{"id":6052,"date":"2018-06-29T22:58:45","date_gmt":"2018-06-29T20:58:45","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=6052"},"modified":"2018-07-02T18:49:48","modified_gmt":"2018-07-02T16:49:48","slug":"windows-defender-wont-receive-updates-june-2018","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/06\/29\/windows-defender-wont-receive-updates-june-2018\/","title":{"rendered":"Windows 7 Defender won’t receive updates (June 2018)"},"content":{"rendered":"

\"Windows[German<\/a>]Just a brief note: It seems, that Windows Defender won't receive automatic updates since a few days (June 18th 2018). But there are defender updates available, as a search for updates confirms. Here are a few details what I've found out so far.<\/p>\n

<\/p>\n

Some error description<\/h2>\n

\"\"After I posted the blog post Windows Defender meldet f\u00e4lschlich Trojaner<\/a> (English version here<\/a>), a German blog reader mentioned an observation<\/a>. Here is his comment, which I've translated:<\/p>\n

A little off topic, but I've noticed under Windows 7 since days that Windows Update doesn't report Defender updates anymore, because it doesn't find any via Windows Update. I just started an extra Windows update manually again, although it already ran automatically 3 hours ago, and again nothing.<\/p>\n

The strange thing is that every Friday I have the Defender do a quick check and have it set up so that it checks for updates and installs them right away.<\/p>\n

Now I started the Defender once and the last version of the definitions was 1.269.1075.0 from June 11, 2018, 16:50 o'clock (German time). After clicking on \"Check for updates now\" 1.271.193.0 from June 28, 2018 was installed at 21:10.<\/p>\n

Very strange! Has anyone else observed this problem?<\/p><\/blockquote>\n

Shortly later I received confirmation from other users. They observed a similar behavior \u2013 Windows Defender didn't receive updates automatically. And I found a few minutes ago this forum<\/a> post at askwoody.com (which triggered my decision, to write this blog post).<\/p>\n

In normal cases Windows Defender is disabled<\/h2>\n

I tried to check this issue on my Windows 7 machine, where also Microsoft Security Essentials is installed. Calling Windows Defender via start menu's search box ends here with the following message box.<\/p>\n

\"Windows<\/p>\n

The German text says, that Windows Defender is deactivated (disabled). There is a link to enable Defender. But I doesn't see a necessity for that. Depending on the installed third party anti virus software, this situation may be different und Windows Defender is enabled. I receive the feedback from my German blog readers, that Malwarebytes antivirus and some other antivirus vendors allows Windows Defender running in parallel.<\/p>\n

Nailing it down to the root cause?<\/h2>\n

Searching the web I didn't found other posts or an explanation at first. But gladly my German blog readers helped to nail it down. German blog reader Ralf Lindemann posted a comment with a strong hint:<\/p>\n

I'll follow up with a little thesis: On my computer, the Windows 7 Defender runs parallel to a \"full-fledged\" AV product. The Windows 7 Defender was and is activated and was regularly supplied with current definition updates via Windows Update until June 18.<\/p>\n

What happened on 18\/06? – On 18\/06 I started installing the updates from June patchday (a little late) on my private Win 7 computer. Immediately before installing KB4284867 (Security Only) Windows Defender received his last definition update. Since the installation of KB4284867 no updates for Windows Defender are detected. Collateral damage? Or deliberately switched off by Microsoft, so 'by design'?<\/p>\n

But [if that's true] why can definition updates be obtained via the separate updater in Defender? You don't know. But it's not really a problem \u2026<\/p><\/blockquote>\n

Ralf informed me later, that the update log just contained an entry claiming, that Windows Defender searched successful for update, but found no new updates:<\/p>\n

\u201e2018-06-29 10:23:19:454+0200 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 Windows Defender Success Software Synchronization Windows Update Client successfully detected 0 updates<\/p><\/blockquote>\n

Then blog reader Martin also confirmed, that he also checked the Windows 7 update history. He found out, that Windows Defender receiving automatically updates stalled after installing the June 12 2018 rollup update. Seems reasonable, but unfortunately, it's not true – see below.<\/p>\n

The theory, that Microsoft disabled that auto-update thing by intention isn't logical to me. During writing my blog post I stumbled upon my older blog post Windows 7\/8.1 receiving Windows Defender ATP support<\/a>. If Microsoft intends to add some functionality, it doesn't make sense, to stop updates now. So I guess, it's just a collateral damage \u2013 or something else has changed on Microsoft's update servers.<\/p><\/blockquote>\n

Addendum: Just another theory \u2013 servers-side issues<\/h2>\n

Just after I published this article, user Imacri left this comment<\/a> at askwoody.com for me. He pointed out, that Windows Defender in Windows Vista also stopped receiving updates at the same time as Windows 7. A discussion may be found here<\/a>. Here is the relevant observation (in Windows 7):<\/p>\n

One thing all three machines have in common is I am using WxFC as discussed elsewhere by Noel Carboni. I am using a similar approach to what he is, in that I only allow a few very specific update servers and only allow this when I am actively manually checking for updates.<\/p>\n

I noticed this time that both the Defender user interface and the svchost.exe are trying to get to both go.microsoft.com and http:\/\/www.microsoft.com. The former is using port 80, the latter both 80 and 443. Normally I have both of those blocked for all programs and svchost.exe (not specifically, but by exclusion). I noticed I was also getting requests (which I blocked) to go out to watson.microsoft.com, which I see when there is some type of issue and they want it reported to Microsoft.<\/p>\n

I also noticed something new. Using the Defender user interface once it finished the 'searching' phase it popped up a line that says 'Definition updates were found on the Microsoft Security Portal.' In the past when definitions were available I have never seen this appear. After this point I then would get error 0x80072efd and 'A connection with the server could not be established'.<\/p>\n

I then allowed a connection to go.microsoft.com for both the interface and the svchost.exe, but still no go. One time it downloaded the definitions file (or so it said) and my bandwidth monitor confirmed it was downloading. It said it installed it and it did not take, it was right back where I started. Next I also allowed http:\/\/www.microsoft.com for the user interface. No go. I then also allowed http:\/\/www.microsoft.com for the svchost.exe and everything proceeded as normal and the updated definitions were installed and it showed the latest version. Further checks seemed to connect with no issue.<\/p>\n

So, it seems they changed servers for doing Defender definitions updates? I strongly dislike the idea of allowing svchost.exe to go to a generic Microsoft address, because it seems to me that it could be doing just about anything, or more likely it could be than when going to a specific update server. I thought I had seen things in the past about not allowing go.microsoft.com, but I can't find any notes on it. I use a block all, allow a few specific things at specific times approach, so I have no need to specifically block this address. For me, I think I would rather not update Defender than allow this, but even if Defender isn't something I see a lot of value in, it has had critical exploitable flaws in the past requiring updates.<\/p><\/blockquote>\n

So my guess, that something may also be broken on Microsoft's update servers seems not to be too wrong.<\/p>\n

After I published the blog post in English, @VessOnSecurity confirmed that the theory of 'broken update server' is probably the most likely cause. In a reply<\/a> to my post he wrote.<\/p>\n

\n

I can confirm that on Win7 machines, Windows Defender updates via WU no longer occur (since June 11).<\/p>\n

However, this happens even if the June roll-up is NOT installed.<\/p>\n

It's not some update that has screwed things up; Microsoft has changed something server-side.<\/p>\n

\u2014 Vess (@VessOnSecurity) 29. Juni 2018<\/a><\/p><\/blockquote>\n