Windows Defender Inconsistencies

Topic

New Reply

For a friend, I’m setting up a Win 8.1 Pro 64 bit laptop purchased from Dell Refurbished. I’ve installed Opera, Firefox, Gimp and about 100 games from Big Fish. All the preceding software is up to date, as is Windows 8.1 (through October with what used to be called Group A).

When I do either a quick or full scan with Windows Defender I get a yellow triangle/exclamation point with the statement that preliminary results indicate the presence of malware or other potentially unwanted software and that I can review the affected files at the end of the scan. But, at the end of the scan, the triangle/exclamation point and message all disappear and at the top of the Defender Dialog box I get a green check mark, a statement of the number of files scanned and that my computer is being protected. The History box is empty. Well OK, its probably nothing, but…

… in an effort to determine what files weren’t “liked”, I did a bunch of custom scans to try and narrow down where the file(s) is(are). No matter what custom scan I try I never get the triangle/exclamation point/warning message, and when the scan is done I get the green check mark, a statement of the number of files scanned, a statement that my computer is being protected, AND a statement that no infected files were found. This last statement never showed up after a quick or full scan (although it always shows up on my own 8.1 computer when I do a quick or full scan and nothing is found). The other interesting thing is that after I do a custom scan on the C: drive, the reported number of files scanned is smaller (by about 25000) than the number reported for a full scan.

So, my questions are, is the occurrence of the triangle/exclamation point/warning statement of any significance? If so, how do I find the suspected file? Also, shouldn’t the number of files scanned be the same for a custom scan of C: as for a full scan?

I’ve run the Microsoft Safety Scanner (downloaded from this link https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download) and everything comes up completely clean.

I’ve also rum Malwarebytes Free, which also came up totally clean, but interestingly, said it only scanned about 280,000 files (as opposed to more than 600,000 files for a full scan or custom C: scan with Defender).

I’d appreciate any insight into what’s going on, particularly on whether this is worth pursuing and/or how likely it is that something is infected. This laptop is a gift, and while I suspect it will not be heavily used for internet surfing, I’d really like to get this right.

Thanks.

Reply | Quote

Replies

I don’t get that issue with Defender in my W8.1 Home box. No suggestions either.  🙁

cheers, Paul

1 user thanked author for this post.

DrBonzo

Reply | Quote

I remember seeing the same symptoms once on a Windows 7 computer with Microsoft Security Essentials. It was a Dell laptop and while I’m not absolutely sure of this, I think it happened after a Dell Update update, or perhaps some other Dell software update. I ran the MS Safety Scanner, which came up clean. By staring at the MSE window and watching the scan progress I was able to determine that when the scan encountered svchost, the yellow triangle/exclamation point/statement of possible presence of malware was triggered only to disappear at the end of the scan. I searched the hard drive for svchost, found about 15 instances of it, and scanned each one individually each of them coming back clean. My recollection is that the symptoms stopped showing up after maybe a month, but again, I’m not too sure about that

Unfortunately, on the 8.1 computer Defender doesn’t show file names as it scans so I can’t see what file(s) are triggering the triangle/exclamation point/warning. I did search the hard drive for svchost and custom scanned each, and they all come back clean. Of course, I have no way of knowing whether svchost is triggering the symptoms on the present 8.1 computer.

The only Dell software I can find on the computer is Dell Backup and Recovery, and that hasn’t been updated to the best of my knowledge. So it seems to me that something about installing Gimp or one (or more) of the Big Fish games must be triggering the symptoms (I’m thinking Opera and Firefox likely aren’t the culprit or it would have been reported by somebody.) I suppose I could uninstall Gimp and the Big Fish games, but I’d sure rather not do all that.

Reply | Quote

[Chris Greaves]

Hi.

Some 15 years ago my password-protected Word2003/VBA utility library “UW.dot” would cause McAfee to vomit on one particular system

I knew that the code was clean, my colleague knew and trusted me, but we could not get UW.dot installed on his machine.

UW.dot was issued and installed successfully on the machines of all my clients across North America.

At that time I figured that one or more bytes in the password-protected tokenised UW.dot just happened to beat the odds and look like a virus signature – to McAfee on Tim’s system!

Cheers

Chris

Unless you're in a hurry, just wait.

• This reply was modified 2 years, 10 months ago by Chris Greaves.
• This reply was modified 2 years, 10 months ago by Chris Greaves.

1 user thanked author for this post.

