Remove From My Forums

Windows Defender executables: Publisher - (Not Verified) Microsoft Corporation

Question

Task Scheduler:

\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance	Microsoft Malware Protection Command Line Utility	(Not verified) Microsoft Corporation	c:\programdata\microsoft\windows defender\platform\4.18.1905.4-0\mpcmdrun.exe	01.03.1913 21:46	0/74

HKLM\System\CurrentControlSet\Services:

WdNisSvc	Windows Defender Antivirus Network Inspection Service: Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols	(Not verified) Microsoft Corporation	c:\programdata\microsoft\windows defender\platform\4.18.1905.4-0\nissrv.exe	24.09.1902 21:05	0/74
WinDefend	Windows Defender Antivirus Service: Helps protect users from malware and other potentially unwanted software	(Not verified) Microsoft Corporation	c:\programdata\microsoft\windows defender\platform\4.18.1905.4-0\msmpeng.exe	31.01.1954 6:02	0/72

The signature of the file seems to be valid:

For other Microsoft files, there is no such problem.

AutoRuns v13.95
Windows 10 (amd64) v 1809 (build 17763.529)

Wednesday, June 12, 2019 10:30 AM

All replies

0

Sign in to vote

I see it too, the certificate expired at the end of May 2019 it seems...

Thursday, June 20, 2019 3:24 AM

Reply

|

Quote
0

Sign in to vote

I am also seeing the same executable as unverified on a clean installation of Windows 10 v1903

Autoruns v13.96

Virustotal did not detect anything.

Should I be concerned ?

Thursday, July 11, 2019 12:03 PM

Reply

|

Quote
0

Sign in to vote

You should not be worried in my opinion, but there is something strange in Autoruns..

Also the timestamp column seems wrong..

SIgnCheck correctly report the file as verified..
sigcheck64.exe -a "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1907.4-0\MpCmdRun.exe"

Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\programdata\microsoft\windows defender\platform\4.18.1907.4-0\MpCmdRun.exe:
Verified: Signed
Signing date: 01:22 10/07/2019
Publisher: Microsoft Windows Publisher
Company: Microsoft Corporation
Description: Microsoft Malware Protection Command Line Utility
Product: Microsoft« Windows« Operating System
Prod version: 4.18.1907.4
File version: 4.18.1907.4 (GitEnlistment(winpbld).190709-1605)
MachineType: 64-bit
Binary Version: 4.18.1907.4
Original Name: MpCmdRun.exe
Internal Name: MpCmdRun
Copyright: ® Microsoft Corporation. All rights reserved.
Comments: n/a
Entropy: 5.9

And Explorer report that everything is valid..

there may be a problem in Autoruns...

Thanks
-mario

Thursday, July 11, 2019 1:15 PM

Reply

|

Quote
0

Sign in to vote

Indeed. Something doesn't look right here. I have added it to our Autoruns backlog and will try to take a look at it as soon as I can

MarkC (MSFT)

Thursday, July 11, 2019 1:55 PM

Reply

|

Quote
0

Sign in to vote

Any update regarding this case? It's already August and in 1809 it is still considered as "not verified".

Saturday, August 10, 2019 3:24 PM

Reply

|

Quote
1

Sign in to vote

Hi Edgar

I traced this to an issue with the way that autoruns handles protected folders. For Microsoft published binaries we have an additional validation step that confirms whether or not the binary is in a protected system folder. For ProgramData this is not the case.

The Windows Defender folder however IS locked down so I'm just waiting for confirmation from Mark R. that it's OK to add this and I'll get the fix updated.

MarkC(MSFT)

Tuesday, August 13, 2019 1:19 PM

Reply

|

Quote
1

Sign in to vote

I'm still seeing this - using latest download from Sysinternals site. It's almost Feb 2020...is this actually going to be fixed? Thanks

Friday, January 24, 2020 7:09 PM

Reply

|

Quote
0

Sign in to vote

I see this too. Would like to be sure as windows defender just flagged up as trapping a trojan!

Monday, January 27, 2020 4:19 PM

Reply

|

Quote
0

Sign in to vote

This process was flagged as a trojan??? Does it specify a type of trojan, or is it heuristic detection???

If it's heuristics, it may be detecting the anomalies we're discussing,or even just the way the program functions.

Saturday, February 1, 2020 11:22 PM

Reply

|

Quote
0

Sign in to vote

I have somewhat same issue. Whats the solution?

Monday, March 16, 2020 3:04 PM

Reply

|

Quote
0

Sign in to vote

Please, wait for the next version to be published..

Thanks
-mario

Monday, March 16, 2020 3:22 PM

Reply

|

Quote
0

Sign in to vote

Still nothing? It's almost May

I guess not a big deal but it looks weird, kinda concerning. my MsMpEng.exe is consistently the highest processes on the list (in procexp) when sorting by CPU Time, with only Interrupts above it (which I suspect are being caused by something in the Defender antimalware process anyway?)

Monday, April 20, 2020 10:32 AM

Reply

|

Quote
0

Sign in to vote

Sorry folks. I resolved this back in August last year but we haven't done a publish of autoruns since then.

I will speak to Mark Russinovich to see when we can publish this but in the interim if anybody wants a copy ping me at syssite@microsoft.com and I will make it available to you.

Markc(MSFT)

Monday, April 27, 2020 2:23 PM

Reply

|

Quote
0

Sign in to vote
Wow, this is crazy! Timestamp certificate chain extends the signature for 5-10 years! The bug now also shows itself with Google Drive application and Adobe Creative Cloud!
- Edited by ZBalling Friday, July 17, 2020 3:10 PM
Friday, July 17, 2020 3:10 PM

Reply

|

Quote

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Asked by:

Windows Defender executables: Publisher - (Not Verified) Microsoft Corporation

Question

All replies