Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it

Topic

New Reply

Post coming in InfoWorld
[See the full post at: Microsoft Security Advisory 4022344 plugs a bad hole in Windows Defender – here’s how to see if you got it]

3 users thanked author for this post.

Elly, ebrke, Fred

Reply | Quote

Replies

For those of you who know the inner workings of wuauserv, the Windows Update service…

My observations early this morning lead me to believe that Windows Defender is NOT updated if wuauserv is disabled.

True? Or was I testing incorrectly?

Reply | Quote

Another question related:
For those running Internet Security or AntiVirus that disable/turn off Windows Defender –  are they vulnerable?

4 users thanked author for this post.

walker, grams, jburk07, Karlston

Reply | Quote

This is interesting, but I would say that if any of the affected products is disabled, then it would become vulnerable only if not patched and turned back on at a later stage.

1 user thanked author for this post.

walker

Reply | Quote

This is likely the best question I have seen on the topic, and sadly . . .  I cannot find a definitive answer!

What I can tell you:  when a third party AV product installs correctly on Windows 10 — MOST of them “disable” Windows Defender.  I am looking at my task manager now and I can see my own AV product running, but not the recently patched MsMpEng.

However . . . what alarms me a little bit is how Windows 10 behaves if your AV is temporarily disabled.  After the next reboot, WD kicks ON and in my test just now, it’s not been patched yet.  So there is a period of time between when MsMpEng starts, and when it gets patched that a user would be vulnerable.

So: my test . . .

I run a product called Vipre AV for Enterprise.  A pre-check of MsMpEng shows this morning that it’s NOT updated after forcing a WU check, nor does it appear in the Update History at any time for the last month.  I actually picked up the last update for WD on March 27th, 2017 (I disabled my AV to install something.)

Now: disabling Vipre AV . . . futz around a few minutes, then a reboot and Viola!  MsMpEng is running and in Active Protection mode.  I am now vulnerable.

Approximately 18 minutes later MsMpEng gets an update and I now show that update on my history log.

~ Group "Weekend" ~

6 users thanked author for this post.

walker, Karlston, MrBrian, woody, PKCano

Reply | Quote

I’d like to know this as well. Currently, windows defender is disabled in services because i use another AV product, as everyone else’s should also be but can it still be exploited!

-T

Reply | Quote

Woody, I am not sure. You said so many times before that MSE and Defender are updating outside of WU and I think those claims were right.
There is a qualification though.
MSE/Defender have a built-in timeout period (1 day for home editions/14 days for enterprise editions?) which means that if the regular server does not respond (WU or WSUS if configured), then they update from an alternative antimalware dedicated site only. And there is a third backup option too.
There are Registry keys and Group Policies for each product which can modify the default behaviour which I described above.

4 users thanked author for this post.

Elly, walker, Karlston, woody

Reply | Quote

woody wrote:

For those of you who know the inner workings of wuauserv, the Windows Update service…

My observations early this morning lead me to believe that Windows Defender is NOT updated if wuauserv is disabled.

True? Or was I testing incorrectly?

I have been disabling the Windows Update service for eons in order to ensure I retain control. I have also been monitoring communications and system health for a long time.

Microsoft Security Essentials updates just fine when Windows Update is disabled.

Please allow me to offer this screen grab as evidence. Note the green marks next to “OS – Microsoft Malware Protection Command Line Utility (MpCmdRun.exe) indicating successful communications. Note the up-to-date status in the Security Essentials dialog. This Windows 7 machine hasn’t had the Windows Update service enabled in a long time.

It logs a message in the System Event log claiming failure, then immediately falls back on its own components and gets the updates done successfully and logs another event claiming success. It’s a nice feature, assuming you want MSE on task. Note the relative times of these.

-Noel

7 users thanked author for this post.

Elly, walker, ch100, HiFlyer, JLeigh, woody, MrBrian

Reply | Quote

So it seems that, as ch100 noted, if wuauserv is turned off, the Windows Defender update process goes to a second source of updates.

I wonder what the time lag is between the two? In your screen shots, it was a whole 25 seconds. I wonder if that’s true in general?

Reply | Quote

I’ve been off Windows Defender on my Windows 10 v1703 “Creator’s” test system for a few weeks, but I’ve seen it work just the same way there too. Here’s an event sequence I turned up in the logs…

The time delay was 11 seconds in this case.

-Noel

1 user thanked author for this post.

woody

Reply | Quote

The possible sources to be configured in Group Policy (and I think regular area of the Registry, but this is less documented) are:
“InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”

This is the description of the relevant Group Policy for Windows Defender in Windows 10 1703.

This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”

For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }

If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.

If you disable or do not configure this setting, definition update sources will be contacted in a default order.

The default Windows Update scan is 22 hours with a randomization of 0 to -20%.
The home products for Microsoft Antimalware have a default interval of 1 day when configured to update from MicrosoftUpdateServer which is not the regular WU/MU server, but the one dedicated to antimalware definitions.

With wuauserv disabled, the correct configuration is to change the order of the sources for updating in policy or remove everything else and leave only MicrosoftUpdateServer
I use this configuration even with WSUS because I don’t want to synchronise definitions in WSUS, which I use mostly for proof of concept and not production and I change its configuration often. But I want the antivirus (Microsoft only) to be updated regularly.

A lot of those details are found in the Group Policies descriptions. Those interested can go through them and find correlations between various modes of updating.

1 user thanked author for this post.

woody

Reply | Quote

This matches my observation:  Disabled WU = no WD update for executables via WU, but WD appears to have a fallback and gets the update anyway.

~ Group "Weekend" ~

2 users thanked author for this post.

ch100, woody

Reply | Quote

I think Woody’s question has changed to “how often does MSE/WD update from the alternative source if it cannot find Windows Update (which is default)”.

1 user thanked author for this post.

woody

Reply | Quote

And it appears as if the answer is “in seconds.”

Which means my admonishment in the InfoWorld article to avoid disabling wuauserv is wrong.

Sigh.

4 users thanked author for this post.

Elly, HiFlyer, walker, ch100

Reply | Quote

Well, it may work like this, if the correct answer is in seconds.
When the time to check Windows Update comes, it cannot find it and then fallbacks instantaneously to the definitions site.
However, there is a flaw in this logic. How does WD/MSE know when to check Windows Update if wuauserv is disabled?!
I think the correct answer is either 24 hours or 8 hours, depending on the version and edition, because the only available source for definitions remains the definitions site and the engine would use that fallback mechanism to update.
What am I missing here?

Reply | Quote

@ch100:  What is    “wuauserv”?   I don’t think I have anything like this, however do not know because I’m not computer literate.  Many thanks for all of the information you provide for all of us here trying to “survive”.    🙂

Reply | Quote

Actually it is possible that the engine searching on Windows Update does not depend on the service to run, but only to update and is exactly the same updating mechanism for any other source of definitions, outside of regular Windows Update/svchost.exe
Which may explain the 11 seconds delay as provided by Noel.

1 user thanked author for this post.

walker

Reply | Quote

You must be right.

Curiouser and curiouser….

Reply | Quote

If Windows Defender’s off and you don’t use some other listed MS security product, it doesn’t matter, right?

Reply | Quote

It already doesn’t matter pretty much any way you look at it. The fix has already rolled out from Microsoft using the normal Windows Defender update processes.

-Noel

1 user thanked author for this post.

ch100

Reply | Quote

From https://technet.microsoft.com/en-us/library/security/4022344
If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk.
This would suggest that WD, when disabled by third-party AV, is not vulnerable? Or is that just wishful thinking?

