Reminder: Degrading Windows Update While Depending Upon Microsoft Defender


    Topic #2467835

    A good security suite will update its virus signatures and other data files and settings almost daily. To achieve maximum security protection against malware, these frequent “signature” updates are necessary.

    Microsoft Defender depends upon Windows Update to update its “signature” files. But if you disable or perhaps delay Windows Update in certain ways, Defender can go out of date, leaving your PC less secure.

    There are ways to check the status of Defender to determine if your configuration is affected by this problem.

    A workaround has been mentioned to fix this problem:
    https://www.thewindowsclub.com/update-windows-defender-automatic-windows-updates-disabled

    If you use a third-party antivirus solution instead of Defender, you are not affected by this Defender limitation. With the right third-party antivirus solution, these “signature” files can be automatically updated so discreetly, you never notice.

    Any corrections/elaborations needed here?

    Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    Replies

    Reply #2467847

    Reply #2467898

      Microsoft Defender depends upon Windows Update to update its “signature” files.

      Short version:
      Happy to be proved wrong but I looked into this a while ago and I don’t believe this is wholly accurate for Windows 10. I use sordum.org’s small, free, portable Windows Update Blocker (WUB) and Defender’s signatures are *still* updated (see 1 below).

      There are ways to check the status of Defender to determine if your configuration is affected by this problem.

      The status of Defender, including the date that AV signatures were last updated, can easily be checked in an elevated PowerShell console by entering Get-MpComputerStatus.

      (Similarly, Defender signatures can be updated manually (or scripted) using Update-MpSignature.)

      Don’t take everything you read online as accurate (See 4 below).


      TL;DR version:
      1. This question comes up time and time again in Windows Update Blocker comments and the answer is always [since May 2020 – which is how far I went back] ‘Wait 1-2 days and the Defender updates will be downloaded’.

      2. Windows 10’s primary scheduled Windows Update check and download mechanism is now via the Update Orchestrator Service – specifically MoUsoCoreWorker.exe or USOCoreWorker.exe (collectively known as Update Session Orchestrator or USO) – rather than wuauclt.exe (used in earlier versions of Windows, I think – I no longer have any legacy versions up and running to check).

      Update Orchestrator’s usoclient.exe has 6 hidden scheduled tasks – two of which scan for updates and 1 which handles installs – which WUB disables. (It’s more complex than that because these 6 tasks have 3 different triggers amongst them.)

      [Screenshot: UpdateOrchestrator UsoClient scheduled tasks and their triggers]

      Windows 10’s Defender updates are still apparently handled by MpCmdRun.exe via a separate set of hidden scheduled tasks. The Defender update mechanism may well try to update via Update Orchestrator first but I’ve also watched it apparently using BITS (Background Intelligent Transfer Service) when Update Orchestrator is disabled. I believe this is its built-in fallback mechanism after a few failed tries with USO.

      (I also note that Windows Updates are apparently served by CDNs (Content Delivery Networks) contracted out to Microsoft [here in the UK it’s usually Akamai in Holland] whilst Defender updates via BITS show a source IP within a Microsoft-registered IP block [here in the UK it’s usually Dublin]. Unfortunately, use of virtual IP block addressing and load-balancing of both CDNs and Microsoft means that the remote endpoints I’ve recorded (using CurrPorts’s logging) keep changing frequently… so it’s difficult to state with any certainty what may quickly change.)

      3. These days PowerShell appears to provide much more granular control over Defender than switches for MpCmdRun.exe. Unfortunately it’s becoming more difficult to tell due to Microsoft’s habit of removing documentation for all but the latest version.

      For example, a Google search for Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool shows only this document of variants for Microsoft 365.

      Similarly, a Google search for Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus shows only this document of variants for Microsoft 365.

      4. Many websites make statements without qualifying them. For example, another webpage on the same website you quoted states about the Update Orchestrator service:

      But if you open its Properties and see, you will not be able to change the startup type – it will be grayed out! So stopping the Service can serve as a temporary measure – you cannot disable it. (see here)

      A more accurate qualification would be “you cannot disable it within Services”, i.e. the services.msc snap-in. To demonstrate, just look at the Status column in the screenshot above, highlighted by the red border, which quite clearly shows it as Disabled.

      Hope this helps…

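As an added example (not from the original post or from Microsoft), the PowerShell below ties together the checks described in the reply: it reads the signature age from Get-MpComputerStatus, calls Update-MpSignature when the signatures are older than an assumed two-day threshold, and lists the state of the Update Orchestrator and Defender scheduled-task folders so you can see which tasks a blocker such as WUB has disabled. The $MaxAgeDays value is an assumption; run it from an elevated console.

```powershell
# Added example: check Defender signature age, refresh stale signatures directly
# from Microsoft, and show the scheduled tasks behind Windows Update vs. Defender.
$MaxAgeDays = 2   # assumed threshold; signatures normally refresh at least daily

$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    EngineVersion        = $status.AMEngineVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
} | Format-List

if ($status.AntivirusSignatureAge -gt $MaxAgeDays) {
    Write-Warning "Signatures are $($status.AntivirusSignatureAge) days old; requesting an update."
    # MMPC pulls definitions straight from Microsoft rather than through the
    # Windows Update / Update Orchestrator path that WUB disables.
    Update-MpSignature -UpdateSource MMPC
    # Equivalent command-line fallback mentioned in the reply:
    #   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    $after = Get-MpComputerStatus
    "Signature version after update: $($after.AntivirusSignatureVersion) " +
        "($($after.AntivirusSignatureLastUpdated))"
}

# Read-only view of the two hidden task sets discussed above. Update Orchestrator
# tasks show as Disabled when WUB is active; the Defender folder is separate.
'--- Update Orchestrator tasks ---'
Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' |
    Select-Object TaskName, State | Format-Table -AutoSize
'--- Windows Defender tasks ---'
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' |
    Select-Object TaskName, State | Format-Table -AutoSize
```

If AntivirusSignatureAge keeps growing after Update-MpSignature completes, the machine is relying on a blocked update path and the workaround in the opening post applies.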