I think I found it. Go to Cortana, type in Windows Defender Settings and the option comes up. Do not open Windows Defender Security Center but the Windows Defender Settings option with the black shield. We use Bitdefender here so Windows Defender is turned off and I cannot see the Engine Version info. Will the update still get applied even with it off due to another AV program being installed?

        • #150869 Reply

          woody
          Da Boss

          Thanks for finding the location of the engine version in 1709. Nice of Microsoft to move it again.

          Yes, as I understand it, the version should be updated even if you have a third-party antivirus app installed. But please check and let us know what happened.

    • #150856 Reply

      walker
      AskWoody Lounger

      @woody:  It’s been quite a while, however seems that I recall reading at one point in time that the MSE was not “a good program” to have on your computer, so I’m sure I got rid of it.

      I do have a third party AV/malware program, and it’s ESET, which I think would qualify for being one of the better grades (??).

      Is it safe to install MSE if I already have ESET?

      I appreciate any guidance you may be able to provide on this one.   Great work continues on the website, Woody!  Thank you for EVERYTHING!!!    🙂   🙂

      • #150896 Reply

        Jan K.
        AskWoody Lounger

        I think, I’ve tried all of them… and MSE has clearly been my favorite. Never had any problems and find it extremely light-weighted.

        Would never install a number two av program. Always had this rule: only one installed.

    • #150861 Reply

      walker
      AskWoody Lounger

      @woody:  I think that the following link is the one I am thinking of which referred to the MSE quite a while ago.   Here is the link:

      https://www.howtogeek.com/173291/goodbye-microsoft-security-essentials-microsoft-now-recommends-you-use-a-third-party-antivirus/

      I must have missed something that changed the opinion on the MSE (??).  Apologies for the confusion on my part, as I’m not certain about the MSE.   Your guidance would be most welcome.   Thank you for providing the latest, most accurate information.   I always follow your advice to the best of my ability.  Thank you once again.

      • #150870 Reply

        woody
        Da Boss

        I’ve never recommended that you uninstall MSE. For that matter, I haven’t recommended a third-party antivirus product in almost a decade.

        You’re probably covered.

        • #151005 Reply

          walker
          AskWoody Lounger

          @woody:  Thank you for the information, Woody.    I think I’m “safe” by just leaving the Win Defender alone for the present time, and hopefully it will get caught up with itself.   I noted a brief mention elsewhere that the Win Defender problem had been fixed.    Now I can’t locate that message.  Thank you once again for your help, Woody.   🙂

        • #151014 Reply

          walker
          AskWoody Lounger

          @woody:  The only recent reference I have for an “engine version” is the following:

          If you see version 1.1.14306, do not touch it. Until the version is up to 1.1.14405.2, which was supposed to be okay, is showing, it’s best to leave it alone.

          Is this information still valid? I haven’t touched anything, nor done any “check updates.” It’s set to NEVER CHECK UPDATES.

          I can’t uninstall my ESET, however I don’t think that would make any difference (?).  I don’t know where to “find” the version number on the Windows Defender showing up, unless it would be in the “check updates” information.   Correct?  I would think that by this time the update would be “safe”.   PKCano references an article that you had just posted about this, however I’ve not been able to locate it.   Apologies for my inability to understand.   🙁

    • #150876 Reply

      Purg2
      AskWoody Lounger

      When Windows Defender wouldn’t open I tried the below suggestion by PK

      Your anti-virus software turned off Defender, probably Avast. If there is a choice (check box or the like) under settings, turn off Avast (and/or MB). Open the Action Center. Under Security, there is a link to show the anti-virus programs installed and turn them on and off. If Avast is off, you can turn on Defender and update. Then turn it back off and turn Avast back on.

      This didn’t work for me either.  Defender would not turn on (see image).  This makes me think that only uninstalling AV will make it show up.  Which I’m not willing to do at the moment.

      When I did a search for msmpeng.exe in windows explorer things got more fun.  I wasn’t sure which to choose, so I just went with this one.

      amd64_windows-defender-service_31bf3856ad364e35_6.3.9600.17927_none_b6a857db2a904750_msmpeng.exe_2f1c6923

      C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_6.3.9600.17927_none_b6a857db2a904750\msmpeng.exe

      Checking the file properties gave no joy.  Nothing to indicate the engine version.  Last modified date 7-7-15.

      It would appear that Win 8.1 machines with an AV installed may have to simply hope for the best, ugh.  Any other suggestions?  Or will I be forced to uninstall AV?

      Win 8.1 Group B, Linux Dabbler

      • #150878 Reply

        PKCano
        AskWoody MVP

        Your problem is your AV is “Snoozed,” it’s not OFF.
        If it is on or snoozed you can’t open Defender.

    • #150877 Reply

      anonymous

      Thanks PKCano for replying to my post. I turned off Avast Free, went to the Action Center as you suggested to confirm that it was off (Avast doesn’t let you turn it off – it temporarily disables protection by putting it in snooze mode). Then I entered Windows Defender in the search bar, clicked on Windows Defender, got the message that it was turned off – but a link was there to turn Defender on if you wanted to. I clicked on the link and got this message: “This program is blocked by group policy. For more information contact your system administrator (Error code 0x800704ec).” I have no idea what this means. Is there some other way to turn Windows Defender on?

      • #150881 Reply

        PKCano
        AskWoody MVP

        See the reply above. Snoozed is not OFF.

      • #151062 Reply

        MrBrian
        AskWoody MVP

        ‘I clicked on the link and got this message: “This program is blocked by group policy. For more information contact your system administrator (Error code 0x800704ec).” I have no idea what this means. Is there some other way to turn Windows Defender on?’

        See https://www.askwoody.com/forums/topic/microsoft-security-advisory-4022344-plugs-a-bad-hole-in-windows-defender-heres-how-to-see-if-you-got-it/#post-113960.

        • #151113 Reply

          walker
          AskWoody Lounger

          @Mr.Brian:  I am “out of the loop” on this one, and I have only “ONE” restore point which you assisted me with setting up.  I do not have the MSE.

          I think I’m fine just leaving the Win Defender alone, however am lost with all of the various “fixes, problems, etc.” which are related to this problem (which I hope and pray are solved by this time).   Thank you for all of your expert advice and for sharing your knowledge with everyone, as always.     🙂  🙂

    • #150882 Reply

      Purg2
      AskWoody Lounger

      There is no off setting.  Unless “permanently disable,” eeek.

      Win 8.1 Group B, Linux Dabbler

      • #150883 Reply

        PKCano
        AskWoody MVP

        Disable till computer restart?

      • #150885 Reply

        Purg2
        AskWoody Lounger

        Same results: snooze. To which my hunch about uninstall keeps nagging me. Double darn.

        Win 8.1 Group B, Linux Dabbler

        • #150887 Reply

          PKCano
          AskWoody MVP

          I don’t have Avast on any of mine. I’m using Bitdefender Free on most that I don’t have paid AV on. So I have no way to find out how to turn it off.

          • #151020 Reply

            walker
            AskWoody Lounger

            @pkcano:  Are we “safe” now to “check for updates”?  I am set at NEVER CHECK FOR UPDATES.    I haven’t touched the “check for updates” option to try to find out which version of Windows Defender I am running at the present time.

            I am just attempting to determine if I am “safe” in running my “check for updates” now, or wait longer.   Running ESET so don’t know if the WD is on or not, however from past experience it appears when there is an update to the WD and it’s checked, it does it run.   However if not checked, I would not run it anyway (or in a situation which could be risky, I would uncheck it).

            Your guidance, and advice on this would be most appreciated.   Thank you.

            • #151021 Reply

              PKCano
              AskWoody MVP

              If you have Windows Update set for “Never check for updates” it is always safe to click on “check for updates.” It will check but it will NOT download or install anything.

            • #151023 Reply

              walker
              AskWoody Lounger

              @pkcano:  Thank you so very, very much for verifying this issue.   I sincerely appreciate your help more than words can adequately express.    Your limitless knowledge, expertise, and outstanding abilities are amazing.   Thank you once again for the assistance you provide to me, as well as all of the other members of our groups.    🙂  🙂

      • #150890 Reply

        Purg2
        AskWoody Lounger

        Another fine thing to learn by uninstall.  Maybe later.  Thanks for playing PK.

        Win 8.1 Group B, Linux Dabbler

        • #150922 Reply

          Sessh
          AskWoody Lounger

          I use Win7 x64, but FWIW, I got rid of Avast about a month ago. All I have to say is good luck uninstalling it if you choose to try. It doesn’t seem to like to uninstall even if you use Avast’s uninstall tool, which you have to download separately. I had to manually remove registry entries and all Avast files with the help of a third party uninstaller (Revo) and CCleaner, including its much-maligned registry cleaner tool, which worked wonderfully, but I hope I never have to use such a thing as Revo again. It IS, however, completely gone with no ill effects.

          I also had to go into group policy settings and manually turn Defender on because I was getting the same message you’re getting when I tried to enable it in services. I really only use it for the real-time protection, though.

          If you really want to shut Avast down, you have to disable its self-protection module via settings in the UI and then find the Avast processes in task manager and end task them. Still, I think Defender will stay blocked via Group Policy as long as any AV is installed on your system. As for enabling it in GP, you might want to ask someone who uses Windows 8.1.

    • #150891 Reply

      samak
      AskWoody Lounger

      Same problem using AVG anti-virus. Can get it to snooze but not turn off so can’t check Defender.

      UPDATE: Enabling passive mode and rebooting seemed to turn AVG off but trying to activate Defender resulted in the error message “This program is blocked by group policy.  For more information …”

      Nice try but no cigar.

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

    • #150901 Reply

      anonymous

      But for anyone with Windows Defender off, this isn’t exactly relevant, is it?

      • #150912 Reply

        samak
        AskWoody Lounger

        I hope you’re right but I still have to install security updates for IE11 even though I don’t use it. I don’t know enough to tell whether this is analogous or not.

        W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

      • #150931 Reply

        anonymous

        If the Windows Defender service is disabled due to a third party product then surely no action is needed. I’m in the same situation with Avast; I can’t run Defender unless I go through the headache of completely removing Avast first, allowing me then to update it. The service WinDefend, though, is currently stopped, so I’m presuming it can’t be exploited by a script if it’s not called upon. Disabling Avast permanently and restarting doesn’t work though; it shows as Off in Action Centre but Defender still throws up that error message when trying to open it. Interestingly though, I did then see the software protection engine running in processes, so it might’ve updated itself in the background.

        -T

        • #150937 Reply

          anonymous

          Disregard that last part, I have noticed the software protection platform running even with an AV program active. I don’t know why I thought it wasn’t, but I’ve seen it in processes before occasionally, presumably going through its update cycle.

          -T

    • #150913 Reply

      Purg2
      AskWoody Lounger

      Uninstalled Avast.  Defender cooperated.  All set methinks (see image).

      Interesting how it says that the definitions were updated around noon, prior to avast uninstall & defender manual update.

      Someone said something about definitions in this topic, perhaps they were on to something.

      I should’ve gotten a screenshot of the exact version number, it was something in the 11000 range, well below the recommendation.

      At least I can rest assured now.

      Win 8.1 Group B, Linux Dabbler

      • #150932 Reply

        Sessh
        AskWoody Lounger

        Didn’t see this post before. Glad to hear your Avast uninstalled without drama. You’re one of the fortunate ones. I think you’ll find it never really did much for you anyway. 🙂

      • #150936 Reply

        anonymous

        This is interesting. So, presumably it’s updated itself silently in the background regardless of whether the service is running or not due to a third party product. The software protection process seems to run anyway; I thought it was disabled when another AV program is installed, but it doesn’t appear to be the case.

        -T

    • #150918 Reply

      DrBonzo
      AskWoody Lounger

      I’m running Microsoft Security Essentials on a WIN 7 Pro sp1 x64 computer. I believe I’m up to date on Security Essentials with one possible exception.

      My Antimalware Client Version is 4.9.218.0. Woody posted a screen shot either here or in his Computerworld article where the Antimalware Client version was listed as 4.10.209.0. Several other posters have referred to this version number as well. Sometime back in late 2016 I was offered through Windows Update an update to the 4.10.209.0 version. Since I couldn’t find any information about it I decided not to install it and hid it. I still have it listed in the hidden updates window of MSE.

      Do I need to update from 4.9.218.0 to 4.10.209.0? Everything seems to be working just fine, so I’m hesitant to do the upgrade. I don’t care about any right click capabilities, and in fact, my right click scan works just fine, anyway.

      Thanks.

    • #150927 Reply

      anonymous

      FWIW, had to boot up my XP machine to add a MAC filter to my less secure WiFi network to give my OLED TV access since a new motherboard was installed. Updated everything prior to doing that. Defender now has the same engine and definitions which are running on my updated Win7 Pro machine. So…, Defender on XP is still getting engine updates as well as definitions.

      Kaspersky Internet Security 2017 on both machines BTW; interface differs slightly to suit the OS. KIS allows Defender to run without issue.

    • #150944 Reply

      Purg2
      AskWoody Lounger

      This is interesting. So, presumably it’s updated itself silently in the background regardless of whether the service is running or not due to a third party product. The software protection process seems to run anyway; I thought it was disabled when another AV program is installed, but it doesn’t appear to be the case. -T

      I’m not entirely certain of that.  My observation was that the definitions “may” have updated.  The engine version could still be separate.  I wouldn’t have been able to find any of that out if I hadn’t uninstalled Avast & then manually updating.  So it still seems murky to me, sighs heavily.

      Win 8.1 Group B, Linux Dabbler

    • #150946 Reply

      anonymous

      I have Windows Defender turned off in group policy. If you get “This program is blocked by group policy”, you can turn it back on in the Group Policy Management Editor: go to Computer Configuration, click Policies, then Administrative Templates > Windows Components > Windows Defender Antivirus, and you should see where it says to turn Windows Defender off.

    • #150948 Reply

      anonymous

      For those on Windows 10 1703/1709, check out support.microsoft.com/en-us/help/4052623

    • #150972 Reply

      jescott418
      AskWoody Lounger

      I’ve been pretty happy with MSE and now Defender in Win 10. Other security suites have had holes, so this is nothing new, and the fact Microsoft pushed out a fix pretty quickly was good. Nothing more troubling, though, than having a security suite you depend on be the focus of the security threat.

    • #151047 Reply

      anonymous

      From the above-linked ComputerWorld article:

      Instead, the new version of mpengine.dll arrived automatically, around the back, even if you have Windows Update turned off.
      […]
      If your machine isn’t yet up to the latest version, 1.1.14405.2, I strongly suggest that you not touch the machine until it updates itself. Go get a cup of coffee, and it’ll likely be done by the time you’re back.

      From the BleepingComputer article:

      This means that most users have already silently received this update unless they have opted to block MMPE updates by tweaking registry keys or via group policies.

      Apparently, updates for Windows Defender have nothing to do with Windows Update service per se (mine is disabled 24/7). Neither have I blocked MS Malware Protection Engine updates in any way via registry or group policy.

      What I did notice is that if the Windows Defender service is not running (since my PC already has real-time protection from a 3rd-party anti-malware solution), Windows Defender will NEVER auto-download any updated malware definitions or engine (mpengine.dll), regardless of how long one’s coffee/meal/vacation break is, & even if the Windows Update service is enabled (for instance, as a test).

    • #151065 Reply

      anonymous

      Hello Woody and all, I have Windows 7 64-bit, and can NOT get “Windows Defender” to start. Even going to services, it tries and then fails, saying something else is running and preventing it from starting. I disabled my AV for a few minutes and still no difference.

      We need more information on this DEFENDER issue. Windows Defender on Windows 7 and below is a different program from Windows Defender for Windows 8 and above. Is this issue only for Microsoft Security Essentials (MSE) on Windows 7?

      Like the poster above that tried to stop AVAST, I do not feel like going overboard on this EXE version update if it is not running Windows Defender (in Windows 7), since Windows Defender in Windows 7 is just an antispyware program. Further, it is “disabled” by something, I assume the AV, and not running.

      Can we be compromised if it is not running?  Are we to uninstall our AV programs to update this EXE file? Samak posted he disabled his AVG but “no cigar” as he said. Sessh posted that he had uninstalled AVAST yet still had a bunch of issues trying to update his Defender.

      Any new information would be appreciated. Thanks to all.

    • #151067 Reply

      samak
      AskWoody Lounger

      Thanks to MrBrian further up the thread for reminding me that we had seen this problem with updating Defender before. This is how I updated Defender without having to uninstall AVG:

      Logged on as an Administrator. Made a Restore Point, ran regedit and navigated to HKey_Local_Machine\Software\Policies\Microsoft\Windows Defender. The critical registry key is DisableAntiSpyware. If it is zero, then Windows Defender can run free. On the computer with AVG installed, it was 1. Changing the 1 to a 0 was all that it took. After updating the engine, changed the registry key back to 1.

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

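      As an added example (not code from the thread, from Microsoft, or from any poster), here is a read-only PowerShell check that combines the Get-MpComputerStatus approach mentioned above (which -T found is not available on Win7) with a registry fallback for Win7/MSE, and reports the DisableAntiSpyware policy value samak describes. The AMEngineVersion property name and the two "Signature Updates\EngineVersion" registry locations are assumptions not stated in the thread; 1.1.14405.2 is the fixed engine build the thread names.

```powershell
# Added example, not code from the thread or from Microsoft.
# Read-only check: which Malware Protection Engine build is installed, and
# whether the DisableAntiSpyware policy value (samak's registry key) blocks
# Defender. Written for PowerShell 2.0+ so it also runs on stock Win7.

# The fixed engine build named in the thread (CVE-2017-11937).
$TargetEngine = [version]'1.1.14405.2'

function Get-EngineVersionInfo {
    # Win8.1/Win10: the Defender module reports the engine via Get-MpComputerStatus
    # (the command -T posted; AMEngineVersion as the property name is an assumption
    # not spelled out in the thread). Win7/MSE has no such module, so fall back
    # to the registry.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($status -and $status.AMEngineVersion) {
            return New-Object PSObject -Property @{
                Source  = 'Get-MpComputerStatus'
                Version = [version]$status.AMEngineVersion
            }
        }
    }
    # Assumed registry locations (not from the thread): Defender and MSE each keep
    # an EngineVersion string under their own "Signature Updates" key.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($k in $keys) {
        $item = Get-ItemProperty -Path $k -Name EngineVersion -ErrorAction SilentlyContinue
        if ($item -and $item.EngineVersion) {
            return New-Object PSObject -Property @{ Source = $k; Version = [version]$item.EngineVersion }
        }
    }
    return $null
}

function Get-DisableAntiSpywarePolicy {
    # The key samak edited. 1 = Defender blocked by policy (the source of the
    # "blocked by group policy" / 0x800704ec message in the thread); 0 or absent = allowed.
    # As GoTheSaints and samak note, the key is missing on some installs.
    $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $item = Get-ItemProperty -Path $p -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if (-not $item) { return 'not set (key or value absent)' }
    return $item.DisableAntiSpyware
}

$info = Get-EngineVersionInfo
if ($null -eq $info) {
    Write-Output 'Engine version not found: no Defender module and no Signature Updates key.'
} elseif ($info.Version -ge $TargetEngine) {
    Write-Output ('Engine {0} (from {1}) is at or above {2}: fix for CVE-2017-11937 present.' -f $info.Version, $info.Source, $TargetEngine)
} else {
    Write-Output ('Engine {0} (from {1}) is below {2}: run a definitions update (WU or mpam-fe.exe) and re-check.' -f $info.Version, $info.Source, $TargetEngine)
}
Write-Output ('DisableAntiSpyware policy value: {0}' -f (Get-DisableAntiSpywarePolicy))
```

      Run it from an elevated PowerShell prompt; it only reads values, so flipping DisableAntiSpyware to 0 and back as samak did remains a separate, manual step.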
      • #151072 Reply

        anonymous

        Ah ha! This worked for me, thank you. Saved me the bother of completely uninstalling Avast. Even though I still think if your AV disables Defender because it might conflict then it’s not active, which means it’s not scanning for any potentially malicious files, which then means any potentially malicious file can’t exploit it. Right? That’s my logic anyway, which could very well be faulty, and I’m happy to be proven wrong.

        -T

      • #151074 Reply

        anonymous

        Hello Samak, I too have W7 SP1 Home Premium 64-bit and under HKey_Local_Machine\Software\Policies\Microsoft\ I do not have “Windows Defender” listed.

        • #151078 Reply

          GoTheSaints
          AskWoody Lounger

          Anon #151074, I also have Home Premium and as you have found out we don’t have that key, only Pro and up do.

          If you go to this thread this is what I did to update WD:

          https://www.askwoody.com/forums/topic/microsoft-security-advisory-4022344-plugs-a-bad-hole-in-windows-defender-heres-how-to-see-if-you-got-it/#post-114514
          • #151080 Reply

            samak
            AskWoody Lounger

            “I also have Home Premium and as you have found out we don’t have that key, only Pro and up do.”

            This is not right – I have Home Premium (not Pro or up) and do have the key. No idea why some would have it and some not.

            UPDATE: I saw someone else mention HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender – do you have that?

            W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

            • #151129 Reply

              GoTheSaints
              AskWoody Lounger

              Yes I do have this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.

              I was under the assumption having “Windows Defender” under “….\Policies\Microsoft” meant you had either Pro, Enterprise or Ultimate. If I am wrong on that count, someone with more expertise please chime in and explain this so I can understand.

              I would like to know why you have it and I don’t.

              • This reply was modified 8 months, 1 week ago by  GoTheSaints.
              1 user thanked author for this post.
          • #151141 Reply

            anonymous

            Hello GoTheSaints, I did the same as you: made a restore point, turned off (disabled) my AVG for 10 mins, and it still would not start the WD service. Win7 Home Premium 64bit.

            Again we ask, if Windows Defender is turned off, basically disabled from use, do we need to worry about this? I am not eager to edit the registry or uninstall my AV for something that “can’t” run since it is disabled.

            Thanks to all.

      • #151114 Reply

        walker
        AskWoody Lounger

        @samak:  I don’t have AVAST, and am not knowledgeable enough to set up a new restore point.   I think I’m fine with the ESET Smart Security as (hopefully) the Win Defender has updated itself enough to be “safe” by this time.

        I have no knowledge of the registry, etc. so I’m at an extreme disadvantage.

    • #151084 Reply

      Purg2
      AskWoody Lounger

      Same problem using AVG anti-virus. Can get it to snooze but not turn off so can’t check Defender. UPDATE: Enabling passive mode and rebooting seemed to turn AVG off but trying to activate Defender resulted in the error message “This program is blocked by group policy. For more information …” Nice try but no cigar.

      I tried this with Avast (settings/troubleshooting/passive mode) & it worked like a charm.  Wish I would’ve known that before uninstalling it to be able to activate defender, face/palm.  Clearly I don’t know my AV well enough.  Maybe it’ll come in handy later down the line.

      Thanks samak.

      Win 8.1 Group B, Linux Dabbler

      1 user thanked author for this post.
      • #151101 Reply

        PKCano
        AskWoody MVP

        I use TrendMicro (paid) and Bitdefender Free. On both there is a switch to turn them off with the option of how long (time, till reboot, permanently). Works well.

        FYI, I was in the “uninstall” mode too till I figured it out.

        BTW You could also create the Registry key and see if it works.

        • This reply was modified 8 months, 1 week ago by  PKCano.
        1 user thanked author for this post.
        • #151116 Reply

          walker
          AskWoody Lounger

          @pkcano:  I do not know how to “create a registry” key.   This may not be the proper place to ask this question.   It is very upsetting to be unable to relate to much of the dialog which I read here.   Thank you for all of the information you constantly provide to our group.  🙂

          • #151140 Reply

            anonymous

            @walker:

            If it’s any consolation, you are not alone in not understanding the jargon.

            I spent half of my professional life (1980-2010) first supporting, then developing a variant, and then maintaining, one particular professional application — initially on a mainframe (IBM 360 lookalike), then on networked PCs (in two configurations).  But all of my work related in a sense to “legacy apps”, and only in the middle phase (DOS 3-5, Netware 4) did I have to think about OS issues.  Indeed, on the mainframe and on the final network phase, I was told by the OS support team to “leave it to them”.  That’s just my diatribe, a scream against the world.  My point is that, even with 30 years’ experience in IT, I do not know how to, for example, break down the mpam-fe.exe file into its components (or its components’ results) — YOU ARE NOT ALONE.

            I retired in January 2010 and I am glad to be out of it.

            1 user thanked author for this post.
            • #151154 Reply

              walker
              AskWoody Lounger

              @Anonymous:  What a “refreshing” message you posted!   It’s good to know that I’m not the “only rose on the bush” that feels utterly “lost” with the jargon that goes back and forth!

              Your statement “YOU ARE NOT ALONE”, makes me feel so much better!  I only wish there were a “techie friend” who could teach me the “ins and outs” of  so many subjects that most of us do not understand.   I am VERY afraid to touch anything that refers to the “registry” because I’ve seen many references to that which make it very clear “not to mess with it”.

              Hopefully “someday” I will learn enough to be among the wonderfully “tech savvy” members who can understand everything that is referred to.   I’m Win7x64, Home Prem. Group A.  I try to avoid any programs that I consider unnecessary, and at this point in time that is about all I can do, other than to try to read every message from the “elite” group to whom we owe so very much.    Good to hear your views!  Thank you for posting!    🙂  🙂

          • #151143 Reply

            anonymous

            Hello Walker, I understand that many do not know about “editing the registry”. It is similar in layout to the “file manager” screens but you can ruin your PC if you edit wrongly. So don’t do it. If you can find a tech friend then OK.

            Seriously, since SO MANY people are saying they cannot open or start WD, I feel MS will eventually make a patch probably next month to correct this old DLL or EXE issue. At least they should.

            Also asking again, if WD is off, disabled, not running, is this patching really needed???? Is one vulnerable if it is disabled??

            Thanks to all.


    • #151155 Reply

      Purg2
      AskWoody Lounger

      I use TrendMicro (paid) and Bitdefender Free. On both there is a switch to turn them off with the option of how long (time, till reboot, permanently). Works well. FYI, I was in the “uninstall” mode too till I figured it out. BTW You could also create the Registry key and see if it works.

      I’m good PK.  I was mostly conveying my gratitude to samak, so others could avoid my uninstall woes.  I tried his passive mode trick to see if it worked on Avast.  He used it on AVG.  Kind of a trail of crumbs Purg was following, heh heh heh.

      Sadly there are those that can’t utilize the HKEY method described because it doesn’t exist on their version of windows, go figure. Mine doesn’t have it & others have said the same.

      To those people still struggling with that, perhaps the anti-virus passive mode option will help.  It’s worth a try or at least researching to see if your particular AV allows such an adjustment.  I didn’t even know it was possible until samak gave me the idea to check.  Glad I did because it leads me to believe that if AVG & Avast have that feature, the others are bound to have something similar.

      In “my” situation it took me a bit to get past the obvious temporary disabling of my AV as seen here.  Once I got by that stumbling block I was able to scrounge around the settings until I found the passive mode setting (settings/troubleshooting/passive mode) which released the blockage of Windows Defender so that my security was no longer merely snoozing & fully turned off where defender asked to be enabled.  Whew, what a convoluted trip that was.  Hopefully it won’t be that way for others wondering about passive mode.

      Win 8.1 Group B, Linux Dabbler

    • #151168 Reply

      MrBrian
      AskWoody MVP

      Free program Defender Control allows you to enable, disable, and launch Windows Defender. I tested it on Windows 7 x64; it worked fine. Disabling or enabling sets the registry value that was mentioned in this topic.

      This program’s VirusTotal scan is here. I consider this website trustworthy but you should use your own judgment.

      1 user thanked author for this post.
    • #151302 Reply

      anonymous

      Hello Samak and GoTheSaints, I posted as Anon #151074 & 151141 and wanted to say I had success.

      I tried to end task AVG antivirus but as expected most services came back (I knew this but tried anyway).  I then told AVG to disable for 10 min. Then I tried starting the WD services but it would not start with a statement that it wasn’t allowed or not needed at the time, restricted or something similar. No error number. I then went to Control Panel, Windows Defender and opened it. The normal message appeared that it was off and I clicked to “start it”. It did. I then clicked check for updates and it updated WD. I’m happy. I do not think end-tasking helped, but turning off AVG for 10 min and using the Control Panel method did it. I could never “start the service” in SERVICES.

      I hope this helps others. Windows 7 Home Premium 64bit.
      Thanks to all.

      • #151349 Reply

        anonymous

        Hello All,   -To anon 151307 asking why to enable update then DISABLE, I agree. I never got an answer back on can one be infected if WD was OFF.-

        This is to post back that, as stated above, I did get WD to open and update, but then I found out it IS running in the background. So, how does one tell WD to shut down and go back to the disabled state it was in???

        I unchecked the 2 boxes for scan schedule on one screen and real time protection on another. Rebooted and the WD service was running. I then Stopped the service and set the service to MANUAL so it won’t start unless I do it. If I find out that fails to keep it off, I will then set it to Disabled.

        Also, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft/policies/Windows Defender was NOT there.

        But, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware WAS there, and was changed from 1 to 0. I cannot change it back to 1 like it was. It is not changeable except by SYSTEM or Windows Defender itself. I choose not to mess with the permissions since I have it off in WD and in Services.

        MS should have changed this needed file, with user permission, and all of us would not have had these problems.

        Again I hope this helps or informs others.     Windows 7 Home Premium 64bit

        Thanks to all.


        • #151369 Reply

          anonymous

          anonymous #post-151338, replying to #post-151349.

          I just wanted to help with terminology. You are frustrated by Windows launching services you did not request. You wrote, “I then Stopped the service and set the service to MANUAL so it won’t start unless I do it. If I find out that fails to keep it off, I will then set it to Disabled.”

          In my experience this is another example of MSpeak being a little different from dictionary English. You might think manual would mean ‘done by hand’, and assume that means a human hand. But in the system’s hierarchy of AUTO, DELAYED, MANUAL, DISABLED: AUTO starts at boot; DELAYED starts on a time-delayed basis, but will start with no other triggering event; MANUAL means that when a triggering event occurs, launch the service; only DISABLED means never start without user intervention.

          The triggering event can be something other than human interface, and still launch a service that is set to recognize that event.
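As an added example that is not anyone’s code from this thread: a read-only PowerShell check that pulls together the state discussed in #151349 and #151369 (the two DisableAntiSpyware locations, the service start type in the terms explained above, and the installed engine version). It assumes Windows PowerShell in an elevated prompt; the service names and the ProgramData search path are my assumptions.

```powershell
# Added example (not from any poster in this thread): read-only inspection of
# the Windows Defender state discussed above. Run in an elevated Windows
# PowerShell prompt; nothing is modified.

# The two registry locations the thread compares. The Policies key is only
# present when a policy, or a third-party AV acting through it, created it.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$productKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'

function Get-DisableAntiSpyware {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'key absent' }
    $item = Get-ItemProperty -Path $Path -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value absent' }
    return $item.DisableAntiSpyware   # 1 = Defender disabled, 0 = enabled
}

Write-Host "Policies key  DisableAntiSpyware = $(Get-DisableAntiSpyware $policyKey)"
Write-Host "Product key   DisableAntiSpyware = $(Get-DisableAntiSpyware $productKey)"

# Service start type, in the terms explained in #151369. WinDefend is the
# Windows Defender service; MsMpSvc is the Microsoft Security Essentials one
# (service names are an assumption). Get-WmiObject is used rather than
# Get-CimInstance so this also runs on the PowerShell 2.0 shipped with Win7.
foreach ($name in 'WinDefend', 'MsMpSvc') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { Write-Host "$name : not installed"; continue }
    $mode = $svc.StartMode                       # Auto / Manual / Disabled
    if ($mode -eq 'Auto' -and $svc.DelayedAutoStart) { $mode = 'Auto (Delayed)' }
    Write-Host "$name : State=$($svc.State) StartMode=$mode"
}

# Engine version. The engine DLL is kept under ProgramData in a per-update
# folder (search path is an assumption for Defender and MSE on Win7 to Win10);
# compare the version shown with the one Microsoft's advisory lists as fixed.
$engines = Get-ChildItem -Path "$env:ProgramData\Microsoft" -Filter 'mpengine.dll' `
           -Recurse -ErrorAction SilentlyContinue
if (-not $engines) { Write-Host 'mpengine.dll not found under ProgramData' }
foreach ($dll in $engines) {
    Write-Host "$($dll.FullName) : $($dll.VersionInfo.FileVersion)"
}
```

A DisableAntiSpyware of 1 in either location, or a Disabled start mode, means the scanning engine is not loaded on that machine, which is the state the question in #151307 is about.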

          • #151405 Reply

            anonymous

            Hello Anon 151369, yes you are correct. I usually mean manual for me to start a program, but yes, it could be triggered on, like with Task Scheduler or such.

            Some items I have set to manual will not start unless I call it. It may be nothing else is calling it so that setting works for that item. But you are correct, something could start it.

            I may have to set WD to DISABLED.

            Thanks for reading and commenting! It is nice to see people read these posts and put in their expertise too.

    • #151307 Reply

      anonymous

      So why is everyone (with a 3rd party antivirus) trying to re-enable a vulnerable product just to update it and re-disable it?

      • #151338 Reply

        anonymous

        A similar question/statement has been made several times, possibly by several different voices. I’ll answer the best I can, then explain why I cannot offer better.

        Microsoft is not always open about how their operating system works. It is observed and accepted, for instance, that Internet Explorer performs many internal tasks even if you never use it as a visible window to browse the internet. Keeping it current keeps you protected, better than using an older version does. It is not immediately obvious if the same is true for MSE/Defender.

        For myself, I have continued to use the Microsoft-offered protection on my Windows systems for 11 years. Back then, on WinXP, both the big names in protection were monsters of background busywork. I lacked the skill to tame it, or the patience to cope with it, and in desperation decided to rely on the included package instead. In the years since, I have learned that safe browsing has done more for me than 3rd party protection does. My experience only, not advice for others; do your own assessment.

        What I do not know, is how much I do not know. And that is the weakness of all these security products. They only tell you what they have found, they cannot tell you what they have not found. Which I think is why you are not likely to get a more direct answer.

        • #151521 Reply

          anonymous

          Anon 151338 said, ” I have learned that safe browsing has done more for me than 3rd party protection does. My experience only, not advice for others, do your own assessment.”

          I agree with you. In decades of PC use, safe browsing is the best. 3rd party programs like Adblock Plus to stop malicious ads, Spybot Search and Destroy, and a decent antivirus program can only help.

          1 user thanked author for this post.
      • #151558 Reply

        anonymous

        I’ve gone with disabling all Defender services and drivers plus manually setting it to disabled the regular way; additionally, with another antivirus installed and the vulnerable (actually all) definitions/engine removed, I feel no need to install this update.

    • #152130 Reply

      PKCano
      AskWoody MVP

      For those who are using a Third-party anti-virus and have Defender turned off:

      If you are wondering if you are vulnerable, this from Susan Bradley in the Windows Secrets Newsletter Patch Watch

      Antivirus Used to Exploit

      Often antivirus programs are used to gain access to your computer by attackers. Microsoft’s antivirus tools are no exception. Earlier this month, they released updates to their antivirus platforms to fix an issue documented in Security Center, whereby an attacker can use a specially crafted file to gain full access to your system by using the antivirus tool to scan a specially crafted file.

      You are not vulnerable if you are using a third party antivirus as this replaces Microsoft’s antivirus. It’s wise in general to make sure whatever antivirus you are using that it’s fully up to date as nearly all antivirus has been subject to this type of attack at one time or another.

      - What to do: Review that your antivirus is up to date.

      • This reply was modified 8 months ago by  PKCano.
      2 users thanked author for this post.
      • #152209 Reply

        woody
        Da Boss

        Earlier this month, they released updates to their antivirus platforms to fix an issue documented in Security Center, whereby an attacker can use a specially crafted file to gain full access to your system by using the antivirus tool to scan a specially crafted file.

        Quite correct. That’s the update I talked about a week ago in Computerworld.

        1 user thanked author for this post.
        • #152349 Reply

          Cascadian
          AskWoody Lounger

          It makes me smile when I see a long discussion come full circle, bottom to top.

        • #152683 Reply

          walker
          AskWoody Lounger

          @pkcano:   It only gets more and more confusing with all of the varying opinions.   I’m too busy at the present time to go back to where this discussion began, however hopefully after the holiday rush is over, I will have time to do that.  Thank you for your excellent advice, as always.   You are an outstanding, expert, and knowledgeable contributor.    🙂   🙂
