News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it

    Home Forums AskWoody blog Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it

    • This topic has 150 replies, 28 voices, and was last updated 3 years ago.
    Viewing 53 reply threads
    • Author
      Posts
      • #113551 Reply
        woody
        Da Boss

        Post coming in InfoWorld
        [See the full post at: Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it]

        3 users thanked author for this post.
      • #113552 Reply
        woody
        Da Boss

        For those of you who know the inner workings of wuauserv, the Windows Update service…

        My observations early this morning lead me to believe that Windows Defender is NOT updated if wuauserv is disabled.

        True? Or was I testing incorrectly?

        • #113557 Reply
          PKCano
          Da Boss

          Another question related:
          For those running Internet Security or AntiVirus that disable/turn off Windows Defender –  are they vulnerable?

          4 users thanked author for this post.
          • #113564 Reply
            ch100
            AskWoody_MVP

            This is interesting, but I would say that if any of the affected products is disabled, then it would become vulnerable only if not patched and turned back on at a later stage.

            1 user thanked author for this post.
          • #113608 Reply
            NetDef
            AskWoody_MVP

            This is likely the best question I have seen on the topic, and sadly . . .  I cannot find a definitive answer!

            What I can tell you:  when a third party AV product installs correctly on Windows 10 — MOST of them “disable” Windows Defender.  I am looking at my task manager now and I can see my own AV product running, but not the recently patched MsMpEng.

            However . . . what alarms me a little bit is how Windows 10 behaves if your AV is temporarily disabled.  After the next reboot, WD kicks ON and in my test just now, it’s not been patched yet.  So there is a period of time between when MsMpEng starts, and when it gets patched that a user would be vulnerable.

            So: my test . . .

            I run a product called Vipre AV for Enterprise.  A pre-check of MsMpEng shows this morning that it’s NOT updated after forcing a WU check, nor does it appear in the Update History at any time for the last month.  I actually picked up the last update for WD on March 27th, 2017 (I disabled my AV to install something.)

            Now: disabling Vipre AV . . . futz around a few minutes, then a reboot and Viola!  MsMpEng is running and in Active Protection mode.  I am now vulnerable.

            Approximately 18 minutes later MsMpEng gets an update and I now show that update on my history log.

            ~ Group "Weekend" ~

            6 users thanked author for this post.
          • #113691 Reply
            anonymous
            Guest

            I’d like to know this as well. Currently, windows defender is disabled in services because i use another AV product, as everyone else’s should also be but can it still be exploited!

            -T

        • #113563 Reply
          ch100
          AskWoody_MVP

          Woody, I am not sure. You said so many times before that MSE and Defender are updating outside of WU and I think those claims were right.
          There is a qualification though.
          MSE/Defender have a built-in timeout period (1 day for home editions/14 days for enterprise editions?) which means that if the regular server does not respond (WU or WSUS if configured), then they update from an alternative antimalware dedicated site only. And there is a third backup option too.
          There are Registry keys and Group Policies for each product which can modify the default behaviour which I described above.

          4 users thanked author for this post.
        • #113578 Reply
          Noel Carboni
          AskWoody_MVP

          For those of you who know the inner workings of wuauserv, the Windows Update service…

          My observations early this morning lead me to believe that Windows Defender is NOT updated if wuauserv is disabled.

          True? Or was I testing incorrectly?

          I have been disabling the Windows Update service for eons in order to ensure I retain control. I have also been monitoring communications and system health for a long time.

          Microsoft Security Essentials updates just fine when Windows Update is disabled.

          Please allow me to offer this screen grab as evidence. Note the green marks next to “OS – Microsoft Malware Protection Command Line Utility (MpCmdRun.exe) indicating successful communications. Note the up-to-date status in the Security Essentials dialog. This Windows 7 machine hasn’t had the Windows Update service enabled in a long time.

          ScreenGrab_NoelC4_2017_05_09_102216

          It logs a message in the System Event log claiming failure, then immediately falls back on its own components and gets the updates done successfully and logs another event claiming success. It’s a nice feature, assuming you want MSE on task. Note the relative times of these.

          ScreenGrab_SVN_2017_05_09_102926

          ScreenGrab_SVN_2017_05_09_102932

          -Noel

          Attachments:
          7 users thanked author for this post.
          • #113588 Reply
            woody
            Da Boss

            So it seems that, as ch100 noted, if wuauserv is turned off, the Windows Defender update process goes to a second source of updates.

            I wonder what the time lag is between the two? In your screen shots, it was a whole 25 seconds. I wonder if that’s true in general?

            • #113594 Reply
              Noel Carboni
              AskWoody_MVP

              I’ve been off Windows Defender on my Windows 10 v1703 “Creator’s” test system for a few weeks, but I’ve seen it work just the same way there too. Here’s an event sequence I turned up in the logs…

              ScreenGrab_W10VM_2017_05_09_105232

              ScreenGrab_W10VM_2017_05_09_105235

              The time delay was 11 seconds in this case.

              -Noel

              Attachments:
              1 user thanked author for this post.
            • #113870 Reply
              ch100
              AskWoody_MVP

              The possible sources to be configured in Group Policy (and I think regular area of the Registry, but this is less documented) are:
              “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”

              This is the description of the relevant Group Policy for Windows Defender in Windows 10 1703.

              This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”

              For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }

              If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.

              If you disable or do not configure this setting, definition update sources will be contacted in a default order.

              The default Windows Update scan is 22 hours with a randomization of 0 to -20%.
              The home products for Microsoft Antimalware have a default interval of 1 day when configured to update from MicrosoftUpdateServer which is not the regular WU/MU server, but the one dedicated to antimalware definitions.

              With wuauserv disabled, the correct configuration is to change the order of the sources for updating in policy or remove everything else and leave only MicrosoftUpdateServer
              I use this configuration even with WSUS because I don’t want to synchronise definitions in WSUS, which I use mostly for proof of concept and not production and I change its configuration often. But I want the antivirus (Microsoft only) to be updated regularly.

              A lot of those details are found in the Group Policies descriptions. Those interested can go through them and find correlations between various modes of updating.

              1 user thanked author for this post.
        • #113601 Reply
          NetDef
          AskWoody_MVP

          This matches my observation:  Disabled WU = no WD update for executables via WU, but WD appears to have a fallback and gets the update anyway.

          ~ Group "Weekend" ~

          2 users thanked author for this post.
          • #113871 Reply
            ch100
            AskWoody_MVP

            I think Woody’s question has changed to “how often does MSE/WD update from the alternative source if it cannot find Windows Update (which is default)”.

            1 user thanked author for this post.
            • #113877 Reply
              woody
              Da Boss

              And it appears as if the answer is “in seconds.”

              Which means my admonishment in the InfoWorld article to avoid disabling wuauserv is wrong.

              Sigh.

              4 users thanked author for this post.
              • #113893 Reply
                ch100
                AskWoody_MVP

                Well, it may work like this, if the correct answer is in seconds.
                When the time to check Windows Update comes, it cannot find it and then fallbacks instantaneously to the definitions site.
                However, there is a flaw in this logic. How does WD/MSE know when to check Windows Update if wuauserv is disabled?!
                I think the correct answer is either 24 hours or 8 hours, depending on the version and edition, because the only available source for definitions remains the definitions site and the engine would use that fallback mechanism to update.
                What am I missing here?

              • #114625 Reply
                walker
                AskWoody Lounger

                @ch100:  What is    “wuauserv”?   I don’t think I have anything like this, however do not know because I’m not computer literate.  Many thanks for all of the information you provide for all of us here trying to “survive”.    🙂

              • #113894 Reply
                ch100
                AskWoody_MVP

                Actually it is possible that the engine searching on Windows Update does not depend on the service to run, but only to update and is exactly the same updating mechanism for any other source of definitions, outside of regular Windows Update/svchost.exe
                Which may explain the 11 seconds delay as provided by Noel.

                1 user thanked author for this post.
              • #113912 Reply
                woody
                Da Boss

                You must be right.

                Curiouser and curiouser….

      • #113558 Reply
        anonymous
        Guest

        If Windows Defender’s off and you don’t use some other listed MS security product, it doesn’t matter, right?

