Category Archives: Security

Beware Potential Defender Engine 1.1.18100.5 Gotcha

Here’s an interesting item. Check your system/boot (usually C:) drive in Windows 10. If it’s filling up (or full), that may come from a (hopefully temporary) Windows Defender gotcha. The program starts creating loads of 2K binary files in the Scans/History/Store subfolder. Ghacks reports tens of thousands to nearly a million such files showing up on affected PCs. Normally, a healthy Defender installation has one or two files in this folder (shown in the lead-in graphic). That makes it easy to check if a system is subject to this potential Defender Engine 1.1.18100.5 gotcha.

How to Check For Potential Defender Engine 1.1.18100.5 Gotcha

The complete directory path to check is:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store
If you see more than a handful of files there, you may be subject to the gotcha. If it’s chock-full of files and your C: drive is filling up, the gotcha is active! It’s OK to delete those files (Defender will make more), according to Brinkmann.

Brinkmann theorizes that the current Defender Engine version — namely 1.1.18100.5 — is responsible. He says MS is aware of the gotcha, and is planning a fix with the next engine update. That new version should carry an ID of 1.1.18100.6, and be ready as soon as Thursday, May 6.
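As an added check (not from the original post), this PowerShell snippet reads the installed engine version and counts the Store files described above. It assumes an elevated session, the Defender module’s Get-MpComputerStatus cmdlet, and that more than ten files in Store is the threshold for "more than a handful":

```powershell
# Added example, not from the original post: test one PC for the engine
# 1.1.18100.5 symptoms (file pile-up in Scans\History\Store, shrinking C:).
# Run elevated; ProgramData\Microsoft\Windows Defender is ACL-protected.
$storePath = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store'
$badEngine = [version]'1.1.18100.5'   # build named in the post
$threshold = 10                        # assumed cut-off for "a handful"

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

# A healthy install keeps one or two files here; affected PCs show tens of
# thousands, so -File keeps the count to regular files only.
$count = (Get-ChildItem -LiteralPath $storePath -File -ErrorAction Stop).Count
$freeGB = [math]::Round((Get-PSDrive -Name C).Free / 1GB, 1)

"Engine version : $engine"
"Store files    : $count"
"C: free space  : $freeGB GB"

if ($engine -eq $badEngine -and $count -gt $threshold) {
    Write-Warning "Engine $engine with $count Store files: the gotcha looks active."
    Write-Warning "Per the post the Store files can be deleted; Defender recreates them."
}
elseif ($engine -eq $badEngine) {
    "Affected engine build installed, but no file pile-up observed yet."
}
else {
    "Engine build is not $badEngine; the fixed build is expected as 1.1.18100.6."
}
```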

FWIW, I checked all of my Windows 10 PCs. While all of them are indeed running Engine version 1.1.18500.5, none of them is showing symptoms indicative of the gotcha. Clearly, it’s out there. But it’s not clear how widespread or active this gotcha may be. And it sounds like MS is already working on a fix that should do away with it completely.

At least, we don’t have to wait too long to find out if a fix is forthcoming. As I write this item, it could be just over 24 hours from release. For the record, Microsoft updates usually hit the Internet at 9:00 AM Pacific Time on release days. That’s about 26.5 hours from now.

Note Added May 5 Afternoon

A new engine build is already out, and should download automatically to all Windows 10 PCs running Defender. I just found it already installed on my test PCs, to wit:

[Image: Windows Security showing the new engine build installed]

Note the new engine is out: 1.1.18100.6. Problem solved!

That was quick! Glad MS is on the ball today. Thanks to @WindowsInsider and the whole Windows Team.


Defender Update Download Circumvents Stuck 21364

It’s been a struggle to get the latest Dev Channel Insider Build updated lately. I’ve already described how KB5001030 and KB5003397 aren’t working on my test machines. Lately, Defender has been stuck as well. That’s how I learned that a Defender update download circumvents stuck 21364.

Normally, you can simply open the Windows Security item in Settings → Windows Update. Next, you can forcibly get Defender to update by clicking “Protection updates” under “Virus & threat protection updates.” Not this time! This mostly-infallible workaround throws an “update failed” error. It explains further it “can’t check for definition updates” (see lead-in graphic).

Shoot! I even tried the command line program MpCmdRun.exe. First, I cleared the Defender signatures (that worked). Then I tried to download a new set (that failed). This time, apparently, update downloads are well and truly stuck. For the record, neither the Update Troubleshooter nor the TenForums WU Reset batch file worked, either.

Thus: Defender Update Download Circumvents Stuck 21364

Relief is available from the “Latest Security Intelligence…” MS Security Intelligence web page for Defender. I provide its URL because it’s more informative than that title: https://www.microsoft.com/en-us/wdsi/defenderupdates. If you scroll down this page, you’ll find a section entitled “Manually Download the Update.” Follow the link that matches your Windows 10 version and you’ll download a program named mpam-fe.exe.

If you run this program it will (a) update your Defender signatures, but (b) provide no interaction or feedback. That holds, even if you run the program as administrator. The only way to tell it worked is to check the timestamp for Last Update in Windows Security → Virus & threat protection under the “Virus & threat protection settings.” After you run this program, you’ll see a timestamp that reflects the recent past. It’s too stealthy for my sensibilities, but it does work.
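Because mpam-fe.exe gives no feedback, the timestamp comparison can be scripted. This is an added example, not from the original post: it assumes the package was saved to the Downloads folder, an elevated session, and the Defender module’s Get-MpComputerStatus cmdlet; the Authenticode check is an added precaution before running any downloaded executable:

```powershell
# Added example, not from the original post: verify the manually downloaded
# signature package, run it, and confirm the Last Update timestamp advanced.
$package = Join-Path $env:USERPROFILE 'Downloads\mpam-fe.exe'   # assumed location

if (-not (Test-Path -LiteralPath $package)) {
    throw "Package not found at $package"
}

# Downloaded executable: insist on a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $package
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to run $package; signature status is '$($sig.Status)'."
}

$before = Get-MpComputerStatus
"Before: signature {0}, updated {1} ({2} day(s) old)" -f `
    $before.AntivirusSignatureVersion,
    $before.AntivirusSignatureLastUpdated,
    $before.AntivirusSignatureAge

# The package shows nothing on screen, so just wait for it to exit.
Start-Process -FilePath $package -Wait -NoNewWindow

$after = Get-MpComputerStatus
"After:  signature {0}, updated {1}" -f `
    $after.AntivirusSignatureVersion,
    $after.AntivirusSignatureLastUpdated

if ($after.AntivirusSignatureLastUpdated -gt $before.AntivirusSignatureLastUpdated) {
    "Manual signature update applied."
}
else {
    Write-Warning "Timestamp did not advance: the package may match what is already installed, or it failed silently."
}
```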

I’m OK without CUs and Such, But…

When update trouble rears its head on Insider Previews, I’ve learned to cope. I’ve also learned it’s essential to be patient when MS goes into “break-fix” mode. That is, when they acknowledge something is broken and promise to fix it “soon.” And to the Insider Team’s credit most such fixes come sooner rather than later.

But I can’t accept an inability to update Defender on my test machines, where it’s my only anti-malware defense. That’s why I’m glad I’ve now learned how to manually download and install signatures to keep safe, even when updates get stuck, as they sometimes do. So while they’re still stuck for 21364, I’ll use this web page to update daily just to be safe…

Note Added 6 Hours Later

Just for grins, I tried out the old Windows Update MiniTool (WUMT) on my stuck test machines. It was happy to download and install the Defender updates for me. But it did not “see” the two problem KBs until I resumed updates in WU. Acting on advice from the Insider Team that I should be able to install the .NET update, I tried that inside WUMT on my Lenovo X220 Tablet and X380 Yoga. It reported it was downloading, then installing, for each of the two problem updates. But alas, while KB5003397 succeeded on the X220 Tablet, it failed on the X380 Yoga. And KB5001030 worked on neither machine, even using WUMT. Go figure!


Using Microsoft Safety Scanner MSERT.exe

With each Patch Tuesday, MS releases a new version of the Malicious Software Removal Tool (MSRT). Just yesterday, I learned about a similar but different tool named Microsoft Safety Scanner (MSERT.exe). At first, I did a double-take to make sure it wasn’t a typo. It’s not, as the Safety Scanner Docs page attests. (Here are live links to the 32-bit and 64-bit downloads mentioned in the lead-in graphic.) Here, I’ll explore what’s involved in using Microsoft Safety Scanner, aka MSERT.exe.

Explanation Precedes Using Microsoft Safety Scanner

MS explains the tool thusly: “a scan tool designed to find and remove malware from Windows computers.” It goes on to say “Simply download it and run a scan to find malware and try to reverse changes made by identified threats.” Like the MSRT, the MS Safety Scanner gets updates and new signatures all the time, so MS recommends that you always download a fresh copy any time you’d like to use it. They also observe that it’s only worth using for 10 days, after which one MUST download a new version.

Here’s how MS describes the MSRT on its download page:

Windows Malicious Software Removal Tool (MSRT) helps keep Windows computers free from prevalent malware. MSRT finds and removes threats and reverses the changes made by these threats. MSRT is generally released monthly as part of Windows Update or as a standalone tool available here for download.

I’ll be darned if I can tell much difference between them. Nor do I see much distinction in third-party coverage. That said, Explorer sees big differences in size between the two, to wit:

[Image: Explorer file sizes for MSERT.exe and MSRT]

Notice that MSERT.exe shows up as itself, while MSRT shows up as KB890830, version 5.87. Because MSRT is released monthly through WU, it apparently keeps the same KB number, but gets a new version number with each release. MSERT is not so readily obliging but does show that information on its Properties/Details page. That’s where I learned that MSERT stands for “Microsoft Support Emergency Response Tool.”

[Image: MSERT.exe Properties/Details page]

Full name plus file version info readily available here.
[Click image for full-sized view.]

Let’s just say this is another tool from MS you can run at your own discretion to check a Windows PC for malware, and attempt cleanup. All this makes me curious to understand why we have access to not one, but two, such tools. Even the best of third-party explanations/explorations tend to be a bit shaky, like this Tom’s Hardware Forums item. Even my home forums community at TenForums is pretty much mum on differences, to my consternation and regret.

Using Microsoft Safety Scanner

The .exe file is portable and runs from anywhere (including the Downloads folder). The Docs don’t say one should run the program as administrator, but I did so anyway. It presents a EULA to which you must agree before it does its thing. Next you get a welcome/disclosure screen:

Click Next, and you get your choice of scan types (quick, full, or customized).

Then, it scans your “most likely compromised” files under quick scan.

On my production PC, the whole process took about 3:00 and produced the following results.

Nothing to see here folks, please move along. A clean bill of health, in other words.

Upon completion, the log file (named msert.log) shows nothing informative about cleanup or actions taken (probably because it found nothing to clean up). Here’s a NotePad++ view of its contents (click to view full-sized, as it’s a little hard to read in native WordPress resolution):
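The manual steps above (check the file’s details, respect the 10-day limit, run it elevated, then read msert.log) can be wrapped in a script. This is an added example, not from the original post or from Microsoft: it assumes MSERT.exe sits in Downloads, that the file’s creation time is when it was downloaded, and that the /Q (quiet) and /F (full scan) switches and the %SystemRoot%\debug\msert.log location match Microsoft’s Safety Scanner documentation rather than anything shown on this page:

```powershell
# Added example, not from the original post: inspect a downloaded MSERT.exe,
# enforce the 10-day freshness rule, run a quiet full scan, and show the log.
$msert = Join-Path $env:USERPROFILE 'Downloads\MSERT.exe'   # assumed location
$item  = Get-Item -LiteralPath $msert -ErrorAction Stop

# Same information Explorer shows on the Properties/Details page.
$item.VersionInfo |
    Select-Object FileDescription, ProductName, FileVersion |
    Format-List

# MS says a copy is only good for 10 days; CreationTime is assumed to be
# the download time, so refuse to run a stale copy.
$ageDays = (New-TimeSpan -Start $item.CreationTime -End (Get-Date)).Days
if ($ageDays -gt 10) {
    throw "MSERT.exe is $ageDays days old; download a fresh copy before scanning."
}

# /Q quiet, /F full scan (switches assumed from Microsoft's documentation).
# -Verb RunAs elevates, matching the post's choice to run as administrator.
Start-Process -FilePath $msert -ArgumentList '/Q', '/F' -Verb RunAs -Wait

# The tool logs to %SystemRoot%\debug\msert.log; show the tail of it.
$log = Join-Path $env:SystemRoot 'debug\msert.log'
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 20
}
else {
    Write-Warning "No msert.log found at $log"
}
```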

I’m still not sure if you and I really need this tool or not, but it’s nice to know it’s available on demand should you wish to make a malware scan and clean-up pass over your Windows PC. The whole thing still has me wondering…


Multiple Methods Clear Defender Threat History

First, an admission. I do occasionally use the CCleaner and the MiniTool Partition Wizard (MTPW) installers. Yes, I know they include “bundleware” elements that Defender flags as “potentially unwanted programs” (PUPs). In fact, until you clear the threat history and exclude that history from future scans, Defender keeps reporting them ad infinitum. Sigh. As I worked my way through a UGetFix.com article yesterday on my Lenovo X390 Yoga, I learned multiple methods clear Defender threat history. In fact, when none of the article’s methods worked for me, a spin on one of them did the trick.

[Note] The lead-in graphic for this story shows a Defender warning for a “potentially unwanted application” (PUA) from another bundleware instance. That one comes from the Unlocker program (it’s always been a little dicey, which is why I provide a MajorGeeks download link). Use at your own risk.

Enumerating Multiple Methods Clear Defender Threat History

The UGetFix.com article is entitled “Windows Defender identifies the same threat repeatedly — how to fix?” It works readers through three separate methods:

  1. Delete the Service folder within the following Windows folder:
    C:\ProgramData\Microsoft\Windows Defender\Scans\History. This is where Defender keeps its logs and threat history info. There’s an alternate method based on Event Viewer described in the article as well to clear the history log.
  2. Prevent Defender from scanning the history file. This occurs in Manage Settings inside Virus & Threat Protection in Defender, under the Exclusions heading. By excluding the preceding folder specification, you stop Defender from repeating warnings based on its own history files.
  3. Clear Browser Caches: YMMV on this one, depending on the browsers you use. I’ll let you puzzle these efforts out for yourselves, from the help systems built into each browser.

As I said, none of the methods worked for me. What did work was a variation on Item number 1 above. I was unable to delete the Service folder. It came back as “locked by Windows Defender.” What I was able to do, however, was to navigate within the Service folder and edit the history.log file using NotePad++ to delete its contents. I also found a series of two-digit-numbered folders with various history files inside (named 01, 02 and so forth) that I was able to delete (and did so).
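The variation that worked (empty history.log in place, remove the numbered subfolders) plus the exclusion from method 2 can be done from an elevated PowerShell session. This is an added example, not from the original post or the UGetFix article; it assumes the folder layout described above and the Defender module’s Get-MpThreatDetection, Add-MpPreference and Get-MpPreference cmdlets:

```powershell
# Added example, not from the original post: clear the repeating PUP
# detections the way the post describes, then exclude the history folder.
# Run elevated; the Service folder itself stays locked by Defender.
$history = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History'
$service = Join-Path $history 'Service'

# 1. Record what Defender is still reporting before touching anything.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, Resources |
    Format-Table -AutoSize

# 2. The folder cannot be deleted, so empty history.log in place instead.
$log = Join-Path $service 'history.log'
if (Test-Path -LiteralPath $log) {
    Clear-Content -LiteralPath $log -Force
}

# 3. Remove the two-digit-numbered subfolders (01, 02, ...) that hold the
#    per-detection records; report any that Defender still has open.
Get-ChildItem -LiteralPath $service -Directory |
    Where-Object { $_.Name -match '^\d{2}$' } |
    ForEach-Object {
        try   { Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction Stop }
        catch { Write-Warning "Could not remove $($_.FullName): $_" }
    }

# 4. Method 2 from the article: stop Defender re-scanning its own history.
Add-MpPreference -ExclusionPath $history

# 5. Confirm: the exclusion is listed and the old detections are gone.
(Get-MpPreference).ExclusionPath
Get-MpThreatDetection
```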

After that maneuver, the annoying multiple repetitions of PUP warnings for the CCleaner (version 5.77) and MTPW (version 12.03) installers disappeared. I used Everything to check my systems and make sure the offending files were no longer present, too. It’s only the installers that include bundleware. Once deleted and flushed, they no longer pose any threat.

Concluding Unscientific Rantlet

It’s weird that Defender triggers PUA/PUP warnings from the contents of its own history file. Even when the files that legitimately trigger an alert on a Windows 10 PC are no longer present, the same alerts still trigger — repeatedly! My plea to the Defender development team is that they automatically exclude the history file from scans by default so as to further insulate users from this small but vexing gotcha.


Simple Command Craters Windows10 PCs Immediately

It’s not often you see a warning like the one in the lead-in graphic for this story. Indeed, executing a certain string at the command line will immediately crash a Windows 10 PC and render it unbootable. Before I go into details, I’m concerned that a simple command craters Windows10 PCs immediately. (Windows 8, 8.1, and XP are also reportedly affected, but not Windows 7.) Opportunities for malicious use are mind-boggling.

[Note: the lead-in graphic comes courtesy of Sergey Tkachenko at WinAero.com. He posted the story in which it appears Friday, January 15.]

It gets worse. That same string also corrupts any targeted NTFS volume in a URL (just a portion of that string in the address bar will do it). Furthermore, it works from inside a ZIP archive, an ISO, VHD, or VHDX file, too. I’m stunned!

I actually debated myself for days on whether or not to share this info. I finally concluded that the Windows community needs to know. It might arm bad actors with new ammunition. Hopefully, that danger is offset by the increased care it should cultivate in everyone else who learns about it.

What Simple Command Craters Windows10 PCs Immediately?

The command can occur in a file reference at the command line or in PowerShell. The simplest invocation is:

cd c:\:$i30:$bitmap

That’s it. Doesn’t look like much, does it? It can address other drive letters (in which case, it will corrupt them instead). C: is particularly dangerous because it’s the default volume where Windows and all of its necessary pieces and parts reside. Once the string is entered, an error message appears. It informs you that “The file or directory is corrupted and unreadable.” Windows will attempt repairs via Chkdsk upon restart, but it will not succeed.

According to Tkachenko:

…users have figured that it is enough to paste the above ‘:$i30’ string into the browser address bar.

to crater the C: drive. Not good!

Holy Moly! How does THIS work?

This exploit is based on the NTFS $i30 index attribute, which ties into filesystem directories and contains a list of its files and subfolders, and may include deleted items as well as active ones. If you search on “$i30 index attribute” or “NTFS $i30 attribute” you’ll see it’s well-known to computer forensics professionals. It’s also a critical part of the MFT (Master File Table) structures for NTFS. Nobody yet knows or understands why referencing it in a command, URL, or archived file structure is damaging.

According to Tkachenko, the security researcher who found this gotcha says:

I have no idea why it corrupts stuff and it would be a lot of work to find out because the reg key that should BSOD on corruption does not work. So, I’ll leave it to the people with the source code…

MS knows about this now and is reportedly working on a fix. This one should be a doozy, and should get fixed as quickly as they can manage it. In the meantime, watch out!

Do NOT try this at home (or at work, or anywhere else, either). If you simply have to try it, do it in a throwaway VM. Otherwise, cleanup will take time and effort, even if it’s just to restore a backup. As the man said “You have been warned.”
