![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Users sometimes get these repeated detections because Windows Defender Antivirus still doesn’t have an error handler for remediation failures. So instead of telling you that you need to manually remove a threat, or use a third-party malware-removal app for that purpose, Defender will just keep on detecting the same threat over and over again.
People tried to explain this to a Microsoft developer in this thread:
When a threat detection starts recycling like this, you don’t want to turn off notifications; you want to take some action to remove the threat, since it might not have been blocked. The first thing you should do is check the detection path for the threat, to see if it’s in a location where it can be deleted with Disk Cleanup or by clearing your browser cache. The detection path is listed in the Full History page under “Affected items”.
Windows Defender Security Center > Virus & threat protection > Scan history> See full history > down arrow > See details
More detailed information is available if you right-click on the Start button; select Windows PowerShell; and then copy, paste, and enter these commands:
Get-MpThreatDetection
Get-MpThreat -ThreatID [ID]
Pay particular attention to the fields that report the location and status of the threat, and also to the Action Success and Additional Actions Bitmask fields. If Windows Defender Antivirus actually has the ability to report remediation failures, then this is where we would expect to find it:
None (0)
FullScanRequired (4)
RebootRequired (8)
FullScanAndRebootRequired (12)
ManualStepsRequired (16)
FullScanAndManualStepsRequired (20)
RebootAndManualStepsRequired (24)
FullScanAndRebootAndManualStepsRequired (28)
OfflineScanRequired (32768)
FullScanAndOfflineScanRequired (32772)
RebootAndOfflineScanRequired (32776)
FullScanAndRebootAndOfflineScanRequired (32780)
ManualStepsAndOfflineScanRequired (32784)
FullScanAndManualStepsAndOfflineScanRequired (32788)
RebootAndManualStepsAndOfflineScanRequired (32792)
FullScanAndRebootAndManualStepsAndOfflineScanRequired (32796 )
https://msdn.microsoft.com/en-us/library/windows/desktop/dn439471(v=vs.85).aspx
Of course the problem with this is that the manual steps required for the removal aren’t specified. If the Learn more link in the Full History details is functional, then there might be some manual steps provided in the threat catalog. But what I’m seeing with the eicar.com test file is a dysfunctional link in the Windows Defender Security Center app, although the link in the classic Windows Defender UI is working fine. But for the most part, if the threat isn’t located in a folder that can be cleared manually with Disk Cleanup, or by clearing the browser cache, then you should run some of these trusted third-party malware-removal apps:
Kaspersky Virus Removal Tool:
http://support.kaspersky.com/viruses/kvrt2015
Emsisoft Emergency Kit:
http://www.emsisoft.com/en/software/eek/
Malwarebytes Anti-Malware (free version only):
https://www.malwarebytes.org/antimalware/
Eset Online Scanner:
http://www.eset.com/us/online-scanner/
Some other trusted third-party malware-removal apps are listed here:
GreginMich
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)