Windows Defender running with WSUS

Guest

Here is an update - Windows Defender has been enabled on the WSUS server -
however, no downloads have come down - the service is running locally on the
client workstations - but still cannot reach the update server. The first
message is that Defender is connecting to obtain updates - after several
seconds the message comes up that No new definition files or updates for
Windows Defender are available. However on the home page of Windows
Defender-- there is displayed that definitions have not been updated in 103
days.
LCD
 
Bill Sanderson MVP

This is the best description of the several steps that the WSUS
administrator needs to take to enable Windows Defender definitions over
WSUS:

-----------------------
If your windows update is pointing to your local WSUS, then you must include
the Windows Defender in synchronization setting.
In Products selection, please include Windows Defender
In Update classifications, please include Definition Updates

You must synchronize the server and approve the definition for clients to
get the latest definition.

Regards,
Cheong
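
The steps quoted above (select the product and classification, synchronize, approve), as an added example that is not part of the original posts. It assumes a WSUS server with the UpdateServices PowerShell module (Windows Server 2012 or later, which postdates this thread), an elevated session on the server itself, and the default "All Computers" target group.

```powershell
# Added example: assumes the UpdateServices module and a local WSUS server.
Import-Module UpdateServices
$wsus = Get-WsusServer

# 1. Subscribe to the Windows Defender product and the
#    Definition Updates classification.
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -eq 'Windows Defender' } |
    Set-WsusProduct
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -eq 'Definition Updates' } |
    Set-WsusClassification

# 2. Synchronize and wait for the run to finish.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()
do { Start-Sleep -Seconds 15 }
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing')

# Report the outcome, so a failed sync is not mistaken for "no updates".
$last = $subscription.GetLastSynchronizationInfo()
"Last sync result: $($last.Result), error: $($last.Error)"

# 3. Collect Defender definition updates that are still unapproved.
$pending = Get-WsusUpdate -UpdateServer $wsus -Classification All `
        -Approval Unapproved -Status Any |
    Where-Object {
        $_.Update.UpdateClassificationTitle -eq 'Definition Updates' -and
        $_.Update.ProductTitles -contains 'Windows Defender' -and
        -not $_.Update.IsSuperseded
    }

if (-not $pending) {
    Write-Warning 'No unapproved Defender definitions found; check the sync result and subscription.'
} else {
    # 4. Approve them for installation so clients can pick them up.
    $pending | Approve-WsusUpdate -Action Install -TargetGroupName 'All Computers'
}
```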
 
Guest

I have the WSUS set for Defender in products and update classifications set
to include definition updates. I have synched the WSUS server 2-3 times -
but no updates are coming down to the WSUS server. I know the client is
seeing the server - but no updates are getting to the server. I am getting
other updates - i.e. for XP and Office but nothing for Defender. Is there a
setting somewhere I am missing?
 
Bill Sanderson MVP

I can't tell what you are doing wrong--I'm afraid I have zero hands-on
experience with WSUS--so I'm not much help. Here's a group where you may
get a better response, though:

http://www.microsoft.com/technet/community/newsgroups/topics/sus.mspx

Click on number 2, under active WSUS groups.

You might also try a search--I know there's been discussion on the topic,
but I don't recall seeing an exhaustive step by step.

--
 
Guest

Bill,
Have a couple more questions:
Now the defender is running with WSUS next stage is deploy the defender to
the users. Can Defender be deployed via Group Policy?

Also, can defender run on a system that is also running Malicious software
removal tool?
 
Bill Sanderson MVP

I can't answer this one from direct experience, and I can repeat Microsoft's
recommendation that beta software not be deployed on production software.
Additionally, I can say that there are messages in these groups from admins
unhappy that Windows Defender has allowed users to block either
administrative scripts or software (dameware, for example) used for
administrative purposes.

The MSI package seems to respond to normal switches--I've done both silent
installs and uninstalls from a command prompt.

So--I don't know any reason why this wouldn't work, but I've never tried it,
and it isn't recommended.

Except for the warning to turn off antivirus and antispyware scanners during
installation, the known issues don't show any conflicts with other antivirus
or antispyware apps. I've seen nothing at all related to the Malicious
Software Removal tool in these groups--except some occasional confusion
between the two products. There are definitely some issues with Defender
dialogs about antivirus app activity, and antivirus apps logging activity
from Windows Defender.

--
 
Guest

Well tried to deploy through GPO - could create the package, and could run
the package from the client computer - but could not get a successful install.

I have a small group of beta testers (about 13-14) running all sorts of
different software on their systems. So far installation and running has
been very smooth. However, I have one system that is getting a Symantec
Antivirus error:
Symantec Tamper Protection Alert
Target: c:\Program files\common files\Symantec Shared\ccApp.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Program files\Windows Defender\MSmpENG.exe(PIDxxxxxxxx)
When trying to address this by adding folders to Defender to ignore or
allow, etc. get the same error. Have you run across this before? The other
Beta Testers also have Norton running on their systems - but do not get this
message, so I am pretty sure it is something about the computer?
 
Bill Sanderson MVP

The Symantec issue is posted a number of times in some of the other
groups--basically, view it as a "known issue"--Microsoft knows about it, but
the situation hasn't changed.

These log entries involve an optional setting in some Norton versions--so
other machines on which you don't see this are either running
different versions, or don't have the tamper-protection option turned on.

As far as I am aware, there's no harm going on here--just these ominous
sounding log messages. The workaround is to turn off the feature, or ignore
the log messages. Some folks have tried the exclude from scanning route,
but without success. Oh--you can also "fix" this by turning off one of the
real-time protection elements: "Application Execution."

Here's what the help has to say about what that protects against:
---
Monitors when programs start and any operations they perform while running.
Spyware and other potentially unwanted software can use vulnerabilities in
programs that you have installed to run harmful or unwanted software without
your knowledge. For example, spyware can run itself in the background when
you start a program that you frequently use. Windows Defender monitors your
programs and alerts you if suspicious activity is detected.
---
Given that we have, I think, several incidents in the past few months of
vulnerabilities in several prominent anti-virus vendors' application code, I
would not want to turn this off. Any app that deals with binaries from the
outside world can constitute a vulnerability, and the binaries that
anti-virus vendors deal with are particularly likely to constitute a risk.
--

Thinking about this, I suspect that Symantec would say "turn off the
Microsoft feature," just as they do about the Windows firewall, and Security
center. Perhaps Symantec's tamper-protection feature provides the same
level of protection for Symantec's executables as Windows Defender does.
However, the Windows features protect all the applications on the system,
not just Symantec's.
 
Guest

Thanks Bill, that was it - but one thing I found - the Tamper protection is 2
parts - you can have it enabled but disable the message part.
 
Guest

Hi Turbo,

I am facing the same problem that you did with WSUS. WSUS is not able to
download any definitions for Windows Defender.

Please tell me what you did to solve your problem. All help greatly
appreciated.

Thanks
 