        • #113599 Reply
          Noel Carboni
          AskWoody_MVP

          It already doesn’t matter pretty much any way you look at it. The fix has already rolled out from Microsoft using the normal Windows Defender update processes.

          -Noel

          1 user thanked author for this post.
      • #113570 Reply
        anonymous
        Guest

        From https://technet.microsoft.com/en-us/library/security/4022344
        If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk.
        This would suggest that WD, when disabled by third-party AV, is not vulnerable? Or is that just wishful thinking?

        Annemarie

        1 user thanked author for this post.
        • #113587 Reply
          woody
          Da Boss

          Two very good questions, which I’ve seen repeated in several locations.

          So far, I don’t have a definitive answer.

          1 user thanked author for this post.
        • #113764 Reply
          TJ
          AskWoody Plus

          “This would suggest that WD, when disabled by third-party AV, is not vulnerable? Or is that just wishful thinking?”

          I had an online chat today with a Symantec rep and he assured me that it is patched by live update. Probably other av vendors will do the same.

      • #113581 Reply
        MrBrian
        AskWoody_MVP

        Microsoft rates this vulnerability as “Exploitation Less Likely,” probably due to these technical details.

        • #113592 Reply
          woody
          Da Boss

          That’s a fascinating article. The poster really knows his stuff….

      • #113589 Reply
        Noel Carboni
        AskWoody_MVP

        In my opinion, if you have an active AV solution (e.g., Windows Defender / Microsoft Security Essentials) and it detects malware regularly or even from time to time…

        YoureDoingItWrong

        A good, secure computing environment (possibly most importantly) operated thoughtfully can see to it that NO malware ever gets even close to the computer.

        -Noel

        Attachments:
        2 users thanked author for this post.
      • #113598 Reply
        Silver_Crow
        AskWoody Lounger

        I wouldn’t really be all that be surprised to learn that even if you completely disabled the windows defender service and unchecked the “use this program” option inside WD that it still connected to the outside world somehow, given the way that windows programming is tied together.

        • #113617 Reply
          abbodi86
          AskWoody_MVP

          I only used security protection program once in XP era

          never after that, never will 🙂

          1 user thanked author for this post.
          • #113618 Reply
            Silver_Crow
            AskWoody Lounger

            Do you mean 3rd party security protection or Windows Defender?

            • #113643 Reply
              abbodi86
              AskWoody_MVP

              None

              just the default Windows Firewall

              1 user thanked author for this post.
      • #113620 Reply
        JLeigh
        AskWoody Lounger

        We keep Windows Update Service disabled and run the command
        “MpCmdRun.exe -SignatureUpdate -MMP” hourly to keep Defender up to date.
        The command works on 7, 8 and 10

      • #113623 Reply
        Silver_Crow
        AskWoody Lounger

        @Woody

        After reading your article I’m stuck on one thing, do we need to make sure Windows Defender is up to date and then check for another update on Windows Update? Or is making sure Defender is updated enough?

        • #113920 Reply
          woody
          Da Boss

          For this problem, making sure the Windows Defender engine is up-to-date is enough.

      • #113630 Reply
        MrBrian
        AskWoody_MVP

        Correction to article: 1.1.13701.0 is the last version that has the security hole.

      • #113628 Reply
        Kobold Curry Chef
        AskWoody Lounger

        Interesting. In my corp environment, I have everyone on Symantec Endpoint Protection & Windows 7, so Windows Defender is turned off. WSUS is set to auto-approve all Windows Defender definition updates. Just checked one system and turned WD on.

        The engine hadn’t been updated in ages, if ever.

        If Windows Defender is not active, then it seems to ignore updates completely, leaving the vulnerable bits in place until it is turned back on and updated. Also, MpCmdRun.exe is not available.

        This makes me a little uneasy.

        1 user thanked author for this post.
        • #113634 Reply
          Kobold Curry Chef
          AskWoody Lounger

          Using a test Win7 VM, I turned on WD for the first time in a long time.The About screen did not even show an “Engine Version” or an “Antispyware definitions” version. Not sure what that means regarding its status for this exploit.

          Took nearly 20 minutes for it to update. It grabbed the update from our WSUS server.

          I am considering temporarily activating WD across the enterprise long enough for this update to kick in. Doesn’t seem wise to leave the vulnerable engine in place, even if it is inactive.

          • #113638 Reply
            NetDef
            AskWoody_MVP

            . . . . I am considering temporarily activating WD across the enterprise long enough for this update to kick in. Doesn’t seem wise to leave the vulnerable engine in place, even if it is inactive.

            May I humbly suggest you do this a) after hours and b) entire network off-internet at the main firewall/gateway? (after making sure your WSUS server is synched)

            I bet you can guess why . . .  🙂

            ~ Group "Weekend" ~

        • #113635 Reply
          NetDef
          AskWoody_MVP

          This is pretty much exactly what we see.  WSUS controlled environment, WD updates automatically approved, but a third party AV is being used.  None of our normal Windows 7 workstations have seen a WD update for a looooong time.  Trying to run WD shows an error result (correctly) that it’s been disabled by Group Policy. In this case I am not feeling terribly worried . . .  I doubt very much that anything can enable it.  This might not be true outside of a GP controlled site.

           

          ~ Group "Weekend" ~

          1 user thanked author for this post.
          • #113637 Reply
            Kobold Curry Chef
            AskWoody Lounger

            I don’t have WD disabled via GPO, since I want something to be running before we install SEP on a new box. I just let SEP turn it off. Problem is, that means it’s too easy to fire up WD. (Don’t even need to be an admin, it seems.)

            Might need to reconsider that now…

      • #113629 Reply
        anonymous
        Guest

        Leave it to Microsoft to issue a critical security advisory about the worst vulnerability ever!!, and not include a link to a patch that users who run third-party antivirus products can download and install without enabling the vulnerable software.

        • #113642 Reply
          abbodi86
          AskWoody_MVP

          The vulnerability is in Microsoft first-party products, why would any other external products need it?

          • #113687 Reply
            anonymous
            Guest

            Apologies, you’ve misunderstood my point.

            I don’t use Windows Defender. Nevertheless (as I’m not certain it’s possible to uninstall it altogether, which would really be my preferred solution) I do want it patched.

            Why? Because, as others have noted elsewhere in this discussion, under certain circumstances, it’s possible Windows could turn Defender on without notifying me or asking my permission. I’d then have a vulnerable program running on my computer, possibly without even being aware of it.

            I also do not want to have to turn Defender on to patch it. I’d much rather just download and run a standalone file.

            2 users thanked author for this post.
      • #113640 Reply
        TheSuffering
        AskWoody Lounger

        I use MSE since I got my pc and WD has been deactivated ever since (about 2010),since woody says mse has been patched too, that means I’m good right?

      • #113646 Reply
        NetDef
        AskWoody_MVP

        Here’s another fun question:

        New machine setup.  I’ve never ever seen a workstation delivered with current “anything” installed.  For one-off’s (no master image * ) we de-cr*pify, patch, install apps etc.  There is a significant time period where that machine will be highly vulnerable, and on-line, during the deployment phase.

        Likely best answer:  At some point MS needs to place this on the Update Catalog for off-line installation.  (I cannot find it yet – if it’s there I would appreciate someone with better search skills to point it out! )  And all admins will need to add that to our off-line USB installers for new machines.

        * Note, for larger installations where golden masters are used:  Setup to our domains generally means snapping a well maintained image to new machines. This will not be a problem as long as the master image has been updated to this patch for WD.  Even if you don’t use WD on your work network, you should update your image(s)!

        ~ Group "Weekend" ~

      • #113716 Reply
        EP
        AskWoody_MVP

        actually woody, your Infoworld article is referencing the wrong file.

        The crucial file for the Microsoft Malware Protection Engine is MPENGINE.DLL, not MsMpEng.exe. mpengine.dll should be the file users should check whether using MSE or WD.

        5 users thanked author for this post.
        • #113721 Reply
          David F
          AskWoody Plus

          Thank you for that, I was able to confirm I was on the latest by checking the dll, so no need to turn on WD (it’s off by default due to MSE running on win7).