Annemarie

1 user thanked author for this post.

Karlston

Reply | Quote

Two very good questions, which I’ve seen repeated in several locations.

So far, I don’t have a definitive answer.

1 user thanked author for this post.

jburk07

Reply | Quote

“This would suggest that WD, when disabled by third-party AV, is not vulnerable? Or is that just wishful thinking?”

I had an online chat today with a Symantec rep and he assured me that it is patched by live update. Probably other av vendors will do the same.

LMDE is my daily driver now. Old friend Win10 keeps spinning in the background

Reply | Quote

Microsoft rates this vulnerability as “Exploitation Less Likely,” probably due to these technical details.

Reply | Quote

That’s a fascinating article. The poster really knows his stuff….

Reply | Quote

In my opinion, if you have an active AV solution (e.g., Windows Defender / Microsoft Security Essentials) and it detects malware regularly or even from time to time…

A good, secure computing environment (possibly most importantly) operated thoughtfully can see to it that NO malware ever gets even close to the computer.

-Noel

2 users thanked author for this post.

Elly, ch100

Reply | Quote

I wouldn’t really be all that be surprised to learn that even if you completely disabled the windows defender service and unchecked the “use this program” option inside WD that it still connected to the outside world somehow, given the way that windows programming is tied together.

Reply | Quote

I only used security protection program once in XP era

never after that, never will 🙂

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Do you mean 3rd party security protection or Windows Defender?

Reply | Quote

None

just the default Windows Firewall

1 user thanked author for this post.

Reply | Quote

We keep Windows Update Service disabled and run the command
“MpCmdRun.exe -SignatureUpdate -MMP” hourly to keep Defender up to date.
The command works on 7, 8 and 10

Reply | Quote

@Woody

After reading your article I’m stuck on one thing, do we need to make sure Windows Defender is up to date and then check for another update on Windows Update? Or is making sure Defender is updated enough?

Reply | Quote

For this problem, making sure the Windows Defender engine is up-to-date is enough.

Reply | Quote

Correction to article: 1.1.13701.0 is the last version that has the security hole.

Reply | Quote

Interesting. In my corp environment, I have everyone on Symantec Endpoint Protection & Windows 7, so Windows Defender is turned off. WSUS is set to auto-approve all Windows Defender definition updates. Just checked one system and turned WD on.

The engine hadn’t been updated in ages, if ever.

If Windows Defender is not active, then it seems to ignore updates completely, leaving the vulnerable bits in place until it is turned back on and updated. Also, MpCmdRun.exe is not available.

This makes me a little uneasy.

1 user thanked author for this post.

NetDef

Reply | Quote

Using a test Win7 VM, I turned on WD for the first time in a long time.The About screen did not even show an “Engine Version” or an “Antispyware definitions” version. Not sure what that means regarding its status for this exploit.

Took nearly 20 minutes for it to update. It grabbed the update from our WSUS server.

I am considering temporarily activating WD across the enterprise long enough for this update to kick in. Doesn’t seem wise to leave the vulnerable engine in place, even if it is inactive.

Reply | Quote

Kobold Curry Chef wrote:

. . . . I am considering temporarily activating WD across the enterprise long enough for this update to kick in. Doesn’t seem wise to leave the vulnerable engine in place, even if it is inactive.

May I humbly suggest you do this a) after hours and b) entire network off-internet at the main firewall/gateway? (after making sure your WSUS server is synched)

I bet you can guess why . . .  🙂

~ Group "Weekend" ~

Reply | Quote

This is pretty much exactly what we see.  WSUS controlled environment, WD updates automatically approved, but a third party AV is being used.  None of our normal Windows 7 workstations have seen a WD update for a looooong time.  Trying to run WD shows an error result (correctly) that it’s been disabled by Group Policy. In this case I am not feeling terribly worried . . .  I doubt very much that anything can enable it.  This might not be true outside of a GP controlled site.

 

~ Group "Weekend" ~

1 user thanked author for this post.

Kobold Curry Chef

Reply | Quote

I don’t have WD disabled via GPO, since I want something to be running before we install SEP on a new box. I just let SEP turn it off. Problem is, that means it’s too easy to fire up WD. (Don’t even need to be an admin, it seems.)

Might need to reconsider that now…

Reply | Quote

Leave it to Microsoft to issue a critical security advisory about the worst vulnerability ever!!, and not include a link to a patch that users who run third-party antivirus products can download and install without enabling the vulnerable software.

Reply | Quote

The vulnerability is in Microsoft first-party products, why would any other external products need it?

Reply | Quote

Apologies, you’ve misunderstood my point.

I don’t use Windows Defender. Nevertheless (as I’m not certain it’s possible to uninstall it altogether, which would really be my preferred solution) I do want it patched.

Why? Because, as others have noted elsewhere in this discussion, under certain circumstances, it’s possible Windows could turn Defender on without notifying me or asking my permission. I’d then have a vulnerable program running on my computer, possibly without even being aware of it.

I also do not want to have to turn Defender on to patch it. I’d much rather just download and run a standalone file.

2 users thanked author for this post.

Elly, grams

Reply | Quote

This MS Windows Defender linked page may contain the installer you seek – scroll down to “Antimalware and antispyware updates” section.

Reply | Quote

I use MSE since I got my pc and WD has been deactivated ever since (about 2010),since woody says mse has been patched too, that means I’m good right?

Reply | Quote

Here’s another fun question:

New machine setup.  I’ve never ever seen a workstation delivered with current “anything” installed.  For one-off’s (no master image * ) we de-cr*pify, patch, install apps etc.  There is a significant time period where that machine will be highly vulnerable, and on-line, during the deployment phase.

Likely best answer:  At some point MS needs to place this on the Update Catalog for off-line installation.  (I cannot find it yet – if it’s there I would appreciate someone with better search skills to point it out! )  And all admins will need to add that to our off-line USB installers for new machines.

* Note, for larger installations where golden masters are used:  Setup to our domains generally means snapping a well maintained image to new machines. This will not be a problem as long as the master image has been updated to this patch for WD.  Even if you don’t use WD on your work network, you should update your image(s)!

~ Group "Weekend" ~

Reply | Quote

actually woody, your Infoworld article is referencing the wrong file.

The crucial file for the Microsoft Malware Protection Engine is MPENGINE.DLL, not MsMpEng.exe. mpengine.dll should be the file users should check whether using MSE or WD.

5 users thanked author for this post.

Elly, woody, digideth, NetDef, David F

Reply | Quote

Thank you for that, I was able to confirm I was on the latest by checking the dll, so no need to turn on WD (it’s off by default due to MSE running on win7).

Reply | Quote

EP wrote:

actually woody, your Infoworld article is referencing the wrong file. The crucial file for the Microsoft Malware Protection Engine is MPENGINE.DLL, not MsMpEng.exe. mpengine.dll should be the file users should check whether using MSE or WD.

When I read this, I looked and found that I have three copies of MPEngine.dll –>

1. C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
   modified 8/19/2010
2. C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1068FD24-C391-429A-B881-D51ACBFC75A0}\mpengine.dll
   modified 11/16/2010
3. C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8E099210-7D74-4C89-AD82-B47763A2FDA7}\mpengine.dll
   modified 5/6/2017

The last one is version 1.1.13704

I think this has happened (I am guessing now) because a long time ago I must have turned off WD and have used only MSE and Malwarebytes for a long time.  That combo has worked just fine for on my Win 7 machine.

I don’t like having those vulnerable files sitting around on my hard drive, but I don’t know how to remove Windows Defender, I think it is somehow interwoven with MSE.

Thank you for any comments.