DrBonzo

Reply | Quote

When I do either a quick or full scan with Windows Defender I get a yellow triangle/exclamation point with the statement that preliminary results indicate the presence of malware or other potentially unwanted software and that I can review the affected files at the end of the scan

Can you post file paths and names? Type of threat (for example HackTool:Win32/Keygen, or Trojan:Win32/CryptInject!ml)?

You can upload suspected file to http://www.virustotal.com and it will run through series of tests to be sure.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

1 user thanked author for this post.

DrBonzo

Reply | Quote

Oh sorry. I see that list is empty. I misread your post. This is hard to troubleshoot. I suggest to install some free AV and then remove it. Maybe the issue will disappear. Also make sure all updates are installed.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

1 user thanked author for this post.

DrBonzo

Reply | Quote

I downloaded and installed Malwarebytes Free, ran a scan, and it came up clean. I turned it off but haven’t uninstalled it yet.

The virus definitions for Defender are up to date, but I haven’t checked to see if Defender itself is up to date. I just assumed it was but I’ll check to make sure.

1 user thanked author for this post.

doriel

Reply | Quote

[SB9K]

I’ve been getting the exact same behavior lately. My gaming rig was built by me with off the shelf parts, so maybe that at least rules out a Dell-specific issue.

I had assumed it was because I had added Blackbird (which I use to kill known telemetry) in “Excluded files and locations”, as Windows Defender definitely flags it as unwanted software. But as a test, I deleted all traces of Blackbird, removed the exclusion, and ran the scan again. Still the same behavior.

And then I found what seems like an actually useful explanation on the Microsoft Answers forum. So with other scanners not finding an issue, I’ve decided not to worry about it.

• This reply was modified 2 years, 10 months ago by SB9K.

2 users thanked author for this post.

DrBonzo, b

Reply | Quote

Malware can be sneaky…

I like to run through MajorGeeks Malware Removal… it uses multiple tools, but steps you through a specific sequence of steps in running them… just in case?

Non-techy Win 10 Pro and Linux Mint experimenter

1 user thanked author for this post.

DrBonzo

Reply | Quote

Bumped into this recently: while running Windows Defender scans, a legacy Windows 8.1 system (running flawlessly with zero security incidents, no significant issues over the years and still up for the job and tasks and goals it was set up and meant for – which is quite remarkable comparing to the effort put in dealing with, and fixing, a rather long list of issues while managing “modern” Windows 10/11 WaaS systems) suddenly began showing up the yellow warning symbol and the alarming message

“Preliminary scan results show that there might be malicious or potentially unwanted software on your system”

but the scan always ended with a “green” status reporting a “safe” machine, with 0 results (no malware findings at all). In every single scan, roughly at the very same point of the scanning progress, the warning message came up but, in the end, there were no quarantined contents, history was clear (no detections), there were no defined exclusions involved and – what’s more annoying – there were no useful log contents to help.

If that wasn’t odd enough, disk cleanups and system restarts made no difference: it was a sticky, “persistent” situation of a “false positive” that refused to go away, no matter what (and yes, that was confirmed to be the case after spending a couple of hours extensively applying advanced malware scanning techniques that ensured, with a high degree of confidence, that the system in question was, indeed, “clean” and that there were no active infections whatsoever).

It turns out there’s a reasonable explanation for this odd behavior:
https://learn.microsoft.com/en-us/answers/questions/326108/mar-17-21-msert-detects-items-during-scan-but-at-e

Rob Koch’s post (here quoted by Andy David, replying to a similar scenario when running the MSERT standalone tool – one of the many Microsoft security products that, like Windows Defender, share the same common antimalware platform) is enlightening but doesn’t tell you the whole picture, neither does it pinpoint exactly WHY or HOW this scenario might happen. It also doesn’t tell you how to FIX it, so here’s the deal (based merely upon my observations and assumptions and how I was able to workaround the issue and fix it)…

1. Consider a legacy Windows 7 system running Microsoft Security Essentials (or, in my case, a legacy Windows 8.x system running the same rebranded and upgraded Windows Defender product that, incidentally, never had any malware detection before) with the Settings > MAPS option configured to be either ‘Basic membership’ or (as it was the case) ‘Advanced membership’.

2. While executing an OFFLINE scan, the yellow warning symbol is shown and the “Preliminary scan results” message appears. In the end, a PuP (Potentially Unwanted Program) is found.

