Guest Andrew B. Painter
Posted

A few days ago, Win10's Defender Antivirus started "detecting" viruses in files that were actually older than the viruses detected. Those files (contained in MSIs inside ISOs) were there in the filesystem for most of the last year, so it was pretty irksome by all accounts. I reported false positives to MS and got the following reply:

    We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

    1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
    2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
    3. Run "MpCmdRun.exe -SignatureUpdate"

    Alternatively, the latest definition is available for download here:
    Latest security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence

    Thank you for contacting Microsoft.

When attempting to run these, I got the following error:

    MpCmdRun: Command Line: MpCmdRun.exe -removedefinitions -dynamicsignatures
    Start Time: Sat Nov 16 2019 15:41:57

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpRemoveDefinitions(0)
    ERROR: MpRollbackSignature failed with hr=80070005
    MpCmdRun: End Time: Sat Nov 16 2019 15:41:57

The other command (-SignatureUpdate) worked fine, but of course the cached detections won't go away.

I've tried disabling Win10 Defender Antivirus via Group Policy Editor. No joy.

I found an identical error code report somewhere on MS Forums that suggested running dism.exe to do a checkup (it found errors) and repair (it returned a claim that the image was successfully repaired), but I still get the same error with MpCmdRun.exe.

It's not system-breaking since I can just allow the detected files. It's fairly annoying to have to retain false positives in the detection history, and it's even a bit dangerous considering the user of that PC is an end-user who's fairly likely to look at the history in 6-18 months and do something like Remove or Quarantine the threat, which would definitely break software they use daily.
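As an added example (not the poster's or Microsoft's code) of running the two-step procedure from the reply and making a failure readable: the script below refuses to run unless the session is elevated, runs both MpCmdRun.exe steps, and decodes the hr= value that MpCmdRun prints, which for 80070005 is the Win32 "Access is denied" error wrapped in an HRESULT. It assumes the default Defender install path under %ProgramFiles% and that the Defender PowerShell module (Get-MpComputerStatus) is present.

```powershell
# Added example, not from the original post or from Microsoft: drive the
# two MpCmdRun.exe steps from the reply under an elevated session and
# decode the HRESULT that MpCmdRun prints when a step fails.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# Both steps require an elevated prompt, so refuse to run without one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

function Invoke-MpStep {
    param([string[]]$Arguments)
    # Capture stdout and stderr together; MpCmdRun reports failures as
    # "... failed with hr=XXXXXXXX" in its output, as seen in the post.
    $output = (& $mpCmdRun @Arguments 2>&1 | Out-String)
    Write-Host $output
    $result = [pscustomobject]@{ Step = ($Arguments -join ' '); Ok = $true; Detail = '' }
    if ($output -match 'hr=(?:0x)?([0-9A-Fa-f]{8})') {
        $hr       = [Convert]::ToUInt32($Matches[1], 16)
        $facility = [int][math]::Truncate($hr / 65536) -band 0x1FFF
        $code     = [int]($hr -band 0xFFFF)
        $result.Ok = $false
        # Facility 7 (FACILITY_WIN32) wraps a Win32 error code:
        # 0x80070005 -> code 5 -> "Access is denied".
        if ($facility -eq 7) {
            $win32 = New-Object ComponentModel.Win32Exception($code)
            $result.Detail = ('0x{0:X8}: {1}' -f $hr, $win32.Message)
        } else {
            $result.Detail = ('0x{0:X8} (facility {1}, code {2})' -f $hr, $facility, $code)
        }
    }
    return $result
}

# Steps 2 and 3 from the reply. Step 3 runs even if step 2 is denied,
# since the post reports -SignatureUpdate succeeding on its own.
$remove = Invoke-MpStep -Arguments '-RemoveDefinitions', '-DynamicSignatures'
$update = Invoke-MpStep -Arguments '-SignatureUpdate'
$remove, $update | Format-Table Step, Ok, Detail -AutoSize

# Context only: Tamper Protection restricts Defender changes even from an
# elevated session. Whether it is behind the access-denied result above
# is not established by the post; this just shows the setting's state.
try { "Tamper Protection enabled: $((Get-MpComputerStatus).IsTamperProtected)" }
catch { 'Get-MpComputerStatus unavailable (Defender module not loaded)' }
```

The script only reports the denied step the way the post shows it; it does not change any Defender setting.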

 
