Microsoft Defender floods Windows system drive with files (May 2021)

Quick question to see if any of you are affected. Microsoft Defender, which is included by default in Windows, seems to have been running amok for a few hours now, creating and leaving thousands of files on Windows servers (and possibly Windows 10 clients). A user reached out to me on Twitter last night about this and left some initial clues. Here's a brief overview.


It was a short tweet that reached me around midnight – but I'm only now getting around to blogging about it. @enno0815de asked me in this tweet if I knew anything about the reported issue.


Enno0815de linked to the Microsoft Answers post "Windows Defender issue on server – lots of files being created", where a user described the following observation a week ago:

We have an issue on a Windows Server 2019 Datacenter virtual machine with Windows Defender.
We are in: Settings -> Update & Security -> Windows Security -> Virus & threat protection -> Virus & threat protection settings -> Manage settings

When Real-time protection is turned on, after about 20-30 minutes it creates hundreds/thousands of files in this location:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store

Most of these files are either 1kb or 2kb. Over a 24 hour period we ended up with roughly 950,000 files and it was taking 30 GB of space. This does not appear to be normal. There are no threats detected and no actively running scan or updates. These files appear to be encrypted, or at least we can't open them in notepad and see any useful data. This is only happening on one server.

Anybody got any ideas?

Other users confirm this, and a Microsoft employee confirmed that within 24 hours around 950,000 files are created and 30 GB of disk space are consumed. There is also this thread about Windows Server 2016 with the same observation:

Windows Defender Server 2016 watch out!

I think there is a big problem with Windows Defender eating up storage. This has started to happen over the past week and the folder in programData\Microsoft\Windows Defender\Scans\History\Store is gigantic! Just a heads up. I first noticed when one of the Veeam backups failed due to the VSS writer. I logged into the server and the c: drive had only 0.99GB on c: That was 30gb a few days ago!

The thread is also already rather long – so there are already a lot of affected people. I've only come across Windows Server cases. Any of you tangentially affected by this? Are there also known cases on Windows 10 clients?


Addendum: I just read from colleagues at a German site that scan engine module version 1.1.18100.5 is affected. A fix in the form of module version 1.1.18100.6 has been announced for Thursday (see the comment from the MS Defender engineer). The colleagues at Bleeping Computer have also published an article on the issue for English readers.
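
A triage check for the symptom described above, as an added example that is not part of the original post or of Microsoft's own tooling: it counts files and bytes under the Store folder, reports free space on the system drive and flags scan engine version 1.1.18100.5. The function name and the two alert thresholds are assumptions to be tuned per environment.

```powershell
#Requires -RunAsAdministrator
# Added triage example. Thresholds and the function name are assumptions.
$StorePath      = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History\Store'
$AffectedEngine = [version]'1.1.18100.5'   # engine version named in the addendum
$MaxFiles       = 50000                    # assumed alert threshold (file count)
$MaxSizeGB      = 2                        # assumed alert threshold (size in GB)

function Get-DefenderStoreReport {
    param([string]$Path = $StorePath)

    $count = 0; [long]$bytes = 0
    if (Test-Path -LiteralPath $Path) {
        # Stream the listing: the reports mention roughly 950,000 files, so
        # avoid collecting every FileInfo object in memory first.
        $dir = [System.IO.DirectoryInfo]::new($Path)
        try {
            foreach ($f in $dir.EnumerateFiles('*', [System.IO.SearchOption]::AllDirectories)) {
                $count++; $bytes += $f.Length
            }
        } catch [System.UnauthorizedAccessException] {
            Write-Warning "Access denied below $Path; totals are partial."
        }
    }

    # Engine version as reported by the Defender module (stays $null if unavailable).
    $engine = $null
    try { $engine = [version](Get-MpComputerStatus -ErrorAction Stop).AMEngineVersion }
    catch { Write-Warning "Could not read Defender engine version: $_" }

    $drive  = [System.IO.DriveInfo]::new($env:SystemDrive.Substring(0, 1))
    $sizeGB = [math]::Round($bytes / 1GB, 2)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        StoreFiles     = $count
        StoreSizeGB    = $sizeGB
        SystemFreeGB   = [math]::Round($drive.AvailableFreeSpace / 1GB, 2)
        EngineVersion  = $engine
        AffectedEngine = ($engine -eq $AffectedEngine)
        StoreBloated   = ($count -gt $MaxFiles -or $sizeGB -gt $MaxSizeGB)
    }
}

Get-DefenderStoreReport | Format-List
```

A host that shows both `AffectedEngine` and `StoreBloated` as True matches the reports quoted above; `SystemFreeGB` indicates how close the system drive is to the backup and VSS failures mentioned in the second thread.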
