VirTool:Win32/DefenderTamperingRestore question


Go to solution Solved by AdvancedSetup,


First of all, apologies if this is the wrong section, this is more a question rather than a Malware case (I think), so if needed please move the topic to the corresponding section.

Okay, so, I was doing a monthly checkup on my PC. Malwarebytes and McAfee didn't find anything strange. But when I ran Microsoft Safety Scanner it found the VirTool:Win32/DefenderTamperingRestore trojan, which it also mentioned that it removed. After that I made a full scan with Malwarebytes (rootkit option enabled), McAfee, Windows Defender and Safety Scanner again and everything was alright. Also my PC never had any strange behaviour or anything odd.

Now I tried looking around what this could be about and found all sorts of stuff, from people saying it was a deadly doomsday virus to others saying it's a simple false positive that happens when one of my own antivirus products disables Windows Defender (an actual Microsoft page says this even). While I had disabled the Malwarebytes option that "overrides" Defender some time ago, I noticed that I indeed had Defender's Periodic Scanning disabled, as McAfee was being treated as my main antivirus. Dunno if I disabled it myself, but I enabled it again before doing the second round of scans I mentioned above and there doesn't seem to be anything strange, all results were clean.

Still wanted to ask about Defender Tampering Restore to be sure what it was about. I am aware that many sites, especially where regular users try to take action can have a lot of misinformation.


Hello @Dis-ApplePear and welcome back:

Regardless of where you have started your topic, it would be best if a timely set of good logs is made available.

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file in your next reply to this topic.

Thank you.

Edited by 1PW

  • Root Admin

Hello @Dis-ApplePear

The Microsoft Windows Defender Tamper setting is normal and should be enabled. The logs don't seem to indicate any obvious infection at the moment.

Please temporarily disable your McAfee antivirus real-time protection and run the following scan from Microsoft

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands, just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.


It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.


Gotcha, followed your instructions regarding the folders and left the Microsoft Safety Scanner doing a full scan one more time. As you mentioned it takes a few hours to finish, once it's finished I'll upload the log file.

Thanks for all the help 1PW and AdvancedSetup. 


Alright, did it properly this time. Sorry for the delay. (It says that everything is fine again)

So...  the whole VirTool:Win32/DefenderTamperingRestore that the Security Scanner identified as a Trojan at first, what was it exactly? You mentioned that the setting was normal and should be enabled, I get that, but what was it? 

And, oh yeah, nothing's gonna happen for having had my antivirus disabled during the couple of hours the Security Scanner was working correct (that included the Firewall)? I didn't use the PC and just let the scanner work and disconnected it from the internet in the meantime.

msert.log


  • Root Admin

Microsoft added the Tamper Protection service to one of the newer updates to Windows 10 a while back. It is designed to help keep malware or other security products from disabling Windows Defender without properly doing so.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you


Alright, here it is. I didn't have any problems installing or running the program, Smartscreen didn't say anything.

I noticed that the SecurityCheck says that "McAfee Firewall Core Service (mfefire) - The service has stopped" but the Firewall option of McAfee is On and currently working.

SecurityCheck.txt

Edited by Dis-ApplePear
A bit of additional info.

  • Root Admin

I wouldn't be too worried about the report. It is not always 100% accurate.

Please uninstall, update, or otherwise address the following as appropriate for your system.

Adobe Acrobat Reader DC - Español v.20.013.20064 Warning! Download Update | ^Please run Acrobat Reader DC and go Help - Check for updates...^
Adobe Creative Cloud v.5.4.1.534 Warning! Download Update
Discord v.0.0.310 Warning! Download Update
WinRAR 5.91 (64-bit) v.5.91.0 Warning! Download Update
Zoom v.5.11.1 (6602) Warning! Download Update
iTunes v.12.12.4.1 Warning! Download Update | ^Please use Apple Software Update tool.^


---------------------------- [ UnwantedApps ] -----------------------------
Bonjour v.3.1.0.1

Then restart the computer and check for Windows Updates and install any security updates found.

Let me know how the computer is running after all of this and if there are still any signs of infection or other issues.


Okay, updated the programs. Adobe was a nightmare (Reader sneakily installed two McAfee programs that were a pain to uninstall) and I got rid of Bonjour.

My PC is working well, nothing strange. To be fair, it never showed any strange behaviour or issues aside from detecting the Defender Tampering Restore the first time around, which never happened again (decided to run Safety Scanner one more time and everything is clean).

From what I am getting, the Defender Tampering Restore was added in the Windows Update at some point and is normal, but it was mistakenly identified as a Trojan by Security Scanner, correct?

I'll attach the latest Security Check log as well.

SecurityCheck.txt


  • Root Admin

Yes, Microsoft did add the Tamper setting in a newer version of Windows via Updates. From my understanding both malware and in some cases even legit security programs change that setting and disable it. Microsoft re-enables the Tamper Protection.

The log looks good. There are still some McAfee elements on the system but you may have wanted or installed those on purpose. If not I can help you to remove those too, let me know.


Okay, so, my PC is clean according to all the reports, correct? There has never been weird behaviour or anything and now it's cleared up that the "virus" that was found was essentially a false positive. But just want to make sure.

Regarding McAfee, yeah, it would be good to do a final cleanup if necessary. My main antivirus is McAfee LiveSafe so most elements must be from that, and I'd rather leave those, but not if there are some remaining that snuck in or still remain after Adobe installed stuff without permission. IIRC, the ones that snuck in with Adobe were McAfee Safe Connect and McAfee Security Scan Plus, both of which I managed to remove from my PC (I think no trace remains).

BTW, man, thanks a lot for all your patience and help here.

Edited by Dis-ApplePear

  • Root Admin
  • Solution

Nope, if you're running McAfee as your main antivirus then all is good. Just the Tamper reset which I wouldn't say is a false positive but no issue either.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


Alright, did so. KpRm essentially cleans the logs and removes all the programs I used during this process to scan and clean my PC, correct? SmartScreen was actually wary of this one this time around. I actually did it twice, once following the procedure we were doing so far and later once again after trying Safety Scanner one more time for what I describe below:

Before using KpRm for the second time, I made a test of sorts on my end. I manually disabled Defender and ran the Microsoft Safety Scanner to see if anything happened and yup, it actually detected the VirTool:Win32/DefenderTamperingRestore as a Trojan again. Defender was disabled the first time this detection happened (the instance that prompted me to make this thread). My take here is that any time Defender is disabled for one reason or another, Tampering Restore will kick in to try to enable it and Safety Scanner will detect it as a Trojan. Though I still don't quite get why. I mean, if Tampering Restore is officially part of an update and Safety Scanner is a Microsoft product, shouldn't Safety Scanner recognize it? (I did download the newest version from the page, so I don't think it was because Safety Scanner wasn't updated.) Another thing that I am wondering about is that Tampering doesn't reactivate Defender; if Windows Defender is disabled I have to manually enable it myself.

Sorry for keeping on dragging this, but I simply want to know. It was the reason I made this topic after all. Though I really appreciate all the help to ensure my PC is clean.

Here are the logs of the KpRm (before and after this last Safety Scanner) as requested and the last Safety Scanner, just in case.

And, really man, thanks for all your help and patience.

msert.log kprm-20230121205933.txt kprm-20230122114935.txt
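The state the poster is probing above (Defender disabled by hand, a third-party AV registered, Tamper Protection on or off) can be read directly instead of inferred from a Safety Scanner verdict. The PowerShell snapshot below is an added example, not code from the thread or from Microsoft; it assumes an elevated prompt on a current Windows 10/11 build with the Defender module available, and the registry value names and their 5/4 encoding are an assumption noted in the comments.

```powershell
# Added example (not from the thread): snapshot the Defender settings that the
# VirTool:Win32/DefenderTamperingRestore detection relates to, so you can tell
# whether Defender is merely passive (another AV registered) or actually off.
# Run from an elevated PowerShell prompt.

function Get-DefenderTamperSnapshot {
    $status = Get-MpComputerStatus

    # AV products registered with Windows Security Center (e.g. McAfee LiveSafe).
    $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object -ExpandProperty displayName

    # ASSUMPTION: Tamper Protection state is mirrored in this registry value
    # (5 = enabled, 4 = disabled on recent builds). Informational only;
    # IsTamperProtected from Get-MpComputerStatus is the authoritative flag.
    $tpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $tpReg = (Get-ItemProperty -Path $tpKey -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection

    # A value of 1 here means Defender was switched off by policy or a script,
    # which is a different situation from a registered AV putting it in passive mode.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $disableAS = (Get-ItemProperty -Path $polKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware

    [pscustomobject]@{
        TamperProtected        = $status.IsTamperProtected
        TamperProtectionRegVal = $tpReg
        RunningMode            = $status.AMRunningMode        # 'Normal', 'Passive Mode', ...
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        AntivirusEnabled       = $status.AntivirusEnabled
        DisableAntiSpywarePol  = $disableAS
        RegisteredAV           = ($avProducts -join '; ')
    }
}

$snap = Get-DefenderTamperSnapshot
$snap | Format-List

if (-not $snap.TamperProtected) {
    Write-Warning 'Tamper Protection is off; re-enable it under Windows Security > Virus & threat protection settings.'
}
if ($snap.DisableAntiSpywarePol -eq 1) {
    Write-Warning 'DisableAntiSpyware policy is set: Defender was disabled by policy, not by a registered third-party AV.'
}
```

Taking this snapshot before and after a Safety Scanner run shows whether a DefenderTamperingRestore detection coincided with Tamper Protection or real-time protection actually being off, rather than with McAfee simply holding Defender in passive mode.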


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

This topic is now closed to further replies.