McAfee VirusScan 8 stops Windows Defender signature downloads


Guest

I have just installed Defender on a test VM and encountered the following
behaviour. The first signature update failed with an error, and I checked the
McAfee VirusScan 8 access protection logs and found the following entries:
-------------------------------------------------------------
24/02/2006 12:33:56 Blocked by behaviour blocking rule NT
AUTHORITY\SYSTEM MsMpEng.exe C:\WINDOWS\system32\tftp.exe Prevent use of
tftp.exe because some worms use it. Action blocked :Read
24/02/2006 12:34:36 Blocked by behaviour blocking rule NT
AUTHORITY\SYSTEM MsMpEng.exe C:\WINDOWS\system32\dllcache\tftp.exe Prevent
use of tftp.exe because some worms use it. Action blocked :Read
---------------------------------------------------------------

I then checked the open TCP connections and noticed that svchost.exe was
trying to connect to Windows Update; the McAfee log had many entries for the
attempts, saying that it was blocking downloads from the web. I resolved this
issue by adding svchost.exe to the allowed list of executables in Access
Protection for McAfee; in other words, I allowed svchost to download over port
80.

I have some questions/suggestions:

-Why does WD try to use tftp when this is a known and usually blocked method?

-Why doesn't the interface tell me that it's downloading from Windows Update
or give any indication of why it's failing? Luckily I know my way around ports
etc., but most people would be lost. I suggest a more informative message in
the GUI.

-Where are the log files for WD? I could find no record showing the download
error, why it may be happening, etc.; I only had it in the taskbar popup, which
doesn't say anything other than an error string.

I like the new simple UI, but don't take out the ability to see status and
the ability to manually trigger an update.

Thx
Tim
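The triage in the post above (reading the Access Protection log to see which process a McAfee rule stopped, and what it was reaching for) can be done with a short script rather than by eye. The example below is added here and is not code from the thread or from McAfee: it re-assembles entries that were wrapped across several lines, as in the paste above, parses each into its fields, and counts blocks per process, rule and action. The first two sample entries are the ones quoted in the post; the third is a constructed, hypothetical port-blocking entry standing in for the svchost.exe blocks the poster mentions but does not quote, and the field layout assumed by the regular expression is taken from the quoted lines only.

```python
"""Parse McAfee VirusScan 8 Access Protection log entries and summarise
which process was blocked by which rule. Added example, not from the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample. Entries 1 and 2 are the ones quoted in the thread, kept
# with the forum's line wrapping; entry 3 is hypothetical (rule text, address
# and event type invented) to give the summary a second process.
SAMPLE_LOG = r"""24/02/2006 12:33:56 Blocked by behaviour blocking rule NT
AUTHORITY\SYSTEM MsMpEng.exe C:\WINDOWS\system32\tftp.exe Prevent use of
tftp.exe because some worms use it. Action blocked :Read
24/02/2006 12:34:36 Blocked by behaviour blocking rule NT
AUTHORITY\SYSTEM MsMpEng.exe C:\WINDOWS\system32\dllcache\tftp.exe Prevent
use of tftp.exe because some worms use it. Action blocked :Read
24/02/2006 12:35:02 Blocked by port blocking rule NT AUTHORITY\SYSTEM svchost.exe 203.0.113.10:80 Hypothetical rule blocking outbound HTTP Action blocked :Outbound
"""

# An entry starts with "dd/mm/yyyy hh:mm:ss "; anything else is a wrapped tail.
NEW_RECORD = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")

# Field layout as seen in the quoted lines (assumed, not from McAfee docs).
ENTRY = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>Blocked by \w+ blocking rule) "
    r"(?P<user>.+?) "            # may contain a space, e.g. NT AUTHORITY\SYSTEM
    r"(?P<process>\S+\.exe) "    # the process Access Protection stopped
    r"(?P<target>\S+) "          # file path, or host:port for a port rule
    r"(?P<rule>.+?) "            # free-text rule description
    r"Action blocked :(?P<action>\w+)$"
)


@dataclass(frozen=True)
class APEvent:
    when: datetime
    event: str
    user: str
    process: str
    target: str
    rule: str
    action: str


def rejoin_wrapped(text: str) -> list[str]:
    """Glue continuation lines back onto the entry they belong to."""
    entries: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if NEW_RECORD.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_log(text: str) -> list[APEvent]:
    """Parse every entry; an unrecognised one raises rather than being dropped,
    because a silently skipped block is exactly the line you needed."""
    events: list[APEvent] = []
    for entry in rejoin_wrapped(text):
        m = ENTRY.match(entry)
        if m is None:
            raise ValueError(f"unrecognised Access Protection entry: {entry!r}")
        events.append(APEvent(
            when=datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S"),
            event=m["event"], user=m["user"], process=m["process"],
            target=m["target"], rule=m["rule"], action=m["action"]))
    return events


def summarize(events: list[APEvent]) -> Counter:
    """Blocks per (process, rule, action): the first view to check when a
    service starts failing right after the AV product was installed."""
    return Counter((e.process, e.rule, e.action) for e in events)


def blocks_for_process(events: list[APEvent], process: str) -> list[APEvent]:
    """Every block attributed to one executable, oldest first."""
    return sorted((e for e in events if e.process.lower() == process.lower()),
                  key=lambda e: e.when)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (proc, rule, action), n in summarize(evs).most_common():
        print(f"{n:3d}  {proc:<12} {action:<9} {rule}")
    for e in blocks_for_process(evs, "MsMpEng.exe"):
        print(e.when.isoformat(sep=" "), e.target)
```

Run against a real AccessProtectionLog.txt the same way; if the file turns out to be tab-separated rather than space-joined, the pattern above still matches because `\s` is not relied on between fields beyond the single literal spaces, but the wrapped-line rejoin is only needed for text pasted from a mail or forum client.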
 

Bill Sanderson

I can give a few answers. WindowsUpdate/autoupdate/WSUS are the update
methods for Windows Defender. Not sure why this isn't printed in large
letters on the box.

The sig updates and scans are done by mpcmdrun.exe.

You can find a text log for this in %windowsroot%\temp--or at least I did on
a Windows 2000 box I was just working on.

Additionally, logging is done to the System event log, with source
WinDefend.

The tftp reference is a mystery to me, too. It should be using AutoUpdate
and bits. If tftp is involved in those mechanisms, it's something I had not
heard before.
 

Guest

Thanks Bill, a few more queries based on your info....

How do you manually trigger a signature update?

I have checked for logs and can't find any. Any other places they should be?

I have checked the system log and nothing was logged for the download
failures (bad), only a success event when it worked.
 

Bill Sanderson

You can go to Help, about, and click check for updates.

Or you can do start, run, \program files\windows defender\mpcmdrun
signatureupdate <enter>

Or you can go to WindowsUpdate and click express.

--
 

Bill Sanderson

Sorry--accidental send:

You should find mpcmdrun.log in \windows\temp, or \winnt\temp or the temp
subdirectory of however your Windows install location is named.

--
 

Guest

Found the log. It's all in WindowsUpdate.log in c:\windows: errors etc.
Not in the event log though, which is bad.

Manual update trigger is in Help, About. Why isn't this on the Home page
of WD?
 

Bill Sanderson

The trigger is well hidden because it is updating via WindowsUpdate or
Autoupdate--and is set by default to trigger a sig update before a scan.

--
 