 

 

Reply | Quote

I have something similar, though in the Microsoft Antimalware folder

I checked in MSE though and it is using the latest engine (13704), so I think it’s safe as it’s only using the latest version

Reply | Quote

Instead of installing Windows Updates manually, as outlined by Woody, executing Update-MpSignature via PowerShell console also updates the malware protection engine.

Reply | Quote

Will that update the engine, even if some other antivirus product is blocking Windows Defender?

Great tip, by the way.

Reply | Quote

I am disturbed to discover that Windows Defender is disabled on my computer (running Windows 7) and cannot be enabled due to error 0x800704ec. Should I be concerned? It means it is impossible to run it so I can’t follow your directions.
Also, I am hopelessly confused at this point about whether I should have Windows Update on the “check for updates but ask me before downloading and installing” setting or turned off altogether. Just today I have been instructed to do both. Please clarify!!

Reply | Quote

Fix Error Code 0x800704ec

Reply | Quote

Ok, so if I understand correctly, my WD is disabled because of my third-party antivirus program? I did a search on my computer for all occurrences of “defender” and found a lot of folders and files related to WD, and none of them appear to have been modified since July 2014, so do I then assume I have not miraculously acquired the update? I searched the computer for mpengine.dll and did not find it. What does THAT mean? I gather that turning off my antivirus and trying to enable WD so that I can update it is not what I should be doing; what IS the recommended course of action?

Reply | Quote

carol wrote:

I searched the computer for mpengine.dll and did not find it. What does THAT mean?

I tried to access the “C:\ProgramData\Microsoft\Windows Defender” on my Windows 7 system and it told me I didn’t currently have access to it, but I could get access by clicking Continue.  Apparently you’re in the the same boat and this lack of permissions is hiding mpengine.dll from the search.

carol wrote:

I gather that turning off my antivirus and trying to enable WD so that I can update it is not what I should be doing; what IS the recommended course of action?

Yes, that’s a very good question.  Windows Defender is disabled on my computer as well because I’m running Avast!

Reply | Quote

What a goatfest. My love/hate relationship with Microsoft continues to intensify. As an admin, Microsoft sorta pays my bills, but thanks to their variety of antics over the past few years, I’ve been seeing my psychologist more frequently. 😉

Guess I’ll be updating WD this weekend across the domain. It’s not like I had anything better to do anyway.

Reply | Quote

Hm…

Even without Windows Defender on task, when you download a file – for example an installer – Internet Explorer always puts up a small “Running Security Scan” message across the bottom of the browser window after the download is done but before the file is fully available.

I wonder what components that scan uses…

-Noel

Reply | Quote

Windows Defender vulnerability that can result in remote code execution? Another critical security hole? I hate Microsoft!

One of the first things I did after installing Windows 7 / 8.1 / 10 (10 for testing) is to disable Windows Defender. No definition updates have been received via Windows Update since. Is my system vulnerable? Do I have to temporarily reenable Windows Defender to patch it?

Hope for the best. Prepare for the worst.

Reply | Quote

James Bond 007 wrote:

Windows Defender vulnerability that can result in remote code execution? Another critical security hole? I hate Microsoft!

One of the first things I did after installing Windows 7 / 8.1 / 10 (10 for testing) is to disable Windows Defender. No definition updates have been received via Windows Update since. Is my system vulnerable? Do I have to temporarily reenable Windows Defender to patch it?

Answered my own questions.

Yes, apparently I have the vulnerable version on my computer running Windows 7 (mpengine.dll version 1.1.6402). I temporarily reenabled Windows Defender and instructed it to check for updates. After a while it was updated to 1.1.13704. I then disabled it again (within the program and the Windows Defender service).

Hope for the best. Prepare for the worst.

1 user thanked author for this post.

Reply | Quote

Yes, you should enable Windows Defender to download the patch. I’m using Windows 10, no update for Windows Defender was shown when using WUShowHide.

Reply | Quote

One more thing, I don’t have any other AV or security products on my computer, so I have no worries about temporarily reenabling Windows Defender, updating it, and then disabling it again.

But for people who have another AV or security product installed (thus Windows Defender is disabled), how are they going to update their vulnerable version of Windows Defender? Are they vulnerable to this hole? If Windows Defender can still update behind the scenes quietly, well and good. If not, are they going to have to temporarily reenable Windows Defender to update? Will the security product installed prevent the activation of Windows Defender? Will it be necessary to disable the security product temporarily?

These are questions that many of us want to have answers. So far it seems nobody has definitive answers.

Hope for the best. Prepare for the worst.

2 users thanked author for this post.

grams, samak

Reply | Quote

Just updated my W10 laptop. Windows Defender-engine is up to 1.1.13802.0 by now. Anyone else can confirm?

Annemarie

EDIT html to text

1 user thanked author for this post.

woody

Reply | Quote

According to Technet, you are protected from this vulnerability as long as you have Version 1.1.13704.0 or higher.

Reply | Quote

James Bond 007 wrote:

MsMpEng.exe. mpengine.dll

Nice summary of my questions. Thanks!

 

Reply | Quote

Woody, I have not turned off the Windows Update service, but I have (1) disabled Windows Defender from within the program, and (2) disabled the Windows Defender service (in Windows 7). I have received no Windows Defender updates since that point. That’s why the mpengine.dll version was still at 1.1.6402 (dated November 2010) before I forced it to update.

So I believe that the failure of Windows Defender to update itself is not related to the status of the Windows Update service. Or at least, it is not the only reason.

Hope for the best. Prepare for the worst.

1 user thanked author for this post.

ebrke

Reply | Quote

I have another computer running Windows 7 that disabled Windows Defender (but not the Windows Defender service), and when I just went to check I found that the mpengine.dll version was at 1.1.6402, that is, it has not received updates to the scanning engine for a long time.

I forced it to update, and then disabled the program and the Windows Defender service.

So it seems to me that when the Windows Defender program is disabled in Windows 7, it will not receive updates to its scanning engine.

Hope for the best. Prepare for the worst.

2 users thanked author for this post.

woody, MrBrian

Reply | Quote

The majority use third party AV/Malware programs that over-ride Windows Defender, to disable 3rd party programs in order to receive a security update for Windows Defender just seem ludacrious to me..

Why, oh Why haven’t MS just released a patch update for W7/W8/W8.1 and W10?

MS in their ultimate wisdom have created a security flaw otherwise.

 

Reply | Quote

plugs a bad hole

Have you ever heard of a “good [security] hole”?

 

And in the Infoworld article:

it was a stunning response to a bad bug

Have you ever seen a “good bug”?

Just wondering…

-- rc primak

2 users thanked author for this post.

Elly, woody

Reply | Quote

rc primak wrote:

Have you ever seen a “good bug”? Just wondering…

When I was in the code business, we called those “features!”  {evil grin}

~ Group "Weekend" ~

Reply | Quote

I’m getting emails from all directions asking about conflicts with other antivirus products. Specific mentions for Trendmicro and Avast, but I’m sure others behave similarly. Here’s an example:

Thanks for your InfoWorld article on the Windows Defender update and how to check if its installed. But, in doing this, I found more to the story

A computer with Avast antivirus disables Windows Defender. And, I can’t figure out how to run Windows Defender to update it. JUST between us, Avast is a miserable av program.

Specifically:

I went to the control panel, then Windows Defender and got an error:
   This program is turned off.

There is a “Click here to turn it on” link and but clicking on it failed with:
“This program is blocked by group policy. Error code 0x800704ec”

I also tried to enable Windows Defender using the Action center and that failed too.