        • #113832 Reply
          alphacharlie
          AskWoody Plus

          actually woody, your Infoworld article is referencing the wrong file. The crucial file for the Microsoft Malware Protection Engine is MPENGINE.DLL, not MsMpEng.exe. mpengine.dll should be the file users should check whether using MSE or WD.

          When I read this, I looked and found that I have three copies of MPEngine.dll –>

          1. C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
            modified 8/19/2010
          2. C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1068FD24-C391-429A-B881-D51ACBFC75A0}\mpengine.dll
            modified 11/16/2010
          3. C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8E099210-7D74-4C89-AD82-B47763A2FDA7}\mpengine.dll
            modified 5/6/2017

          The last one is version 1.1.13704

          I think this has happened (I am guessing now) because a long time ago I must have turned off WD and have used only MSE and Malwarebytes for a long time.  That combo has worked just fine for on my Win 7 machine.

          I don’t like having those vulnerable files sitting around on my hard drive, but I don’t know how to remove Windows Defender, I think it is somehow interwoven with MSE.

          Thank you for any comments.

           

           

          • #114063 Reply
            David F
            AskWoody Plus

            I have something similar, though in the Microsoft Antimalware folder

            I checked in MSE though and it is using the latest engine (13704), so I think it’s safe as it’s only using the latest version

      • #113758 Reply
        anonymous
        Guest

        Instead of installing Windows Updates manually, as outlined by Woody, executing Update-MpSignature via PowerShell console also updates the malware protection engine.

        • #113921 Reply
          woody
          Da Boss

          Will that update the engine, even if some other antivirus product is blocking Windows Defender?

          Great tip, by the way.

      • #113767 Reply
        anonymous
        Guest

        I am disturbed to discover that Windows Defender is disabled on my computer (running Windows 7) and cannot be enabled due to error 0x800704ec. Should I be concerned? It means it is impossible to run it so I can’t follow your directions.
        Also, I am hopelessly confused at this point about whether I should have Windows Update on the “check for updates but ask me before downloading and installing” setting or turned off altogether. Just today I have been instructed to do both. Please clarify!!

        • #113811 Reply
          MrBrian
          AskWoody_MVP
        • #113806 Reply
          carol
          AskWoody Lounger

          Ok, so if I understand correctly, my WD is disabled because of my third-party antivirus program? I did a search on my computer for all occurrences of “defender” and found a lot of folders and files related to WD, and none of them appear to have been modified since July 2014, so do I then assume I have not miraculously acquired the update? I searched the computer for mpengine.dll and did not find it. What does THAT mean? I gather that turning off my antivirus and trying to enable WD so that I can update it is not what I should be doing; what IS the recommended course of action?

          • #113834 Reply
            alpha128
            AskWoody Plus

            I searched the computer for mpengine.dll and did not find it. What does THAT mean?

            I tried to access the “C:\ProgramData\Microsoft\Windows Defender” on my Windows 7 system and it told me I didn’t currently have access to it, but I could get access by clicking Continue.  Apparently you’re in the the same boat and this lack of permissions is hiding mpengine.dll from the search.

            I gather that turning off my antivirus and trying to enable WD so that I can update it is not what I should be doing; what IS the recommended course of action?

            Yes, that’s a very good question.  Windows Defender is disabled on my computer as well because I’m running Avast!

      • #113791 Reply
        anonymous
        Guest

        What a goatfest. My love/hate relationship with Microsoft continues to intensify. As an admin, Microsoft sorta pays my bills, but thanks to their variety of antics over the past few years, I’ve been seeing my psychologist more frequently. 😉

        Guess I’ll be updating WD this weekend across the domain. It’s not like I had anything better to do anyway.

      • #113835 Reply
        Noel Carboni
        AskWoody_MVP

        Hm…

        Even without Windows Defender on task, when you download a file – for example an installer – Internet Explorer always puts up a small “Running Security Scan” message across the bottom of the browser window after the download is done but before the file is fully available.

        I wonder what components that scan uses…

        -Noel

      • #113837 Reply
        James Bond 007
        AskWoody Lounger

        Windows Defender vulnerability that can result in remote code execution? Another critical security hole? I hate Microsoft!

        One of the first things I did after installing Windows 7 / 8.1 / 10 (10 for testing) is to disable Windows Defender. No definition updates have been received via Windows Update since. Is my system vulnerable? Do I have to temporarily reenable Windows Defender to patch it?

        Hope for the best. Prepare for the worst.

        • #113840 Reply
          James Bond 007
          AskWoody Lounger

          Windows Defender vulnerability that can result in remote code execution? Another critical security hole? I hate Microsoft!

          One of the first things I did after installing Windows 7 / 8.1 / 10 (10 for testing) is to disable Windows Defender. No definition updates have been received via Windows Update since. Is my system vulnerable? Do I have to temporarily reenable Windows Defender to patch it?

          Answered my own questions.

          Yes, apparently I have the vulnerable version on my computer running Windows 7 (mpengine.dll version 1.1.6402). I temporarily reenabled Windows Defender and instructed it to check for updates. After a while it was updated to 1.1.13704. I then disabled it again (within the program and the Windows Defender service).

          Hope for the best. Prepare for the worst.

          1 user thanked author for this post.
        • #113839 Reply
          anonymous
          Guest

          Yes, you should enable Windows Defender to download the patch. I’m using Windows 10, no update for Windows Defender was shown when using WUShowHide.

        • #113853 Reply
          James Bond 007
          AskWoody Lounger

          One more thing, I don’t have any other AV or security products on my computer, so I have no worries about temporarily reenabling Windows Defender, updating it, and then disabling it again.

          But for people who have another AV or security product installed (thus Windows Defender is disabled), how are they going to update their vulnerable version of Windows Defender? Are they vulnerable to this hole? If Windows Defender can still update behind the scenes quietly, well and good. If not, are they going to have to temporarily reenable Windows Defender to update? Will the security product installed prevent the activation of Windows Defender? Will it be necessary to disable the security product temporarily?

          These are questions that many of us want to have answers. So far it seems nobody has definitive answers.

          Hope for the best. Prepare for the worst.

          2 users thanked author for this post.
      • #113860 Reply
        anonymous
        Guest

        Just updated my W10 laptop. Windows Defender-engine is up to 1.1.13802.0 by now. Anyone else can confirm?

        Annemarie

        EDIT html to text

        1 user thanked author for this post.
        • #113867 Reply
          Kirsty
          Da Boss

          According to Technet, you are protected from this vulnerability as long as you have Version 1.1.13704.0 or higher.

      • #113865 Reply
        grams
        AskWoody Plus

        MsMpEng.exe. mpengine.dll

        Nice summary of my questions. Thanks!

         

      • #113868 Reply
        James Bond 007
        AskWoody Lounger

        Woody, I have not turned off the Windows Update service, but I have (1) disabled Windows Defender from within the program, and (2) disabled the Windows Defender service (in Windows 7). I have received no Windows Defender updates since that point. That’s why the mpengine.dll version was still at 1.1.6402 (dated November 2010) before I forced it to update.

        So I believe that the failure of Windows Defender to update itself is not related to the status of the Windows Update service. Or at least, it is not the only reason.

        Hope for the best. Prepare for the worst.

        1 user thanked author for this post.
        • #113874 Reply
          James Bond 007
          AskWoody Lounger

          I have another computer running Windows 7 that disabled Windows Defender (but not the Windows Defender service), and when I just went to check I found that the mpengine.dll version was at 1.1.6402, that is, it has not received updates to the scanning engine for a long time.

          I forced it to update, and then disabled the program and the Windows Defender service.

          So it seems to me that when the Windows Defender program is disabled in Windows 7, it will not receive updates to its scanning engine.

          Hope for the best. Prepare for the worst.

          2 users thanked author for this post.
      • #113878 Reply
        anonymous
        Guest

        The majority use third party AV/Malware programs that over-ride Windows Defender, to disable 3rd party programs in order to receive a security update for Windows Defender just seem ludacrious to me..

        Why, oh Why haven’t MS just released a patch update for W7/W8/W8.1 and W10?

