Reoccurring Defender definition update

Guest

Definition Update 1.14.1921.2 for Windows Defender (KB915597)

Download size: 771 KB

Update type: Important

This one started to appear yesterday on WUS and I got it installed 5 times
by now; however, it still keeps appearing, even with Defender
disabled. Otherwise I am on Vista Ultimate RTM.

How do I get rid of this and if not how do I notify MS about this apparent
bug?

Is there a way to deinstall defender entirely from vista?
 
Bill Sanderson MVP

You can turn Windows Defender off--see the options very near the end of the
list in tools, options. You also have to tell the Security center not to
bug you about your decision. I don't recommend making this choice.

This is what I'd try for your situation:

Go to a command prompt--preferably an elevated command prompt, in the
Windows Defender installation folder

i.e. start, all programs, accessories, right-click command prompt and choose
run as administrator, and assent to the elevation. In the command prompt
window, cd \program files\windows defender.

type:

mpcmdrun /RemoveDefinitions /All

and hit enter, then exit to close the command prompt window.

Then go to WindowsUpdate and do an express scan, or within Windows Defender,
go to Help, check for updates.

Apply updates offered.

This should take care of the repeats. WSUS is a factor I can't predict
well--I don't have direct experience with it--but I think that if the
current definitions are available on the WSUS server, you'll end up current
via this process, and the repeats will stop.
 
Guest

Bill,

I appreciate your support and input, but unfortunately your suggestion does
not work. I got Defender disabled via group policy; I am not too fond of it
(it is not a bad product, but not a good one either, in my opinion).
Actually I would like to remove Defender, but haven't yet found a way to do
it.

Anyways, I have been following through your mentioned sequences, but this
definition update keeps on popping up. I am pretty sure that this is a bug in
Vista / WSUS; perhaps MS did not thoroughly consider this to happen, at least
in the Ultimate version, as it is used more by private users than Enterprise.
Probably this issue will not occur in the Enterprise as Corporations will be
turning it off mostly anyway.
 
Bill Sanderson MVP

Sorry--not sure what is happening--next step would be to look at the log
file--probably %windir%\windowsupdate.log unless that is different when WSUS
is involved, and see whether there are specific errors noted in the
installation process for that update.

Windows Defender is definitely not targeted at the enterprise market, or
even much of the WSUS market. However, Microsoft has other anti-malware
products which are definitely targeted towards that market, and I'd bet
that they share considerable code with Windows Defender.

I doubt this is Ultimate related--I run that on my laptop, and haven't seen
any issues, but I am running Microsoft Forefront Client Protection, which is
now in public beta, and much better suited to a managed environment.

--
 
Guest

I looked already at the WUS log, no errors though. I bet it is because
Defender is not running. Why do you doubt that this could be a flaw? Your
laptop installation seems to be different than mine, thus you cannot rule out
a bug:

- Why is WUS delivering Defender definition updates in the first place
while Defender is locked down by group policy as well as being disabled
in services, and thus there is no need for such updates?
- Why is there no option to deinstall Defender entirely?
- Why can I not simply uncheck this update and choose to ignore it, as
used to be the case in XP?

From my point of view that makes it already 3 bugs...
 
Bill Sanderson MVP

Which group policy settings did you use? I haven't looked at what are
available on Vista, but perhaps they are the same as on XP?
----
Setting                                                              State
Turn off Windows Defender                                            Not configured
Turn off Real-Time Protection Prompts for Unknown Detection          Not configured
Check for New Signatures Before Scheduled Scans                      Not configured
Download Entire Signature Set                                        Not configured
Enable Logging Known Good Detections                                 Not configured
Enable Logging Unknown Detections                                    Not configured
Configure Microsoft SpyNet Reporting                                 Not configured
Turn on definition updates through both WSUS and Windows Update      Not configured
-----
Did you disable the service directly, or did you use the Tools, Options and
disable within the app?

I don't know why there's no uninstall for Defender under Vista, but I can't
say it bothers me any--the options to turn it off seem enough.

I doubt that what you are seeing is by design--so perhaps there's a bug
involved, but I wonder whether your choice of how to disable Defender is
what's creating the problem.


--
 
Guest

Bill,

thanks again for your input. Vista group policy settings in general are a
bit different (more advanced) than XP; however, the Defender settings are
similar.

I am not yet certain, but it could be that this recurrence happened due to
using the domain profile for applying the group policy, in which I did not
define "Turn on definition updates through both WSUS and Windows Update".
So, I inverted the domain policy, i.e. made Defender run again, installed the
update now for the 112th time, then turned off Defender from within
defender-tools-options, then applied local group policies, such as "Turn off
Windows Defender - enabled" and "Turn on definition updates through both WSUS
and Windows Update - disabled". So far the Defender definition update did
not pop up again and I hope it stays that way in the future.

Meanwhile I also took a peek at forefront client security. I did not have a
look under the hood, but on the surface it seems pretty much the same as
Defender, except you get all the server-client control/policies stuff.

Anyways, thanks again for the support.

Cheers
 
Guest

Bummer, this is a serious bug, which should be elevated with MS, though I do
not know with whom...

Today a new Defender definition update appeared on WSUS and despite having
disabled Defender and its updates they are still being delivered via WSUS and
keep on reoccurring unless I put Defender back into active state, then deploy
the definition update and then lock down Defender again.

Here is a screenshot - http://i17.tinypic.com/49lifsp.png

I reckon that this should be investigated.
 
Bill Sanderson MVP

Here's my suggestion. I don't have WSUS to try to replicate what is
happening. I'd strongly recommend that you post this issue in a
WSUS-related group. That should get eyes on it that know WSUS. I know from
experience that there are many WSUS admins that are deploying Windows
Defender definitions.

Via NNTP, that group would be:
microsoft.public.windows.server.update_services

Or, via HTML--links found on this page:

http://www.microsoft.com/technet/community/en-us/sus/default.mspx

I'm quite sure this interaction--Windows Defender and WSUS is getting plenty
of exercise, and yours is the first post of this kind I've seen--although I
don't read the WSUS group except sporadically.

I'm not sure how many folks are updating Vista via WSUS yet, though....

--
 
