• Window Security is behaving strangely…

    #2678311

    I’m running Windows 10 Pro 22H2 Build 19045.4412 64 bit. Last night I noticed that Windows Security had suddenly turned itself off. So I quickly turned it back on and tried using Event Viewer to investigate. It seems to have all started with a 5004 event followed by a lot of 5007 events as shown by the following small sample:

    9:44:30 PM 5007
    Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
    Old value: Default\NIS\Consumers\IPS\DisableBmNetworkSensor = 0x0
    New value: HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\DisableBmNetworkSensor = 0x1

    5004 9:44:30
    Microsoft Defender Antivirus Real-time Protection feature configuration has changed.
    Feature: Network Inspection System
    Configuration: 1

    5007 9:44:40
    Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
    Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\DisableBmNetworkSensor = 0x1
    New value: Default\NIS\Consumers\IPS\DisableBmNetworkSensor = 0x0

    5004 9:44:41
    Microsoft Defender Antivirus Real-time Protection feature configuration has changed.
    Feature: Network Inspection System
    Configuration: 0

    I can post more logs if need be. What bothers me about this is that this was all unprompted! It also turns out that every attempt Windows Security makes to run an automatic background scan fails. Thankfully this is not the case for any manual scans. Can anyone tell me what’s going on?
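The same timeline can be pulled straight from the Defender operational log instead of being copied out of Event Viewer. This is an added example, not part of the original post: the seven-day window and the `TurnsOff` flag are assumptions, while the log name, event IDs and the `Old value:` / `New value:` / `Feature:` / `Configuration:` fields are the ones shown in the sample above.

```powershell
# Added example (not from the thread): timeline of Defender configuration changes.
# Run in an elevated PowerShell session on the affected machine.
$log   = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).AddDays(-7)   # assumed look-back window

$changes = Get-WinEvent -FilterHashtable @{
        LogName = $log; Id = 5004, 5007; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        $msg = $_.Message
        if ($_.Id -eq 5007) {
            # 5007 carries "Old value:" / "New value:" lines of the form "<path> = <data>"
            $old = if ($msg -match 'Old value:\s*(.+)') { $Matches[1].Trim() }
            $new = if ($msg -match 'New value:\s*(.+)') { $Matches[1].Trim() }
            # Drop "= <data>" first, then keep the last path segment as the setting name
            $setting = (($new -replace '\s*=.*$', '') -split '\\')[-1]
        } else {
            # 5004 carries "Feature:" / "Configuration:" lines
            $setting = if ($msg -match 'Feature:\s*(.+)') { $Matches[1].Trim() }
            $old = $null
            $new = if ($msg -match 'Configuration:\s*(.+)') { $Matches[1].Trim() }
        }
        [pscustomobject]@{
            Time = $_.TimeCreated; Id = $_.Id; Setting = $setting
            Old = $old; New = $new
            # A Disable* value written as non-zero switches a protection component off
            TurnsOff = ($_.Id -eq 5007 -and $setting -like 'Disable*' -and
                        $new -match '=\s*0x0*[1-9a-f]')
        }
    }

$changes | Format-Table Time, Id, Setting, New, TurnsOff -AutoSize

# Settings changed more than once in the window, like the 0x0 -> 0x1 -> 0x0 pair in the post
$changes | Where-Object Id -eq 5007 | Group-Object Setting |
    Where-Object Count -gt 1 | Select-Object Name, Count
```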

    • #2678804

      9:44:30 PM 5007 Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

      Hi crimsoncricket:

      I’d suggest you run a scan with Malwarebytes Free (https://www.malwarebytes.com/mwb-download) to see if it detects any malware that might have been missed by Microsoft Defender.

      The first time you install Malwarebytes you will receive a 14-day trial of Malwarebytes Premium *** that includes extra features like real-time protection. To switch to Malwarebytes Free before the trial period ends click the “person” icon in the top right corner and choose My Subscription | Deactivate and you will be able to continue using Malwarebytes Free as a second-opinion on-demand scanner.

      I also have Malwarebytes configured to warn me before it removes any lower-risk PUPs or PUMs at Settings | Scans and Detections | Potentially Unwanted Items so I have a chance to review any lower-risk threats like browser toolbars, etc. detected by Malwarebytes that I might want to keep.

      [Image: MB-v5_1_5-Deactivate-Trial-PUPs-PUMs-Warn-User-07-Jun-2024]

      _______________________

      *** If you want to test the Malwarebytes Premium features during the 14-day trial period you can turn OFF Settings | General | Windows Security Center | Always Register Malwarebytes in the Windows Security Center to ensure that Microsoft Defender (or whatever antivirus you use) continues to provide your primary real-time antivirus protection. When you turn this setting OFF Malwarebytes Premium will not disable your antivirus, and Malwarebytes will continue to run in the background as “secondary” protection and monitor your system for any threats missed by your antivirus. This is the configuration used by most Malwarebytes Premium users (assuming their antivirus is working correctly).

      [Image: MB-v5_1_5-Settings-General-Windows-Security-Centre-MB-OFF-07-Jun-2024]
      ————
      Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4412 * Firefox v126.0.1 * Microsoft Defender v4.18.24050.7-1.1.24050.5 * Malwarebytes Premium v5.1.5.116-1.0.1252 * Macrium Reflect Free v8.0.7783

      1 user thanked author for this post.
      • #2678942

        Hi lmacri,

        Thanks for the help! I installed Malwarebytes free awhile back, so I was only able to run an on demand scan with rootkit scanning enabled. Thankfully it didn’t find anything. Should I try running anything else?

    • #2678974

      ESET has a free online scanner if you want another “opinion”.

      https://www.eset.com/int/home/online-scanner/

      Note: If you’re a Revo Uninstall Pro user, I’d suggest tracking the one time run of the ESET scanner.  It will likely leave some tracks including nag screens later.

      Desktop mobo Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
      2 users thanked author for this post.
    • #2678980

      Should I try running anything else?

      Hi crimsoncricket:

      If you click the Windows Security “shield” icon in your system tray and go to Settings | About does it show that you have the latest Microsoft Defender Client (Platform) v4.18.24050.7 and Engine v1.1.24050.5? The release notes at https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-updates?view=o365-worldwide#monthly-platform-and-engine-versions show that Platform v4.18.24050.7 started rolling out on 04-Jun-2024 (mine just updated from v4.18.24040.4 to v4.18.24050.7 yesterday or today) and it’s possible something went wrong during your Platform update that corrupted your Microsoft Defender installation.

      [Image: Microsoft-Defender-Settings-About-Antimalware-Client-v4_18_24050_7-07-Jun-2024]

      If you haven’t already done so, please DISABLE the Windows Fast Startup power option at Control Panel | System and Security | Power Options | Choose What The Power Buttons Do (see Option # 1 of Brink’s TenForums tutorial <here>) and then re-boot a few times to ensure there are no pending updates waiting for a full system restart. The Fast Startup power option (also known as hybrid boot-up / hybrid shutdown) is enabled by default in Win 10 and Win 11 but it can sometimes interfere with the loading and initialization of drivers and services at boot-up and cause all sorts of unexpected glitches and problems. For example, see the Microsoft support article Updates may not be installed with Fast Startup in Windows 10. From my Win 10 Pro v22H2 laptop:

      [Image: Win-10-Pro-v22H2-Control-Panel-Power-Options-Disable-Fast-Startup-07-Jun-2024]

      If that doesn’t help you might want to post in Malwarebytes’ Windows Malware Removal Help & Support board and ask one of their trained malware removal specialists to check your system for hidden malware that might be causing your Microsoft Defender antivirus to repeatedly disable. Instructions for posting your Malwarebytes scan log and Farbar Recovery Scan Tool (FRST) diagnostic logs are pinned at the top of that board at I’m infected – What do I do now?. Even if you don’t have hidden malware they might find something relevant in your Event Viewer error logs collected by FRST.

      I’m afraid I don’t know enough about the inner workings of Microsoft Defender to tell you what configuration setting controls the registry entry at HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\DisableBmNetworkSensor, but my Win 10 Pro v22H2 registry doesn’t appear to have that registry value (see image below).  All I can tell you is that when I used Norton Security on my old Vista machine that IPS referred to the network Intrusion Protection System.

      [Image: Win-10-Pro-v22H2-Registry-MS-Defender-NIS-Consumers-IPS-07-Jun-2024]
      ————
      Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4412 * Firefox v126.0.1 * Microsoft Defender v4.18.24050.7-1.1.24050.5 * Malwarebytes Premium v5.1.5.116-1.0.1252 * Macrium Reflect Free v8.0.7783

      3 users thanked author for this post.
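The checks in the post above (Platform and Engine version, Fast Startup, and the `DisableBmNetworkSensor` registry value) can be collected in one pass. This is an added example, not part of the original post: it assumes the built-in Defender PowerShell module is available and that Fast Startup is reflected in the `HiberbootEnabled` registry value; the version numbers and the Defender registry path are the ones quoted in the thread.

```powershell
# Added example (not from the thread): snapshot of the state the post asks about.
# Run in an elevated PowerShell session.
$mp = Get-MpComputerStatus

# Platform / Engine versions named in the post (04-Jun-2024 rollout)
$wantPlatform = [version]'4.18.24050.7'
$wantEngine   = [version]'1.1.24050.5'

# Fast Startup (hybrid shutdown): HiberbootEnabled = 1 means it is on
$power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' `
    -ErrorAction SilentlyContinue

# Registry value named in the 5007 events; the replier's own machine did not have it
$ips = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS' `
    -ErrorAction SilentlyContinue
$sensor = if ($null -ne $ips -and $null -ne $ips.DisableBmNetworkSensor) {
    '0x{0:x}' -f $ips.DisableBmNetworkSensor
} else { 'not set' }

[pscustomobject]@{
    PlatformVersion        = $mp.AMProductVersion
    PlatformAtLeastPosted  = ([version]$mp.AMProductVersion -ge $wantPlatform)
    EngineVersion          = $mp.AMEngineVersion
    EngineAtLeastPosted    = ([version]$mp.AMEngineVersion -ge $wantEngine)
    AntivirusEnabled       = $mp.AntivirusEnabled
    RealTimeProtection     = $mp.RealTimeProtectionEnabled
    BehaviorMonitor        = $mp.BehaviorMonitorEnabled
    NetworkInspection      = $mp.NISEnabled
    LastQuickScanEnd       = $mp.QuickScanEndTime
    FastStartupEnabled     = ($power.HiberbootEnabled -eq 1)
    DisableBmNetworkSensor = $sensor
} | Format-List
```

Running it before and after a few full restarts shows whether a pending Platform update or the Fast Startup setting changed any of these values.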
      • #2679441

        Hi lmacri,

        Great detective work!  Although I now have the latest Microsoft Defender Client (Platform) and Engine, that wasn’t the case when this issue happened.  I have since disabled Windows Fast Startup and have posted at the Malwarebytes forums.  Thanks again for your help!

        • #2679855

          I have since disabled Windows Fast Startup and have posted at the Malwarebytes forums.

          Hi crimsoncricket:

          Thanks, I found your topic in Malwarebytes’ Windows Malware Removal Help & Support board and will follow your progress over there.

          I’m not clear, though, what happened after you disabled Fast Startup. Did you re-boot a few times and wait to see if disabling Fast Startup solved your Microsoft Defender problem before you posted in the Malwarebytes forum?
          ————
          Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4412 * Firefox v126.0.1 * Microsoft Defender v4.18.24050.7-1.1.24050.5 * Malwarebytes Premium v5.1.5.116-1.0.1252 * Macrium Reflect Free v8.0.7783

    • #2680513

      I have since disabled Windows Fast Startup and have posted at the Malwarebytes forums.

      Hi crimsoncricket:

      Thanks, I found your topic in Malwarebytes’ Windows Malware Removal Help & Support board and will follow your progress over there.

      I’m not clear, though, what happened after you disabled Fast Startup. Did you re-boot a few times and wait to see if disabling Fast Startup solved your Microsoft Defender problem before you posted in the Malwarebytes forum?
      ————
      Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4412 * Firefox v126.0.1 * Microsoft Defender v4.18.24050.7-1.1.24050.5 * Malwarebytes Premium v5.1.5.116-1.0.1252 * Macrium Reflect Free v8.0.7783

      Yes, I did do that. Microsoft Defender hasn’t turned off by itself since June 4th and I’m just trying to figure out what caused the issue and those Event Viewer logs. Especially since one of the automatic background scans successfully completed, only for it to be immediately followed by another failed scan. On the plus side, I also saw a health report event log that mentioned the BM state being enabled so I hope that means the BMNetwork Sensor has been enabled again.
