Windows Defender creating thousands of files

Denis Payne 156

Since 28/04/2021 around 22:00, thousands of files started to be created in folder C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ on one of my domain controllers.

There were over 200k files which caused that night's backup to take over 4hours rather then the normal 20minutes.
There are now well over 400k files.

Another member server is also affected by this, there are over 2million files in the same folder being:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\

Bother servers are running Windows Server 2016.
The files are 1-2KB.
Settings>Update&Security>Windows Defender settings are enabled.
Windows Defender GUI>History is empty for Quarantined, Allowed and All Detected items.
No Windows Defender scan is running.

Resource Monitor>Disk>Disk Activity shows the System process accessing these files, so I presume it is creating them.
System is also the owner of these files.

Andreas Schweizer (diverto gmbh) 16 Reputation points

2021-05-02T09:23:43.223+00:00

Same here since Friday!
We have Sophos and datto RMM on the systems.
Any news now?
Bartek82 6 Reputation points

2021-05-03T14:14:58.977+00:00

Have the same problem. Over the weekend, 3 server(2019) hard drives filled up.

We also use Sophos Central Endpoint
Justin Whitstine 6 Reputation points

2021-05-03T14:39:16.563+00:00

Same issue here
Mike Miller 11 Reputation points

2021-05-03T15:17:21.877+00:00

We are also facing this issue as well. We are on Windows Defender Engine version 1.1.18100.5 with Sophos installed. My colleague came across this Reddit thread (https://www.reddit.com/r/sysadmin/comments/n0q8pc/help_windows_defender_real_time_protection/) dealing with the same issue. Looks like an update to the engine to bring it to version 1.1.18100.6 may have resolved it for a few of those people but I don't think it's publically available yet. I've had at least 10 servers already affected by this and all of the issues started on 4/28. Hooray for Mondays!
Mike Miller 11 Reputation points

2021-05-03T20:06:24.117+00:00

Has anyone got any resolution from Microsoft on this issue yet? If so, is there an update that's publically available?
David Fosbenner 21 Reputation points

2021-05-03T21:51:36.583+00:00

I got a response that a tech has been assigned to my case, that's it. You can temporarily disable realtime protection to stop file creation, or remove WD in Apps & Features.
Denis Payne 156 Reputation points

2021-05-04T10:18:31.483+00:00

In WS2016 it wasn't possible to disable Windows Defender, if you did then flipped away then back to the screen it'd just be running again.
In my case something about 'Unable to disable Windows Defender if Sophos installed' so I just uninstalled Windows Defender from the 3xWS 2016 VMs that had the issue.

Supposed an update later this week will fix Windows Defender issue which is the cause.
Fazal Khan 1 Reputation point

2021-05-04T15:26:27.91+00:00

Is there any solution to this issue. We are encountering the same issue on windows Server 2k12r2 machines. There are number of files getting created under C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Store.

Any suggestions or solutions plz?

Regards,
Fazal
David Fosbenner 21 Reputation points

2021-05-04T15:35:35.17+00:00

For now, turn off Defender's Realtime Protection and it will stop creating the files.
Fazal Khan 1 Reputation point

2021-05-04T15:42:18.473+00:00

We have already turned off real time protection and scheduled scan through SCCM antimalware policy and still no use. Everything is disabled for Defender.

Regards,
Fazal
LeeW 6 Reputation points

2021-05-06T08:07:43.69+00:00

Turning off Defender is the first step, that will stop more files being created.

You need to delete the files that have been created, unfortunately part of the issue is that the folder structure is locked so you can't get in to browse, this also presumably stop Defender from updating.

The fix I have been using is, once Defender is disabled, open an elevated command prompt, cd "c:\programdata\microsoft\windows defender\scans\history\store" , you can run a dir which will show thousands of files. In this directory run del . and accept the prompt with y . That will start deleting but it's a slow process. Once of my servers took more than a day to delete all the files.

I am running Sophos with Defender but I think it's a Defender issue.
´óúåð¶ÖäÎð¸àì 1 Reputation point

2021-05-07T06:36:40.447+00:00

Same problem in non-server scenario.

Windows 10 Pro 1909

updated from 1.1.18100.5 to 1.1.18100.6 and the files are still there...

Accepted answer

Denis Payne 156 Reputation points

2021-05-10T10:58:39.867+00:00

All in 7xWS2016 servers all running Sophos were affected, across two of my clients.
Windows Defender was thus uninstalled from 3xservers with small C-Drives to prevent 0% free space issue.

Cause seems to of been a MSFT Windows Defender update for which a fix was released late last week.

Windows Defender has been re-installed on the 3xservers it was previously uninstalled from.
None of the 7xWS2016 servers are showing a repeat of the issue so assume MSFT fixed it with a Windows Defender update.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

10 additional answers

Yuhan Deng 3,761 Reputation points Microsoft Vendor

2021-05-03T07:00:55.837+00:00

Hi,
Based on your description, I did some research but got nothing. To resolve this issue, I would suggest that you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue. In addition, if the issue has been proved as system flaw, the consulting fee would be refund. You may find phone number for your region accordingly from the link below.
Global Customer Service phone numbers:
https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

Thanks for your time.
Best regards,
Danny

-----------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
David Fosbenner 21 Reputation points

2021-05-05T16:48:08.343+00:00

I've seen in other threads that a fix may come Thursday. I'm not waiting around. I removed WD from my servers and it will be part of my new build checklist to remove it whenever a server has 3rd party AV. Problem solved.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment