Author Topic: Windows Defender definitions update is a virus?  (Read 13357 times)


zygomatic

  • Guest
Windows Defender definitions update is a virus?
« on: April 17, 2012, 09:34:28 AM »
This is the second time for this to happen.
Windows 7 Ultimate 64bit notifies me that there's an update for Defender. I download it and the installation starts. All of a sudden there's a red alert from Avast 7 (7.0.1426) saying that a virus has been moved to the chest. I take a look at the installation of the definitions (Windows Defender) and it failed. The virus type is Win32:Gremo. Then, I run the update manually and the installation finishes without a problem. And it all happened on two separate occasions.

Help!  :(

Oh, by the way, what should I do with the viruses once they're inside the chest?

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Windows Defender definitions update is a virus?
« Reply #1 on: April 17, 2012, 10:49:38 AM »
Preferably, imo, you could just disable Defender as it's not doing anything that avast hasn't already got covered, and Defender's detection rate is next to useless.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Windows Defender definitions update is a virus?
« Reply #2 on: April 17, 2012, 11:25:53 AM »
The problem is that with the WD update, the virus signatures it is installing aren't encrypted or otherwise protected. So you have a resident antivirus installed, which is actively looking for such virus signatures and alerts when it finds them.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

tscharlii

  • Guest
Re: Windows Defender definitions update is a virus?
« Reply #3 on: April 17, 2012, 11:31:00 AM »
I use avast! Free 7.0.1426 (virus definition: 120417-0) on Windows 7 64bit Professional and I'm experiencing almost the same issue as the thread starter, just a different virus.

Avast reports a Win32:Bolzano-W virus residing in a randomly named folder within C:\
It is accessed by the process C:\windows\system32\mpsigstub.exe.

Here is the log (C:\windows\temp\mpsigstub.log) of the failed automatic Windows Defender signature update. It failed because avast! interfered and I chose to put the file into quarantine:
----------------------------------------------------------------------------------
Command:    MpSigStub.exe /program c:\46a30492c161b189d597ef56838f1a\MpMiniSigStub.exe  WD /q
Start time: 17.04.2012 10:36 (version 11.1.3927.0)

=================================== ProductSearch ==================================

             Microsoft Windows Defender (Windows 7):
     Status: Active                                 
    Product: 6.1.7600.16385                         
     Engine: 1.1.8202.0                             
 Signatures: 1.123.1683.0                           

================================ PackageDiscovery ================================

Package files discovered:
c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p (?.?.?.?)

               AS BDD:     
       Engine: Not included
  AS base VDM: Not included
  AV base VDM: Not included
 AS delta VDM: 1.123.1936.0
 AV delta VDM: Not included

================================ PatchApplication ================================

Using directory c:\46a30492c161b189d597ef56838f1a for temporary storage,
ERROR 0xffffffef : ApplyVdmPatch(C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94C82271-A582-4C10-A343-809FF71783D9}\mpasdlta.vdm, c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p, c:\46a30492c161b189d597ef56838f1a\F4FFFCE3-ABB1-44C4-9D6E-CDDDF0D9B623mpasdlta.vdm)

                         Watson Report:                          Position:
                HRESULT: 0xffffffef                              P1       
         FailedFunction: PatchApplication                        P2       
              Operation: AS BDD                                  P3       
 SourceComponentVersion: 11.1.3927.0                             P4       
    SourceComponentName: mpsigstub.exe                           P5       
         ProductVersion: 6.1.7600.16385                          P6       
            ProductName: Microsoft Windows Defender (Windows 7)  P7       

Set BddUpdateFailure to 1
ERROR 0xffffffef : One or more of the packages found failed to update for Microsoft Windows Defender (Windows 7).
ERROR 0xffffffef : One or more of the products found failed to update; returning this error
Deleted c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p
ERROR 0xffffffef : MpSigStubMain
End time: 17.04.2012 10:39
----------------------------------------------------------------------------------

And here is the successful update, after looking for windows updates manually and installing the defender update. avast! did not interfere here at all.

----------------------------------------------------------------------------------
Command:    c:\b938e948a89fd0342ec5\MPSigStub.exe  WD /q
Start time: 17.04.2012 10:43 (version 11.1.3927.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

             Microsoft Windows Defender (Windows 7):
     Status: Active                                 
    Product: 6.1.7600.16385                         
     Engine: 1.1.8202.0                             
 Signatures: 1.123.1683.0                           

================================ PackageDiscovery ================================

Package files discovered:
c:\b938e948a89fd0342ec5\mpasdlta.vdm (1.123.1936.0)

               AS Delta:   
       Engine: Not included
  AS base VDM: Not included
  AV base VDM: Not included
 AS delta VDM: 1.123.1936.0
 AV delta VDM: Not included

================================= MpUpdateEngine =================================

Package files for the engine update:
c:\b938e948a89fd0342ec5\mpasdlta.vdm (1.123.1936.0)

Updated from c:\b938e948a89fd0342ec5 (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (Windows 7) using the AS Delta package.

               Original:     Updated to:
 AS delta VDM: 1.123.1683.0  1.123.1936.0

Set DeltaUpdateFailure to 0
Set BddUpdateFailure to 0
Deleted c:\b938e948a89fd0342ec5\mpasdlta.vdm
End time: 17.04.2012 10:43
----------------------------------------------------------------------------------
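As an added triage helper (not code from the thread, from avast or from Microsoft), the following parses the mpsigstub.log layout posted above and answers the two questions that matter here: did the run die in PatchApplication, and which package file should be looked for in the resident AV's chest before retrying the update. The two sample logs are constructed from the posted ones, cut down to the relevant lines.

```python
import re
# Constructed excerpts in the layout of C:\windows\temp\mpsigstub.log as posted above.
FAILED_LOG = r"""
Package files discovered:
c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p (?.?.?.?)

ERROR 0xffffffef : ApplyVdmPatch(C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94C82271-A582-4C10-A343-809FF71783D9}\mpasdlta.vdm, c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p, c:\46a30492c161b189d597ef56838f1a\F4FFFCE3-ABB1-44C4-9D6E-CDDDF0D9B623mpasdlta.vdm)
         FailedFunction: PatchApplication                        P2
ERROR 0xffffffef : MpSigStubMain
"""
OK_LOG = r"""
Package files discovered:
c:\b938e948a89fd0342ec5\mpasdlta.vdm (1.123.1936.0)

MpSigStub successfully updated Microsoft Windows Defender (Windows 7) using the AS Delta package.
 AS delta VDM: 1.123.1683.0  1.123.1936.0
"""

def parse_mpsigstub_log(text):
    """Summarise one MpSigStub run: outcome, error code, failing stage, packages, versions."""
    s = {"success": False, "hresult": None, "failed_function": None,
         "errors": [], "packages": [], "updated_from": None, "updated_to": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        t = line.strip()
        if t == "Package files discovered:":
            # Package paths follow until the next blank line; drop the trailing " (version)".
            for pkg in lines[i + 1:]:
                if not pkg.strip():
                    break
                s["packages"].append(pkg.strip().rsplit(" (", 1)[0])
        elif t.startswith("ERROR "):
            code, _, msg = t[6:].partition(" : ")
            s["hresult"] = s["hresult"] or code
            s["errors"].append(msg)
        elif t.startswith("FailedFunction:"):
            s["failed_function"] = t.split(":", 1)[1].split()[0]
        elif "successfully updated" in t:
            s["success"] = True
        else:  # only the ValidateUpdate table lists "Original" and "Updated to" side by side
            m = re.match(r"AS delta VDM:\s*([\d.]+)\s+([\d.]+)$", t)
            if m:
                s["updated_from"], s["updated_to"] = m.groups()
    return s

def files_to_check_in_quarantine(summary):
    """A run that died in PatchApplication points at the discovered package files: look for them in the AV chest."""
    if summary["success"] or summary["failed_function"] != "PatchApplication":
        return []
    return list(summary["packages"])
```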

zygomatic

  • Guest
Re: Windows Defender definitions update is a virus?
« Reply #4 on: April 17, 2012, 11:57:23 AM »
The problem is that with the WD update, the virus signatures it is installing aren't encrypted or otherwise protected. So you have a resident antivirus installed, which is actively looking for such virus signatures and alerts when it finds them.

Well, I'm glad that we've settled this one. The fact that I'm not the only one having this issue puts me at ease also.

Would any of you guys be kind enough to tell me what to do with these viruses residing in the chest? There are the two that came from the Defender and another one called SWF:Dropper {Heur} caught on the internet in a separate incident...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Windows Defender definitions update is a virus?
« Reply #5 on: April 17, 2012, 12:10:39 PM »
Which file name was placed in the chest, as you only mention the malware name (signature) that was detected?

For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable windows defender.

Offline wonderwrench

  • Sr. Member
  • ****
  • Posts: 223
Re: Windows Defender definitions update is a virus?
« Reply #6 on: April 17, 2012, 01:11:36 PM »
I'm also running W7 64 bit but can't reproduce this problem. Is WD useless? IMO no, as it covers stuff most AVs miss, though if I start having problems I will disable it.

Bill
Main Box*i7 930*GB X58A-UD3R*3x4 gig Patriot DDR3 1600 EL*EVGA GTX 460 1 gig*Intel X25-M G2 80 gig*WD 2TB Green*ASUS DRW-24B3LT*Samsung SH-S223L*LG WH14NS40*Corsair AX750*Rosewill Challenger case*Windows 8 Pro 64 bit*Avast 8 Free 8.0.1482*MBAM Pro*Firefox 19.0.1*NoScript

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: Windows Defender definitions update is a virus?
« Reply #7 on: April 17, 2012, 01:36:52 PM »
Have not seen WD do anything avast/MBAM is not already doing.

zygomatic

  • Guest
Re: Windows Defender definitions update is a virus?
« Reply #8 on: April 17, 2012, 03:22:05 PM »
Which file name was placed in the chest, as you only mention the malware name (signature) that was detected?

For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable windows defender.

A screenshot of the virus chest is attached and I hope that it answers your question...
« Last Edit: April 17, 2012, 03:28:15 PM by zygomatic »

snk

  • Guest
Re: Windows Defender definitions update is a virus?
« Reply #9 on: April 17, 2012, 03:47:55 PM »
I have just experienced the Win32:Gremo inside the chest on my Windows Vista 32-bit laptop during an auto Defender scan!
After reading some of the above comments I decided to stop Defender's real-time scanning as useless, but to let it do a daily scheduled definitions update and quick scan.
If the problem continues I will stop Defender entirely.
The chest is already free from the Gremo... manually!

Nesivos

  • Guest
Re: Windows Defender definitions update is a virus?
« Reply #10 on: April 17, 2012, 04:09:03 PM »
Preferably, imo, you could just disable Defender as it's not doing anything that avast hasn't already got covered, and Defender's detection rate is next to useless.

I agree with disabling Windows Defender

As far as its detection rate goes, I don't know which version of WD is being used with W7, but with W8, which has the full-blown anti-malware program, the WD detection rate is excellent. The reason I disabled WD in W8-CP and switched back to avast! AIS after avast! 7 came out was not because of a better detection rate but because WD was significantly slowing down web page loading and file transfers. avast! 7 is a lot lighter than WD.

After I disabled WD, installed avast! 7 and scanned, avast! found only a couple of corrupted files, which I deleted. It found nothing else, and this was after using WD on W8-DP and W8-CP on my main computer for about six months. Note: I also ran Malwarebytes scans weekly during that six month period and it didn't find anything at all during that time. Of course it never finds anything with avast! running either ;D

Just my experience

cheers :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Windows Defender definitions update is a virus?
« Reply #11 on: April 17, 2012, 04:49:14 PM »
Which file name was placed in the chest, as you only mention the malware name (signature) that was detected?

For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable windows defender.

A screenshot of the virus chest is attached and I hope that it answers your question...


Yes, the first two appear to be temporary files in what is an installation folder, and they look like virus definitions updates. I would expect the folder and files to have been cleared after the update, but the interception by avast may have stopped the clearing of those folders.

The third one, an old detection in the chrome browser cache can safely be removed from the chest.

Generally there is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

zygomatic

  • Guest
Re: Windows Defender definitions update is a virus?
« Reply #12 on: April 17, 2012, 07:34:51 PM »
Thank you very much guys! You've been most helpful!  :) :) :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Windows Defender definitions update is a virus?
« Reply #13 on: April 17, 2012, 08:17:15 PM »
You're welcome.

Jack 1000

  • Guest
Re: Windows Defender definitions update is a virus?
« Reply #14 on: April 17, 2012, 09:26:42 PM »
If you have Avast,

1.) Turn off Windows Defender in Windows Vista, 7, or 8. You don't need it, and it is likely to create conflicts like the OP suggested.

2.) If you have Windows XP, uninstall Windows Defender. (You can't remove it from the other systems in #1, just disable it.)

Jack