My reaction is that you should disable the antivirus program, then manually turn on Windows Defender, then check to see if you have the latest engine update.

Unfortunately, I don’t run third party AV products on my machines, so… can anybody provide a definitive answer?

1 user thanked author for this post.

rc primak

Reply | Quote

I have the same problem with TrendMicro Internet Security, Panda Free and BitDefender Free. All three disable WD.

Reply | Quote

Not all third-party AV programs have a conflict, though some do.

My patching results for this issue:

Windows 10 Pro 64-bits, ver. 1607, Avira Antivirus Free Edition left up and running (not disabled).

Go To Search (Cortana disabled). Type Windows Defender. Program comes up, but is all Amber. Turn On with Admin Shield clicked once. Update Tab. Run Updates. All works as normally. Definitions updated, and engine appears to have become the correct version. Real Time Protection still handled by Avira. Go to Settings for Windows 10, and turn off Periodic Scanning with Windows Defender again.

After  updating Windows Defender:

Engine 1.1.13704.0

Definitions 1.243.110.0

(Woody missed a digit in the Infoworld article for the AV/AS Definitions Version.)

Did this work?

Run stand alone installation as per Kirsty’s link (#113872) — nothing happened when I tried to run the download. When updated, WD does not respond to running the stand-alone installer. (Nothing seems to happen at all.)

32-bits Win 10 Pro 1607 tablet, also running Avira Free — I did not update from within the Windows Defender program. I used the download link supplied by Kirsty.  Here, the offline updater ran. One must temporarily enable WD Periodic Scanning (you can turn this off from Windows 10 Settings later — WD has a link in its Settings for this) to see which version of the scanning engines and the program itself are in place.  Before vs. After showed a change.  Again, after correcting for the missing digit in Woody’s Infoworld posting, the AV and AS versions are updated.

So, did I do this right? Am I now protected?

-- rc primak

Reply | Quote

Yes, also McAfee allows Windows Defender to run.

Reply | Quote

Same problem with Norton Internet Security. Have reached out to Norton on their forum, but no response yet.

Reply | Quote

I had this same issue. The registry fix at https://www.fixtechproblems.com/fix-error-code-0x800704ec/ involving HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender!DisableAntiSpyware worked for me on Windows 7 x64.

4 users thanked author for this post.

Purg2, woody, ebrke, PKCano

Reply | Quote

Michael Horowitz just published his results in bypassing Avast…

http://www.computerworld.com/article/3196124/windows-pcs/third-party-antivirus-programs-interfere-with-windows-defender-critical-patch.html

1 user thanked author for this post.

MrBrian

Reply | Quote

woody wrote:

Michael Horowitz just published his results in bypassing Avast…

http://www.computerworld.com/article/3196124/windows-pcs/third-party-antivirus-programs-interfere-with-windows-defender-critical-patch.html

Ah, Woody, you are quicker. I just found this out.

So by setting that Registry key DisableAntiSpyware from 1 to 0, Windows Defender will be able to start and you can then force it to update. I suppose you should change the key back to 1 after update if, like Michael Horowitz, you have another AV or security product installed?

Isn’t this registry key set when you use the Group Policy Editor to disable Windows Defender in Windows 7 / 8.1 / 10?

As Michael Horowitz also said “This really begs the question of whether Windows anti-virus software helps more than it hurts.” Windows Defender is supposed to help to stop malware, but now it has become an attack target.

Hope for the best. Prepare for the worst.

Reply | Quote

This worked fine on my machine running AVG (which turns off Defender as well). Thanks Woody!

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

If your computer is running Windows 8, you can use the built-in Windows Defender to help you get rid of viruses, spyware, or other malware. If your computer is running Windows 7, Windows Vista, or Windows XP, Windows Defender only removes spyware.
To get rid of viruses and other malware, including spyware, on Windows 7, Windows Vista, and Windows XP, you can download Microsoft Security Essentials for free.

Read more at https://blogs.microsoft.com/microsoftsecure/2013/11/14/windows-defender-and-microsoft-security-essentials-which-one-do-i-need/#Q01LARXgcQ69yiYM.99

The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it’s simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft’s malware protection engine—websites, file shares—could be used as an attack vector. Tavis Ormandy, one of the Google Project Zero researchers who discovered the flaw, warned that exploits were “wormable,” meaning they could lead to a self-replicating chain of attacks that moved from vulnerable machine to vulnerable machine.

https://arstechnica.com/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/
_ _ _

For my Win 7 home-computer, I have disabled the built-in Windows Defender. I also do not install the monthly Patch Tuesday’s MSRT. So, I do not think my Win 7 computer is affected by this flaw.

Reply | Quote

So, I do not think my Win 7 computer is affected by this flaw.

I don’t like to “think” I am not affected. I would require proof or expert advice. Of which we have neither. Patching (updating) the WD Scanning Engine is the only surefire way to be safe. I did this on both of my PCs, even though both run third-party AV products.

-- rc primak

1 user thanked author for this post.

MrBrian

Reply | Quote

Does MSRT rely on Windows Defender?

Reply | Quote

Did some Googling and found this, an CVE from 2011. https://technet.microsoft.com/en-us/library/security/2491888.aspx. Can I conclude that yes, the MSRT uses the Microsoft Malware Protection Engine, but it is embedded in MRST and not depending on the version installed on te pc?

Reply | Quote

Not to my knowledge. MSRT is designed to run as a stand-alone scanner. MSERT (Microsoft Safety Scanner) downloads its own scanning engine and definitions very time it is to be run, but MSRT is a much smaller download. So, maybe, and patch Windows Defender regardless. This vulnerability affects a lot more than on-demand antivirus scanning.

Reply | Quote

#post-113967 was me. Forgot to log in. And I was wrong — MSRT does leverage Windows Defender’s scanning engine. But it carries its own (limited) definitions update.

MSERT (Microsoft Emergency Scanner) is the download which does carry the engine and the definitions with it, for stand-alone scanning.

I use both MSRT and MSERT, and leave WD turned all the way off (not even periodic scans or those other annoyances which are turned on by default in Settings).

 

-- rc primak

Reply | Quote

@ anonymous#113950

I think MSRT relies on Microsoft malware protection engine to scan the computer for malicious software and to remove them, as implied by …
https://support.microsoft.com/en-us/help/2510781/microsoft-malware-protection-engine-deployment-information

Reply | Quote

In other words, even if you are only running the monthly MSRT, you’d be wise to patch Windows Defender now.

-- rc primak

Reply | Quote

Clicking through on https://support.microsoft.com/en-us/help/2510781/microsoft-malware-protection-engine-deployment-information to the security bulletin https://technet.microsoft.com/library/security/2846338 it states that at that time, vulnerable was:

 

Microsoft Malicious Software Removal Tool (x64)

and then:

Applies only to April 2013 or earlier versions of the Microsoft Malicious Software Removal Tool.

This implies to me that the used engine in MSRT was embeddeed and updated in the MRST-tool itself. If not, higher powers help us: many millions of people who cannot update Defender due to 3rd party AV would be at risk of MSRT as well…

Reply | Quote

@ anonymous#113978

many millions of people who cannot update Defender due to 3rd party AV

You are quite right and are on to something.
. . AFAIK, affected Windows users should not install/run the MSRT unless they are able to update/patch the MS malware protection engine in Windows Defender or MS Security Essentials.
. . But then, they are already running 3rd-party AV programs which conflict with AV programs/tools from MS. IOW, affected users have to choose one or the other.

Reply | Quote

After reading the article on PCWorld, I discovered that MSE is also at risk. So although I have Defender disabled, I now have the correct/updated version of MSE and feel safe. Hope this helps others.

