Superfish: Windows Defender fails to clean properly

[German edition]Today I like to bring your attention to a nasty part of the Lenovo Superfish issue. Currently many media reflecting Ed Bott's ZDNet article, that Windows Defender will detect Superfish and removes it with the Superfish Inc. Root certificates. But that's only half of the truth – in some scenarios Windows Defender (and I guess many other tools) fails to remove the root certificates.


I was alarmed by a user comment within my Germany blog. This user informed me, that he has found the "Crapware" a few months ago on a new notebook. He decided to uninstall the crapware. After the Lenovo case was spreading, he read my German blog post about the Windows Defender ability to remove Superfish and it's certificate. But he found out, that Windows Defender did not alarm the Superfish infection (which was estimated). But Defender also did not remove the bad root-certificate.

I wrote a German blog post about that issue (and other findings). But I havn't had Superfish for test. So I send a mail to my MVP collegue Ed Bott:

Hello Ed,

Within your ZDNet article about Defender / Superfish you wrote, that Windows Defender can remove Superfish and the Certificate.

Unfortunately I haven't access to an extracted Superfish installer. Today I got a comment within my blog from a user reporting, that Windows Defender won't remove the Certificate, if Superfish was removed previously.

Could you please confirm, that Defender removes the superfish inc. certificate, if no superfish adware is detected? A feedback will be appreciated.

Ed answered my e-mail within a few hours, after he has tested this behavior. Here is, what Ed answered so far:

Hello Günter,

Happy to help. I have a system where I just tested that exact scenario, removing the Superfish add-in with Norton (leaving the certificate behind) and then setting Windows Defender as the default AV program.

In that scenario, Windows Defender did not identify the self-signed root certificate. I suspect that the detection depends on having found the Lenovo program files. So yes, in that case you need to run the Lenovo removal tool or manually remove the certificate. …


First of all, I have to thank Ed Bott for his confirmation. Secondly, my suspicions become true – Windows Defender update was a "quick & dirty" solution, that won't restore computer security in all cases. The only thing users can do:

  • Use the uninstall instructions published here at Arstechnica and here at Lenovo
  • Head over to this web site and test in Internet Explorer or Google Chrome) whether your system is affected by Superfish and its root certificate.

I'm not sure, whether Lenovo's removal tool will do the job (as Ed Bott suggested above) – have to run further tests. Hope, it helps a bit.

Cookies helps to fund this blog: Cookie settings

This entry was posted in computer, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *