[German]Just a brief note: It seems, that Windows Defender won't receive automatic updates since a few days (June 18th 2018). But there are defender updates available, as a search for updates confirms. Here are a few details what I've found out so far.
Advertising
Some error description
After I posted the blog post Windows Defender meldet fälschlich Trojaner (English version here), a German blog reader mentioned an observation. Here is his comment, which I've translated:
A little off topic, but I've noticed under Windows 7 since days that Windows Update doesn't report Defender updates anymore, because it doesn't find any via Windows Update. I just started an extra Windows update manually again, although it already ran automatically 3 hours ago, and again nothing.
The strange thing is that every Friday I have the Defender do a quick check and have it set up so that it checks for updates and installs them right away.
Now I started the Defender once and the last version of the definitions was 1.269.1075.0 from June 11, 2018, 16:50 o'clock (German time). After clicking on "Check for updates now" 1.271.193.0 from June 28, 2018 was installed at 21:10.
Very strange! Has anyone else observed this problem?
Shortly later I received confirmation from other users. They observed a similar behavior – Windows Defender didn't receive updates automatically. And I found a few minutes ago this forum post at askwoody.com (which triggered my decision, to write this blog post).
In normal cases Windows Defender is disabled
I tried to check this issue on my Windows 7 machine, where also Microsoft Security Essentials is installed. Calling Windows Defender via start menu's search box ends here with the following message box.
The German text says, that Windows Defender is deactivated (disabled). There is a link to enable Defender. But I doesn't see a necessity for that. Depending on the installed third party anti virus software, this situation may be different und Windows Defender is enabled. I receive the feedback from my German blog readers, that Malwarebytes antivirus and some other antivirus vendors allows Windows Defender running in parallel.
Advertising
Nailing it down to the root cause?
Searching the web I didn't found other posts or an explanation at first. But gladly my German blog readers helped to nail it down. German blog reader Ralf Lindemann posted a comment with a strong hint:
I'll follow up with a little thesis: On my computer, the Windows 7 Defender runs parallel to a "full-fledged" AV product. The Windows 7 Defender was and is activated and was regularly supplied with current definition updates via Windows Update until June 18.
What happened on 18/06? – On 18/06 I started installing the updates from June patchday (a little late) on my private Win 7 computer. Immediately before installing KB4284867 (Security Only) Windows Defender received his last definition update. Since the installation of KB4284867 no updates for Windows Defender are detected. Collateral damage? Or deliberately switched off by Microsoft, so 'by design'?
But [if that's true] why can definition updates be obtained via the separate updater in Defender? You don't know. But it's not really a problem …
Ralf informed me later, that the update log just contained an entry claiming, that Windows Defender searched successful for update, but found no new updates:
„2018-06-29 10:23:19:454+0200 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 Windows Defender Success Software Synchronization Windows Update Client successfully detected 0 updates
Then blog reader Martin also confirmed, that he also checked the Windows 7 update history. He found out, that Windows Defender receiving automatically updates stalled after installing the June 12 2018 rollup update. Seems reasonable, but unfortunately, it's not true – see below.
The theory, that Microsoft disabled that auto-update thing by intention isn't logical to me. During writing my blog post I stumbled upon my older blog post Windows 7/8.1 receiving Windows Defender ATP support. If Microsoft intends to add some functionality, it doesn't make sense, to stop updates now. So I guess, it's just a collateral damage – or something else has changed on Microsoft's update servers.
Addendum: Just another theory – servers-side issues
Just after I published this article, user Imacri left this comment at askwoody.com for me. He pointed out, that Windows Defender in Windows Vista also stopped receiving updates at the same time as Windows 7. A discussion may be found here. Here is the relevant observation (in Windows 7):
One thing all three machines have in common is I am using WxFC as discussed elsewhere by Noel Carboni. I am using a similar approach to what he is, in that I only allow a few very specific update servers and only allow this when I am actively manually checking for updates.
I noticed this time that both the Defender user interface and the svchost.exe are trying to get to both go.microsoft.com and http://www.microsoft.com. The former is using port 80, the latter both 80 and 443. Normally I have both of those blocked for all programs and svchost.exe (not specifically, but by exclusion). I noticed I was also getting requests (which I blocked) to go out to watson.microsoft.com, which I see when there is some type of issue and they want it reported to Microsoft.
I also noticed something new. Using the Defender user interface once it finished the 'searching' phase it popped up a line that says 'Definition updates were found on the Microsoft Security Portal.' In the past when definitions were available I have never seen this appear. After this point I then would get error 0x80072efd and 'A connection with the server could not be established'.
I then allowed a connection to go.microsoft.com for both the interface and the svchost.exe, but still no go. One time it downloaded the definitions file (or so it said) and my bandwidth monitor confirmed it was downloading. It said it installed it and it did not take, it was right back where I started. Next I also allowed http://www.microsoft.com for the user interface. No go. I then also allowed http://www.microsoft.com for the svchost.exe and everything proceeded as normal and the updated definitions were installed and it showed the latest version. Further checks seemed to connect with no issue.
So, it seems they changed servers for doing Defender definitions updates? I strongly dislike the idea of allowing svchost.exe to go to a generic Microsoft address, because it seems to me that it could be doing just about anything, or more likely it could be than when going to a specific update server. I thought I had seen things in the past about not allowing go.microsoft.com, but I can't find any notes on it. I use a block all, allow a few specific things at specific times approach, so I have no need to specifically block this address. For me, I think I would rather not update Defender than allow this, but even if Defender isn't something I see a lot of value in, it has had critical exploitable flaws in the past requiring updates.
So my guess, that something may also be broken on Microsoft's update servers seems not to be too wrong.
After I published the blog post in English, @VessOnSecurity confirmed that the theory of 'broken update server' is probably the most likely cause. In a reply to my post he wrote.
I can confirm that on Win7 machines, Windows Defender updates via WU no longer occur (since June 11).
However, this happens even if the June roll-up is NOT installed.
It's not some update that has screwed things up; Microsoft has changed something server-side.
— Vess (@VessOnSecurity) 29. Juni 2018
An idea for a possible workaround
Well, personally I think, Windows 7 Defender is a kind of 'blue pill', especially, if a third party antivirus software protects the system. But in case you are intend to use Windows Defender to scan your system, blog reader Martin had a proposal, that might work.
He intend to set up a new task in task planner, that invokes Windows Defender cyclically and let the program search manually for updates. The command line parameters for Windows Defender has been documented here by Microsoft. Maybe it helps.
Addendum: Defender killed by a module update
A German reader of my blog has nailed it (probably) finally down. The guess that an update killed the automatic update seems to be true – but it's not a Windows update, instead it's a Defender module update. The German reader wrote within this lengthy comment:
[The] support [for Windows Defender updates] via Windows Update has been terminated since 06/11/2018 (temporarily?). Update search in Windows Defender works with module version 1.1.14901.4 – but not with the new modul version 1.1.15000.2 (deployed via auto update). It seems that Microsoft has deactivated Windows 7 Defender.
Similar articles:
Windows Defender reports Trojans as false positives
Windows Defender extension for Google Chrome
Temporary profile in Windows caused by Windows Defender?
Windows Defender ATP detects Finfisher spyware
Windows 7/8.1 receiving Windows Defender ATP support
Windows 10 V 1703: How to disable Windows Defender in Security Center
Advertising
On W 8.1 and 10, I have Tasks that run the CMD every hour for Updates and every four hours for quick scan. I have done this for years, ever since they removed the Auto update & scan possibility. It sounds like that is now coming to W 7.
It maybe that Microsoft is preparing W 7 for the Grand W 7 & W 8/8.1 Summer *UPGRADE* planned for this summer. Apparently, the last I read, there is going to be some paid component involved. By the looks of it it would involve turning on some enterprise features found currently in W 10. Over all this will make all versions of Windows have a same/similar Windows Defender. I believe I read some where, where "Essentials" as a package is to be depreciated or is no longer available, but I can't remember where???
Here it is, the latest, but there are others older: "Onboard previous versions of Windows"
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection
I've read most of this post and I concur on the "not able to update" on Windows 7. I even tried creating another account to update. To my surprise it worked. Trying it again didn't offer me the same results. I wish I'd known this issue was reoccurring. I would have deleted, reinstalled, or changed software/programs when I had the opportunity. Please send me the fix to this issue. Much appreciated.
oh well, I can still download updates manually by just downloading the latest mpas-fe.exe file & running it to update Defender on my Win7 machines on certain occasions.
hope Microsoft does not abruptly stop MSE updates for Win7 before January 2020.
As far as I have seen within the comments from my German readers, MS issued an Update that has fixed this bug. Here are some details:
04. July 2018, 00:00 Uhr, Windows Update searched for updates and found update KB915597 (Definition 1.271.420.0). After installing this update, the module version remains on 1.1.15000.2, but the definition is from July 3, 2018 14:42)