Topic: Windows Defender definitions update is a virus?

Offline zygomatic

  • Newbie
  • *
  • Posts: 14
Windows Defender definitions update is a virus?
« on: April 17, 2012, 07:34:28 AM »
This is the second time for this to happen.
Windows 7 Ultimate 64bit notifies me that there's an update for Defender. I download it and the installation starts. All of a sudden there's a red alert from Avast 7 (7.0.1426) saying that a virus has been moved to the chest. I take a look at the installation of the definitions (Windows Defender) and it failed. The virus type is Win32:Gremo. Then, I run the update manually and the installation finishes without a problem. And it all happened on two separate occasions.

Help!  :(

Oh, by the way, what should I do with the viruses once they're inside the chest?

Offline craigb

  • avast! Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 8058
  • Gender: Male
Re: Windows Defender definitions update is a virus?
« Reply #1 on: April 17, 2012, 08:49:38 AM »
Preferably imo, you could just disable Defender as it's not doing anything that avast hasn't already got covered, and Defender's detection rate is next to useless.
Windows 8.1 Pro X64/ IE 11/ Avast 9.0.2016/ MBAM Premium 2

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69200
  • Gender: Male
  • No support PMs thanks
Re: Windows Defender definitions update is a virus?
« Reply #2 on: April 17, 2012, 09:25:53 AM »
The problem is that the virus signatures the WD update is installing aren't encrypted or otherwise protected. So you have a resident antivirus installed, which is actively looking for such virus signatures and alerts when it finds them.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline tscharlii

  • Newbie
  • *
  • Posts: 1
Re: Windows Defender definitions update is a virus?
« Reply #3 on: April 17, 2012, 09:31:00 AM »
I use avast! Free 7.0.1426 (virus definition: 120417-0) on Windows 7 64bit Professional and I'm experiencing almost the same issue as the thread starter, just a different virus.

Avast reports a Win32:Bolzano-W virus residing in a randomly named folder within C:\
It is accessed by the process C:\windows\system32\mpsigstub.exe.

Here is the log (C:\windows\temp\mpsigstub.log) of the failed automatic Windows Defender signature update. It failed because avast! interfered and I chose to put the file into quarantine:
Code:
----------------------------------------------------------------------------------
Command:    MpSigStub.exe /program c:\46a30492c161b189d597ef56838f1a\MpMiniSigStub.exe  WD /q
Start time: 17.04.2012 10:36 (version 11.1.3927.0)

=================================== ProductSearch ==================================

             Microsoft Windows Defender (Windows 7):
     Status: Active                                 
    Product: 6.1.7600.16385                         
     Engine: 1.1.8202.0                             
 Signatures: 1.123.1683.0                           

================================ PackageDiscovery ================================

Package files discovered:
c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p (?.?.?.?)

               AS BDD:     
       Engine: Not included
  AS base VDM: Not included
  AV base VDM: Not included
 AS delta VDM: 1.123.1936.0
 AV delta VDM: Not included

================================ PatchApplication ================================

Using directory c:\46a30492c161b189d597ef56838f1a for temporary storage,
ERROR 0xffffffef : ApplyVdmPatch(C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94C82271-A582-4C10-A343-809FF71783D9}\mpasdlta.vdm, c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p, c:\46a30492c161b189d597ef56838f1a\F4FFFCE3-ABB1-44C4-9D6E-CDDDF0D9B623mpasdlta.vdm)

                         Watson Report:                          Position:
                HRESULT: 0xffffffef                              P1       
         FailedFunction: PatchApplication                        P2       
              Operation: AS BDD                                  P3       
 SourceComponentVersion: 11.1.3927.0                             P4       
    SourceComponentName: mpsigstub.exe                           P5       
         ProductVersion: 6.1.7600.16385                          P6       
            ProductName: Microsoft Windows Defender (Windows 7)  P7       

Set BddUpdateFailure to 1
ERROR 0xffffffef : One or more of the packages found failed to update for Microsoft Windows Defender (Windows 7).
ERROR 0xffffffef : One or more of the products found failed to update; returning this error
Deleted c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p
ERROR 0xffffffef : MpSigStubMain
End time: 17.04.2012 10:39
----------------------------------------------------------------------------------

And here is the successful update, after looking for Windows updates manually and installing the Defender update. avast! did not interfere here at all.

Code:
----------------------------------------------------------------------------------
Command:    c:\b938e948a89fd0342ec5\MPSigStub.exe  WD /q
Start time: 17.04.2012 10:43 (version 11.1.3927.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe

=================================== ProductSearch ==================================

             Microsoft Windows Defender (Windows 7):
     Status: Active                                 
    Product: 6.1.7600.16385                         
     Engine: 1.1.8202.0                             
 Signatures: 1.123.1683.0                           

================================ PackageDiscovery ================================

Package files discovered:
c:\b938e948a89fd0342ec5\mpasdlta.vdm (1.123.1936.0)

               AS Delta:   
       Engine: Not included
  AS base VDM: Not included
  AV base VDM: Not included
 AS delta VDM: 1.123.1936.0
 AV delta VDM: Not included

================================= MpUpdateEngine =================================

Package files for the engine update:
c:\b938e948a89fd0342ec5\mpasdlta.vdm (1.123.1936.0)

Updated from c:\b938e948a89fd0342ec5 (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (Windows 7) using the AS Delta package.

               Original:     Updated to:
 AS delta VDM: 1.123.1683.0  1.123.1936.0

Set DeltaUpdateFailure to 0
Set BddUpdateFailure to 0
Deleted c:\b938e948a89fd0342ec5\mpasdlta.vdm
End time: 17.04.2012 10:43
----------------------------------------------------------------------------------
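The two MpSigStub.log excerpts above record the same definition update first failing in ApplyVdmPatch (while avast! held the delta file) and then succeeding. As an added example, not code from the thread, from Microsoft or from Avast, the Python below parses that log format, pulls out the random-named extraction folder and every package path MpSigStub names, and then checks whether a quarantined file's path is one of them. That is the question a practitioner wants answered before deleting anything from the chest: was the "virus" the update's own temporary file, or something unrelated? The log texts are shortened copies of the excerpts posted above; the quarantine entries (paths and detection names) are assumed, since the screenshot is not reproduced here.

```python
r"""Cross-check antivirus quarantine entries against Windows Defender's
definition-update log (C:\Windows\Temp\MpSigStub.log).
Added example for this thread, not Microsoft's or Avast's code. The log
texts are shortened copies of the excerpts posted above; the quarantine
entries (paths and detection names) are assumed."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Absolute Windows path as MpSigStub.log delimits them (whitespace, commas,
# parentheses). Paths with spaces are cut at the space; the random-named
# extraction folders this check cares about contain none.
_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,()]+")
_ERROR_RE = re.compile(r"^ERROR\s+(0x[0-9A-Fa-f]+)\s*:\s*(.*)$")
# MpSigStub unpacks the update into a folder directly under the drive root
# with a random hex name (c:\46a30492c161b189d597ef56838f1a in the thread).
_TEMP_DIR_RE = re.compile(r"^[A-Za-z]:\\[0-9A-Fa-f]{16,}$")
_SUCCESS_RE = re.compile(r"^MpSigStub successfully updated")

@dataclass
class SigStubRun:
    command: str = ""
    paths: set = field(default_factory=set)      # every path mentioned, lowercased
    temp_dirs: set = field(default_factory=set)  # random-named extraction folders
    errors: list = field(default_factory=list)   # (code, message) in log order
    succeeded: bool = False

def parse_mpsigstub_log(text: str) -> SigStubRun:
    run = SigStubRun()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Command:"):
            run.command = line.split(":", 1)[1].strip()
        m = _ERROR_RE.match(line)
        if m:
            run.errors.append((m.group(1).lower(), m.group(2)))
        if _SUCCESS_RE.match(line):
            run.succeeded = True
        for p in _PATH_RE.findall(line):
            norm = p.lower()
            run.paths.add(norm)
            # A path can be the extraction folder itself or a file inside it.
            for candidate in (norm, str(PureWindowsPath(norm).parent)):
                if _TEMP_DIR_RE.match(candidate):
                    run.temp_dirs.add(candidate)
    return run

def summarize(run: SigStubRun) -> dict:
    """Outcome, distinct error codes, and the function that failed first."""
    return {
        "succeeded": run.succeeded,
        "codes": sorted({code for code, _ in run.errors}),
        "first_failure": run.errors[0][1].split("(")[0] if run.errors else None,
        "temp_dirs": sorted(run.temp_dirs),
    }

def classify_quarantined(path: str, run: SigStubRun) -> str:
    """Relate one quarantined file to the update recorded in the log."""
    norm = path.lower()
    if norm in run.paths:
        return "update package named in MpSigStub.log"
    if str(PureWindowsPath(norm).parent) in run.temp_dirs:
        return "file inside an MpSigStub extraction folder"
    return "unrelated to this Defender update"

def triage(log_text: str, quarantine) -> list:
    run = parse_mpsigstub_log(log_text)
    return [(path, det, classify_quarantined(path, run)) for path, det in quarantine]

# Constructed from the failed run posted above (non-essential lines dropped).
FAILED_LOG = r"""
Command:    MpSigStub.exe /program c:\46a30492c161b189d597ef56838f1a\MpMiniSigStub.exe  WD /q
c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p (?.?.?.?)
Using directory c:\46a30492c161b189d597ef56838f1a for temporary storage,
ERROR 0xffffffef : ApplyVdmPatch(C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{94C82271-A582-4C10-A343-809FF71783D9}\mpasdlta.vdm, c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p, c:\46a30492c161b189d597ef56838f1a\F4FFFCE3-ABB1-44C4-9D6E-CDDDF0D9B623mpasdlta.vdm)
ERROR 0xffffffef : One or more of the packages found failed to update for Microsoft Windows Defender (Windows 7).
Deleted c:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p
ERROR 0xffffffef : MpSigStubMain
"""
# Constructed from the successful run posted above.
SUCCESS_LOG = r"""
Command:    c:\b938e948a89fd0342ec5\MPSigStub.exe  WD /q
Copied MpSigStub.exe to C:\Windows\system32\MpSigStub.exe
c:\b938e948a89fd0342ec5\mpasdlta.vdm (1.123.1936.0)
Updated from c:\b938e948a89fd0342ec5 (0x0)
MpSigStub successfully updated Microsoft Windows Defender (Windows 7) using the AS Delta package.
Deleted c:\b938e948a89fd0342ec5\mpasdlta.vdm
"""
# Assumed chest entries: the delta file the failed run named, and an
# unrelated browser-cache detection like the third one in the thread.
QUARANTINE = [
    (r"C:\46a30492c161b189d597ef56838f1a\1.123.1683.0_to_1.123.1936.0_mpasdlta.vdm._p", "Win32:Gremo"),
    (r"C:\Users\example\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000123", "SWF:Dropper {Heur}"),
]

if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("succeeded", SUCCESS_LOG)):
        print(name, summarize(parse_mpsigstub_log(log)))
    for path, det, verdict in triage(FAILED_LOG, QUARANTINE):
        print(f"{det:20} {verdict:42} {path}")
```

The check ties a chest entry to a path the updater itself logged, which is stronger than "it sat in a random hex folder under C:\" on its own: any dropper can create such a folder, so a folder-name pattern alone is not a safe exclusion rule. If the verdict is "update package named in MpSigStub.log", the entry is the definition delta that the other scanner flagged, and the real fix is to stop two resident scanners competing for the same files, not to whitelist C:\ wholesale.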

Offline zygomatic

  • Newbie
  • *
  • Posts: 14
Re: Windows Defender definitions update is a virus?
« Reply #4 on: April 17, 2012, 09:57:23 AM »
The problem is that the virus signatures the WD update is installing aren't encrypted or otherwise protected. So you have a resident antivirus installed, which is actively looking for such virus signatures and alerts when it finds them.

Well, I'm glad that we've settled this one. The fact that I'm not the only one having this issue puts me at ease also.

If any of you guys would be kind enough to tell me what to do with these viruses residing in the chest. There are the two that came from the Defender and another one called SWF:Dropper {Heur} caught on the internet in a separate incident...

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69200
  • Gender: Male
  • No support PMs thanks
Re: Windows Defender definitions update is a virus?
« Reply #5 on: April 17, 2012, 10:10:39 AM »
Which file name was placed in the chest as you only mention the malware name (signature) that was detected ?

For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable windows defender.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline wonderwrench

  • Sr. Member
  • ****
  • Posts: 226
Re: Windows Defender definitions update is a virus?
« Reply #6 on: April 17, 2012, 11:11:36 AM »
I'm also running W7 64 bit but can't reproduce this problem. Is WD useless? IMO no, as it covers stuff most AVs miss, though if I start having problems I will disable it.

Bill
Main Box*i7 930*GB X58A-UD3R*3x4 gig Patriot DDR3 1600 EL*EVGA GTX 460 1 gig*Intel X25-M G2 80 gig*WD 2TB Green*ASUS DRW-24B3LT*Samsung SH-S223L*LG WH14NS40*Corsair AX750*Rosewill Challenger case*Windows 8 Pro 64 bit*Avast 8 Free 8.0.1482*MBAM Pro*Firefox 19.0.1*NoScript

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21649
  • Gender: Male
Re: Windows Defender definitions update is a virus?
« Reply #7 on: April 17, 2012, 11:36:52 AM »
Have not seen WD do anything avast/MBAM is not already doing.
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline zygomatic

  • Newbie
  • *
  • Posts: 14
Re: Windows Defender definitions update is a virus?
« Reply #8 on: April 17, 2012, 01:22:05 PM »
Which file name was placed in the chest as you only mention the malware name (signature) that was detected ?

For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable windows defender.

A screenshot of the virus chest is attached and I hope that it answers your question...
« Last Edit: April 17, 2012, 01:28:15 PM by zygomatic »

Offline snk

  • Newbie
  • *
  • Posts: 9
Re: Windows Defender definitions update is a virus?
« Reply #9 on: April 17, 2012, 01:47:55 PM »
I have just experienced the Win32:Gremo inside the chest on my Windows Vista 32-bit laptop during an auto Defender scan.
After reading some of the above comments, I decided to stop the real-time scanning of Defender as useless but to leave it a daily programmed definitions update and quick scan.
If the problem continues I will stop Defender entirely.
The chest is already free from the Gremo... manually!

Offline Nesivos

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1360
  • Gender: Male
  • Artists Rendering of New Pauley Pavilion @ UCLA
Re: Windows Defender definitions update is a virus?
« Reply #10 on: April 17, 2012, 02:09:03 PM »
Preferably imo, you could just disable Defender as it's not doing anything that avast hasn't already got covered, and Defender's detection rate is next to useless.

I agree with disabling Windows Defender

As far as its detection rate goes, I don't know which version of WD is being used with W7, but with W8, which has the full-blown anti-malware program, the WD detection rate is excellent. The reason I disabled WD in W8-CP and switched back to avast! AIS after avast! 7 came out was not because of a better detection rate but because WD was significantly slowing down web page loading and file transfers. avast! 7 is a lot lighter than WD.

After I disabled WD, installed avast! 7 and scanned avast! found only a couple of corrupted files which I deleted.  It found nothing else and this was after using WD on W8-DP and W8-CP on my main computer for about six months.  Note:  I also ran Malwarebytes scans weekly during that six month period and it didn't find anything at all during that time.  Of course it never finds anything with avast! running either ;D   

Just my experience

cheers :)
OS: W7-SP1, Security: AIS 7, SAS Pro, WinPatrol Plus Network:2 Dell 570MT x64 1 Dell 660 Desktop with 8GB RAM Default Browser & Email: Firefox & Thunderbird latest Betas

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69200
  • Gender: Male
  • No support PMs thanks
Re: Windows Defender definitions update is a virus?
« Reply #11 on: April 17, 2012, 02:49:14 PM »
Which file name was placed in the chest as you only mention the malware name (signature) that was detected ?

For the most part you should be able to remove them, as they are probably temporary files. Personally I too would disable windows defender.

A screenshot of the virus chest is attached and I hope that it answers your question...


Yes, the first two appear to be temporary files in what is an installation folder and they look like virus definitions updates. I would expect the folder and files to have been cleared after the update, but the interception by avast may have stopped the clearing of those folders.

The third one, an old detection in the chrome browser cache can safely be removed from the chest.

Generally there is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline zygomatic

  • Newbie
  • *
  • Posts: 14
Re: Windows Defender definitions update is a virus?
« Reply #12 on: April 17, 2012, 05:34:51 PM »
Thank you very much guys! You've been most helpful!  :) :) :)

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69200
  • Gender: Male
  • No support PMs thanks
Re: Windows Defender definitions update is a virus?
« Reply #13 on: April 17, 2012, 06:17:15 PM »
You're welcome.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Jack 1000

  • Poster
  • *
  • Posts: 623
Re: Windows Defender definitions update is a virus?
« Reply #14 on: April 17, 2012, 07:26:42 PM »
If you have Avast,

1.) Turn off Windows Defender in Windows Vista, 7, or 8. You don't need it, and it is likely to create conflicts like the OP suggested.

2.) If you have Windows XP, uninstall Windows Defender, (You can't remove it from the other systems in #1, just disable it.)

Jack
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM

 
