Windows Defender creating thousands of files

Denis Payne 156 Reputation points
2021-04-30T09:58:44.31+00:00

Since 28/04/2021 around 22:00, thousands of files started to be created in folder C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ on one of my domain controllers.

There were over 200k files, which caused that night's backup to take over 4 hours rather than the normal 20 minutes.
There are now well over 400k files.

Another member server is also affected by this, there are over 2million files in the same folder being:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\

Both servers are running Windows Server 2016.
The files are 1-2KB.
Settings>Update&Security>Windows Defender settings are enabled.
Windows Defender GUI>History is empty for Quarantined, Allowed and All Detected items.
No Windows Defender scan is running.

Resource Monitor>Disk>Disk Activity shows the System process accessing these files, so I presume it is creating them.
System is also the owner of these files.


Accepted answer
  1. Denis Payne 156 Reputation points
    2021-05-10T10:58:39.867+00:00

    All in 7xWS2016 servers all running Sophos were affected, across two of my clients.
    Windows Defender was thus uninstalled from 3xservers with small C-Drives to prevent 0% free space issue.

    Cause seems to have been a MSFT Windows Defender update for which a fix was released late last week.

    Windows Defender has been re-installed on the 3xservers it was previously uninstalled from.
    None of the 7xWS2016 servers are showing a repeat of the issue so assume MSFT fixed it with a Windows Defender update.

    1 person found this answer helpful.

10 additional answers

Sort by: Most helpful
  1. David Fosbenner 21 Reputation points
    2021-05-02T12:37:56.613+00:00

    Good morning. Yes, I also have Sophos. I didn't get anything from MS yet, but I also opened a ticket with Sophos, asking about Defender AV and Sophos both running on the same system. It's been my experience in the past that when I install AV, it disables the native Windows AV, but not in this case. Here's what Sophos support said: (my comments in [brackets]).

    "To assist you with your query Sophos can run with Windows Defender but it's advisable not to run both for we might encounter a performance issue when they run at the same time.

    You can check by running command prompt as administrator, and run the fltmc command to see what drives are available on the server. [If fltmc returns "WdFilter" then Defender is running.]

    Kindly try to disable the Windows Defender in Manage Roles and Features, untick the Windows Defender feature. [Reboot] and run the fltmc command again to confirm [WdFilter is removed]."

    I did this on one server and confirmed Defender AV is no longer installed. It hopefully will solve the issue for me, but it doesn't explain the cause or truly "fix" what is broken. I might leave Defender on one server and work with MS to find the issue.

    1 person found this answer helpful.

  2. James Fairless 6 Reputation points
    2021-05-02T23:08:38.243+00:00

    We are also having the same issue on a Server 2019 VM box running Sophos. First noticed due to a large change in backup length and time. Over 1 million new and modified files created in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store.

    Also noticed that CPU usage was pinned, with Sophos and Windows Defender both being the culprits; starting to look like updates to definitions have both bits of software fighting each other, causing the creation of millions of files.

    Come on MS we need a support update please.

    1 person found this answer helpful.

  3. David Fosbenner 21 Reputation points
    2021-05-02T23:30:05.017+00:00

    While I'm curious to know what caused this, I'm not holding my breath waiting for MS. They'll probably blame Sophos. I have about a dozen servers, 4 had this issue. I uninstalled Defender from 10 servers and left it on 2 servers for testing/troubleshooting purposes. There's no need for it if the Sophos protection is there, so I don't see myself reinstalling Defender even if this issue gets fixed.

    1 person found this answer helpful.

  4. Andrew Bounds 6 Reputation points
    2021-05-03T02:07:03.077+00:00

    2021-05-03:

    Problem is with the AMEngineVersion < 1.1.18100.6. New version is supposed to be deployed by Microsoft Thursday May 6th.


    I have this issue on a Windows 2008 R2 server running SCEP and a 2016 server running Defender. Do not have Sophos on either.

    Windows 2008 R2:
    C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Store
    Windows 2016:
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store
    
    1 person found this answer helpful.
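The checks scattered across this thread (file counts in the Scans\History\Store folders from the question and Andrew Bounds' answer, the `fltmc` / WdFilter check Sophos support suggested in David Fosbenner's answer, and the AMEngineVersion threshold of 1.1.18100.6 from Andrew Bounds' answer) can be gathered into one read-only health check. The script below is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on Windows Server 2016/2019 with the Defender cmdlets present, and the 10,000-file warning threshold is an arbitrary assumed value to tune for your environment. It only reports; it does not uninstall or disable anything.

```powershell
# Added example (not from the thread). Read-only check for the runaway
# Scans\History\Store growth, the Defender minifilter, and the engine version.
# Assumes an elevated session on Windows Server 2016/2019.

$storePaths = @(
    'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store',     # Defender (2016/2019)
    'C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Store' # SCEP (2008 R2)
)
$fixedEngine       = [version]'1.1.18100.6'  # version from Andrew Bounds' answer
$fileWarnThreshold = 10000                   # assumed threshold; adjust as needed

# 1. Count files and size per store folder; flag abnormal growth.
foreach ($path in $storePaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "Store folder not present: $path"
        continue
    }
    $files  = Get-ChildItem -LiteralPath $path -File -ErrorAction SilentlyContinue
    $count  = ($files | Measure-Object).Count
    $sizeMB = 0
    $newest = $null
    if ($count -gt 0) {
        $sizeMB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum / 1MB), 1)
        $newest = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    }
    $flag = if ($count -gt $fileWarnThreshold) { 'WARNING' } else { 'ok' }
    Write-Output ("[{0}] {1}: {2} files, {3} MB, newest write {4}" -f $flag, $path, $count, $sizeMB, $newest)
}

# 2. Is the Defender minifilter loaded? (the fltmc check from Sophos support)
$filterLines    = & fltmc.exe filters 2>$null
$wdFilterLoaded = [bool]($filterLines | Where-Object { $_ -match '^\s*WdFilter\b' })
Write-Output ("WdFilter minifilter loaded: {0}" -f $wdFilterLoaded)

# 3. Engine version vs. the version the thread reports as fixed.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion
    $verdict = if ($engine -lt $fixedEngine) { 'OLDER than fixed version' } else { 'at or above fixed version' }
    Write-Output ("AMEngineVersion {0} ({1} {2})" -f $engine, $verdict, $fixedEngine)
    Write-Output ("Signatures {0}, last updated {1}" -f $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)
} catch {
    Write-Output "Get-MpComputerStatus unavailable: Defender cmdlets not present or Defender not installed."
}

# 4. Install state of the Defender feature (what the Roles and Features step toggles).
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name 'Windows-Defender*' |
        Select-Object Name, InstallState |
        Format-Table -AutoSize
}
```

Run it on an affected and an unaffected server and compare the four sections: a store folder far above the threshold with a very recent newest write, WdFilter still loaded alongside a third-party AV, and an AMEngineVersion below 1.1.18100.6 together match the pattern described in this thread, whereas a healthy server shows a small folder and an engine at or above the fixed version.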