• At this point, Defender has a copy of the “suspicious fragment” that triggered the warning and lead to the PuP detection. Because the MAPS option was set accordingly, if there had been internet connectivity when the detection occurred, or roughly at 95% of the progress accordingly to Rob Koch’s post, the fragment should have been sent directly to Microsoft, so that the MAPS servers would analyze it and return further information about its nature (confirming if it was, indeed, a known piece of malware or a possible unknown strain of malware that should be further analyzed and included in upcoming antimalware signature definitions). This “cloud protection” feature implementation is not uncommon, it’s just how modern security products work.
  .
• Defender’s MAPS option is roughly equivalent to the “heartbeat” feature of both the Malicious Software Removal Tool (MRT) and Microsoft Safety Scanner (MSERT) standalone removal utility. All the three products set their own Registry REG_DWORD value that determines if any detection findings shall be sent, or not, to Redmond:

  ; Microsoft Security Essentials [Windows 7] / Windows Defender [Windows 8.x]
  ;
  ; If the 'SpyNetReporting' REG_DWORD is set to 0,
  ; Defender should not submit any findings to Microsoft MAPS servers
  ;
  [HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\SpyNet\]
  [HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\]
  ;
  ; 0 = I don't want to join MAPS <- Privacy-minded preferred option
  ; 1 = Basic membership
  ; 2 = Advanced membership
  ;
  "SpyNetReporting"=dword:00000000
  ;
  ; Microsoft Malicious Software Removal Tool (MRT) / Microsoft Safety Scanner (MSERT)
  ;
  ; The Registry key and the 'DontReportInfectionInformation' REG_DWORD might not exist,
  ; which is the default and equivalent to having the REG_DWORD set to 0
  ;
  ; 0 = Send the detection findings to Microsoft ("heartbeat" report)
  ; 1 = Do *NOT* send the detection findings to Microsoft <- Privacy-minded preferred option
  ;
  [HKLM\SOFTWARE\Policies\Microsoft\MRT\]
  [HKLM\SOFTWARE\Policies\Microsoft\MSERT\]
  "DontReportInfectionInformation"=dword:00000001

• The system’s MAPS option is set to submit the “suspicious fragment” (SpynetReporting REG_DWORD > 0). However, because the user is OFFLINE, Defender was unable to do so: instead, it keeps the “suspicious fragment” in a local “cached” folder. Presumably, once the internet connectivity is (re)established, the fragment may be queued and sent to the MAPS servers – either automatically or, eventually, when the next scan happens.

3. Realizing the detected PuP is NOT a malware infection, but rather a false positive scenario triggered by a specific tool that the user had been temporarily using for troubleshooting purposes (case in point: NirSofer’s WirelessNetView), the user not only dismisses the question and accepts Defender’s automatic action (the tool was put into quarantine) but he also uses the ‘Remove all’ button in the ‘History’ tabsheet to clear the scanning history and remove the item from quarantine (effectively confirming the tool’s deletion).

• At this point, the machine is still OFFLINE but Defender is smart enough to honor its MAPS settings: therefore, despite being instructed to clear its scanning history and quarantined contents, the “suspicious fragment” that triggered the PuP detection still exists, and will be kept. The “cached copy” of it (which is now an orphan reference to something that doesn’t exist anymore, because the tool was deleted) will supposedly be submitted to the MAPS servers once the internet connectivity is (re)established, or the next scan happens. But here’s the catch:

4. The user also realizes the MAPS option in the ‘Settings’ tabsheet is set to ‘Advanced membership’ but, because he recently had middle management “security training” and had received, and read, internal company emails alerting to “privacy issues” that could arise from inadvertently having software misconfigured to “disclose corporate privileged information” he promptly changes the MAPS setting to ‘I don’t want to join MAPS’.

I won’t digress about the user’s decision. The important thing here is, what should Defender do? Honor the MAPS option that had been previously set (and keep the cached “suspicious fragment”, now an orphan reference, for later submission) or adapt and adjust to the new MAPS option (and remove the “suspicious fragment”, since the now chosen MAPS option clearly states that “No information will [shall] be sent to Microsoft” anymore)? I’d say BOTH:

• If the system restarts now it is acceptable that, after a reboot, the new MAPS option should be honored and the orphan, “suspicious fragment” leftover shall be removed (similarly to what happens in the legacy software installation process, requiring a reboot to replace drivers, reapply settings and so on);
• If the system doesn’t restart yet and internet connectivity is (re)established in the meantime, it is also acceptable to assume that the old MAPS option should still be honored and the “suspicious fragment” should still be sent anyway because, at the time of its detection, the MAPS option was set to send it to Microsoft (and, it might be worth noting, that an additional ‘SubmitSamplesConsent’ REG_DWORD was also set to 1). Therefore, it is acceptable that the user’s decision otherwise shall only be taken into account from the time it was changed onwards and that the user’s decision doesn’t apply to the previously detected items. If the submission doesn’t happen automatically, it is also acceptable that it may happen at the next scan. Either way, internet connectivity must exist, so that the item can be submitted to the MAPS server, and only then – after submitting that “fragment” – the ‘SubmitSamplesConsent’ REG_DWORD can also be set to 0, honoring the user’s current decision (MAPS option set to ‘I don’t want to join MAPS’ [anymore]).

But, wait: what if the system DOESN’T restart yet, internet connectivity is (re)established and Defender is updated with new antimalware signature definitions before it has a chance to submit the “suspicious fragment”?

In that scenario, it is fair to assume that a “bug” MIGHT exist in the legacy Win7/8.x Defender’s interface that, when applying the new antimalware signature definitions corrupts somehow the orphanized “suspicious fragment” state and that cached, orphanized “suspicious fragment” becomes a “zombie” that might be repeatedly read and re-interpreted as a “preliminary scan result”, consistently and incorrectly triggering a warning message that refers to something that doesn’t even exist anymore!

In my case, that assumption was enforced by the fact that doing the obvious (changing back the MAPS option to ‘Basic membership’ or ‘Advanced membership’, connecting to the Internet and executing a scan so that the fragment could be submitted and subsequently removed from the local cache) didn’t seem to work, either. Not even after multiple system restarts and MAPS option changes in between. Whatever the reason was (probably related with the order in which the user actions occurred, the internet connectivity was (re)established, the new signature updates were applied or even the very nature of those specific signature definitions – eventually an intermmediate beta, buggy “delta” version), something went wrong in Defender’s interface: a glitch in the expected workflow that prevented the product from ever submitting the orphanized “fragment” to the MAPS server or removing it from the local cache – leaving that “fragment” indefinitely lying as a “zombie” leftover that kept triggering a misguiding warning to a non-existent “preliminary sign” of a non-existent malware infection!

Thus, I ended up fixing the situation by rebuilding Windows Defender’s internal “cached” history (a word of caution applies here: be advised not to do that unless you’re absolutely sure that the machine isn’t infected by malware – otherwise, you might be doing more harm than good. When in doubt, always seek experienced help). Here’s how:

1. Boot from a rescue disk (or a Linux live system that gives you root access to the filesystem) – “Safe Mode” won’t do here.
   .
2. From an elevated prompt, rename the history folder (as a convenient and temporary backup to rollback things up, if necessary) and create a new one, with nothing but the minimum, required subfolder structure and the main .bin control file(s):

   cd /d "C:\ProgramData\Microsoft\Windows Defender\Scans"
   ren History History.BAK
   mkdir History\CacheManager
   copy History.BAK\CacheManager\Mp*.bin History\CacheManager /v /y
   mkdir History\Results\Quick
   mkdir History\Results\Resource
   mkdir History\Service
   mkdir History\Store

3. Reboot and perform a Quick scan. Wait for it to finish: if the system is indeed “clean”, the yellow warning symbol and the “Preliminary scan results” message shouldn’t appear anymore. For completeness (if you want to double check and make sure all’s clean and well) you may wish to run a Full scan, too.
   .
4. From an elevated prompt, the old folder can now be safely removed:

   cd /d "C:\ProgramData\Microsoft\Windows Defender\Scans"
   rd /s History.BAK

That’s it. Hope it helps. 😉

1 user thanked author for this post.

DrBonzo

Reply | Quote

Not running 8.1 anymore. The issue was sporadic but we finally noticed a strong correlation between recent downloading of a game(s) and appearance of the issue. We would get the warning for a week or two, then it would go away, but reappear (usually) the next time a game was downloaded.

Haven’t noticed anything similar using Defender in Windows 10.

Regarding your comparison of 8.1 with 10 in your first paragraph, I’d have to agree. W10 is a LOT more work. I haven’t had any trouble with patches but keeping up with the sneaky unexpected changes, OOB patches, etc. is a real time suck. 8.1 was simple in comparison and absolutely rock solid.

Reply | Quote