“Finally, users of Microsoft’s anti-malware products, including Windows Defender and Microsoft Security Essentials should make sure that their engine is updated to version 1.1.13704.0. Older versions contain a highly critical vulnerability that can be easily exploited by attackers to take complete control of computers.”

http://www.pcworld.com/article/3195809/security/microsoft-fixes-55-vulnerabilities-3-exploited-by-russian-cyberspies.html

Reply | Quote

I’m running MSE on my Windows 7 computers, and of course MSE disables Windows Defender.  MSE is apparently also at risk for the bug, but it’s not clear to me how to fix that.  My latest Windows Update check doesn’t show a new engine for MSE.  My current engine # is 1.1.13704.0 (safe according to PC World), but I think that’s been the case for some time; if so, I’m not clear why that engine isn’t compromised.

 

Reply | Quote

anonymous wrote:

Instead of installing Windows Updates manually, as outlined by Woody, executing Update-MpSignature via PowerShell console also updates the malware protection engine.

This, as well as the normal CMD version of the update command, fails on Windows 10 systems that have WD disabled by a third party AV.

I still want a stand-alone, off-line updater from the Microsoft Update Catalog, for new system deployment.  Still have not seen one appear as of this morning.

~ Group "Weekend" ~

1 user thanked author for this post.

PKCano

Reply | Quote

Marty wrote:

I’m running MSE on my Windows 7 computers, and of course MSE disables Windows Defender. MSE is apparently also at risk for the bug, but it’s not clear to me how to fix that. My latest Windows Update check doesn’t show a new engine for MSE. My current engine # is 1.1.13704.0 (safe according to PC World), but I think that’s been the case for some time; if so, I’m not clear why that engine isn’t compromised.

You should be fine since your MSE engine is the most current. At least that’s how I interpret the PCWorld article. However, I’m no ‘techie’, so if someone with more knowledge has a different response, I’d appreciate seeing it.

Thanks to Woody and this great group!

Reply | Quote

Hello Woody:   I had to do a manual update to Windows Defender in order to get the fix described in your article on Microsoft Security Advisory 4022344.   The information I’ve read in your “Woody on Windows” article (and also in the Microsoft article)  seems to indicate I should have gotten it automatically.  Could it be that the reason I didn’t get it automatically be due to the fact that I have my updates set for “check for updates but let me choose whether to download and install them”?    The other possibility for a reason why I didn’t get it automatically was that the update was rolled out gradually,  and therefore I simply hadn’t received it yet.   However,  I see that it was offered to me in the form of an update to Windows Defender,  but I simply hadn’t chosen to download and install it yet,  because I don’t check my updates being offered to me very often,  and I hadn’t realized the critical nature of this particular update.   So it appears to me that some sort of manual action was required on my part in order to get the update.  Please note:  I do not have an antivirus package that shuts off Windows Defender.   So am I correct in assuming the reason I didn’t get the update automatically was because I have my updates set for “check for updates but let me choose whether to download and install them”?

Also, is there a way for me to check whether I was infected by this malware,  due to my delay in getting the update installed?

Reply | Quote

Wow, first their gwx campaign, then the problem with eternalblue and doublepulsar, and now this problem with windows defender… what’s next to have a problem, windows update? Geez, M$ track record is doing a nosedive. I mean sure they are quick about it, but correct me if I’m wrong, but isn’t there a saying that fits this, someting about a boat and patching leaks just delaying the inevitable?

Reply | Quote

anonymous wrote:

Wow, first their gwx campaign, then the problem with eternalblue and doublepulsar, and now this problem with windows defender… what’s next to have a problem, windows update? Geez, M$ track record is doing a nosedive. I mean sure they are quick about it, but correct me if I’m wrong, but isn’t there a saying that fits this, someting about a boat and patching leaks just delaying the inevitable?

Agreed.

Windows Defender (and now Microsoft Security Essentials as well?) was supposed to protect users from malware, but now has become an attack target, even though as you said they were quick to fix it this time, what about the next time there is a problem? I am ready to bet that there are other vulnerabilities in Windows Defender and MSE, and perhaps they are already being exploited? Scary and terrifying.

If antivirus and antimalware programs themselves have critical security holes and become attack targets (the Microsoft ones are especially troublesome as they are included with Windows and cannot be removed, only disabled), what should we do? Are we better off not having them?

Hope for the best. Prepare for the worst.

Reply | Quote

Thanks very much for this info. My elderly parent’s win machine had not updated, so I was able to update manually. Help I get here is invaluable.

Reply | Quote

Should also have said that machine runs ESET Security. Win Defender appeared to be active (not disabled) but still had not received the automatic update. I have WU set not to look for updates, but in update history I have seen Win Defender updates come down anyway.

Reply | Quote

@ebrke:    I have ESET Windows Smart Security, Version 9.   Had a notice a few days ago that it has an update ready to be installed (however did not have the time to do it).  I don’t recall ever seeing that ESET ever disabled anything such as the Windows Defender.

For quite some time, I have had the updates set at “NEVER UPDATE”, and have not updated the MSRT or the Windows Defender.  I have no sophisticated programs on the computer.  Just trying to determine “EXACTLY” what steps should “computer illiterate” users do to protect themselves when they don’t know how to determine if they are vulnerable or not.   I’m not connected to any “networks”, or anything else, just the one computer.

Are there specific directions to enable us to determine if we are vulnerable to this malware under these circumstances?   We, who are totally ignorant and helpless, have no knowledge that most of the users here have.

Any and ALL guidance will be very much appreciated.    Afraid to even check the updates because I don’t know where we stand.   I have no way of knowing if the WD is functional or not…. it hasn’t been updated to my knowledge for several months.   Also I do not have the MSE.

 

 

 

 

 

Reply | Quote

@ebrke:   Congratulations on successfully protecting your parent’s computer.    I did find the following information on my Windows Defender:

Last scan:  10/1/16

Real Time Protection:      ON

Version:   1.229.1054.0   Created 10/6/2016

I have no idea what steps to take at this point to protect the computer from this malware problem.   Is there any way out of this horrible dilemma???  🙁

 

 

Reply | Quote

woody wrote:

I’m getting emails from all directions asking about conflicts with other antivirus products. Specific mentions for Trendmicro and Avast, but I’m sure others behave similarly. Here’s an example: Thanks for your InfoWorld article on the Windows Defender update and how to check if its installed. But, in doing this, I found more to the story A computer with Avast antivirus disables Windows Defender. And, I can’t figure out how to run Windows Defender to update it. JUST between us, Avast is a miserable av program. Specifically: I went to the control panel, then Windows Defender and got an error: This program is turned off. There is a “Click here to turn it on” link and but clicking on it failed with: “This program is blocked by group policy. Error code 0x800704ec” I also tried to enable Windows Defender using the Action center and that failed too. My reaction is that you should disable the antivirus program, then manually turn on Windows Defender, then check to see if you have the latest engine update. Unfortunately, I don’t run third party AV products on my machines, so… can anybody provide a definitive answer?

I’m very interested in hearing a definitive answer as well.  I too am running Avast!,  so my Windows Defender is disabled and I can’t turn it back on.  I don’t know what, if anything, I need to do.

Reply | Quote

@alpha128:     There are a myriad of “situations” with this “nightmare”.    Apparently there are directions for those of us who don’t have additional problems (e.g. inability to enable the WD which was turned off by 3rd party AV programs).

I did find a link that really provides the information necessary for those who do not have other issues.  This link takes it through all of the “steps” to resolve it.    I do not feel confident enough to try to tackle it at the present time (I have the NEVER update set, and don’t know if I need to stop the Windows Services to install, etc.).

