Windows 10 Defender disabled

[ceandra]

Hello:

I installed the 14-day trial on December 31 in order to address a potential malware issue.

When the trial ran out on the 14th, I started getting notifications that no AV program was enabled. I had been using Defender. This is on Windows 10 Home 64-bit. I followed the tests on https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start/problems-starting-windows-defender-in-windows/808253bb-db89-4db9-a4e5-1c91a86489e9, but still cannot start Defender again. It indicates the "Threat Service has stopped. Restart it Now", but after some time it comes back and says an undefined error. I tried removing MalWareBytes via the apps in setup, no better. I also tried running the MalWareBytes cleanup tool, again no improvement. I tried multiple times rebooting in between these various steps.

I also tried looking for a restore point, but found none before the 12/31 install (this is a new computer).

Are there known issues with MWB and Defender? I thought they worked OK together. How can I restore operation of Defender?

Thanks

Chuck

 

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

1. Download Malwarebytes Support Tool
2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
3. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
4. Place a checkmark next to Accept License Agreement and click Next
5. You will be presented with a page stating, "Get Started!"
6. Click the Advanced tab
   
    
7. Click the Gather Logs button
   
    
8. A progress bar will appear and the program will proceed with getting logs from your computer
   
    
9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
   
    
10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
       

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[ceandra]

Logs attached

mbst-grab-results.zip

[ceandra]

PS: When I try to manually stop and restart the Security Center service, it shows as "running", but the options to stop or restart are greyed out and I cannot manually cycle the service

 

[LiquidTension]

Hi Chuck,

I see you're running an outdated version of Windows 10. Have you considered updating to the latest version?

Windows 10 Home Version 1803 17134.523

Here is the source of your issue:

Error: (01/16/2019 10:38:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MsMpEng.exe, version: 4.18.1812.3, time stamp: 0xaa8bf4c9
Faulting module name: mpengine.dll, version: 1.1.15500.2, time stamp: 0x5bff8402
Exception code: 0xc0000005
Fault offset: 0x0000000000185014
Faulting process id: 0x18d0
Faulting application start time: 0x01d4ae26dfcbc18c
Faulting application path: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1812.3-0\MsMpEng.exe
Faulting module path: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{31014893-3B92-4278-A6DC-46D6DC812EC0}\mpengine.dll
Report Id: 65675de3-e275-488f-ab22-b9472624e4d4
Faulting package full name: 
Faulting package-relative application ID:

Please do the following:

SFC /Scannow

• Please download sfc_scannow.bat using the link below.
  https://malwarebytes.box.com/s/71uel6xlgciq5fitx1lq8a6jqo3ck4mi
• Open your Downloads folder.
• Right-click sfc_scannow.bat and select Run as administrator to run the file.
• Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.
• A black Command Prompt window will appear.
• Upon completion, a file named mb-cbs-log.txt will be created on your Desktop.
• Please attach the file in your next reply.

Also, please run the following command at the Command Prompt and provide the generated output saved to your desktop.

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s >> "%userprofile%\desktop\query.txt"

 

Edited January 17, 2019 by LiquidTension

[ceandra]

LT:

Thank you for your rapid help!

I have completed the scans you requested and results are attached. I also noted that in Windows Update, two updates were failed, as well as a defender definitions. I retired the updates multiple times,  and one took last night (I don't recall all the things I tried, one was a clean boot), but the last one will not happen successfully. I am attaching screen grabs of the failed (and successful) updates. Hoping this is the root and can be fixed!

Thanks again for your prompt attention.

Chuck

 

mb-cbs-log.txt

query.txt

[ceandra]

update 2019 01 just installed without issue today, but it never shows 2018 11 as successfully installing

Chuck

[LiquidTension]

Thanks Chuck.

Please download batch.bat using the following link: https://malwarebytes.box.com/s/jlhjsposwb7q81ihpsr6au89b7f4pd3v

Right-click the file and click Run as administrator. A file named query2.txt will be saved to your Desktop. Please attach this in a post.

Afterwards, please restart the computer (Start button > Power button > Click Restart; not Shut down). After the restart, do the following:

• Press the Windows Key + R on your keyboard at the same time. Type services.msc and click OK.
• Scroll down to Windows Defender Antivirus Service. Right-click and click Properties.
• Click Start.
• Let me know the results.

[ceandra]

LT:

Thanks again for helping out.

Results of batch file are attached. In addition, attempting to start the service results in an error (unexpected error), I captured the screen and attached as well.The Defender update still faiels to work. Windows update 2018 11 still shows failed. Virus and Threat Protection in settings still fails.

Thanks again for helping with diagnostics.

Chuck

query2.txt

[LiquidTension]

Thanks ceandra.

I recommend we proceed by getting Windows 10 version 1809 installed using the Media Creation Tool. This is typically the most effective method to get the latest version of Windows 10 installed. Please refer to the link below and use the 'Download tool now' button.

https://www.microsoft.com/en-us/software-download/windows10

Once you get version 1809 installed, check Windows Defender and let me know.

[ceandra]

LT:

I too had the same thought, but wanted to wait until I heard back from you.

I did the install, taking all defaults. This means it was set to keep all my data and apps (repair install). However, the results after this are the same, Defender will not start. I re-did most of the scans asked for above, and results attached. Before gathering the logs I re-ran MalWareBytes scan, nothing found. The Query.txt command line above does not find the registry entry it is trying to read.

Is a clean/full install next? If I do that from the same install package, what settings should I change (I presume it can be done from there, by selecting the "change what I keep" link?)?. Or should I do a factory reinstall? Would be just as happy to not have all the HP junk installed if I do clean install.

Would prefer not to do this, hoping you have something else to try.

