Windows Defender Offline Scan Missing Definitions

Anonymous
2023-07-17T20:28:11+00:00

Microsoft Windows 10 Pro build 19405

When I run a Windows Defender Offline Scan, msssWrapper always shows a warning message saying definitions are missing.

How I Got Here: I was initially concerned because 1) my computer is slower than it ought to be, 2) there were two programs I didn't recall installing (WinDirStat and TreeSize Free, I may have simply forgotten about installing them since last time I used that PC), and 3) Bitdefender was unable to complete a full scan despite troubleshooting.

What I Tried: I uninstalled BitDefender and ran the Quick, Full, and Offline scans with Windows Defender. Quick and Full required some fiddling but ultimately completed and reported no threats found. I was a little worried because the quick scan only took 30 seconds, but I moved on to the Offline scan, just to be sure. The msssWrapper scan log always says "Missing definitions file in 'C:\mpam-fex64.exe'" (same for D:\ E:\ and X:)

So I installed MalwareBytes per some older advice in this forum. Threat Scan didn't find any issues. I tried a custom scan but cancelled it, because it was still going 14 hours later and I read that full disk scans aren't really what MalwareBytes is for.

I did a Windows 10 repair install. The warning still appears in Offline scan logs. It finally occurs to me that in the lines following the warning, the scan searches for and finds up-to-date signatures elsewhere.

What I Would Like To Know: Are signatures and definitions the same thing? Could you please take a look at this log and tell me if anything is amiss? Is there anything I need to worry about with regards to malware that hasn't occurred to me?

START 2023/07/17 12:53:06:019 TID:1528 PID:1496

INFO 2023/07/17 12:53:06:019 TID:1528 PID:1496

Loading offline registry library returned 0x00000000

INFO 2023/07/17 12:53:06:019 TID:1528 PID:1496

Binary architecture is amd64

INFO 2023/07/17 12:53:06:019 TID:1528 PID:1496

UtilIsFileExists(D:\WINDOWS\SysWOW64\ntdll.dll) returned 0x00000000

INFO 2023/07/17 12:53:06:019 TID:1528 PID:1496

CheckProcessorArchitecture returned 0x00000000

INFO 2023/07/17 12:53:06:019 TID:1528 PID:1496

Setting target OS key: "D:\WINDOWS"

INFO 2023/07/17 12:53:06:019 TID:1528 PID:1496

SetRecoveryEnvironmentKey returned 0x00000000

INFO 2023/07/17 12:53:06:050 TID:1528 PID:1496

Mapping target OS C drive to WinPE D drive

INFO 2023/07/17 12:53:06:066 TID:1528 PID:1496

BuildTargetOSDriveMapping returned 0x00000000

INFO 2023/07/17 12:53:06:066 TID:1528 PID:1496

Searching for signatures. Default signature path: ""

INFO 2023/07/17 12:53:06:066 TID:1528 PID:1496

Searching for signatures at root of drives...

WARNING 2023/07/17 12:53:06:066 TID:1528 PID:1496

Missing definitions file in 'C:\mpam-fex64.exe'

WARNING 2023/07/17 12:53:06:066 TID:1528 PID:1496

Missing definitions file in 'D:\mpam-fex64.exe'

WARNING 2023/07/17 12:53:06:066 TID:1528 PID:1496

Missing definitions file in 'E:\mpam-fex64.exe'

WARNING 2023/07/17 12:53:06:066 TID:1528 PID:1496

Missing definitions file in 'X:\mpam-fex64.exe'

INFO 2023/07/17 12:53:06:066 TID:1528 PID:1496

Searching for signatures from installed product on target OS

INFO 2023/07/17 12:53:06:566 TID:1528 PID:1496

Looking for Defender registry key on target OS

INFO 2023/07/17 12:53:06:566 TID:1528 PID:1496

Mapped target os path (C:\ProgramData\Microsoft\Windows Defender\Definition Updates{83806DE2-5034-499D-B7F0-0A1A29956242}) to winpe path (D:\ProgramData\Microsoft\Windows Defender\Definition Updates{83806DE2-5034-499D-B7F0-0A1A29956242})

INFO 2023/07/17 12:53:06:566 TID:1528 PID:1496

Found signatures on the target OS at D:\ProgramData\Microsoft\Windows Defender\Definition Updates{83806DE2-5034-499D-B7F0-0A1A29956242}

INFO 2023/07/17 12:53:06:628 TID:1528 PID:1496

SearchForSignatures returned 0x00000000

INFO 2023/07/17 12:53:07:128 TID:1528 PID:1496

Looking for Defender registry key on target OS

INFO 2023/07/17 12:53:07:128 TID:1528 PID:1496

Mapped target os path (C:\ProgramData\Microsoft\Windows Defender) to winpe path (D:\ProgramData\Microsoft\Windows Defender)

INFO 2023/07/17 12:53:07:207 TID:1528 PID:1496

Initializing offline environment and service...

INFO 2023/07/17 12:53:07:613 TID:1528 PID:1496

XCopySignatures returned hr = 0x0

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

GetTempPathW where sigs would unpack = D:\WINDOWS\Microsoft Antimalware\Tmp\

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

Signatures are already fairly recent. Skipping sig update.

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

AS Signature Version: 1.393.638.0

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

Engine Version: 1.1.23060.1005

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

Launching user interface...

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

Auto-scan mode selected...

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

Registered for notifications

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

Automatic scan started

INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496

Launched Console UI, waiting...

INFO 2023/07/17 12:55:52:240 TID:1668 PID:1496

CALLBACK: Scan complete. hResult=0x0, threat count=0

INFO 2023/07/17 12:55:52:240 TID:1528 PID:1496

Wait finished (Scan signaled)

INFO 2023/07/17 12:55:52:240 TID:1528 PID:1496

Getting results from scan...

INFO 2023/07/17 12:55:52:240 TID:1528 PID:1496

Scan completed successfully, attempting to clean any active malware. Number of threats from scan: 0

INFO 2023/07/17 12:55:52:240 TID:1528 PID:1496

RunCallisto returned 0x00000000

INFO 2023/07/17 12:55:52:240 TID:1528 PID:1496

PreserveCallistoDetections returned 0x00000000

INFO 2023/07/17 12:55:55:750 TID:1528 PID:1496

Looking for Defender registry key on target OS

INFO 2023/07/17 12:55:57:212 TID:1528 PID:1496

Changes were committed to target OS hive.

INFO 2023/07/17 12:55:57:291 TID:1528 PID:1496

SetOfflineScanRunFlag returned 0x00000000

INFO 2023/07/17 12:55:57:291 TID:1528 PID:1496

Offline scan completed with 0x00000000

FINISH 2023/07/17 12:55:57:291 TID:1500 PID:1496

(In case it's relevant: I have been connected to the internet since the repair install, but I haven't gone to any website other than the default bing homepage and the official Microsoft website via Google)

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
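
An added example, not part of the original post: the log above is laid out as two-line records (a header with level and timestamp, then the message), and the PowerShell below parses a constructed excerpt of it to show the search order it records, with the root-of-drive installer misses followed by signatures found in the installed product's folder. The variable and column names are this example's own.

```powershell
# Constructed excerpt of the log posted above (header line, then message line).
$log = @'
INFO 2023/07/17 12:53:06:066 TID:1528 PID:1496
Searching for signatures at root of drives...
WARNING 2023/07/17 12:53:06:066 TID:1528 PID:1496
Missing definitions file in 'C:\mpam-fex64.exe'
WARNING 2023/07/17 12:53:06:066 TID:1528 PID:1496
Missing definitions file in 'X:\mpam-fex64.exe'
INFO 2023/07/17 12:53:06:566 TID:1528 PID:1496
Found signatures on the target OS at D:\ProgramData\Microsoft\Windows Defender\Definition Updates{83806DE2-5034-499D-B7F0-0A1A29956242}
INFO 2023/07/17 12:53:13:692 TID:1528 PID:1496
AS Signature Version: 1.393.638.0
INFO 2023/07/17 12:55:52:240 TID:1668 PID:1496
CALLBACK: Scan complete. hResult=0x0, threat count=0
INFO 2023/07/17 12:55:57:291 TID:1528 PID:1496
Offline scan completed with 0x00000000
'@

# Header: LEVEL yyyy/MM/dd HH:mm:ss:fff TID:n PID:n
$header  = '^([A-Z]+)\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+TID:\d+\s+PID:\d+'
$records = @()
$current = $null
foreach ($line in ($log -split "`r?`n" | Where-Object { $_.Trim() })) {
    if ($line -match $header) {
        $current = [pscustomobject]@{ Level = $Matches[1]; Time = $Matches[2]; Message = '' }
        $records += $current
    } elseif ($current) {
        # Any non-header line belongs to the record opened by the last header.
        $current.Message = ($current.Message + ' ' + $line.Trim()).Trim()
    }
}

$missing = @($records | Where-Object { $_.Level -eq 'WARNING' -and $_.Message -like 'Missing definitions file*' })
$found   = $records | Where-Object { $_.Message -like 'Found signatures*' } | Select-Object -First 1
$text    = $records.Message -join "`n"

[pscustomobject]@{
    RootInstallerMisses = $missing.Count
    FallbackFound       = [bool]$found
    FallbackFoundAt     = $found.Time
    SignatureVersion    = if ($text -match 'AS Signature Version: (\S+)') { $Matches[1] }
    ThreatCount         = if ($text -match 'threat count=(\d+)') { [int]$Matches[1] }
    FinalResult         = if ($text -match 'Offline scan completed with (0x[0-9A-Fa-f]+)') { $Matches[1] }
} | Format-List
```

A run that should raise concern is one where `FallbackFound` is false and no signature version is logged, not one that merely contains the root-of-drive warnings.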

5 answers

  1. Anonymous
    2023-07-19T06:57:32+00:00

    Hi Ramesh,

    Thank you so much for your help, once again. In your opinion, am I in the clear or is there a (reasonable) chance that I might have some kind of malware that is able to hide from both the Windows Defender scans I’ve already done and any scans by Malwarebytes once I install it? I don’t have a high-security career or any tech-wizard enemies so I wouldn’t expect a targeted attack, but I’m not up to date with what malware can do nowadays.

    Thanks again!

  2. Ramesh 176.1K Reputation points Volunteer Moderator
    2023-07-19T07:09:41+00:00

    Hi KJ_99,

    The Defender AV configuration looks perfectly fine. You may install Malwarebytes Free and use it as a secondary (on-demand) scanner if you want. Nothing else should be necessary.

    Additional Note:

    Some miners evade detection (from Defender or 3rd party antivirus programs) by launching PowerShell or a VBScript via Task Scheduler. High CPU/RAM usage is the main symptom of a coin miner infection. On such systems, running the Farbar Scanner is recommended.

    Posting the following as an "FYI", and I don't think a Farbar scan is necessary in your case. Anyway, I'll be glad to inspect your configuration if you decide to upload the scan logs.

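
A read-only check for the Task Scheduler pattern described in the reply above, as an added example that is not part of the original reply: it lists scheduled tasks whose action launches PowerShell or a VBScript host. The column names and the `Encoded`/`Hidden` hints are this example's own triage aids; run it from an elevated session so tasks belonging to other accounts are included.

```powershell
# Script hosts named in the reply above: PowerShell and the VBScript hosts,
# plus script file extensions passed to any other launcher.
$scriptHost = '(?i)\b(powershell|pwsh|wscript|cscript)(\.exe)?\b|\.(ps1|vbs|vbe)\b'

$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "exec" actions carry Execute/Arguments; COM-handler actions
        # produce an empty string here and are skipped by the match below.
        $command = "$($action.Execute) $($action.Arguments)".Trim()
        if ($command -notmatch $scriptHost) { continue }

        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Task        = $task.TaskPath + $task.TaskName
            State       = $task.State
            RunAs       = $task.Principal.UserId
            Author      = $task.Author
            LastRun     = $info.LastRunTime
            # Windows ships its own tasks under \Microsoft\; the location alone
            # proves nothing, it only orders the review.
            BuiltInPath = $task.TaskPath -like '\Microsoft\*'
            # Hints only: an encoded command line or a hidden window is worth
            # reading closely, but legitimate tasks use both as well.
            Encoded     = $command -match '(?i)\s-e(c|n\w*)?\s'
            Hidden      = $command -match '(?i)\s-w\w*\s+h\w*'
            Command     = $command
        }
    }
}

# Tasks outside \Microsoft\ sort first because $false orders before $true.
$hits | Sort-Object BuiltInPath, Task | Format-List
```

Every row is a task to read and recognise, not a detection: compare `Author`, `RunAs` and `Command` against software you know is installed.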
  3. Ramesh 176.1K Reputation points Volunteer Moderator
    2023-07-19T05:31:51+00:00

    Hi KJ_99,

    The settings look fine, with no exclusions. And the signatures are current.

    My quick scan results.

    Quick scan on my test system (running i3) and the scan was completed in 5 minutes. 48000 files were scanned and the CPU usage during the scan was 20% (max).

    Running another quick scan, but this time I used the MpCmdRun.exe console tool. The scan was completed in 46 seconds. It appeared that CPU usage wasn't throttled during the console scan.

    So, it all looks normal.

  4. Anonymous
    2023-07-19T04:57:06+00:00

    Thank you for your help! Here are the logs you requested. I removed my computer ID because I'm not tech savvy enough to know what (if anything) a person could do with that.

    PS C:\WINDOWS\system32> get-mpPreference

    AllowDatagramProcessingOnWinServer : False

    AllowNetworkProtectionDownLevel : False

    AllowNetworkProtectionOnWinServer : False

    AllowSwitchToAsyncInspection : False

    AttackSurfaceReductionOnlyExclusions :

    AttackSurfaceReductionRules_Actions :

    AttackSurfaceReductionRules_Ids :

    AttackSurfaceReductionRules_RuleSpecificExclusions :

    AttackSurfaceReductionRules_RuleSpecificExclusions_Id :

    CheckForSignaturesBeforeRunningScan : False

    CloudBlockLevel : 0

    CloudExtendedTimeout : 0

    ComputerID : [removed]

    ControlledFolderAccessAllowedApplications :

    ControlledFolderAccessProtectedFolders :

    DefinitionUpdatesChannel : 0

    DisableArchiveScanning : False

    DisableAutoExclusions : False

    DisableBehaviorMonitoring : False

    DisableBlockAtFirstSeen : False

    DisableCacheMaintenance : False

    DisableCatchupFullScan : True

    DisableCatchupQuickScan : True

    DisableCpuThrottleOnIdleScans : True

    DisableDatagramProcessing : False

    DisableDnsOverTcpParsing : False

    DisableDnsParsing : False

    DisableEmailScanning : True

    DisableFtpParsing : False

    DisableGradualRelease : False

    DisableHttpParsing : False

    DisableInboundConnectionFiltering : False

    DisableIOAVProtection : False

    DisableNetworkProtectionPerfTelemetry : False

    DisablePrivacyMode : False

    DisableRdpParsing : False

    DisableRealtimeMonitoring : False

    DisableRemovableDriveScanning : True

    DisableRestorePoint : True

    DisableScanningMappedNetworkDrivesForFullScan : True

    DisableScanningNetworkFiles : False

    DisableScriptScanning : False

    DisableSmtpParsing : False

    DisableSshParsing : False

    DisableTlsParsing : False

    EnableControlledFolderAccess : 0

    EnableDnsSinkhole : True

    EnableFileHashComputation : False

    EnableFullScanOnBatteryPower : False

    EnableLowCpuPriority : False

    EnableNetworkProtection : 0

    EngineUpdatesChannel : 0

    ExclusionExtension :

    ExclusionIpAddress :

    ExclusionPath :

    ExclusionProcess :

    ForceUseProxyOnly : False

    HighThreatDefaultAction : 0

    IntelTDTEnabled :

    LowThreatDefaultAction : 0

    MAPSReporting : 2

    MeteredConnectionUpdates : False

    ModerateThreatDefaultAction : 0

    OobeEnableRtpAndSigUpdate : False

    PlatformUpdatesChannel : 0

    ProxyBypass :

    ProxyPacUrl :

    ProxyServer :

    PUAProtection : 0

    QuarantinePurgeItemsAfterDelay : 90

    RandomizeScheduleTaskTimes : True

    RealTimeScanDirection : 0

    RemediationScheduleDay : 0

    RemediationScheduleTime : 02:00:00

    ReportDynamicSignatureDroppedEvent : False

    ReportingAdditionalActionTimeOut : 10080

    ReportingCriticalFailureTimeOut : 10080

    ReportingNonCriticalTimeOut : 1440

    ScanAvgCPULoadFactor : 50

    ScanOnlyIfIdleEnabled : True

    ScanParameters : 1

    ScanPurgeItemsAfterDelay : 15

    ScanScheduleDay : 0

    ScanScheduleOffset : 120

    ScanScheduleQuickScanTime : 00:00:00

    ScanScheduleTime : 02:00:00

    SchedulerRandomizationTime : 4

    ServiceHealthReportInterval : 60

    SevereThreatDefaultAction : 0

    SharedSignaturesPath :

    SignatureAuGracePeriod : 0

    SignatureBlobFileSharesSources :

    SignatureBlobUpdateInterval : 60

    SignatureDefinitionUpdateFileSharesSources :

    SignatureDisableUpdateOnStartupWithoutEngine : False

    SignatureFallbackOrder : MicrosoftUpdateServer|MMPC

    SignatureFirstAuGracePeriod : 120

    SignatureScheduleDay : 8

    SignatureScheduleTime : 01:45:00

    SignatureUpdateCatchupInterval : 1

    SignatureUpdateInterval : 0

    SubmitSamplesConsent : 1

    ThreatIDDefaultAction_Actions :

    ThreatIDDefaultAction_Ids :

    ThrottleForScheduledScanOnly : True

    TrustLabelProtectionStatus : 0

    UILockdown : False

    UnknownThreatDefaultAction : 0

    PSComputerName :

    PS C:\WINDOWS\system32> get-MpComputerStatus

    AMEngineVersion : 1.1.23060.1005

    AMProductVersion : 4.18.23050.5

    AMRunningMode : Normal

    AMServiceEnabled : True

    AMServiceVersion : 4.18.23050.5

    AntispywareEnabled : True

    AntispywareSignatureAge : 0

    AntispywareSignatureLastUpdated : 7/18/2023 2:50:38 PM

    AntispywareSignatureVersion : 1.393.757.0

    AntivirusEnabled : True

    AntivirusSignatureAge : 0

    AntivirusSignatureLastUpdated : 7/18/2023 2:50:38 PM

    AntivirusSignatureVersion : 1.393.757.0

    BehaviorMonitorEnabled : True

    ComputerID : [removed]

    ComputerState : 0

    DefenderSignaturesOutOfDate : False

    DeviceControlDefaultEnforcement : Default Allow

    DeviceControlPoliciesLastUpdated : 12/31/1600 4:00:00 PM

    DeviceControlState : Disabled

    FullScanAge : 0

    FullScanEndTime : 7/17/2023 11:57:47 PM

    FullScanOverdue : False

    FullScanRequired : False

    FullScanSignatureVersion : 1.393.679.0

    FullScanStartTime : 7/17/2023 11:20:10 PM

    IoavProtectionEnabled : True

    IsTamperProtected : True

    IsVirtualMachine : False

    LastFullScanSource : 1

    LastQuickScanSource : 2

    NISEnabled : True

    NISEngineVersion : 1.1.23060.1005

    NISSignatureAge : 0

    NISSignatureLastUpdated : 7/18/2023 2:50:38 PM

    NISSignatureVersion : 1.393.757.0

    OnAccessProtectionEnabled : True

    ProductStatus : 524288

    QuickScanAge : 0

    QuickScanEndTime : 7/18/2023 1:57:51 AM

    QuickScanOverdue : False

    QuickScanSignatureVersion : 1.393.694.0

    QuickScanStartTime : 7/18/2023 1:56:57 AM

    RealTimeProtectionEnabled : True

    RealTimeScanDirection : 0

    RebootRequired : False

    SmartAppControlExpiration :

    SmartAppControlState : Off

    TamperProtectionSource : Signatures

    TDTMode : N/A

    TDTSiloType : N/A

    TDTStatus : N/A

    TDTTelemetry : N/A

    TroubleShootingDailyMaxQuota :

    TroubleShootingDailyQuotaLeft :

    TroubleShootingEndTime :

    TroubleShootingExpirationLeft :

    TroubleShootingMode :

    TroubleShootingModeSource :

    TroubleShootingQuotaResetTime :

    TroubleShootingStartTime :

    PSComputerName :

    I do have to disclose that I was foolish and installed my third party antivirus between posting this question and receiving your response. I removed it and restarted before running these commands.

    In case it matters, the 30 second quick scan scans about 30,000 files.

  5. Ramesh 176.1K Reputation points Volunteer Moderator
    2023-07-18T04:08:50+00:00

    Hi KJ_99,

    It's normal to see the "Missing definitions file in 'mpam-fex64.exe'" entry in the offline log. It tries to use the definitions installer file if found in the root of each drive/volume. If it's missing, WDO uses the definitions folder in your Windows partition.

    Signatures and definitions mean the same.

    If the quick scan was completed in 30 seconds, the problem could be one of the following things.

    1. Definitions are completely missing.
    2. Incorrect exclusions configuration. For example, malware may have added the entire C:\ drive to the exclusions.

    You may download the latest mpam-fex64.exe file from this Microsoft link, place it in the C:\ root and try an offline scan and see if that helps.

    To check your Defender configuration, please run these two commands from admin PowerShell and post the output here.

    • Get-MpPreference
    • Get-MpComputerStatus

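
One way to read the two outputs requested above for the two causes listed in the reply (missing definitions, over-broad exclusions), as an added example that is not part of the original reply. It uses only properties that appear in the `Get-MpPreference` and `Get-MpComputerStatus` output on this page; the three-day age threshold and the `Check`/`Value`/`Review` column names are assumptions of this example.

```powershell
# Run from an elevated PowerShell session so the exclusion lists are readable.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$maxSignatureAgeDays = 3    # assumption: triage threshold, adjust as needed
$checks = @()

# Cause 2 in the reply: exclusions. List every entry and flag whole-drive ones.
foreach ($name in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension', 'ExclusionIpAddress') {
    foreach ($entry in @($pref.$name | Where-Object { $_ })) {
        $broad = $entry -match '^([A-Za-z]:\\?(\*)?|\*|\\)$'
        $checks += [pscustomobject]@{
            Check  = $name
            Value  = $entry
            Review = if ($broad) { 'BROAD: covers a whole drive' } else { 'confirm you added this' }
        }
    }
}

# Cause 1 in the reply: definitions missing or stale.
$stale = -not $status.AntivirusSignatureVersion -or
         $status.DefenderSignaturesOutOfDate -or
         $status.AntivirusSignatureAge -gt $maxSignatureAgeDays
$checks += [pscustomobject]@{
    Check  = 'Signatures'
    Value  = '{0}, age {1} day(s), updated {2}' -f $status.AntivirusSignatureVersion,
             $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated
    Review = if ($stale) { 'MISSING OR STALE' } else { 'ok' }
}

# Protection components that should all report True.
foreach ($name in 'AntivirusEnabled', 'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled', 'IsTamperProtected') {
    $checks += [pscustomobject]@{
        Check = $name; Value = $status.$name
        Review = if ($status.$name) { 'ok' } else { 'OFF' }
    }
}

# Duration of the last quick scan, the symptom that prompted the question.
if ($status.QuickScanStartTime -and $status.QuickScanEndTime) {
    $seconds = ($status.QuickScanEndTime - $status.QuickScanStartTime).TotalSeconds
    $checks += [pscustomobject]@{
        Check = 'LastQuickScan'; Review = 'informational'
        Value = '{0:N0} s, signatures {1}' -f $seconds, $status.QuickScanSignatureVersion
    }
}

$checks | Format-Table -AutoSize -Wrap
```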