Here is the first link, and from this one the steps are in place.     Good luck to us all, irrespective of which OS we have.   I’m Win 7, 64 bit, Home P. and “think” I could do this if I knew a little more about it.

We all thank those who have “saved our bacon” and have worked so diligently to help us all.  We owe them all a huge debt of gratitude.   A special “thank you” to Woody!!

Here’s the FIRST link which has the information needed to start the process of stopping this  nightmare (for those who do not have other problems).

https://technet.microsoft.com/en-us/library/security/4022344

 

 

Reply | Quote

@walker

Here’s the link that worked for me: http://www.computerworld.com/article/3196124/windows-pcs/third-party-antivirus-programs-interfere-with-windows-defender-critical-patch.html

I had to:

1.) Edit the registry to allow Defender to run as described in the article

2.) Start the Defender service

3.) Run Defender

4.) Download updates

5.) Exit Defender

6.) Stop the Defender service

7.) Set the registry key back to its original value

Not bad once you know what to do.

2 users thanked author for this post.

walker, MrBrian

Reply | Quote

Those are the steps that I did also. Thanks for posting :).

Reply | Quote

You’re welcome.  Glad I could help.

Reply | Quote

@Alpha: how can I start and stop the Defender Service?

Thanks,
~Annemarie

Reply | Quote

Control Panel\Administrative Tools\Services – highlight the Windows Defender Service and at the upper left click “start”

 

1 user thanked author for this post.

walker

Reply | Quote

Thank you!
~ Annemarie

Reply | Quote

@PKCano:  Thank you for this information – – – I’ve not had time to keep up with the postings, and am just now getting to it.   Thank you so much for the wonderful help you provide to  us all, it is absolutely “outstanding”, and very, very much appreciated!

Reply | Quote

@PKCano:    Apologies for “one more question”.    The directions for WD on/off using the Administrative menu……

When you turn WD off/on as you indicated in your message, does it “affect” your 3rd party AV program in any manner?  Like causing your AV program to become corrupted in any way?   Just wondering – – – this dilemma with the WD is horrible.    Thank you once again for your patience, expertise, and willingness to share your wealth of knowledge with us all.    🙂

Reply | Quote

Thanks PKCano for giving Annemarie the answer.

Reply | Quote

@alpha128,

@walker has Home Premium edition (as I do), therefore we don’t have Group Policy and I assume these instructions are for higher editions than ours, or am I totally wrong there?

In the CW link I followed the string and under Hkey_Local_Machine….Policies\Microsoft I found there is no Windows Defender there at all.

I also use Eset (NOD32) as the antivirus and this has turned Defender off, this way to update Defender will not work for me. Or have I got this completely wrong?

Reply | Quote

@alpha128:   I can see that there is no way I can navigate through all of this, since I have never touched the “registry” or “start or stop” Windows Defender.    I cannot see any way out of this dilemma since I am so computer illiterate.   I am not listed as “Administrator” either.  I’ve always tried to keep things as simple as possible, so I have no Administrator listed.

I admire those of you who have the knowledge to be able to correct this nightmare.   I just don’t know where to begin.

Thank you to everyone who has posted their information here for everyone to view.

Reply | Quote

@alpha128:    How do you start and stop the Windows Defender?   My computer shows it’s on, however it hasn’t been updated since October 2016, so I don’t really know “where I stand” with this situation.

I can’t see that I can do “anything” to get this “monster” under control.    🙁

Reply | Quote

What worked for me: I went to the Action Center (is that the English word? Where you can check the (safety) status of your pc). Under antispyware it listed Norton as running. But there was also a blue link saying: view all installed programs. Windows Defender is there. I clicked on it. It was shut down again and said: Services stopped. Click here to restart the services. Did that. Could update. Went into Defender-settings. Disabled Scheduled update and realtime protection. Disabled (under Administrator) ‘Use this program’. Checked if the Windows Defender Service had stopped. It said ‘Manual’, so that is a yes. Then checked in the registry. Both disable spyware and disable relatime protection were on value 1 (which is off).

I did not have to stop Norton whilst doing this. I’m a tech-n00b, but the posts in this thread gave me the confidence I needed to try!

~ Annemarie

Reply | Quote

@alpha:    Where do you find the registry?   I don’t even know how to do that, and am anxious that I will do “something wrong” (as is my wont).    This nightmare malware is taking over computers in huge numbers.     Thank you once again for all of your help!  🙂

Reply | Quote

@ walker

https://support.microsoft.com/en-us/help/310516/how-to-add,-modify,-or-delete-registry-subkeys-and-values-by-using-a-.reg-file

1 user thanked author for this post.

walker

Reply | Quote

@ alpha128

Please refer to the fix above by Woody at … #114150

1 user thanked author for this post.

alpha128

Reply | Quote

FYI, …
https://www.wintips.org/how-to-fix-msmpeng-exe-high-cpu-usage-problem/

Reply | Quote

anonymous wrote:

@ alpha128 Please refer to the fix above by Woody at … #114150

Thank you.  This is just what I needed to get my Windows Defender patched.

@Woody,

I think this is important enough to deserve a blog entry of its own.

 

 

Reply | Quote

THAT CRAZY BAD BUG!

Windows 7 (Home Edition)
ON: Microsoft Security Essentials (MSE).
OFF: Windows Defender. Disabled by MSE.

OFF: Windows Update.
Set to ‘Never Check For Updates’ (Group B).

OPEN Microsoft Security Essentials (MSE) – Help – About.

New Engine Version: 1.1.13704.0 – GOOD!

AUTOMATIC MSE ‘Update definitions’ has installed it.

OR

OPEN Microsoft Security Essentials (MSE) – Help – About.

Old Engine Version: 1.113701.0 – BAD!

DO MANUAL MSE ‘Update definitions’.

OPEN Microsoft Security Essentials (MSE) – Help – About.

New Engine Version 1.1.13704.0 – GOOD!

MANUAL MSE ‘Update definitions’ has installed it.

AUTOMATIC OR MANUAL MSE ‘Update definitions’ installs New Engine Version 1.1.13704.0
With Windows Update OFF!
Set to ‘Never Check For Updates’ (Group B).

SAFE!

Worked for me.

Top of the Class Noel Carboni!

Cheers!
sainty?⛵️???

Reply | Quote

GoTheSaints wrote:

@alpha128, @walker has Home Premium edition (as I do), therefore we don’t have Group Policy and I assume these instructions are for higher editions than ours, or am I totally wrong there? In the CW link I followed the string and under Hkey_Local_Machine….Policies\Microsoft I found there is no Windows Defender there at all. I also use Eset (NOD32) as the antivirus and this has turned Defender off, this way to update Defender will not work for me. Or have I got this completely wrong?

It sounds like you’ve got it right to me.  I am running Windows 7 Professional and the registry key was there.  I’m not sure how it works on the Home Premium edition.  Maybe you just need to start the service?  Perhaps someone else with Home Premium experience can weigh in.

Reply | Quote

@alpha128:    I do not have MSE, should I install it now, or would it be a mistake to do “anything” at this point in time?     We’re still at Defcon2, and I don’t even know where to begin to try to start to dig my way out of this mess.  Thank you for sharing with all of us.

My ESET Smart Security Version 9 is not showing the WD as being “off”, so perhaps if I contact ESET and ask them they can verify if “Smart Security Version 9” turns off the WD.

I’m showing under WD that it’s “ON”, so it’s really confusing.  Thank you once again!!

