Win10 Defender Antivirus Fail

  • Question

  • A few days ago, Win10's Defender Antivirus started "detecting" viruses in files that were actually older than the viruses detected. Those files (contained in MSIs inside ISOs) were there in the filesystem for most of the last year, so it was pretty irksome by all accounts. I reported false positives to MS and got the following reply:

    We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

    1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
    2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
    3. Run "MpCmdRun.exe -SignatureUpdate"

    Alternatively, the latest definition is available for download here:
    https://www.microsoft.com/en-us/wdsi/definitions

    Thank you for contacting Microsoft.

    When attempting to run these, I got the following error:

    MpCmdRun: Command Line: MpCmdRun.exe -removedefinitions -dynamicsignatures
    Start Time: Sat Nov 16 2019 15:41:57

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpRemoveDefinitions(0)
    ERROR: MpRollbackSignature failed with hr=80070005
    MpCmdRun: End Time: Sat Nov 16 2019 15:41:57

    The other command (-SignatureUpdate) worked fine, but of course the cached detections won't go away.

    I've tried disabling Win10 Defender Antivirus via Group Policy Editor. No joy.

    I found an identical error code report somewhere on MS Forums that suggested running dism.exe to do a checkup (it found errors) and repair (it returned a claim that the image was successfully repaired) but I still get the same error with MpCmdRun.exe.

    It's not system-breaking since I can just allow the detected files. It's fairly annoying to have to retain false positives in the detection history and it's even a bit dangerous considering the user of that PC is an end-user who's fairly likely to look at the history in 6-18 months and do something like Remove or Quarantine the threat, which would definitely break software they use daily.

    Sunday, November 17, 2019 6:56 PM
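The three-step procedure in the Microsoft reply above, written out as an elevated PowerShell script with the checks a practitioner would want around it. This is an added example, not code from the original post or from Microsoft. It assumes the standard Defender layout: the running platform's MpCmdRun.exe lives under %ProgramData%\Microsoft\Windows Defender\Platform\<version>\ (the copy in C:\Program Files\Windows Defender is the version shipped with the OS image and can be older), that MpCmdRun.exe reports failure through a nonzero exit code (an assumption; the poster's output shows the HRESULT only in its log text), and that the built-in Defender PowerShell module (Get-MpComputerStatus, Get-MpThreatDetection) is available, which it is on Windows 10. The hr=80070005 in the poster's error is the standard HRESULT E_ACCESSDENIED, so the script refuses to run unless the session is elevated.

```powershell
# Added example: clear Defender's cached dynamic signatures and refresh
# definitions, following the steps in the Microsoft reply, with checks added.
# Not part of the original post. Requires an elevated session.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# Prefer the MpCmdRun.exe of the platform version that is actually loaded
# (assumption: standard layout under ProgramData\...\Platform\<version>).
# Fall back to the copy under Program Files if the Platform folder is absent.
function Get-MpCmdRunPath {
    $platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    if (Test-Path $platformRoot) {
        # Folder names look like 4.18.1911.3-0; sort on the dotted part as a version.
        $latest = Get-ChildItem -Path $platformRoot -Directory |
            Sort-Object { [version]($_.Name -replace '-.*$', '') } -Descending |
            Select-Object -First 1
        if ($latest) {
            $candidate = Join-Path $latest.FullName 'MpCmdRun.exe'
            if (Test-Path $candidate) { return $candidate }
        }
    }
    return Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
}

# Run MpCmdRun.exe with the given switches and stop on failure instead of
# silently moving on, which is what happened to the poster (the -removedefinitions
# step failed with hr=80070005, E_ACCESSDENIED, but -SignatureUpdate still ran).
# Assumption: MpCmdRun returns a nonzero exit code when it logs an ERROR line.
function Invoke-MpCmdRun {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $exe = Get-MpCmdRunPath
    Write-Host "> $exe $($Arguments -join ' ')"
    & $exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ('MpCmdRun {0} failed with exit code 0x{1:X8}' -f $Arguments[0], $LASTEXITCODE)
    }
}

# Record the signature version before the change so the update is verifiable.
$before = Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# Step 2 from the reply: drop the cached dynamic signatures.
Invoke-MpCmdRun -Arguments '-RemoveDefinitions', '-DynamicSignatures'

# Step 3 from the reply: pull the latest definitions.
Invoke-MpCmdRun -Arguments '-SignatureUpdate'

$after = Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

"Signatures before: {0} ({1})" -f $before.AntivirusSignatureVersion, $before.AntivirusSignatureLastUpdated
"Signatures after:  {0} ({1})" -f $after.AntivirusSignatureVersion,  $after.AntivirusSignatureLastUpdated

# Show what is still in the detection history, so stale false positives that an
# end user might later "Remove" or "Quarantine" can be reviewed from the console
# rather than from the Security Center UI.
Get-MpThreatDetection |
    Select-Object DetectionID, InitialDetectionTime, ActionSuccess, Resources |
    Format-List
```

Run it from a PowerShell prompt opened with "Run as administrator"; the #Requires line makes it refuse to start otherwise, which is the first thing to rule out when MpCmdRun reports E_ACCESSDENIED. If the -RemoveDefinitions step still fails while elevated, compare the path the script printed against the Program Files copy in the reply; running the older binary against a newer loaded platform is a second thing worth ruling out.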

All replies

  • Are you running the command as administrator?

    Try restarting your PC and run the command again.

    Thursday, November 28, 2019 3:42 PM