        MS in their ultimate wisdom have created a security flaw otherwise.

         

      • #113914 Reply
        rc primak
        AskWoody_MVP

        plugs a bad hole

        Have you ever heard of a “good [security] hole”?

         

        And in the Infoworld article:

        it was a stunning response to a bad bug

        Have you ever seen a “good bug”?

        Just wondering…

        -- rc primak

        2 users thanked author for this post.
        • #113990 Reply
          NetDef
          AskWoody_MVP

          Have you ever seen a “good bug”? Just wondering…

          When I was in the code business, we called those “features!”  {evil grin}

          ~ Group "Weekend" ~

      • #113922 Reply
        woody
        Da Boss

        I’m getting emails from all directions asking about conflicts with other antivirus products. Specific mentions for Trendmicro and Avast, but I’m sure others behave similarly. Here’s an example:

        Thanks for your InfoWorld article on the Windows Defender update and how to check if its installed. But, in doing this, I found more to the story

        A computer with Avast antivirus disables Windows Defender. And, I can’t figure out how to run Windows Defender to update it. JUST between us, Avast is a miserable av program.

        Specifically:

        I went to the control panel, then Windows Defender and got an error:
           This program is turned off.

        There is a “Click here to turn it on” link and but clicking on it failed with:
        “This program is blocked by group policy. Error code 0x800704ec”

        I also tried to enable Windows Defender using the Action center and that failed too.

        My reaction is that you should disable the antivirus program, then manually turn on Windows Defender, then check to see if you have the latest engine update.

        Unfortunately, I don’t run third party AV products on my machines, so… can anybody provide a definitive answer?

        1 user thanked author for this post.
        • #113925 Reply
          PKCano
          Da Boss

          I have the same problem with TrendMicro Internet Security, Panda Free and BitDefender Free. All three disable WD.

        • #113936 Reply
          rc primak
          AskWoody_MVP

          Not all third-party AV programs have a conflict, though some do.

          My patching results for this issue:

          Windows 10 Pro 64-bits, ver. 1607, Avira Antivirus Free Edition left up and running (not disabled).

          Go To Search (Cortana disabled). Type Windows Defender. Program comes up, but is all Amber. Turn On with Admin Shield clicked once. Update Tab. Run Updates. All works as normally. Definitions updated, and engine appears to have become the correct version. Real Time Protection still handled by Avira. Go to Settings for Windows 10, and turn off Periodic Scanning with Windows Defender again.

          After  updating Windows Defender:

          Engine 1.1.13704.0

          Definitions 1.243.110.0

          (Woody missed a digit in the Infoworld article for the AV/AS Definitions Version.)

          Did this work?

          Run stand alone installation as per Kirsty’s link (#113872) — nothing happened when I tried to run the download. When updated, WD does not respond to running the stand-alone installer. (Nothing seems to happen at all.)

          32-bits Win 10 Pro 1607 tablet, also running Avira Free — I did not update from within the Windows Defender program. I used the download link supplied by Kirsty.  Here, the offline updater ran. One must temporarily enable WD Periodic Scanning (you can turn this off from Windows 10 Settings later — WD has a link in its Settings for this) to see which version of the scanning engines and the program itself are in place.  Before vs. After showed a change.  Again, after correcting for the missing digit in Woody’s Infoworld posting, the AV and AS versions are updated.

          So, did I do this right? Am I now protected?

          -- rc primak

          • #114057 Reply
            anonymous
            Guest

            Yes, also McAfee allows Windows Defender to run.

        • #113937 Reply
          anonymous
          Guest

          Same problem with Norton Internet Security. Have reached out to Norton on their forum, but no response yet.

        • #113960 Reply
          MrBrian
          AskWoody_MVP

          I had this same issue. The registry fix at https://www.fixtechproblems.com/fix-error-code-0x800704ec/ involving HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender!DisableAntiSpyware worked for me on Windows 7 x64.

          4 users thanked author for this post.
      • #113941 Reply
        anonymous
        Guest

        If your computer is running Windows 8, you can use the built-in Windows Defender to help you get rid of viruses, spyware, or other malware. If your computer is running Windows 7, Windows Vista, or Windows XP, Windows Defender only removes spyware.
        To get rid of viruses and other malware, including spyware, on Windows 7, Windows Vista, and Windows XP, you can download Microsoft Security Essentials for free.

        Read more at https://blogs.microsoft.com/microsoftsecure/2013/11/14/windows-defender-and-microsoft-security-essentials-which-one-do-i-need/#Q01LARXgcQ69yiYM.99

        The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it’s simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft’s malware protection engine—websites, file shares—could be used as an attack vector. Tavis Ormandy, one of the Google Project Zero researchers who discovered the flaw, warned that exploits were “wormable,” meaning they could lead to a self-replicating chain of attacks that moved from vulnerable machine to vulnerable machine.

        https://arstechnica.com/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/
        _ _ _

        For my Win 7 home-computer, I have disabled the built-in Windows Defender. I also do not install the monthly Patch Tuesday’s MSRT. So, I do not think my Win 7 computer is affected by this flaw.

        • #113955 Reply
          rc primak
          AskWoody_MVP

          So, I do not think my Win 7 computer is affected by this flaw.

          I don’t like to “think” I am not affected. I would require proof or expert advice. Of which we have neither. Patching (updating) the WD Scanning Engine is the only surefire way to be safe. I did this on both of my PCs, even though both run third-party AV products.

          -- rc primak

          1 user thanked author for this post.
        • #113950 Reply
          anonymous
          Guest

          Does MSRT rely on Windows Defender?

          • #113962 Reply
            anonymous
            Guest

            Did some Googling and found this, an CVE from 2011. https://technet.microsoft.com/en-us/library/security/2491888.aspx. Can I conclude that yes, the MSRT uses the Microsoft Malware Protection Engine, but it is embedded in MRST and not depending on the version installed on te pc?

          • #113967 Reply
            anonymous
            Guest

            Not to my knowledge. MSRT is designed to run as a stand-alone scanner. MSERT (Microsoft Safety Scanner) downloads its own scanning engine and definitions very time it is to be run, but MSRT is a much smaller download. So, maybe, and patch Windows Defender regardless. This vulnerability affects a lot more than on-demand antivirus scanning.

            • #113975 Reply
              rc primak
              AskWoody_MVP

              #post-113967 was me. Forgot to log in. And I was wrong — MSRT does leverage Windows Defender’s scanning engine. But it carries its own (limited) definitions update.

              MSERT (Microsoft Emergency Scanner) is the download which does carry the engine and the definitions with it, for stand-alone scanning.

              I use both MSRT and MSERT, and leave WD turned all the way off (not even periodic scans or those other annoyances which are turned on by default in Settings).

               

              -- rc primak

        • #113964 Reply
          anonymous
          Guest

          @ anonymous#113950

          I think MSRT relies on Microsoft malware protection engine to scan the computer for malicious software and to remove them, as implied by …
          https://support.microsoft.com/en-us/help/2510781/microsoft-malware-protection-engine-deployment-information

          • #113973 Reply
            rc primak
            AskWoody_MVP

            In other words, even if you are only running the monthly MSRT, you’d be wise to patch Windows Defender now.

            -- rc primak

            • #113978 Reply
              anonymous
              Guest

              Clicking through on https://support.microsoft.com/en-us/help/2510781/microsoft-malware-protection-engine-deployment-information to the security bulletin https://technet.microsoft.com/library/security/2846338 it states that at that time, vulnerable was:

               

              Microsoft Malicious Software Removal Tool (x64)

              and then:

              Applies only to April 2013 or earlier versions of the Microsoft Malicious Software Removal Tool.

              This implies to me that the used engine in MSRT was embeddeed and updated in the MRST-tool itself. If not, higher powers help us: many millions of people who cannot update Defender due to 3rd party AV would be at risk of MSRT as well…

            • #113991 Reply
              anonymous
              Guest

              @ anonymous#113978

              many millions of people who cannot update Defender due to 3rd party AV

              You are quite right and are on to something.
              . . AFAIK, affected Windows users should not install/run the MSRT unless they are able to update/patch the MS malware protection engine in Windows Defender or MS Security Essentials.
              . . But then, they are already running 3rd-party AV programs which conflict with AV programs/tools from MS. IOW, affected users have to choose one or the other.