Reply | Quote

How to turn on Windows Defender (video)

1 user thanked author for this post.

woody

Reply | Quote

@Mr.Brian and @anonymous:

I checked with ESET and they DO have the WD totally, completely blocked, as apparently the other AV programs do, as well.  Under these circumstances, it means that the user must remove or disable his/her AV program completely.   Is this the scenario?

Remove the AV program completely, install the WD, try to get the latest update, and if successful, then “reinstall” the AV program?

Thank you for all of the guidance and help.   I have no clue as to whether or not I’ll have the ability to follow this method, however I may “try”.

 

Reply | Quote

I intended to disable my antivirus (Avast Free) temporarily just before enabling Windows Defender, as a precaution against having two antivirus programs running at the same time. Well I forgot to disable Avast, but things worked out fine for me anyway. Your results might vary.

Reply | Quote

@ walker

For Win 7 Home, try to look for this …

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

ON
“DisableAntiSpyware”=dword:00000000

OFF
“DisableAntiSpyware”=dword:00000001
.

…. or uninstall your 3rd-party AV program and reinstall it after patching WD.

Reply | Quote

walker wrote:

@alpha128: I do not have MSE, should I install it now, or would it be a mistake to do “anything” at this point in time? We’re still at Defcon2, and I don’t even know where to begin to try to start to dig my way out of this mess. Thank you for sharing with all of us. My ESET Smart Security Version 9 is not showing the WD as being “off”, so perhaps if I contact ESET and ask them they can verify if “Smart Security Version 9” turns off the WD. I’m showing under WD that it’s “ON”, so it’s really confusing. Thank you once again!!

@walker:

Try doing my procedure…

https://www.askwoody.com/forums/topic/microsoft-security-advisory-4022344-plugs-a-bad-hole-in-windows-defender-heres-how-to-see-if-you-got-it/#post-114204

…but with the registry key specified here:

https://www.askwoody.com/forums/topic/microsoft-security-advisory-4022344-plugs-a-bad-hole-in-windows-defender-heres-how-to-see-if-you-got-it/#post-114404

1 user thanked author for this post.

walker

Reply | Quote

@alpha128:

Thank you for the recommendation…..    Since I an not a “techie” I know nothing about the registry, and of course do not have any confidence due to my serious lack of knowledge relevant to these issues.

We’re still at Defcon2, and I’m wondering if it’s even safe to do the “check for updates” (with the “NEVER CHECK” always checked).    “Once burned, twice shy” I think the adage goes.   Every day seems to bring more headaches.

Thank you for sharing the above information with me – – – – I sincerely appreciate it!    🙂

Reply | Quote

@alpha & @anon #114404, as I stated in post #114222, @walker has Home Premium so therefore he can’t find that key as it’s not there!

@walker, I have just updated WD by disabling/pausing (not uninstalling) Eset for 10 mins (you can select how long from the list that appears but this was enough time for the download and update for me). Firstly I created a restore point then started Windows Defender, clicked on update in WD, let it do it’s thing and voila, mpengine.dll had updated to 1.1.13704.

In Services (before I carried out any of this) WD was Stopped and “Startup Type” was set as Manual. After I completed the above “Startup Type” had changed to Automatic (Delayed Start) so I changed it back to Manual and stopped WD.

I then rebooted and Eset automatically kicked in.

@walker, I think this is a bit complicated for you to do, is there anyone who can help you? Or maybe you could try the link Kirsty posted in #113872.

All the best

1 user thanked author for this post.

walker

Reply | Quote

@GoTheSaints:   Thank you for sharing your experience with getting the WD problem resolved.    “Yes”, I definitely need help.   I have nightmares about making a “wrong move”.  Common to all of us “non-techies” I’m sure.

I appreciate the information you shared, and thank you so much for the support.  🙂

Reply | Quote

@walker, I’m sorry if I sounded in any way condescending in my earlier reply but I can see you are struggling with this issue.

Please don’t touch anything to do with the registry (if you don’t know how to get to it, best leave it alone) because if a mistake is made there you can effectively brick your computer (without backing up that key beforehand).

Hopefully, in the not too distant future (and before it’s not too late), there will be an easier way to patch WD for you automatically somehow.

I, too, wish I knew more than what I do but at least my limited knowledge comes from reading heaps and learning from the guys who are the experts here and other forums. If I encounter a problem all I do is research it and find someone has already had it and mostly it has been solved.

Best

1 user thanked author for this post.

walker

Reply | Quote

 

 

@GoTheSaints:    I thought I had replied to your excellent message….  I had difficulty locating it again.   Your thoughtfulness, understanding, and patience are appreciated more than words can adequately express.    I agree with your advice 100% and can’t say “thank you” enough for sharing your very astute thoughts.    I have always been very, very fearful to ever touch anything associated with the Registry.   Thank you once again!!   🙂

 

 

 

 

 

2

1 user thanked author for this post.

GoTheSaints

Reply | Quote

walker wrote:

@alpha128: Thank you for the recommendation….. Since I an not a “techie” I know nothing about the registry, and of course do not have any confidence due to my serious lack of knowledge relevant to these issues. We’re still at Defcon2, and I’m wondering if it’s even safe to do the “check for updates” (with the “NEVER CHECK” always checked). “Once burned, twice shy” I think the adage goes. Every day seems to bring more headaches. Thank you for sharing the above information with me – – – – I sincerely appreciate it! 

When I wrote “check for updates”, I meant within the Windows Defender application.  That will only download Windows Defender updates.  The MS DEFCON level only applies to Windows patches, and yes, you shouldn’t install any of those until Woody raises the level to 3 or higher.

Editing the registry is not a task to be undertaken lightly, so here are:

http://www.techrepublic.com/blog/five-apps/-five-tips-for-editing-the-windows-registry-safely/

 

1 user thanked author for this post.

walker

Reply | Quote

I’m running Win7 Home Prem Sp1 with Microsoft Security Essentials (MSE). MSE is now running the correct/updated version, but I gather that I also need to update Windows Defender in case MSE is ever stopped.
So here’s my plan. Please let me know if I have the steps correct. Thanks so much!

Set System Restore (done)

Plan 1 – disable MSE which should allow me to run WD and update, then disable WD and enable MSE (see #post-114514)

OR Plan 2 (but I think I read that in Win7, the registry key won’t be there?

run regedit as Administrator
backup registry
navigate to HKey_Local_Machine\Software\Policies\Microsoft\Windows Defender
export Branch to Notepad and edit to change value from 1 to 0
import back into registry

Save and Exit registry

Start the Defender service
Run Defender
Download updates
Exit Defender
Stop the Defender service

Set the registry key back to its original value, using the export/import functions

Reply | Quote

Well, Plan A might work if I could figure out how to disable MSE. Could someone please provide instructions? Thanks!

Reply | Quote

@grams
Home Premium does not have gpedit (Group Policy). Professional, Enterprise and Ultimate are the editions that do. That’s why we (Home Premium people) can’t update WD starting with the registry, so
forget those steps.

I am not running MSE, I use Eset NOD32 and disabled for 10 minutes to do the WD update.

A quick search and I found this for disabling MSE:
https://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/disable-microsoft-security-essentials/0bcfa371-fa95-40b1-9a18-00c8db346326?auth=1

2 users thanked author for this post.

Elly, grams

Reply | Quote

@grams:  Thank you for sharing your experiences with this dilemma!  I don’t have MSE so that makes it a little different too.  It is “supposed” to be “optional”, however it appears that it’s definitely tied into a lot of other things in our OS’s.  I’m Win7, 64 bit, Home Premium, and use ESET Smart Security  Version 9.