One other note: When I go to Settings, Windows Security, Virus and Threat Protection, sometimes (first time) it pops up and says the IT department policies prevent me from going to this page, but it lets me in anyway (pop-up disappears). Since this is a home machine, there should be no IT department!

Thanks

Chuck

mbst-grab-results.zip

query2.txt

mb-cbs-log.txt

[Porthos]

@ceandra I had the same issue about a year ago. After a couple of repair installs and several fixes that were supposed to fix the issue, I finally did a clean install. No issues since.

 

[ceandra]

I'll wait and see if LT has any more suggestions. Looks like a truly clean installation, without HP Bloatware, is possible through the "fresh start" option on the Settings pages. Will have to re-install all software, but since this is fairly new computer, that won't be too hard.

Chuck

[ceandra]

I tried the fresh start. It got 90% done, then reported "There was a problem resetting your PC. No changes were made"

Downloading iso to a DVD to try other routes. Probably will have to do entirely clean install. What a Pain.

Chuck

[ceandra]

In the end, I did a full install of windows 10 using latest install media, and then restoring my documents and re-installing all software. Painful, but it fixed the issue, and removed the bloatware that came with the computer.

Thanks for trying to diagnose. Cannot be sure MWB was the cause of the issue, no way to know going forward. But I appreciate the efforts you put in to trying to solve.

Chuck

[Porthos]

1 hour ago, ceandra said:

Painful, but it fixed the issue, and removed the bloatware that came with the computer.

Now I suggest you(if you do not already have one) Invest in an external drive and make regular images with Macrium Reflect Free. So you will never have to start from scratch again.

https://www.macrium.com/reflectfree

[ceandra]

I normally do use Windows Image Backup. I had not yet on this, because it was a new computer, Defender went bad while still in the setup process.

Once I have the rest of my software loaded (I had not finished) I will do an image as a new starting point.

I did have the image from prior computer, as well as an image I took before re-installing Windows (though it was already having issues, so no sense in restoring that image)

Chuck

[Porthos]

1 hour ago, ceandra said:

Windows Image Backup.

Don't use that. Even Microsoft recommends a 3rd program now. MS is slowly depreciating that built-in program.

https://answers.microsoft.com/en-us/windows/forum/windows_10-update/is-windows10-really-phasing-out-backupfile/8d46c7b8-6bb7-4532-8d3d-ecc387656194?auth=1

Edited January 25, 2019 by Porthos

[sadfghgshfdg]

So the end result I gather from this is that MBAM has gotten so bad, it itself has become ransom ware.

Disabling Windows Defender, and even preventing Windows Updates and Virus definition downloads for Defender, requiring either paying for a subscription access and disable the grayed out features that "Let Malwarebytes apply the best Windows Action Center settings based on your system (recommended)", or a full reinstall of Windows to fix the issue.

This is just ridiculous...

To fix the issue, I used the link below. After I uninstalled Malwarebytes I had to do a regedit to re-enable Windows Defender.

Solved: Windows Defender Is Turned off and is Currently Managed by Your Systems Administrator

[exile360]

Actually, Malwarebytes doesn't touch Windows Defender at all.  This behavior is actually due to the way that Microsoft designed Defender so that whenever another security program registers as AV protection under Action Center/Security Center, Windows Defender automatically turns itself off to prevent any potential conflicts.  That said, by default whenever Malwarebytes is being installed, if Windows Defender (or Microsoft Security Essentials on Windows 7/Vista/XP for that matter) is detected as being enabled, Malwarebytes will default to not registering with the Windows Action Center/Security Center so that Windows Defender will remain active, even alongside the Premium version of Malwarebytes 3.

However, some users are experiencing an issue where, for some unknown reason, Malwarebytes is still registering itself with the Windows Action Center even when Defender is active on the system, causing Defender to disable itself as Microsoft designed it to.  That is what's causing this issue and to my knowledge the team still doesn't know why, but they are investigating it.

In the meantime, if you do experience this issue then you should be able to resolve it simply by opening Malwarebytes and navigating to Settings>Application and selecting the option Never register Malwarebytes in the Windows Action Center under the Windows Action Center section then restarting your system.  That should cause Defender to detect that no other program is registered with the Action Center so that it re-enables itself automatically (again, this is how Microsoft designed it so that when users removed their third party AVs they would not be left without any active protection on their systems).

I have seen one instance reported so far where a registry policy was configured to disable Defender, however Malwarebytes does not toggle that setting, even when registering itself with the Windows Action Center, so how that setting/policy got modified I do not know, but it is possible that either Defender did so itself or a past or present PUP or malware threat did so.

[ceandra]

My issue was coincident with MWB, but I cannot definitively say MWB caused it. I am thankful to the assistance received in trying to recover.

In my case, once MWB trial ended, I stated getting notifications that no AV was active. The notification took me to the Defender setup, but I could not restart defender, either here or in Services, even after reboots.

It is certainly possible that the malicious code that I received, for which I installed MWB to remove, caused all of the issues.

Without certainty as to whether MWB caused the problem, the support staff still worked with me to try to re-enable Defender. Kudos.

Chuck

[exile360]

Yes, that's definitely a possibility as it is very common for threats these days to disable Defender (including many PUPs, not just actual malware).

That said, I do believe there is a known issue which was mentioned earlier which may occur if Malwarebytes is running in free trial mode and configured to register itself with the Windows Action Center and once the free trial expires, it stays registered with the Windows Action Center and you cannot change the option because it is only configurable when running in Premium/trial mode (not free mode), however even in those cases that should not impact Windows Defender in that way so I'm definitely thinking some other factor was at play in your case, and I'm glad to see that it got resolved.