Windows Defender executables: Publisher - (Not Verified) Microsoft Corporation

  • Question

  • Task Scheduler:

    \Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance	Microsoft Malware Protection Command Line Utility	(Not verified) Microsoft Corporation	c:\programdata\microsoft\windows defender\platform\4.18.1905.4-0\mpcmdrun.exe	01.03.1913 21:46	0/74

    HKLM\System\CurrentControlSet\Services:

    WdNisSvc	Windows Defender Antivirus Network Inspection Service: Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols	(Not verified) Microsoft Corporation	c:\programdata\microsoft\windows defender\platform\4.18.1905.4-0\nissrv.exe	24.09.1902 21:05	0/74
    WinDefend	Windows Defender Antivirus Service: Helps protect users from malware and other potentially unwanted software	(Not verified) Microsoft Corporation	c:\programdata\microsoft\windows defender\platform\4.18.1905.4-0\msmpeng.exe	31.01.1954 6:02	0/72

    The signature of the file seems to be valid:

    For other Microsoft files, there is no such problem.

    AutoRuns v13.95
    Windows 10 (amd64) v 1809 (build 17763.529)

    Wednesday, June 12, 2019 10:30 AM

All replies

  • I see it too, the certificate expired at the end of May 2019 it seems...
    Thursday, June 20, 2019 3:24 AM
  • I am also seeing the same executable as unverified on a clean installation of Windows 10 v1903

    Autoruns v13.96

    Virustotal did not detect anything.

    Should I be concerned?

    Thursday, July 11, 2019 12:03 PM
  • You should not be worried in my opinion, but there is something strange in Autoruns..

    Also the timestamp column seems wrong..

    Sigcheck correctly reports the file as verified..

    sigcheck64.exe -a "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1907.4-0\MpCmdRun.exe"

    Sigcheck v2.72 - File version and signature viewer
    Copyright (C) 2004-2019 Mark Russinovich
    Sysinternals - www.sysinternals.com

    c:\programdata\microsoft\windows defender\platform\4.18.1907.4-0\MpCmdRun.exe:
            Verified:       Signed
            Signing date:   01:22 10/07/2019
            Publisher:      Microsoft Windows Publisher
            Company:        Microsoft Corporation
            Description:    Microsoft Malware Protection Command Line Utility
            Product:        Microsoft® Windows® Operating System
            Prod version:   4.18.1907.4
            File version:   4.18.1907.4 (GitEnlistment(winpbld).190709-1605)
            MachineType:    64-bit
            Binary Version: 4.18.1907.4
            Original Name:  MpCmdRun.exe
            Internal Name:  MpCmdRun
            Copyright:      ® Microsoft Corporation. All rights reserved.
            Comments:       n/a
            Entropy:        5.9

    And Explorer reports that everything is valid..

    There may be a problem in Autoruns...

    Thanks
    -mario

    Thursday, July 11, 2019 1:15 PM
  • Indeed. Something doesn't look right here. I have added it to our Autoruns backlog and will try to take a look at it as soon as I can.

    MarkC (MSFT)

    Thursday, July 11, 2019 1:55 PM
  • Any update regarding this case? It's already August and in 1809 it is still considered as "not verified".
    Saturday, August 10, 2019 3:24 PM
  • Hi Edgar

    I traced this to an issue with the way that Autoruns handles protected folders. For Microsoft published binaries we have an additional validation step that confirms whether or not the binary is in a protected system folder. For ProgramData this is not the case.

    The Windows Defender folder however IS locked down so I'm just waiting for confirmation from Mark R. that it's OK to add this and I'll get the fix updated.

    MarkC(MSFT)

    Tuesday, August 13, 2019 1:19 PM
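The two checks discussed in this thread, the Authenticode verification that Sigcheck performs in Mario's post and the protected-folder test MarkC describes, can be reproduced from PowerShell to cross-check an Autoruns "(Not Verified)" label on a machine. The script below is an added example written for this page; it is not code from the thread, from Autoruns or from Sysinternals. It assumes the Defender platform layout shown above (C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\...), resolves the version subfolder with a wildcard because it differs per machine, and uses an assumed list of identities (SYSTEM, TrustedInstaller, Administrators) as the only ones expected to hold write rights on a locked-down folder.

```powershell
# Added example (not from the thread): cross-check what Autoruns reports.
# Assumption: Defender platform root as shown in the thread; the version
# subfolder name varies, so every subfolder under Platform is examined.
$platformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
$binaries     = 'MpCmdRun.exe', 'NisSrv.exe', 'MsMpEng.exe'

# Assumed "expected writers" for a protected system folder. Any other
# identity with write/modify/full rights is worth a closer look.
$trustedWriters = 'NT AUTHORITY\SYSTEM',
                  'NT SERVICE\TrustedInstaller',
                  'BUILTIN\Administrators'

# 1. Authenticode check: the same question Sigcheck answers ("Verified: Signed").
#    Status is 'Valid' only when the chain builds to a trusted root and the
#    file hash still matches the signature; an expired signing certificate
#    with a valid countersignature timestamp still verifies.
function Test-DefenderSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status                      # Valid / NotSigned / HashMismatch / ...
        Signer      = $sig.SignerCertificate.Subject
        CertExpires = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# 2. Folder-protection check: the reason Autoruns gave for the "(Not Verified)"
#    label. List every Allow ACE that grants write-class rights and flag the
#    ones held by an identity outside the assumed trusted set.
function Get-WritableBy {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Folder     = $Path
                Identity   = $_.IdentityReference.Value
                Rights     = $_.FileSystemRights
                Inherited  = $_.IsInherited
                Unexpected = ($trustedWriters -notcontains $_.IdentityReference.Value)
            }
        }
}

foreach ($dir in Get-ChildItem -Path $platformRoot -Directory) {
    "== $($dir.FullName)"
    Get-WritableBy -Path $dir.FullName | Format-Table -AutoSize
    foreach ($name in $binaries) {
        $file = Join-Path -Path $dir.FullName -ChildPath $name
        if (Test-Path -Path $file) {
            Test-DefenderSignature -Path $file | Format-List
        }
    }
}
```

If the signature check returns Valid with a Microsoft signer but the folder listing shows an Unexpected writer, the "(Not Verified)" label is pointing at the folder's ACL rather than at the binary, which is the distinction MarkC draws; if Status is anything other than Valid, the binary itself deserves attention regardless of what the folder looks like.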