      • #113968 Reply
        grams
        AskWoody Plus

        After reading the article on PCWorld, I discovered that MSE is also at risk. So although I have Defender disabled, I now have the correct/updated version of MSE and feel safe. Hope this helps others.

        “Finally, users of Microsoft’s anti-malware products, including Windows Defender and Microsoft Security Essentials should make sure that their engine is updated to version 1.1.13704.0. Older versions contain a highly critical vulnerability that can be easily exploited by attackers to take complete control of computers.”

        http://www.pcworld.com/article/3195809/security/microsoft-fixes-55-vulnerabilities-3-exploited-by-russian-cyberspies.html

        • #114007 Reply
          Marty
          AskWoody Plus

          I’m running MSE on my Windows 7 computers, and of course MSE disables Windows Defender.  MSE is apparently also at risk for the bug, but it’s not clear to me how to fix that.  My latest Windows Update check doesn’t show a new engine for MSE.  My current engine # is 1.1.13704.0 (safe according to PC World), but I think that’s been the case for some time; if so, I’m not clear why that engine isn’t compromised.

           

      • #113986 Reply
        NetDef
        AskWoody_MVP

        Instead of installing Windows Updates manually, as outlined by Woody, executing Update-MpSignature via PowerShell console also updates the malware protection engine.

        This, as well as the normal CMD version of the update command, fails on Windows 10 systems that have WD disabled by a third party AV.

        I still want a stand-alone, off-line updater from the Microsoft Update Catalog, for new system deployment.  Still have not seen one appear as of this morning.

        ~ Group "Weekend" ~

        1 user thanked author for this post.
      • #114026 Reply
        grams
        AskWoody Plus

        I’m running MSE on my Windows 7 computers, and of course MSE disables Windows Defender. MSE is apparently also at risk for the bug, but it’s not clear to me how to fix that. My latest Windows Update check doesn’t show a new engine for MSE. My current engine # is 1.1.13704.0 (safe according to PC World), but I think that’s been the case for some time; if so, I’m not clear why that engine isn’t compromised.

        You should be fine since your MSE engine is the most current. At least that’s how I interpret the PCWorld article. However, I’m no ‘techie’, so if someone with more knowledge has a different response, I’d appreciate seeing it.

        Thanks to Woody and this great group!

      • #114094 Reply
        L95
        AskWoody Plus

        Hello Woody:   I had to do a manual update to Windows Defender in order to get the fix described in your article on Microsoft Security Advisory 4022344.   The information I’ve read in your “Woody on Windows” article (and also in the Microsoft article)  seems to indicate I should have gotten it automatically.  Could it be that the reason I didn’t get it automatically be due to the fact that I have my updates set for “check for updates but let me choose whether to download and install them”?    The other possibility for a reason why I didn’t get it automatically was that the update was rolled out gradually,  and therefore I simply hadn’t received it yet.   However,  I see that it was offered to me in the form of an update to Windows Defender,  but I simply hadn’t chosen to download and install it yet,  because I don’t check my updates being offered to me very often,  and I hadn’t realized the critical nature of this particular update.   So it appears to me that some sort of manual action was required on my part in order to get the update.  Please note:  I do not have an antivirus package that shuts off Windows Defender.   So am I correct in assuming the reason I didn’t get the update automatically was because I have my updates set for “check for updates but let me choose whether to download and install them”?

        Also, is there a way for me to check whether I was infected by this malware,  due to my delay in getting the update installed?

      • #114095 Reply
        anonymous
        Guest

        Wow, first their gwx campaign, then the problem with eternalblue and doublepulsar, and now this problem with windows defender… what’s next to have a problem, windows update? Geez, M$ track record is doing a nosedive. I mean sure they are quick about it, but correct me if I’m wrong, but isn’t there a saying that fits this, someting about a boat and patching leaks just delaying the inevitable?

        • #114148 Reply
          James Bond 007
          AskWoody Lounger

          Wow, first their gwx campaign, then the problem with eternalblue and doublepulsar, and now this problem with windows defender… what’s next to have a problem, windows update? Geez, M$ track record is doing a nosedive. I mean sure they are quick about it, but correct me if I’m wrong, but isn’t there a saying that fits this, someting about a boat and patching leaks just delaying the inevitable?

          Agreed.

          Windows Defender (and now Microsoft Security Essentials as well?) was supposed to protect users from malware, but now has become an attack target, even though as you said they were quick to fix it this time, what about the next time there is a problem? I am ready to bet that there are other vulnerabilities in Windows Defender and MSE, and perhaps they are already being exploited? Scary and terrifying.

          If antivirus and antimalware programs themselves have critical security holes and become attack targets (the Microsoft ones are especially troublesome as they are included with Windows and cannot be removed, only disabled), what should we do? Are we better off not having them?

          Hope for the best. Prepare for the worst.

      • #114119 Reply
        ebrke
        AskWoody Lounger

        Thanks very much for this info. My elderly parent’s win machine had not updated, so I was able to update manually. Help I get here is invaluable.

      • #114121 Reply
        ebrke
        AskWoody Lounger

        Should also have said that machine runs ESET Security. Win Defender appeared to be active (not disabled) but still had not received the automatic update. I have WU set not to look for updates, but in update history I have seen Win Defender updates come down anyway.

        • #114135 Reply
          walker
          AskWoody Lounger

          @ebrke:    I have ESET Windows Smart Security, Version 9.   Had a notice a few days ago that it has an update ready to be installed (however did not have the time to do it).  I don’t recall ever seeing that ESET ever disabled anything such as the Windows Defender.

          For quite some time, I have had the updates set at “NEVER UPDATE”, and have not updated the MSRT or the Windows Defender.  I have no sophisticated programs on the computer.  Just trying to determine “EXACTLY” what steps should “computer illiterate” users do to protect themselves when they don’t know how to determine if they are vulnerable or not.   I’m not connected to any “networks”, or anything else, just the one computer.

          Are there specific directions to enable us to determine if we are vulnerable to this malware under these circumstances?   We, who are totally ignorant and helpless, have no knowledge that most of the users here have.

          Any and ALL guidance will be very much appreciated.    Afraid to even check the updates because I don’t know where we stand.   I have no way of knowing if the WD is functional or not…. it hasn’t been updated to my knowledge for several months.   Also I do not have the MSE.

           

           

           

           

           

      • #114139 Reply
        walker
        AskWoody Lounger

        @ebrke:   Congratulations on successfully protecting your parent’s computer.    I did find the following information on my Windows Defender:

        Last scan:  10/1/16

        Real Time Protection:      ON

        Version:   1.229.1054.0   Created 10/6/2016

        I have no idea what steps to take at this point to protect the computer from this malware problem.   Is there any way out of this horrible dilemma???  🙁

         

         

      • #114144 Reply
        alpha128
        AskWoody Plus

        I’m getting emails from all directions asking about conflicts with other antivirus products. Specific mentions for Trendmicro and Avast, but I’m sure others behave similarly. Here’s an example: Thanks for your InfoWorld article on the Windows Defender update and how to check if its installed. But, in doing this, I found more to the story A computer with Avast antivirus disables Windows Defender. And, I can’t figure out how to run Windows Defender to update it. JUST between us, Avast is a miserable av program. Specifically: I went to the control panel, then Windows Defender and got an error: This program is turned off. There is a “Click here to turn it on” link and but clicking on it failed with: “This program is blocked by group policy. Error code 0x800704ec” I also tried to enable Windows Defender using the Action center and that failed too. My reaction is that you should disable the antivirus program, then manually turn on Windows Defender, then check to see if you have the latest engine update. Unfortunately, I don’t run third party AV products on my machines, so… can anybody provide a definitive answer?

        I’m very interested in hearing a definitive answer as well.  I too am running Avast!,  so my Windows Defender is disabled and I can’t turn it back on.  I don’t know what, if anything, I need to do.

        • #114145 Reply
          walker
          AskWoody Lounger

          @alpha128:     There are a myriad of “situations” with this “nightmare”.    Apparently there are directions for those of us who don’t have additional problems (e.g. inability to enable the WD which was turned off by 3rd party AV programs).

          I did find a link that really provides the information necessary for those who do not have other issues.  This link takes it through all of the “steps” to resolve it.    I do not feel confident enough to try to tackle it at the present time (I have the NEVER update set, and don’t know if I need to stop the Windows Services to install, etc.).

          Here is the first link, and from this one the steps are in place.     Good luck to us all, irrespective of which OS we have.   I’m Win 7, 64 bit, Home P. and “think” I could do this if I knew a little more about it.

          We all thank those who have “saved our bacon” and have worked so diligently to help us all.  We owe them all a huge debt of gratitude.   A special “thank you” to Woody!!

          Here’s the FIRST link which has the information needed to start the process of stopping this  nightmare (for those who do not have other problems).

          https://technet.microsoft.com/en-us/library/security/4022344

           

           

          • #114204 Reply
            alpha128
            AskWoody Plus

            @walker

            Here’s the link that worked for me: http://www.computerworld.com/article/3196124/windows-pcs/third-party-antivirus-programs-interfere-with-windows-defender-critical-patch.html

            I had to:

            1.) Edit the registry to allow Defender to run as described in the article

            2.) Start the Defender service

            3.) Run Defender

            4.) Download updates

            5.) Exit Defender

            6.) Stop the Defender service

            7.) Set the registry key back to its original value

            Not bad once you know what to do.

            2 users thanked author for this post.
            • #114215 Reply
              MrBrian
              AskWoody_MVP

              Those are the steps that I did also. Thanks for posting :).

              • #114269 Reply
                alpha128
                AskWoody Plus

                You’re welcome.  Glad I could help.

            • #114210 Reply
              anonymous
              Guest

              @Alpha: how can I start and stop the Defender Service?

              Thanks,
              ~Annemarie

              • #114224 Reply
                PKCano
                Da Boss

                Control Panel\Administrative Tools\Services – highlight the Windows Defender Service and at the upper left click “start”

                 

                1 user thanked author for this post.
              • #114235 Reply
                anonymous
                Guest

                Thank you!
                ~ Annemarie

              • #114630 Reply
                walker
                AskWoody Lounger

                @PKCano:  Thank you for this information – – – I’ve not had time to keep up with the postings, and am just now getting to it.   Thank you so much for the wonderful help you provide to  us all, it is absolutely “outstanding”, and very, very much appreciated!

              • #114633 Reply
                walker
                AskWoody Lounger

                @PKCano:    Apologies for “one more question”.    The directions for WD on/off using the Administrative menu……

                When you turn WD off/on as you indicated in your message, does it “affect” your 3rd party AV program in any manner?  Like causing your AV program to become corrupted in any way?   Just wondering – – – this dilemma with the WD is horrible.    Thank you once again for your patience, expertise, and willingness to share your wealth of knowledge with us all.    🙂

              • #114270 Reply
                alpha128
                AskWoody Plus

                Thanks PKCano for giving Annemarie the answer.

            • #114222 Reply
              GoTheSaints
              AskWoody Lounger

              @alpha128,

              @walker has Home Premium edition (as I do), therefore we don’t have Group Policy and I assume these instructions are for higher editions than ours, or am I totally wrong there?

              In the CW link I followed the string and under Hkey_Local_Machine….Policies\Microsoft I found there is no Windows Defender there at all.

              I also use Eset (NOD32) as the antivirus and this has turned Defender off, this way to update Defender will not work for me. Or have I got this completely wrong?

            • #114384 Reply
              walker
              AskWoody Lounger

              @alpha128:   I can see that there is no way I can navigate through all of this, since I have never touched the “registry” or “start or stop” Windows Defender.    I cannot see any way out of this dilemma since I am so computer illiterate.   I am not listed as “Administrator” either.  I’ve always tried to keep things as simple as possible, so I have no Administrator listed.

              I admire those of you who have the knowledge to be able to correct this nightmare.   I just don’t know where to begin.

              Thank you to everyone who has posted their information here for everyone to view.

            • #114389 Reply
              walker
              AskWoody Lounger

              @alpha128:    How do you start and stop the Windows Defender?   My computer shows it’s on, however it hasn’t been updated since October 2016, so I don’t really know “where I stand” with this situation.

              I can’t see that I can do “anything” to get this “monster” under control.    🙁

            • #114534 Reply
              anonymous
              Guest

              What worked for me: I went to the Action Center (is that the English word? Where you can check the (safety) status of your pc). Under antispyware it listed Norton as running. But there was also a blue link saying: view all installed programs. Windows Defender is there. I clicked on it. It was shut down again and said: Services stopped. Click here to restart the services. Did that. Could update. Went into Defender-settings. Disabled Scheduled update and realtime protection. Disabled (under Administrator) ‘Use this program’. Checked if the Windows Defender Service had stopped. It said ‘Manual’, so that is a yes. Then checked in the registry. Both disable spyware and disable relatime protection were on value 1 (which is off).

              I did not have to stop Norton whilst doing this. I’m a tech-n00b, but the posts in this thread gave me the confidence I needed to try!

              ~ Annemarie

            • #114820 Reply
              walker
              AskWoody Lounger

              @alpha:    Where do you find the registry?   I don’t even know how to do that, and am anxious that I will do “something wrong” (as is my wont).    This nightmare malware is taking over computers in huge numbers.     Thank you once again for all of your help!  🙂

        • #114155 Reply
          anonymous
          Guest

          @ alpha128

          Please refer to the fix above by Woody at … #114150

          1 user thanked author for this post.
      • #114164 Reply
        anonymous
        Guest
      • #114203 Reply
        alpha128
        AskWoody Plus

        @ alpha128 Please refer to the fix above by Woody at … #114150

        Thank you.  This is just what I needed to get my Windows Defender patched.

        @Woody,

        I think this is important enough to deserve a blog entry of its own.

         

         

      • #114240 Reply
        anonymous
        Guest

        THAT CRAZY BAD BUG!

        Windows 7 (Home Edition)
        ON: Microsoft Security Essentials (MSE).
        OFF: Windows Defender. Disabled by MSE.

        OFF: Windows Update.
        Set to ‘Never Check For Updates’ (Group B).

        OPEN Microsoft Security Essentials (MSE) – Help – About.

        New Engine Version: 1.1.13704.0 – GOOD!

        AUTOMATIC MSE ‘Update definitions’ has installed it.

        OR

        OPEN Microsoft Security Essentials (MSE) – Help – About.

        Old Engine Version: 1.113701.0 – BAD!

        DO MANUAL MSE ‘Update definitions’.

        OPEN Microsoft Security Essentials (MSE) – Help – About.

        New Engine Version 1.1.13704.0 – GOOD!

        MANUAL MSE ‘Update definitions’ has installed it.

        AUTOMATIC OR MANUAL MSE ‘Update definitions’ installs New Engine Version 1.1.13704.0
        With Windows Update OFF!
        Set to ‘Never Check For Updates’ (Group B).

        SAFE!

        Worked for me.

        Top of the Class Noel Carboni!

        Cheers!
        sainty?⛵️???

      • #114271 Reply
        alpha128
        AskWoody Plus

        @alpha128, @walker has Home Premium edition (as I do), therefore we don’t have Group Policy and I assume these instructions are for higher editions than ours, or am I totally wrong there? In the CW link I followed the string and under Hkey_Local_Machine….Policies\Microsoft I found there is no Windows Defender there at all. I also use Eset (NOD32) as the antivirus and this has turned Defender off, this way to update Defender will not work for me. Or have I got this completely wrong?

        It sounds like you’ve got it right to me.  I am running Windows 7 Professional and the registry key was there.  I’m not sure how it works on the Home Premium edition.  Maybe you just need to start the service?  Perhaps someone else with Home Premium experience can weigh in.

      • #114393 Reply
        walker
        AskWoody Lounger

        @alpha128:    I do not have MSE, should I install it now, or would it be a mistake to do “anything” at this point in time?     We’re still at Defcon2, and I don’t even know where to begin to try to start to dig my way out of this mess.  Thank you for sharing with all of us.

        My ESET Smart Security Version 9 is not showing the WD as being “off”, so perhaps if I contact ESET and ask them they can verify if “Smart Security Version 9” turns off the WD.

        I’m showing under WD that it’s “ON”, so it’s really confusing.  Thank you once again!!

      • #114394 Reply
        MrBrian
        AskWoody_MVP

        How to turn on Windows Defender (video)

        1 user thanked author for this post.
        • #114460 Reply
          walker
          AskWoody Lounger

          @Mr.Brian and @anonymous:

          I checked with ESET and they DO have the WD totally, completely blocked, as apparently the other AV programs do, as well.  Under these circumstances, it means that the user must remove or disable his/her AV program completely.   Is this the scenario?

          Remove the AV program completely, install the WD, try to get the latest update, and if successful, then “reinstall” the AV program?

          Thank you for all of the guidance and help.   I have no clue as to whether or not I’ll have the ability to follow this method, however I may “try”.

           

          • #114502 Reply
            MrBrian
            AskWoody_MVP

            I intended to disable my antivirus (Avast Free) temporarily just before enabling Windows Defender, as a precaution against having two antivirus programs running at the same time. Well I forgot to disable Avast, but things worked out fine for me anyway. Your results might vary.

      • #114404 Reply
        anonymous
        Guest

        @ walker

        For Win 7 Home, try to look for this …

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

        ON
        “DisableAntiSpyware”=dword:00000000

        OFF
        “DisableAntiSpyware”=dword:00000001
        .

        …. or uninstall your 3rd-party AV program and reinstall it after patching WD.

      • #114475 Reply
        alpha128
        AskWoody Plus

        @alpha128: I do not have MSE, should I install it now, or would it be a mistake to do “anything” at this point in time? We’re still at Defcon2, and I don’t even know where to begin to try to start to dig my way out of this mess. Thank you for sharing with all of us. My ESET Smart Security Version 9 is not showing the WD as being “off”, so perhaps if I contact ESET and ask them they can verify if “Smart Security Version 9” turns off the WD. I’m showing under WD that it’s “ON”, so it’s really confusing. Thank you once again!!

        @walker:

        Try doing my procedure…

        https://www.askwoody.com/forums/topic/microsoft-security-advisory-4022344-plugs-a-bad-hole-in-windows-defender-heres-how-to-see-if-you-got-it/#post-114204

        …but with the registry key specified here:

        Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it

        1 user thanked author for this post.
        • #114492 Reply
          walker
          AskWoody Lounger

          @alpha128:

          Thank you for the recommendation…..    Since I an not a “techie” I know nothing about the registry, and of course do not have any confidence due to my serious lack of knowledge relevant to these issues.

          We’re still at Defcon2, and I’m wondering if it’s even safe to do the “check for updates” (with the “NEVER CHECK” always checked).    “Once burned, twice shy” I think the adage goes.   Every day seems to bring more headaches.

          Thank you for sharing the above information with me – – – – I sincerely appreciate it!    🙂

        • #114514 Reply
          GoTheSaints
          AskWoody Lounger

          @alpha & @anon #114404, as I stated in post #114222, @walker has Home Premium so therefore he can’t find that key as it’s not there!

          @walker, I have just updated WD by disabling/pausing (not uninstalling) Eset for 10 mins (you can select how long from the list that appears but this was enough time for the download and update for me). Firstly I created a restore point then started Windows Defender, clicked on update in WD, let it do it’s thing and voila, mpengine.dll had updated to 1.1.13704.

          In Services (before I carried out any of this) WD was Stopped and “Startup Type” was set as Manual. After I completed the above “Startup Type” had changed to Automatic (Delayed Start) so I changed it back to Manual and stopped WD.

          I then rebooted and Eset automatically kicked in.

          @walker, I think this is a bit complicated for you to do, is there anyone who can help you? Or maybe you could try the link Kirsty posted in #113872.

          All the best

          1 user thanked author for this post.
          • #114793 Reply
            walker
            AskWoody Lounger

            @GoTheSaints:   Thank you for sharing your experience with getting the WD problem resolved.    “Yes”, I definitely need help.   I have nightmares about making a “wrong move”.  Common to all of us “non-techies” I’m sure.

            I appreciate the information you shared, and thank you so much for the support.  🙂

            • #115016 Reply
              GoTheSaints
              AskWoody Lounger

              @walker, I’m sorry if I sounded in any way condescending in my earlier reply but I can see you are struggling with this issue.

              Please don’t touch anything to do with the registry (if you don’t know how to get to it, best leave it alone) because if a mistake is made there you can effectively brick your computer (without backing up that key beforehand).

              Hopefully, in the not too distant future (and before it’s not too late), there will be an easier way to patch WD for you automatically somehow.

              I, too, wish I knew more than what I do but at least my limited knowledge comes from reading heaps and learning from the guys who are the experts here and other forums. If I encounter a problem all I do is research it and find someone has already had it and mostly it has been solved.

              Best

              1 user thanked author for this post.
              • #115272 Reply
                walker
                AskWoody Lounger

                 

                 

                @GoTheSaints:    I thought I had replied to your excellent message….  I had difficulty locating it again.   Your thoughtfulness, understanding, and patience are appreciated more than words can adequately express.    I agree with your advice 100% and can’t say “thank you” enough for sharing your very astute thoughts.    I have always been very, very fearful to ever touch anything associated with the Registry.   Thank you once again!!   🙂

                 

                 

                 

                 

                 

                2

                1 user thanked author for this post.
      • #114497 Reply
        alpha128
        AskWoody Plus

        @alpha128: Thank you for the recommendation….. Since I an not a “techie” I know nothing about the registry, and of course do not have any confidence due to my serious lack of knowledge relevant to these issues. We’re still at Defcon2, and I’m wondering if it’s even safe to do the “check for updates” (with the “NEVER CHECK” always checked). “Once burned, twice shy” I think the adage goes. Every day seems to bring more headaches. Thank you for sharing the above information with me – – – – I sincerely appreciate it! 

        When I wrote “check for updates”, I meant within the Windows Defender application.  That will only download Windows Defender updates.  The MS DEFCON level only applies to Windows patches, and yes, you shouldn’t install any of those until Woody raises the level to 3 or higher.

        Editing the registry is not a task to be undertaken lightly, so here are:

        http://www.techrepublic.com/blog/five-apps/-five-tips-for-editing-the-windows-registry-safely/

         

        1 user thanked author for this post.
      • #114536 Reply
        grams
        AskWoody Plus

        I’m running Win7 Home Prem Sp1 with Microsoft Security Essentials (MSE). MSE is now running the correct/updated version, but I gather that I also need to update Windows Defender in case MSE is ever stopped.
        So here’s my plan. Please let me know if I have the steps correct. Thanks so much!

        Set System Restore (done)

        Plan 1 – disable MSE which should allow me to run WD and update, then disable WD and enable MSE (see #post-114514)

        OR Plan 2 (but I think I read that in Win7, the registry key won’t be there?

        run regedit as Administrator
        backup registry
        navigate to HKey_Local_Machine\Software\Policies\Microsoft\Windows Defender
        export Branch to Notepad and edit to change value from 1 to 0
        import back into registry

        Save and Exit registry

        Start the Defender service
        Run Defender
        Download updates
        Exit Defender
        Stop the Defender service

        Set the registry key back to its original value, using the export/import functions

        • #114539 Reply
          grams
          AskWoody Plus

          Well, Plan A might work if I could figure out how to disable MSE. Could someone please provide instructions? Thanks!

        • #114553 Reply
          GoTheSaints
          AskWoody Lounger

          @grams
          Home Premium does not have gpedit (Group Policy). Professional, Enterprise and Ultimate are the editions that do. That’s why we (Home Premium people) can’t update WD starting with the registry, so
          forget those steps.

          I am not running MSE, I use Eset NOD32 and disabled for 10 minutes to do the WD update.

