Microsoft has released Defender Antimalware version 4.18.1908.7 (on Sept. 13, 2019). This update should also fix the error when executing the command sfc /scannow. Here is some information about this topic, which has not been documented by Microsoft and is quite confusing.
The colleagues at the German site deskmodder.de recently reported that there is an update to the Defender anti-malware engine to version 4.18.1908.7. After I published the German edition of this article two days ago, I received confirmation from my German blog readers that their machines also got this update. This update should also fix the problem of not being able to run a system file check for corrupted files, for all versions of Windows 10.
The sfc bug explained
In Windows, you can use an administrative prompt to have the system check for corrupted files with the sfc /scannow command.
If the command finds corrupted files, the System File Checker (sfc) should be able to repair them. However, it happens again and again that this repair cannot be carried out.
Since July 2019 this no longer worked under Windows: the command finds broken files but cannot repair them. Analyses showed that a defective Defender signature file was responsible for the failed system file check. I had reported about it within the blog post Windows: July 9, 2019 Updates breaks sfc. Later Microsoft admitted a problem with sfc (see Microsoft confirms July 9, 2019 Updates breaks sfc in Windows).
In KB4513240 (System File Checker (SFC) incorrectly flags Windows Defender PowerShell module files as corrupted) Microsoft writes:
The System File Checker (SFC) tool marks files in %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender as corrupted or damaged. You will receive error messages such as the following:
Hashes for file member do not match.
This is a known issue in Windows 10, version 1607 and later, and Windows Defender version 4.18.1906.3 and later. The files for the Windows Defender PowerShell module, which are found in %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender, are delivered as part of the Windows image. These files are catalogued. However, the Windows Defender management component has a new out-of-band update channel. This channel replaces the original files with updated versions that are signed with a Microsoft certificate that the Windows operating system trusts. Due to this change, SFC marks the updated files as “Hashes for file member do not match”. The repair process then ends with ‘corrupted files found’, without a
Fix already announced in mid-August
I had reported in the middle of August in the article Microsoft fixes the Windows Defender sfc bug (August 2019) that Microsoft wants to fix this issue by updating Windows Defender to version 4.18.1908. At that time I assumed that this update would be rolled out promptly (the colleague from deskmodder.de left a comment that the Defender update had not yet been shipped at that time).
But now: Update to version 4.18.1908.7
The support article KB4513240, last updated in August 2019, states that ‘future versions of Windows will use the updated files in the Windows image’. After that, SFC should no longer mark the files as corrupted.
Now the colleagues at deskmodder.de noticed that there was an update to version 4.18.1908.7. But it was a bit confusing: some Windows Insiders on Windows 10 19H2 and 20H1 got this update, while users on the Windows 10 production version didn’t get it at the time the deskmodder.de article was published. I tested it on Sept. 16, 2019 – after several update searches my test machine with Windows 10 version 1903 (in the Windows Insider Release Preview Ring) also got this version. Later German blog readers confirmed that their production machines got the update on Sept. 17, 2019.
How do I determine the anti-malware version?
Finally, some information on how to check which module version of the anti-malware engine is installed on a system. The Windows as a service implementation forced me to search for some time until I found the information.
1. Open the settings page and go to Windows Security. Select the Open Windows Security button.
2. Click the Settings icon at the bottom of the left column of the Windows Security window. Then click in the right pane under ‘Settings’ on the hyperlink Info.
While most of the hyperlinks open Edge, which then lands on some branch of meaningless Microsoft help pages, the following display appears when you click the Info hyperlink.
In fact, version 4.18.1908.7 is displayed there. It remains to be seen whether this really fixes the problem in the signature file check for all systems. On my test system sfc /scannow ran last. But I got feedback from German readers that the sfc issue still continues. One reader wrote:
If you still get errors, just delete all log files under %windir%\logs\cbs, then sfc finally worked for. In an old log file (approx. 200MB) there were still those Defender entries from previous scans.
BTW: Microsoft’s support article 4052623 describes some details, but the last update of this article was on January 28, 2019.
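The version check and the KB4513240 explanation above can also be verified from an elevated PowerShell prompt. The following is an added example, not part of the original article or of Microsoft's support text; it assumes the Defender cmdlets are available, and the variable names are illustrative. It reads the installed anti-malware version, checks that the files SFC complains about carry a valid Microsoft signature (which separates the catalog mismatch described in the KB from real tampering), and shows whether the hash entries in CBS.log are old leftovers.

```powershell
# Added example: run in an elevated PowerShell prompt on Windows 10.
$fixedVersion = [version]'4.18.1908.7'   # version named in the article
$moduleDir = Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\Modules\Defender'
$cbsLog    = Join-Path $env:windir 'Logs\CBS\CBS.log'

# 1. Installed anti-malware version, compared with the version from the article.
$installed = [version](Get-MpComputerStatus).AMProductVersion
if ($installed -ge $fixedVersion) {
    "Anti-malware version $installed (at or above $fixedVersion)"
} else {
    "Anti-malware version $installed (update to $fixedVersion still pending)"
}

# 2. Signature status of the Defender PowerShell module files.
#    KB4513240 says the replaced files are signed with a trusted Microsoft
#    certificate; anything not 'Valid' or not signed by Microsoft needs review.
$suspect = Get-ChildItem -Path $moduleDir -File |
    Get-AuthenticodeSignature |
    Where-Object {
        $_.Status -ne 'Valid' -or
        $_.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation'
    }
if ($suspect) {
    'Files without a valid Microsoft signature:'
    $suspect | Select-Object Path, Status, StatusMessage | Format-List
} else {
    "All files in $moduleDir carry a valid Microsoft signature."
}

# 3. Hash-mismatch entries in the CBS log. The first and last hit show
#    whether the entries come from scans made before the Defender update.
if (Test-Path $cbsLog) {
    $hits = @(Select-String -Path $cbsLog -Pattern 'Hashes for file member' -SimpleMatch)
    "CBS.log contains $($hits.Count) hash-mismatch entries."
    if ($hits.Count -gt 0) {
        "First: $($hits[0].Line.Trim())"
        "Last:  $($hits[-1].Line.Trim())"
    }
} else {
    "No CBS.log found at $cbsLog."
}
```

If step 2 reports only valid Microsoft signatures and the entries from step 3 predate the update, the SFC findings match the catalog mismatch the KB describes rather than modified files.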