Quick question to see if any of you are affected. Microsoft Defender, which is included by default in Windows, seems to have been running amok for a few hours now, creating and leaving thousands of files on Windows servers (and possibly Windows 10 clients). A user reached out to me on Twitter last night regarding this and left some initial clues. Here's a brief overview.
Enno0815de linked to the Microsoft Answers post "Windows Defender issue on server – lots of files being created", where a user described the following observation a week ago:
We have an issue on a Windows Server 2019 Datacenter virtual machine with Windows Defender.
We are in: Settings -> Update & Security -> Windows Security -> Virus & threat protection -> Virus & threat protection settings -> Manage settings
When Real-time protection is turned on, after about 20-30 minutes it creates hundreds/thousands of files in this location:
Most of these files are either 1 KB or 2 KB. Over a 24-hour period we ended up with roughly 950,000 files and it was taking 30 GB of space. This does not appear to be normal. There are no threats detected and no actively running scan or updates. These files appear to be encrypted, or at least we can't open them in Notepad and see any useful data. This is only happening on one server.
Anybody got any ideas?
Other users confirm this, and a Microsoft employee confirmed that around 950,000 files and 30 GB of storage are consumed within 24 hours. There is also this thread on reddit.com about Windows Server 2016 with the same observation:
Windows Defender Server 2016 watch out!
I think there is a big problem with Windows Defender eating up storage. This has started to happen over the past week and the folder in programData\Microsoft\Windows Defender\Scans\History\Store is gigantic! Just a heads up. I first noticed when one of the Veeam backups failed due to the VSS writer. I logged into the server and the C: drive had only 0.99 GB free. That was 30 GB a few days ago!
The thread is already rather long, so a lot of people are affected. I've only come across Windows Server cases. Are any of you affected by this? Are there also known cases on Windows 10 clients?
Addendum: I just read at the German site deskmodder.de that module version 1.1.18100.5 of the scan engine is affected. A fix in the form of module version 1.1.18100.6 is announced for Thursday (see the comment from the MS Defender engineer). The colleagues at Bleeping Computer have published this article on the issue for English readers.
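To check whether a server shows the symptom described above, the following PowerShell triage script is an added example (not from the original post, the quoted threads or Microsoft). It compares the installed engine version with the two versions named in the addendum and measures the Store folder named in the Reddit post; the alert thresholds and the assumption that versions above 1.1.18100.6 also carry the fix are mine.

```powershell
#Requires -RunAsAdministrator
# Added example: triage check for the Defender "Scans\History\Store" file flood.
# Engine versions and folder are taken from the article; thresholds are assumed values.

$affectedEngine = [version]'1.1.18100.5'   # reported as affected
$fixVersion     = [version]'1.1.18100.6'   # announced as the fix
$storePath      = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History\Store'
$maxFiles       = 10000                    # assumed threshold, tune per environment
$maxBytes       = 1GB                      # assumed threshold, tune per environment

# Engine version as reported by the built-in Defender module
$engine = [version](Get-MpComputerStatus).AMEngineVersion

# Stream the directory instead of loading ~1M FileInfo objects into memory
$count = 0; $bytes = [long]0; $recent = 0; $scanError = $null
$cutoff = (Get-Date).AddHours(-24)
if (Test-Path -LiteralPath $storePath) {
    try {
        $dir = [System.IO.DirectoryInfo]::new($storePath)
        foreach ($f in $dir.EnumerateFiles('*', [System.IO.SearchOption]::AllDirectories)) {
            $count++
            $bytes += $f.Length
            if ($f.CreationTime -ge $cutoff) { $recent++ }   # growth over the last day
        }
    } catch {
        # Access denied or files vanishing mid-scan: report partial totals
        $scanError = $_.Exception.Message
    }
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    EngineVersion       = $engine
    EngineAffected      = ($engine -eq $affectedEngine)
    AtOrAboveFixVersion = ($engine -ge $fixVersion)   # assumes later engines keep the fix
    StoreFiles          = $count
    StoreSizeGB         = [math]::Round($bytes / 1GB, 2)
    FilesLast24h        = $recent
    SystemDriveFreeGB   = [math]::Round((Get-PSDrive -Name $env:SystemDrive[0]).Free / 1GB, 2)
    Suspect             = ($count -gt $maxFiles -or $bytes -gt $maxBytes)
    ScanError           = $scanError
}
```

Because the script emits a single object, it can be run against several servers with `Invoke-Command` and the results sorted by `StoreFiles` or `FilesLast24h`.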