Windows Security Center reports that Defender is off

Guest

Just installed Windows Vista (from MSDN) which includes Windows Defender.
After a couple of days the Windows Security Center showed a notification that
Defender is off. When I click the "Turn on now" button it tries to update the
definitions. After finding no new definitions it goes back to showing that
Defender is off. Checked Windows Defender service and it is started. Stop and
Start/Restart doesn't help. Event Viewer shows this error "The Windows
Security Center Service was unable to establish event queries with WMI to
monitor third party AntiVirus, AntiSpyware and Firewall". Since it is bundled
with Vista, I am not able to uninstall or reinstall it. Any ideas on what may
be happening?
 
Bill Sanderson MVP

Weird. I think I'd start by troubleshooting definition update.

If you go to Windows Update, are you offered definitions for Windows
Defender?

Are you on a network which manages updates, via SUS or WSUS, perhaps?
 
Guest

Have you installed an Antivirus program? Some AV and other antimalware
packages, including Windows Live OneCare, are disabling Windows Defender now
that it's possible to do this. It's possible that this is happening, but the
selection to allow Windows Security Center to monitor Defender is still
enabled, resulting in an alert.

It's also possible something else like malware might be disabling Defender,
so I'd still investigate to be certain.

Bitman
 
Guest

Hi Bill,

Checked Windows Update but there are no pending updates. Also, this is a home
PC so no managed updates.

Have been out of this for quite a while so this may be a stupid question but
is there any way to manually update the definitions for Windows Defender?
 
Guest

I installed AVG Free, but after the issue occurred, to check if I had any
viruses. I also ran a Live OneCare scan to see if any spyware etc was causing
the issue but the machine appears to be clean.

I have other software like VS 2005, VSS 2005, MSSQL 2005, iTunes etc. These
have some known compatibility issues with Vista.

Do you know if I can monitor the calls between Security Center and Windows
Defender?
 
Guest

Other than the possible side effects of the other software you mentioned, I
can't see a reason for this problem.

Since your issue is really with Vista, not Defender, I'd think you'd be
better off asking this in those forums. There's enough difference in the
operating system and the version of Defender that's included that the problem
may only display in that OS.

Bitman
 
Bill Sanderson MVP

Things change--so there aren't any stupid questions. Windows Defender
updates via either AutoUpdate or Windows (or Microsoft) Update.

There is a "check for updates" button within Windows Defender--in Help--but
what it initiates is an AutoUpdate check.

OK--here are some thoughts about how to dig deeper:

1) Go to a command prompt in the Windows Defender installation folder.
Probably we should go for an elevated command prompt--i.e. go to Start, all
programs, accessories, command prompt, right click that menu choice, and
choose "run as administrator" and click to assent to the elevation.

Navigate to \program files\windows defender, and do:

mpcmdrun -RemoveDefinitions -All

and hit enter.

In theory, that shouldn't change anything--it should take you back to 1.0.0
where you seem to be--but possibly there is an initial update which is
"stuck"--and this might clear it.

Follow that up with an update attempt--either via "check for updates" in the
help menu within Vista (this is "gold"--not one of the betas??) or via
Windows Update.

If you use the button within Windows Defender, you should first see a
balloon notification from the system tray stating that Defender is
connecting to the Internet to look for definition updates. That should go
away after awhile, and eventually (remember, AutoUpdate is intentionally
slow and very careful of bandwidth)--you'll see another such balloon stating
either that no definition updates were found, or that Defender is now up to
date. Do you see those?

If this process fails, I think the next thing to do is to analyze the tail
end of %windir%\windowsupdate.log which can be opened in Notepad. Do
Start, run, notepad %windir%\windowsupdate.log to open the file, then scroll
to the end. Scroll back up to the start of those update attempts you just
made, and take a look--the relevant lines will be the ones indicating what
server you are connecting to (should be Microsoft) and any error messages
relating to attempting to install definitions.

You can post that tail end of the log file back here, or portions, via cut
and paste.

I've got one other "outlier" thought: You have a home machine, but you also
have an MSDN subscription. You've installed Vista, but: if you had an XP
machine which had previously been part of a domain, and upgraded to Vista,
rather than clean installing, Vista would inherit group policy settings
which might direct AutoUpdate to corporate servers, which you are no longer
connected to. As I say--this is an outlier--not terribly likely--but it has
come up here more than once, in the XP context, so it isn't impossible!

--
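
The log check described in the post above, as an added example that is not part of the original thread: a Python script that reads the tail of WindowsUpdate.log, reports any managed (WSUS) update server the client was pointed at, and lists failure lines with their error codes. The sample lines are constructed, and the tab-separated field layout and the `WSUS server:` line are assumptions about the log format.

```python
import re

# Constructed sample, assuming the tab-separated WindowsUpdate.log layout
# (date, time, PID, TID, component, text); not taken from the poster's machine.
SAMPLE_LOG = "\n".join([
    "2007-02-01\t09:15:02:640\t1012\te3c\tAU\tTriggering AU detection through DetectNow API",
    "2007-02-01\t09:15:03:109\t1012\ta10\tAgent\t  * WSUS server: http://wsus.corp.example:8530",
    "2007-02-01\t09:15:24:203\t1012\ta10\tMisc\tWARNING: Send failed with hr = 80072ee7.",
    "2007-02-01\t09:15:24:218\t1012\ta10\tAgent\tWARNING: WU client failed Searching for update with error 0x80072ee7",
    "2007-02-01\t09:15:24:250\t1012\te3c\tAU\tAU setting next detection timeout",
])

SERVER_RE = re.compile(r"\*\s*WSUS server:\s*(\S+)", re.I)
HRESULT_RE = re.compile(r"\b(?:0x)?(8[0-9a-f]{7})\b", re.I)

def triage(log_text, tail=200):
    """Summarise the last `tail` lines: update server seen and failure lines."""
    servers, failures = [], []
    for raw in log_text.splitlines()[-tail:]:
        fields = raw.split("\t", 5)
        if len(fields) < 6:
            continue  # wrapped or malformed line, nothing to classify
        date, time, _pid, _tid, component, text = fields
        m = SERVER_RE.search(text)
        if m:
            servers.append(m.group(1))
        if text.lstrip().startswith(("WARNING", "FATAL")) or "failed" in text.lower():
            code = HRESULT_RE.search(text)
            failures.append({
                "when": f"{date} {time}",
                "component": component.strip(),
                "hresult": "0x" + code.group(1).lower() if code else None,
                "text": text.strip(),
            })
    # A server value other than NULL means policy points the client at a managed server
    managed = [s for s in servers if s.strip("<>").upper() != "NULL"]
    return {"managed_servers": sorted(set(managed)), "failures": failures}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Managed update server(s):", report["managed_servers"] or "none (Microsoft default)")
    for f in report["failures"]:
        print(f["when"], f["component"], f["hresult"], f["text"])
```

To run it against a real log, pass the contents of %windir%\windowsupdate.log to `triage()` in place of `SAMPLE_LOG`.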
 
Bill Sanderson MVP

AVG has their own anti-spyware component, which was previously available as
freeware, and quite well thought of. You should check whether this is
running or not. I'm unfamiliar with AVG's current packages on Vista, but
this could be the issue. I wouldn't expect it to disable Windows Defender
or prevent it from updating, but it might conceivably supplant it in the
Security Center--that will only monitor one app at a time.
The previous name for AVG's antispyware component was Ewido, and many folks
ran it concurrently with Windows Defender under XP. I don't recall any
discussion about this in relation to Vista, though.

--
 
Guest

While investigating another issue that occurred on my machine while
installing SQL Server 2005, I found that there was potential corruption in
the WMI database. The steps to fix it were:

Set the WMI service to Disabled
Stop the WMI service
Delete system32\wbem\repository
Set WMI service to Automatic
Restart the WMI service
Restart machine (as a good measure)

This also appears to have fixed the issue with Windows Defender. I guess the
WMI repository corruption had caused the Security Center to be unable to
communicate with Windows Defender, causing the alert.

What I don't know as yet is what caused the issue in the first place.
 
