Win10 Defender Antivirus Fail

  • Question

  • A few days ago, Win10's Defender Antivirus started "detecting" viruses in files that were actually older than the viruses detected. Those files (contained in MSIs inside ISOs) were there in the filesystem for most of the last year, so it was pretty irksome by all accounts. I reported false positives to MS and got the following reply:

    We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

    1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
    2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
    3. Run "MpCmdRun.exe -SignatureUpdate"

    Alternatively, the latest definition is available for download here:
    https://www.microsoft.com/en-us/wdsi/definitions

    Thank you for contacting Microsoft.

    When attempting to run these, I got the following error:

    MpCmdRun: Command Line: MpCmdRun.exe -removedefinitions -dynamicsignatures
    Start Time: Sat Nov 16 2019 15:41:57

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpRemoveDefinitions(0)
    ERROR: MpRollbackSignature failed with hr=80070005
    MpCmdRun: End Time: Sat Nov 16 2019 15:41:57

    The other command (-SignatureUpdate) worked fine, but of course the cached detections won't go away.

    I've tried disabling Win10 Defender Antivirus via Group Policy Editor. No joy.

    I found an identical error code report somewhere on MS Forums that suggested running dism.exe to do a checkup (it found errors) and repair (it returned a claim that the image was successfully repaired) but I still get the same error with MpCmdRun.exe.

    It's not system-breaking since I can just allow the detected files. It's fairly annoying to have to retain false positives in the detection history and it's even a bit dangerous considering the user of that PC is an end-user who's fairly likely to look at the history in 6-18 months and do something like Remove or Quarantine the threat, which would definitely break software they use daily.

    Sunday, November 17, 2019 6:56 PM

Answers

  • Hi Andrew, 

    I noticed error code 80070005 means access denied. 

    Please go to C:\Program Files\Windows Defender, then take ownership of MpCmdRun.exe to check the issue again.

    How to take full Ownership of Files & Folders in Windows 10

    Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.

    Bests,


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 1, 2020 9:04 AM
    Moderator
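
    The following is an added example, not part of any post in this thread or of Microsoft's tooling: it decodes the failing hr value from the log quoted in the question into its HRESULT fields, then, only if the session is elevated, runs the two steps from Microsoft's reply and decodes any failure they report. The function names ConvertFrom-HResult and Get-FailedHResult are hypothetical, and Windows PowerShell 5.1 plus the Defender path given in the thread are assumed.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 on Windows 10.
function ConvertFrom-HResult {              # hypothetical helper name
    param([Parameter(Mandatory)][string]$Hex)
    $v        = [Convert]::ToInt64($Hex, 16)
    $facility = ($v -shr 16) -band 0x7FF    # HRESULT bits 16-26
    $code     = $v -band 0xFFFF             # HRESULT bits 0-15
    $message  = if ($facility -eq 7) {      # FACILITY_WIN32: code is a Win32 error number
        [ComponentModel.Win32Exception]::new([int]$code).Message
    } else { '(not a Win32-wrapped error)' }
    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $v
        Failed   = (($v -shr 31) -eq 1)     # severity bit set means failure
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

function Get-FailedHResult {                # hypothetical helper name
    # Pull every failing 8-digit "hr=..." value out of MpCmdRun output or log text.
    param([string]$Text)
    [regex]::Matches($Text, '(?i)\bhr\s*=\s*(?:0x)?([0-9a-f]{8})\b') |
        ForEach-Object { ConvertFrom-HResult $_.Groups[1].Value } |
        Where-Object Failed
}

# Log lines copied from the question above.
$sample = @'
MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpRemoveDefinitions(0)
ERROR: MpRollbackSignature failed with hr=80070005
'@
Get-FailedHResult $sample | Format-List

# Live run of the two steps from Microsoft's reply, only from an elevated session.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($elevated) {
    $mp = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    foreach ($step in '-RemoveDefinitions -DynamicSignatures', '-SignatureUpdate') {
        $out = (& $mp ($step -split ' ') 2>&1 | Out-String)
        '{0} -> exit code {1}' -f $step, $LASTEXITCODE
        Get-FailedHResult $out | Format-List
    }
} else {
    Write-Warning 'Session is not elevated; skipping the live MpCmdRun steps.'
}
```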

All replies

  • Are you running the command as administrator?

    Try restarting your PC and run the command again.

    Thursday, November 28, 2019 3:42 PM
  • Are you running the command as administrator?

    Try restarting your PC and run the command again.

    Yes to administrator.  Did before I posted to restart PC.
    Saturday, December 14, 2019 8:26 PM
  • Hi Andrew, 

    I noticed error code 80070005 means access denied. 

    Please go to C:\Program Files\Windows Defender, then take ownership of MpCmdRun.exe to check the issue again.

    How to take full Ownership of Files & Folders in Windows 10

    Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.

    Bests,


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    It's not really relevant after all this time because the Windows Defender/Antivirus teams have fixed the mis-identification of malware, so Windows Defender no longer thinks there are viruses and therefore I no longer need to remove those bad entries.

    We have a new questionable detection in a new version of the same software currently under investigation by MS/Defender analysts so maybe we can try this if they ever get around to that.

    Thank you, Joy-Quiao.

    Saturday, February 1, 2020 7:54 PM
  • Hi Andrew, 

    Thank you for your reply. 

    If you have any other issues with the system, come back to TechNet at any time. 

    Bests, 


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, February 2, 2020 11:03 AM
    Moderator