Windows Defender issue on server - lots of files being created

IT Resourcing 6

We have an issue on a Windows Server 2019 Datacenter virtual machine with Windows Defender.
We are in: Settings -> Update & Security -> Windows Security -> Virus & threat protection -> Virus & threat protection settings -> Manage settings

When Real-time protection is turned on, after about 20-30 minutes it creates hundreds/thousands of files in this location:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store

Most of these files are either 1kb or 2kb. Over a 24 hour period we ended up with roughly 950,000 files and it was taking 30 GB of space. This does not appear to be normal. There is no threats detected and no actively running scan or updates. These files appear to be encrypted, or at least we can't open them in notepad and see any useful data. This is only happening on one server.

Anybody got any ideas?

Tom Ding (Shanghai Wicresoft Co,.Ltd.) 1 Reputation point Microsoft Employee

2021-05-04T06:19:57.507+00:00

The affected engine version is 18100.5.
The fixed engine version is 18100.6.
sarfaraz shaikh 6 Reputation points

2022-02-23T09:12:09.017+00:00

C:\Program Files\Windows Defender>MpCmdRun.exe -SignatureUpdate

13 answers

Mike Miller 11 Reputation points

2021-05-04T12:33:13.773+00:00

Does anyone know why this started out of the blue? It seems like a commonality between multiple different threads on the Internet regarding this is that these files started on or shortly after 4/28. We control our updates via WSUS and haven't run any updates for at least a week prior to this hitting us. I'd understand if as soon as we updated to 1.1.18100.5 that it started generating these files but that's not the case. It just seems strange that the affected servers start generating these files on 4/28 and other servers seem to be fine. I'd say there's some kind of trigger for this time bomb but it seems unlikely that the trigger was pulled for multiple but not all of the servers at the same time.

Here are some other threads talking about this issue:
https://community.spiceworks.com/topic/2316398-windows-defender-filling-disk-with-thousands-of-files?utm_campaign=item&utm_medium=rss&utm_source=global
https://learn.microsoft.com/en-us/answers/questions/378578/windows-defender-creating-thousands-of-files.html?page=2&pageSize=10&sort=oldest
https://www.reddit.com/r/sysadmin/comments/n0q8pc/help_windows_defender_real_time_protection/
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Paul Molina 6 Reputation points

2021-05-04T13:14:12.637+00:00

Our team working off this article and seem to have it under control. Kind of. Removing Windows Defender feature (reboot required). Deleting the files. Believe there will be a fix released Thursday 5/7/2021.

https://www.reddit.com/r/sysadmin/comments/n43xk2/windows_defender_server_2016_watch_out/
Please sign in to rate this answer.
Ashok Savla 1 Reputation point

2021-07-14T10:44:52.73+00:00

hello

any solutons ? as we are facing same issue.
thanks

ashok@enam.com
Sign in to comment
IT Resourcing 6 Reputation points

2021-07-15T05:00:34.64+00:00

Hi,
I should have posted back here (sorry). We believe we solved our issue but installing the latest "Security Intelligence Update for Microsoft Defender Antivirus"
The specific KB we installed was KB2267602 (Version 1.339.316.0)

I hope that helps.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment