Windows defender trouble - blank icon & error messages - stopping file downloads from internet

  • Question

  • Hi,

    We have had a problem with a few of our PCs - they stopped being able to download email attachments.

    The "virus scan failed" error was reported and the file didn't download. This was the same for files from the internet.

    This happens for any user and on any web browser platform (IE, Chrome, Firefox etc.).

    After running several virus & malware scans I finally traced the problem to Windows Defender. We use Sophos AV across all our PCs and Windows Defender is turned off by Group Policy and isn't used.

    If I try to start Windows Defender on any working PC I get the message 

    "This program is turned off. If you are using another program that checks for harmful or unwanted software, use the Action Center to check that programs status"

    But on looking in the control panel of an affected PC I could see the Windows Defender icon was just a white box.

    When I try to run it, it says

    "The version of this file is not compatible with the version of Windows you're running. Check your computer's system information to see whether you need an x86 or x64 version of the program."

    When I looked at the MSASCui.exe file - that too was just a std exe icon and not the usual castle pic I would expect to see.

    On comparing the properties of the MSASCui.exe file on working and non-working PCs, the modified date and file size were identical; however, all other property details were blank on the problem PC.

    Copying over a 'good' file instantly cured the problem.

    My question is what could have happened to the defender exe file to cause this?

    The modified date hasn't changed, the size is the same?

    There is no sign of any virus infection or malware. (I have run several scans using Sophos AV, Sophos Clean & Malwarebytes.)

    But users' PCs have been reporting this issue over the last 10 days (we are up to 6 users affected).

    I can't find anything common between them!

    Many thanks in advance for any ideas on what could cause this.


    Thursday, May 18, 2017 7:38 AM
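The observation in the question (identical size and modified date, but blank version details and a "not compatible" error) can be checked by comparing the two copies by content rather than by metadata. The following is an added example, not code from the thread: the function names and the 512-byte sample images are constructed for illustration, and it assumes both copies have been read into memory.

```python
import hashlib
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64

def pe_summary(data: bytes) -> dict:
    """SHA-256 of the image plus whether its DOS/PE headers still parse."""
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "valid_pe": False, "machine": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    info.update(valid_pe=True, machine=MACHINES.get(machine, hex(machine)))
    return info

def diff_ranges(good: bytes, bad: bytes) -> list:
    """(start, end) offsets of each run of bytes that differs between two images."""
    runs, start = [], None
    for i, (a, b) in enumerate(zip(good, bad)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, min(len(good), len(bad))))
    return runs

def compare(good: bytes, bad: bytes) -> dict:
    g, b = pe_summary(good), pe_summary(bad)
    return {"same_size": g["size"] == b["size"],
            "same_hash": g["sha256"] == b["sha256"],
            "good": g, "suspect": b, "diff": diff_ranges(good, bad)}

def sample_pair():
    """Constructed 512-byte stand-ins (not real Defender binaries)."""
    good = bytearray(b"\xCC" * 512)
    good[0:2] = b"MZ"
    struct.pack_into("<I", good, 0x3C, 0x80)
    good[0x80:0x86] = b"PE\0\0" + struct.pack("<H", 0x8664)
    bad = bytearray(good)
    bad[0x80:0x100] = bytes(0x80)  # same length, one block zeroed
    return bytes(good), bytes(bad)

if __name__ == "__main__":
    print(compare(*sample_pair()))
```

To use it on real copies, pass `open(path, "rb").read()` for the known-good and the suspect file to `compare()`; matching size with a differing hash confirms the content changed, and the diff offsets show where.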

All replies

  • Thanks Gav, 

    I have notified the Defender AV team of this post so they will have a look. In recent releases of Windows, Defender AV comes as part of the operating system (which accounts for why it is always on the box even when it is not the primary AV). Defender AV is "aware" of Sophos registered as the primary AV and therefore is in a dormant state - which accounts for why when you tried to run it you got this message "This program is turned off. If you are using another program that checks for harmful or unwanted software, use the Action Center to check that programs status".

    When a file is being downloaded via the browser, upon saving it to disk, the browser will call a special API in the operating system to ask the active AV (Sophos) to scan the file before it is made available to the user to run. In your case, Sophos are the AV on the receiving end of this call and should have picked up the file, scanned it, returned an answer to the browser to get it "released". Sounds like this is not happening.

    A good place to start this investigation would be to open a ticket with Sophos as your current AV provider to check why the scan-during-download process is not working. A test you may run to see who the culprit is would be to remove Sophos from one of these boxes; this should cause Defender AV to turn itself on (to ensure the machine never stays in a non-protected state) and then see if the problem is resolved. If it is, then surely something in the Sophos configuration is to blame.

    Friday, May 26, 2017 6:17 PM