
Windows Defender Identifies The SAME PUP As A Threat Repeatedly

Anonymous
2020-06-16T21:00:07+00:00

Since the implementation of W10 V2004, Windows Defender has now been defaulted to identify PUPs as a threat. As a result, many are now made aware of their presence. And they are "remediated", on the spot, to prevent them from causing any mischief.

The problem occurs on the subsequent scans with Windows Defender. It identifies the same PUP again, and again. It has been determined that this is caused by the presence of the PUP in Protection History.

It appears that the default remediation that Windows Defender applies to PUPs is to Block them, then leave them in Protection History.

EDIT: It has been found that malware other than PUPs can require this same procedure. Some have discovered that even Trojans exhibit this same characteristic, when remediated by Windows Defender in W10 v2004.

If you have any malware, remediated by Windows Defender, that alerts repeatedly, this procedure applies to it as well. In order to clean up the malware completely, find the file in the "container file" in the Protection History record, and delete the file that is described. If you can't find or access the file, run the Microsoft Safety Scanner. It uses the same definitions as Windows Defender, and should remediate the file.

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Then proceed to delete the Protection History info.

END EDIT.

Windows Defender is defaulted to scan its own "Scans/History". Resulting in the discovery of the malware over and over again. Even though, other scanners see no evidence of the malware on the PC. It doesn't exist!

Until Microsoft sees fit to fix this problem, you can prevent the repeating error indication, by deleting the items that are described in Windows Defender Protection History. You can delete them by accessing their files, that are located in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service.

In the "Service" folder, find and delete "Detection History"

Note: ProgramData is a hidden file. In order to access it, the "Hidden Items" option in "File Explorer" must be checked. Find the "Hidden Items" check box under the "View Tab".

And, the first time that you access "Scans", you must select "continue", to obtain the permission.

Restart and try another scan. Notifications for the current malware should stop.

However, this program miscue will probably reoccur, when the next PUP / Malware is encountered.

Glen

Windows for home | Windows 10 | Security and privacy
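
The procedure in the post above, written out as a PowerShell script (an added example, not part of the original post and not Microsoft's tooling). It assumes the history path quoted in the post, a folder named `Detection History` or `DetectionHistory`, and the `kind:_path` resource format noted in the comment; `Get-ResourcePath` and `$ServiceDir` are names introduced here.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run with -WhatIf first to preview the deletion.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Folder path quoted in the post
    [string]$ServiceDir = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'
)

# Assumed resource format: "file:_<path>" or "containerfile:_<path>", optionally "->inner item"
function Get-ResourcePath([string]$Resource) {
    if ($Resource -match '^(?:file|containerfile):_(?<path>.+?)(?:->.*)?$') { $Matches['path'] }
}

# 1. Threats reported more than once, and whether each flagged file is still on disk
$repeats = Get-MpThreatDetection | Group-Object ThreatID | Where-Object Count -gt 1
$report = foreach ($group in $repeats) {
    $threat = Get-MpThreat -ThreatID $group.Name -ErrorAction SilentlyContinue
    $group.Group.Resources | ForEach-Object { Get-ResourcePath $_ } |
        Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
            [pscustomobject]@{
                Threat      = $threat.ThreatName
                Detections  = $group.Count
                Resource    = $_
                StillOnDisk = [bool](Test-Path -LiteralPath $_ -ErrorAction SilentlyContinue)
            }
        }
}
if (-not $report) { Write-Host 'No repeated file detections found; nothing to clean.'; return }
$report | Format-Table -AutoSize | Out-Host

# 2. History entries with timestamps, to match against the times of the alerts.
#    The post names the folder "Detection History"; the wildcard also matches "DetectionHistory".
$history = @(Get-ChildItem -LiteralPath $ServiceDir -Directory -Filter 'Detection*History')
$history | Get-ChildItem -Recurse -Force |
    Format-Table FullName, LastWriteTime -AutoSize | Out-Host

# 3. Per the post: remove the flagged file first, then delete the history
$present = @($report | Where-Object StillOnDisk)
if ($present) {
    Write-Warning ("Still on disk, remove or rescan first: " + ($present.Resource -join ', '))
    return
}
foreach ($dir in $history) {
    if ($PSCmdlet.ShouldProcess($dir.FullName, 'Delete Defender detection history')) {
        Remove-Item -LiteralPath $dir.FullName -Recurse -Force
    }
}
```

After it completes, restart and run another scan, as the post describes.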

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


188 answers

  1. bhringer-9380 4,350 Reputation points Volunteer Moderator
    2020-11-05T03:45:51+00:00

    Hi Glen, thank you for your instructions! However, I have a quick question. I went to "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" as instructed, and found three folders, named 00, 01 and 02. I noticed that the dates/times on the folders matched the three times I was notified by Windows Defender about the same problem, so I just assumed a folder was created for each alert. I just deleted all of the folders without much thinking, and I only now started to wonder if I've done something stupid. Do you know if it was okay to just delete the numbered folders inside Service-folder, or have I f-ed up, and need to reinstall Windows, download a patch etc., or am I okay?

    Waiska

    You did fine, no need to worry.

    ~bhringer

    7 people found this answer helpful.
  2. Anonymous
    2020-08-05T14:35:27+00:00

    hey thanks a lot i've been searching whole day try other anti virus. didn't work only this. thankssss u save my life. i can sleep now and have a peace of mind :))

    7 people found this answer helpful.
  3. Anonymous
    2020-07-13T17:30:24+00:00

    Glen, thank you, I'm afraid these pups have gotten into my mainframe and have scrambled my hard drive. What vicious pups that run loose

    7 people found this answer helpful.
  4. Anonymous
    2021-07-10T08:23:35+00:00

    Hi Rob,

    Thanks for the input. Of course the "compatible" MalwareBytes has been involved in many problems associated with Defender. The "Always Register" case, for one.

    I can't say whether any of the Defender false positives were caused by conflict between Defender and MalwareBytes or not. But that is an interesting hypothesis. In the beginning it only involved PUAs. And I believed that was caused by the remediation for them, that was just to block them. And a fault in Defender allowed it to "detect" the blocked item in Protection History. Microsoft has had more than ample time to correct that situation though.

    Then it appeared, that the same "repeat" detection was occurring with other malware, as well. That which was not just blocked. However, removing these items from the History would also eliminate the alerts. I suppose that these problems might be brought on by conflict. But probably not one that I will have the chance to investigate. There are so many "advisors" nowadays, who have discovered that Repair Upgrade will fix almost anything, and get them an "Answered", that it is difficult to have a chance to "diagnose" any problem. Even though their approach can be compared to driving a thumb tack with a sledge hammer, it resonates with many who post in the Community. I have reduced my participation, somewhat.

    EDIT: Rob, my response to a post by Kaanozeer, is what you responded to in this thread. I had some difficulty in finding this, or I would have included it in my response above.

    It turns out that Kaanozeer located a solution to his Defender problem, which did involve a conflicting application. *Intel Driver & Support Assistant / Intel Computing Improvement Program*. See this link... (it will not insert) HTTPS://www.reddit.com/r/antivirus/comments/ndrjw0/Windows_Defender_states_it_took_action_against/?utm_source=share&utm_medium=web2x&context=3

    This may be fuel to accommodate your hypothesis.
    

    Best of luck to you, Glen

    6 people found this answer helpful.
  5. Anonymous
    2020-07-13T03:49:17+00:00

    Hi qweasds,

    There is no reason for you to reset your PC!

    What you have is a program problem in W10 v2004. When Windows Defender remediates a PUP (PUA), it blocks it, but leaves a copy of it in Windows Defender Protection History. The other scanners cannot locate the PUP, because it only exists in Protection History. The copy in Protection History, is what WD keeps detecting over and over again!

    The procedure for deleting the PUP (PUA) from Protection History is described on the first page of this thread. All that you need to know about that procedure, is explained there. Re-examine the page, and if you still have any questions, please reply.

    Good luck,  Glen

    6 people found this answer helpful.