Windows Defender False-Positives loop

Anonymous
2021-02-15T12:02:00+00:00

After spending all day on this (literally) my patience has worn out.

I have been using Windows Defender for many years on many different computers; they've done their job and never given me grief, until now.

I've been able to download several tools/programs without issue and have done so for years. I'd download, scan, then run the program once it showed up clean. Windows Defender (WD) never gave me any grief with any of these, until I tried to download a specific file from a forum. I know for an absolute fact that this file is safe, but when I first tried downloading it, it appeared as:

Backdoor:Win32/Bladabinda!ml

I did various checks online with well-trusted antivirus browsers, and the fact that thousands upon thousands of individuals have used this program/tool hassle-free further proves the program is safe. With this being a false positive, I figured I could just whitelist the program, but this is where the loop happens. The moment I try to download it, WD immediately deletes it. If I go into Exclusions, it asks for a specific file to whitelist.

Do you see the issue here? With this bug causing an infinite loop of frustration, I went to switch WD off while I did my work, but soon discovered that you actually cannot turn Windows Defender off. There are online remedies for editing the registry on your computer and doing other workarounds; however, absolutely none of these worked. So now I cannot download a needed program and Windows Defender has refused to turn off. After trying to download the exact same file, the following false positive triggered:

Trojan:Script/Oneeva.a!ml

I then tried Microsoft Support, who recommended the exact guides I'd followed earlier, so because of this, it tells me that Windows Defender is a very slack program that is not monitored or updated. It frequently puts out false positives, cannot be turned off and terminates programs willy-nilly.

This is a severe oversight and a major bug. You should not have something so important create a loop and require such extreme methods to switch off. This is an official Microsoft AntiVirus but comes across as a shady program. Please fix this so I can carry on with my tasks. I prefer being able to whitelist a program but the fact you cannot turn the program off is a pretty bad look.

Short version:
-Windows Defender has a whitelist bug. You're required to have the program you want to whitelist already on your computer, but if you try to download it, Windows Defender immediately terminates it.
-Windows Defender cannot be switched off. There are guides to do so, but those require going to extreme methods when the option should be within the program itself.

Windows for home | Windows 10 | Security and privacy


8 answers

  1. Anonymous
    2021-04-29T20:58:35+00:00

    Windows Defender on April 29, 2021 messed up again from the latest updates. False positives again. This very same thing happened several years back.

    They patched it shortly.

    Look for the MSERT.exe virus scanner from Microsoft and run it if you're unsure.

    Hard to trust Microsoft with every bad patch that messes things up.

    3 people found this answer helpful.
  2. Anonymous
    2021-02-15T20:37:59+00:00

    Hi Crafty,

    Defender has been able to Detect and Remove this malware for quite a while. It probably has remediated these already. But due to a problem in Defender, it is now presenting a False positive.

    Defender is seeing the malware in its Protection History, and reporting it as a new detection.

    You can verify if that is your case, by downloading a fresh copy of the Microsoft Safety Scanner.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

    Run a full scan on your PC. If the Safety Scanner does not detect the malware, but Defender still does, it is a False positive from Defender. Both Defender and the Scanner use the same definitions.

    You can eliminate the False positive, by deleting the Detection History folder from Protection History. Not to worry, Windows rebuilds the folder when it needs it. Instructions for deleting the Detection History folder can be found in this link.

    https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-identifies-the-same-pup-as-a/63f17794-3815-4784-b9cd-c6059c8e0828

    Disregard the reference to PUPs. This situation can occur for other malware as well.

    Good luck, Glen

    2 people found this answer helpful.
  3. Anonymous
    2021-02-15T14:02:32+00:00

    Hello, I am Sai, a Microsoft Community Independent Advisor. Whitelisting is an additional step used to whitelist entire folders from being checked. Instead, when you download the file and Windows Defender deletes it, you can go into the Windows Security app and open the "Virus and Threat Protection" menu. From there, click "Protection history". There, you will be able to see the file that Windows Defender blocked and you will be able to allow the file on your device. This will restore the file to its original location. Also, there are options to turn off Windows Defender, but if you have a work or school device, these options may be disabled intentionally to prevent malware from being installed. Under "Virus and threat protection settings", you can toggle all of the options to the off settings. Now, keep in mind that your browser may have an additional antivirus screening that may be interfering with the download.

    2 people found this answer helpful.
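    Glen's answer (compare what Defender remembers with a fresh scan before calling it a false positive) and Sai's answer (allow the file rather than whitelisting a folder) can both be checked from the built-in Defender PowerShell module. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It assumes an elevated PowerShell prompt on Windows 10 and a hypothetical download path `$FlaggedPath`; substitute your own. It reports the signature version, lists every detection Defender still holds for that path together with the threat name, and adds a path exclusion only if the path is not already excluded. The exclusion cmdlet takes a path string, so unlike the Exclusions page in the Windows Security app, the file does not have to exist yet.

    ```powershell
    # Added example, not from the thread: review Defender's own record of a flagged file
    # before treating the detection as a false positive, then exclude the path if needed.
    # Assumes an elevated PowerShell on Windows 10 with the Defender module present.
    param(
        # Hypothetical path to the download that keeps getting quarantined; change it.
        [string]$FlaggedPath = "$env:USERPROFILE\Downloads\tool.exe"
    )

    # 1. Definition age: a bad detection that appears right after a signature update
    #    (as the April 2021 answer describes) is easier to recognise when you can see
    #    which definition set is in use.
    $status = Get-MpComputerStatus
    "Signature version {0}, last updated {1}" -f $status.AntivirusSignatureVersion,
                                                 $status.AntivirusSignatureLastUpdated

    # 2. Build a ThreatID -> ThreatName lookup, then list each detection event recorded
    #    for the flagged path. A string of events with the same FirstSeen time but a
    #    moving LastSeen time is the 'replayed from Protection History' pattern Glen
    #    describes; a brand-new FirstSeen on each download is a genuine re-detection.
    $threatNames = @{}
    Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

    $escaped = [regex]::Escape($FlaggedPath)
    $events = Get-MpThreatDetection |
        Where-Object { $_.Resources -match $escaped } |
        ForEach-Object {
            [pscustomobject]@{
                Threat    = $threatNames[$_.ThreatID]
                FirstSeen = $_.InitialDetectionTime
                LastSeen  = $_.LastThreatStatusChangeTime
                Process   = $_.ProcessName
                Resources = ($_.Resources -join '; ')
            }
        }

    if ($events) {
        $events | Sort-Object FirstSeen | Format-Table -AutoSize
    } else {
        "No detection events recorded for $FlaggedPath"
    }

    # 3. Exclusion: only add the path once, and show the current list so an accidental
    #    broad exclusion (a whole Downloads folder, say) is visible rather than silent.
    $excluded = @((Get-MpPreference).ExclusionPath)
    if ($excluded -contains $FlaggedPath) {
        "Already excluded: $FlaggedPath"
    } else {
        Add-MpPreference -ExclusionPath $FlaggedPath
        "Added exclusion for $FlaggedPath"
    }
    "Current path exclusions:"
    (Get-MpPreference).ExclusionPath
    ```

    Excluding a single file path is the narrowest option; prefer it over excluding the whole Downloads folder, which would exempt everything that lands there from scanning. If step 2 shows a fresh FirstSeen on every download attempt while a full Safety Scanner run reports nothing, that is the evidence Glen's answer asks for before you clear the Detection History folder.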
  4. Rob Koch 25,875 Reputation points Volunteer Moderator
    2021-02-17T15:14:21+00:00

    It's not clear from your description exactly when this detection is occurring, so it's also possible that Windows Defender itself isn't the issue here and the file is instead being blocked by Microsoft SmartScreen, which due to its integration with Defender can appear at times as if the action is occurring elsewhere.

    Since SmartScreen actually gains control of a file before the operating system or even Defender, this can potentially bypass the exclusion features, but still make it appear as if it's Defender that's making the detection.

    To determine whether SmartScreen is involved, in Microsoft Security Center under the App and browser control section, set the Check apps and files selection to Off rather than the default Warn. If you're using the Microsoft Edge browser then change that SmartScreen setting to Off as well.

    If SmartScreen still isn't the true issue, then likely there's something else going on here we can't see from your description, so it's best to provide both snapshots and a step-by-step of what's actually happening, since we're all really just guessing as you have been without a clear picture of precisely when or with which browser or other actions the issue is occurring.

    Rob

    1 person found this answer helpful.
  5. Anonymous
    2021-02-17T07:01:00+00:00

    Hi Sai,

    I originally tried this; however, the original file is not restored when I click on 'Allow', as this was one of the first things I tried when trying to stop Windows Defender from deleting said file. Also, as I have already said, this is my personal work computer and not associated with a network. No one touches this PC aside from myself, and after trying every single recommended action (including everything you have listed) it still does not turn off Windows Defender.

    This is a severe bug/flaw that needs to be addressed immediately.

    1 person found this answer helpful.