Does anyone know if it’s SAFE to “check for updates” at this point in time?  I would like to check just to see what’s there, however there are so many “bad ones” out there, I don’t even feel comfortable doing that.

Were you successful in getting the latest WD update?

Reply | Quote

GoTheSaints wrote:

@grams Home Premium does not have gpedit (Group Policy). Professional, Enterprise and Ultimate are the editions that do. That’s why we (Home Premium people) can’t update WD starting with the registry, so forget those steps. I am not running MSE, I use Eset NOD32 and disabled for 10 minutes to do the WD update. A quick search and I found this for disabling MSE: https://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/disable-microsoft-security-essentials/0bcfa371-fa95-40b1-9a18-00c8db346326?auth=1

Thanks so much, GoTheSaints! I should be in great shape soon.

Reply | Quote

@ GoTheSaints & grams

MrBrian wrote; … I had this same issue. The registry fix at https://www.fixtechproblems.com/fix-error-code-0x800704ec/ involving HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender!DisableAntiSpyware worked for me on Windows 7 x64.
.
woody wrote; …. Michael Horowitz just published his results in bypassing Avast…

http://www.computerworld.com/article/3196124/windows-pcs/third-party-antivirus-programs-interfere-with-windows-defender-critical-patch.html

The above regedit fix to enable WD is for Win 7 Pro or above, which have gpedit for Group Policies. For Win 7 Home Premium or below, the similar regedit fix is …

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

ON
“DisableAntiSpyware”=dword:00000000

OFF
“DisableAntiSpyware”=dword:00000001

3 users thanked author for this post.

Elly, GoTheSaints, grams

Reply | Quote

@Anonymous Thanks! if the update through the Action Center doesn’t work, I’ll use the regedit method.

Reply | Quote

I’ve been scouring this thread and its various links, but I am at a loss. I have a computer with Windows 10, Creators Update, and a third-party antivirus that disables Windows Defender (WD). I ended up running the risk of this week’s Patch Tuesday in the hopes of receiving an update for WD, but I don’t believe I received one (or if I did, it’s not in the Update History list). I looked in the registry editor, but did not find a “DisableAntiSpyware” key. I disabled the AV in Services and rebooted, hoping it would trigger WD, but the computer still thought my AV was running, so no luck there.

At this rate, the only way to update WD would be to uninstall my AV, but I would really prefer not to do that… any other tips or tricks out there?

Reply | Quote

@anonymous:   I too have been scouring every piece of information (that I can understand) which I can find.    We have been put in an untenable position because of the lack of support from the “offending” entities which together spell “BIG TIME nightmare”.   Without any computer skills, I am in a quandary and don’t know where to begin.

If the WD is activated through using the “Administrator Tools”, etc. is there any assurance that our 3rd party AV programs will not be corrupted?   Wish I knew the answer to that one!!!   I, like you, do not want to disable or uninstall my AV programs.    It appears that it’s “darned if we do, and darned if we don’t”.   Good luck to us all with this problem (the worst I’ve ever had to deal with).

Reply | Quote

@walker,

Same anon here, I think I managed to update Windows Defender! I ran across this website that mentions that, at least for Windows 10, if you want to run any command lines for WD, you have to turn on the periodic scanning option. I decided just to try opening/updating WD with the periodic scanning option turned on first.

Immediately my antivirus gave a warning about the potential clash of running two programs simultaneously. Without closing that warning, I headed to MSASCui.exe in the Program Files > Windows Defender folder to open up WD. Previously, I was unable to click on any of the tabs (Update/History/etc.) when I opened WD, but this time I was able to go to the Update tab and click on the Update button. At first it told me that it failed to update… but after a few moments, it said it updated successfully, and I was able to check the engine version, which was 1.1.13704.0, so it appeared to have been a success! I used the warning that my antivirus gave me to disable WD again, and also went back to settings to disable periodic scanning.

It’s a bit convoluted, but at least this allowed me to update WD without turning off my antivirus. I also reproduced these steps successfully (just to doublecheck that the engine version had indeed updated…), though as I have just completed it, I don’t yet know if there is some consequence for this in the future… but for now, I’m very relieved!

1 user thanked author for this post.

walker

Reply | Quote

walker wrote:

@grams: Thank you for sharing your experiences with this dilemma! I don’t have MSE so that makes it a little different too. It is “supposed” to be “optional”, however it appears that it’s definitely tied into a lot of other things in our OS’s. I’m Win7, 64 bit, Home Premium, and use ESET Smart Security Version 9. Does anyone know if it’s SAFE to “check for updates” at this point in time? I would like to check just to see what’s there, however there are so many “bad ones” out there, I don’t even feel comfortable doing that. Were you successful in getting the latest WD update?

You’re most welcome. I’ve not yet updated WD. As for checking for regular updates, I wouldn’t yet. I rely on Woody’s MS-DefCon status at the top of the page 🙂 all the best!

1 user thanked author for this post.

walker

Reply | Quote

@grams:    I see that you too are apprehensive about “checking for updates”….  I don’t know about others, however it is disconcerting to have to be afraid to “check updates”.

There are others who also are afraid to try to “CHECK UPDATES” too.   I just keep it on NEVER CHECK for now, until the Defcon is raised.   Thank you for sharing your success with the WD problem.   Congratulations!!  🙂

Reply | Quote

walker wrote:

grams

Just successfully updated Windows Defender. Hooray!

uncheck real time protection in Microsoft Security Essentials
Control Panel >System and Security>Action Center (expand Security to view Spyware)
turn on Windows Defender > update > Options to turn off real time protection
back to Action Center (expanded) turn on MSE

Done! and quite easily. thanks to all who’ve helped!

Reply | Quote

@walker, you’re most welcome. Thank goodness for Woody and the others here who are tech savvy to guide us along the winding road of M$ wishing you all the best

Reply | Quote

Round 2! From Microsoft Releases Out-of-Band Update to Fix Malware Protection Engine Flaws (May 30, 2017):

“On Friday, Microsoft released an out-of-band security update to fix several issues with the Malware Protection Engine discovered by Google’s Project Zero team.

The issues are detailed in Project Zero bug reports here, here, and here. They have also been added in Microsoft’s Security Guide as CVE-2017-8535, CVE-2017-8536, CVE-2017-8537, CVE-2017-8538, CVE-2017-8539, CVE-2017-8540, CVE-2017-8541, and CVE-2017-8542.

Five of the eight are basic denial of service (DoS) flaws that crash the Malware Protection Engine (mpengine.dll) or prevent it from doing its job.

Three are remote code execution (RCE) flaws, which are very dangerous as they allow an attacker to execute code on the user’s machine. Because this code is executed in the context of the Microsoft Malware Protection Engine service, the attack code runs with SYSTEM-level privileges.

All eight issues have been fixed with the release of the Microsoft Malware Protection Engine version 1.1.13804.0.”

(Hat tip: Imacri’s post https://www.askwoody.com/forums/topic/cve-2017-0223/#post-119137)

Reply | Quote

Round 3: Microsoft Malware Protection Engine CVE-2017-8558 Remote Code Execution Vulnerability. Reportedly fixed in v1.1.13903.0. Tweet.

Reply | Quote

From https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8558:

“Only x86 or 32-bit based versions of the Malware Protection Engine are affected.”

Reply | Quote

Have you tried following these steps?

https://www.askwoody.com/forums/topic/microsoft-security-advisory-4022344-plugs-a-bad-hole-in-windows-defender-heres-how-to-see-if-you-got-it/#post-114204

 

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

2 users thanked author for this post.

Elly, Oldster

Reply | Quote