          A quick search and I found this for disabling MSE:
          https://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/disable-microsoft-security-essentials/0bcfa371-fa95-40b1-9a18-00c8db346326?auth=1

          2 users thanked author for this post.
          • #114643 Reply
            walker
            AskWoody Lounger

            @grams:  Thank you for sharing your experiences with this dilemma!  I don’t have MSE so that makes it a little different too.  It is “supposed” to be “optional”, however it appears that it’s definitely tied into a lot of other things in our OS’s.  I’m Win7, 64 bit, Home Premium, and use ESET Smart Security  Version 9.

            Does anyone know if it’s SAFE to “check for updates” at this point in time?  I would like to check just to see what’s there, however there are so many “bad ones” out there, I don’t even feel comfortable doing that.

            Were you successful in getting the latest WD update?

      • #114564 Reply
        grams
        AskWoody Plus

        @grams Home Premium does not have gpedit (Group Policy). Professional, Enterprise and Ultimate are the editions that do. That’s why we (Home Premium people) can’t update WD starting with the registry, so forget those steps. I am not running MSE, I use Eset NOD32 and disabled for 10 minutes to do the WD update. A quick search and I found this for disabling MSE: https://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/disable-microsoft-security-essentials/0bcfa371-fa95-40b1-9a18-00c8db346326?auth=1

        Thanks so much, GoTheSaints! I should be in great shape soon.

      • #114573 Reply
        anonymous
        Guest

        @ GoTheSaints & grams

        MrBrian wrote; … I had this same issue. The registry fix at https://www.fixtechproblems.com/fix-error-code-0x800704ec/ involving HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender!DisableAntiSpyware worked for me on Windows 7 x64.
        .
        woody wrote; …. Michael Horowitz just published his results in bypassing Avast…

        http://www.computerworld.com/article/3196124/windows-pcs/third-party-antivirus-programs-interfere-with-windows-defender-critical-patch.html

        The above regedit fix to enable WD is for Win 7 Pro or above, which have gpedit for Group Policies. For Win 7 Home Premium or below, the similar regedit fix is …

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

        ON
        “DisableAntiSpyware”=dword:00000000

        OFF
        “DisableAntiSpyware”=dword:00000001

        3 users thanked author for this post.
      • #114592 Reply
        grams
        AskWoody Plus

        @Anonymous Thanks! if the update through the Action Center doesn’t work, I’ll use the regedit method.

      • #114631 Reply
        anonymous
        Guest

        I’ve been scouring this thread and its various links, but I am at a loss. I have a computer with Windows 10, Creators Update, and a third-party antivirus that disables Windows Defender (WD). I ended up running the risk of this week’s Patch Tuesday in the hopes of receiving an update for WD, but I don’t believe I received one (or if I did, it’s not in the Update History list). I looked in the registry editor, but did not find a “DisableAntiSpyware” key. I disabled the AV in Services and rebooted, hoping it would trigger WD, but the computer still thought my AV was running, so no luck there.

        At this rate, the only way to update WD would be to uninstall my AV, but I would really prefer not to do that… any other tips or tricks out there?

        • #114640 Reply
          walker
          AskWoody Lounger

          @anonymous:   I too have been scouring every piece of information (that I can understand) which I can find.    We have been put in an untenable position because of the lack of support from the “offending” entities which together spell “BIG TIME nightmare”.   Without any computer skills, I am in a quandary and don’t know where to begin.

          If the WD is activated through using the “Administrator Tools”, etc. is there any assurance that our 3rd party AV programs will not be corrupted?   Wish I knew the answer to that one!!!   I, like you, do not want to disable or uninstall my AV programs.    It appears that it’s “darned if we do, and darned if we don’t”.   Good luck to us all with this problem (the worst I’ve ever had to deal with).

          • #114691 Reply
            anonymous
            Guest

            @walker,

            Same anon here, I think I managed to update Windows Defender! I ran across this website that mentions that, at least for Windows 10, if you want to run any command lines for WD, you have to turn on the periodic scanning option. I decided just to try opening/updating WD with the periodic scanning option turned on first.

            Immediately my antivirus gave a warning about the potential clash of running two programs simultaneously. Without closing that warning, I headed to MSASCui.exe in the Program Files > Windows Defender folder to open up WD. Previously, I was unable to click on any of the tabs (Update/History/etc.) when I opened WD, but this time I was able to go to the Update tab and click on the Update button. At first it told me that it failed to update… but after a few moments, it said it updated successfully, and I was able to check the engine version, which was 1.1.13704.0, so it appeared to have been a success! I used the warning that my antivirus gave me to disable WD again, and also went back to settings to disable periodic scanning.

            It’s a bit convoluted, but at least this allowed me to update WD without turning off my antivirus. I also reproduced these steps successfully (just to doublecheck that the engine version had indeed updated…), though as I have just completed it, I don’t yet know if there is some consequence for this in the future… but for now, I’m very relieved!

            1 user thanked author for this post.
      • #114751 Reply
        grams
        AskWoody Plus

        @grams: Thank you for sharing your experiences with this dilemma! I don’t have MSE so that makes it a little different too. It is “supposed” to be “optional”, however it appears that it’s definitely tied into a lot of other things in our OS’s. I’m Win7, 64 bit, Home Premium, and use ESET Smart Security Version 9. Does anyone know if it’s SAFE to “check for updates” at this point in time? I would like to check just to see what’s there, however there are so many “bad ones” out there, I don’t even feel comfortable doing that. Were you successful in getting the latest WD update?

        You’re most welcome. I’ve not yet updated WD. As for checking for regular updates, I wouldn’t yet. I rely on Woody’s MS-DefCon status at the top of the page 🙂 all the best!

        1 user thanked author for this post.
        • #115183 Reply
          walker
          AskWoody Lounger

          @grams:    I see that you too are apprehensive about “checking for updates”….  I don’t know about others, however it is disconcerting to have to be afraid to “check updates”.

          There are others who also are afraid to try to “CHECK UPDATES” too.   I just keep it on NEVER CHECK for now, until the Defcon is raised.   Thank you for sharing your success with the WD problem.   Congratulations!!  🙂

      • #115090 Reply
        grams
        AskWoody Plus

        grams

        Just successfully updated Windows Defender. Hooray!

        uncheck real time protection in Microsoft Security Essentials
        Control Panel >System and Security>Action Center (expand Security to view Spyware)
        turn on Windows Defender > update > Options to turn off real time protection
        back to Action Center (expanded) turn on MSE

        Done! and quite easily. thanks to all who’ve helped!

        • #115362 Reply
          grams
          AskWoody Plus

          @walker, you’re most welcome. Thank goodness for Woody and the others here who are tech savvy to guide us along the winding road of M$ wishing you all the best

      • #119543 Reply
        MrBrian
        AskWoody_MVP

        Round 2! From Microsoft Releases Out-of-Band Update to Fix Malware Protection Engine Flaws (May 30, 2017):

        “On Friday, Microsoft released an out-of-band security update to fix several issues with the Malware Protection Engine discovered by Google’s Project Zero team.

        The issues are detailed in Project Zero bug reports here, here, and here. They have also been added in Microsoft’s Security Guide as CVE-2017-8535, CVE-2017-8536, CVE-2017-8537, CVE-2017-8538, CVE-2017-8539, CVE-2017-8540, CVE-2017-8541, and CVE-2017-8542.

        Five of the eight are basic denial of service (DoS) flaws that crash the Malware Protection Engine (mpengine.dll) or prevent it from doing its job.

        Three are remote code execution (RCE) flaws, which are very dangerous as they allow an attacker to execute code on the user’s machine. Because this code is executed in the context of the Microsoft Malware Protection Engine service, the attack code runs with SYSTEM-level privileges.

        All eight issues have been fixed with the release of the Microsoft Malware Protection Engine version 1.1.13804.0.

        (Hat tip: Imacri’s post https://www.askwoody.com/forums/topic/cve-2017-0223/#post-119137)

      • #121877 Reply
        MrBrian
        AskWoody_MVP
      • #114482 Reply
        samak
        AskWoody Plus

        Have you tried following these steps?

        Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it

         

        W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

        2 users thanked author for this post.
    Viewing 53 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.