[German]An update, which may contain a broken signature file, has bricked all Microsoft virus scanners (Windows Defender, Microsoft Security Essential, and System Center Endpoint Protection (SCEP)) since April 16, 2020. The service for performing the virus scan simply crashes. A new signature file with a fix has been released.
All Microsoft Antivirus scan engines bricked
The problem described one year ago in the blog post SCEP/MSE/Defender failed worldwide for hours due to a bad signatur file v1.289.1521.0 (03/19/2019), that a signature update bricked all Microsoft virus scanners, is back since April 16, 2020. I've been contacted an April 16, 2020 at 09:17 a.m. (CET) by German blog reader Michael, reporting issues with System Center Endpoint Protection (SCEP):
Good morning.
MS has just distributed (08:39 in our case) updates for SCEP.
Here is an update : KB2461484 (Version 1.313.1638.0)
As soon as a scan of any action is executed the Endpoint Protection crashes.
At that time I couldn't find other hits searching the Internet. Shortly after, Michael told me, that he has 400 systems with SCEP, that was affected. Later I received two comments to my blog post SCEP/MSE/Defender failed worldwide for hours due to a bad signatur file v1.289.1521.0 (03/19/2019), reporting the same issues for Windows Server 2012 R2 and Windows 7.
Windows Defender and MSE also affected
At the same time I received a similar comment from German blog reader Dekre, reporting, that Windows Defender stalls under Windows 10 Version 1909. Dekre reportet the following versions that causes issues:
Antimalware version: 4.18.2003.8
Module: 1.1.6900.4
AV-Version: 1.313.1666.0
Antispyware-Version 1.313.1666.0
Dekre pointet also to the German Microsoft Answers forum with this thread dealing with the same effect. A user wrote:
Windows Defender Antivirus does not start
Hello, when I start my PC, the message always comes: "The virus protection is disabled. Tap or click here to turn on Windows Defender Antivirus."
When I click on it, it says: "Page not available. Your administrator has restricted access to some areas of this app. The resource you're trying to access is unavailable. Contact the helpdesk for more information:"
It is specified that the Security Intelligence Update for Windows Defender Antivirus – KB2267602 (version 1.313.1594.0) contains the error 0x80070643.
Within this comment another German blog reader reported issues with a stalling Defender service (see the German screenshot above). Other readers has contacted my via e-mail reporting the same, and the editors of German IT site heise has send me similar reader feedback.
I just checked the Microsoft Security Essentials (MSE) on my Windows 7. The MSE reported that the last scan was a long time ago. When I started a quick scan, everything looked fine. But a short time later I got the following message that the service was stopped.
And next to the notification area of the taskbar the following toast notification of the MSE was displayed.
The virus protection of the Microsoft Security Essentials (MSE) are therefore also completely paralysed. In the meantime, I have also read such a message at askwoody.com.
A Fix for the issue
The reason for the scan engine crashes is a bug that takes effect when a file has two dots before the file name extension (e.g. Test..exe, see also this reddit.com thread). Lawrence Abrams did an analysis at Bleeping Computer in this article. My German MVP colleague Ingo Böttcher has written this forum post in Microsoft Answers:
The problem was fixed with the signature update 1.313.1687.0. Via Windows Update or the update search of Defender itself this signature version is distributed since tonight.
You can manually check for updates. In Windows 10, open the Windows Security window, go to Virus & threat protection and select the Check for Updates hyperlink under Virus & Threat Protection Updates. Then the new signature file should be installed by update. For MSE, you should have Windows Update check for updates. After a long search I was offered update KB2310138 with the above signature. After installing this update the error in the MSE seems to be fixed.
Addendum: On April 17, 2020, Microsoft published another signature update to version 1.313.1721.0. My editor from news magazine heise told me that everything is working again on her Windows 10 computer. Interesting observation from her was that the above approach via the Security Center did not work for her because the hyperlink Check for Updates was missing. The reason might be that the threat protection service could not be restarted on her computer. She then manually triggered the Windows Update search, which resulted in the signature update. Even without a subsequent restart, the threat protection service was then up and running again.