abakirih

Big Windows Defender ATP Update Amps Up Protection



Keeping Microsoft Defender Antivirus up to date is critical to ensure your devices have the latest technology and features needed to protect against new malware and attack techniques. Make sure to update your antivirus protection, even if Microsoft Defender Antivirus is running in passive mode. There are two types of updates related to keeping Microsoft Defender Antivirus up to date:


Microsoft Defender Antivirus uses cloud-delivered protection (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads dynamic security intelligence updates to provide more protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.


Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see Use Microsoft cloud-provided protection in Microsoft Defender Antivirus.


We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, Windows Server 2022, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.


If this event persists:
  • Run the scan again.
  • If it fails in the same way, go to the Microsoft Support site and enter the error number in the Search box to look up the error code.
  • Contact Microsoft Technical Support.

Event ID: 1120
Symbolic name: MALWAREPROTECTION_THREAT_HASH
Message: Microsoft Defender Antivirus has deduced the hashes for a threat resource.
Description: Microsoft Defender Antivirus client is up and running in a healthy state.
  • Current Platform Version:
  • Threat Resource Path:
  • Hashes:
Note: This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.

Event ID: 1121
Symbolic name: (TBD)
Message: Event when an attack surface reduction rule fires in block mode.
Description: TBD.
  • Current Platform Version:
  • Threat Resource Path:
  • Hashes:
Note: TBD.

Event ID: 1127
Symbolic name: MALWAREPROTECTION_FOLDER_GUARD_SECTOR_BLOCK
Message: Controlled Folder Access (CFA) blocked an untrusted process from making changes to the memory.
Description: Controlled Folder Access has blocked an untrusted process from potentially modifying disk sectors. For more information about the event record, see the following:
  • EventID: for example: 1127
  • Version: for example: 0
  • Level: for example: win:Warning
  • TimeCreated: time when the event was created
  • EventRecordID: index number of the event in the event log
  • Execution ProcessID: process that generated the event
  • Channel: for example: Microsoft-Windows-Windows Defender/Operational
  • Computer:
  • Security UserID:
  • Product Name: for example: Microsoft Defender Antivirus
  • Product Version:
  • Detection Time: time when CFA blocked an untrusted process
  • User: \
  • Path: name of the device or disk that an untrusted process accessed for modification
  • Process Name: the process path name that CFA blocked from accessing the device or disk for modification
  • Security Intelligence Version:
  • Engine Version:
User action: The user can add the blocked process to the Allowed Process list for CFA, using PowerShell or Windows Security Center.

Event ID: 1150
Symbolic name: MALWAREPROTECTION_SERVICE_HEALTHY
Message: If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.
Description: Microsoft Defender Antivirus client is up and running in a healthy state.
  • Platform Version:
  • Signature Version:
  • Engine Version:
User action: No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.

Event ID: 1151
Symbolic name: MALWAREPROTECTION_SERVICE_HEALTH_REPORT
Message: Endpoint Protection client health report (time in UTC)
Description: Antivirus client health report.
  • Platform Version:
  • Engine Version:
  • Network Realtime Inspection engine version:
  • Antivirus signature version:
  • Antispyware signature version:
  • Network Realtime Inspection signature version:
  • RTP state: (Enabled or Disabled)
  • OA state: (Enabled or Disabled)
  • IOAV state: (Enabled or Disabled)
  • BM state: (Enabled or Disabled)
  • Antivirus signature age: (in days)
  • Antispyware signature age: (in days)
  • Last quick scan age: (in days)
  • Last full scan age: (in days)
  • Antivirus signature creation time: ?
  • Antispyware signature creation time: ?
  • Last quick scan start time: ?
  • Last quick scan end time: ?
  • Last quick scan source: (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
  • Last full scan start time: ?
  • Last full scan end time: ?
  • Last full scan source: (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
  • Product status: For internal troubleshooting

Event ID: 2000
Symbolic name: MALWAREPROTECTION_SIGNATURE_UPDATED
Message: The antimalware definitions updated successfully.
Description: Antivirus signature version has been updated.
  • Current Signature Version:
  • Previous Signature Version:
  • Signature Type: for example:
      • Antivirus
      • Antispyware
      • Antimalware
      • Network Inspection System
  • Update Type: either Full or Delta.
  • User: \
  • Current Engine Version:
  • Previous Engine Version:
User action: No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.

Event ID: 2001
Symbolic name: MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED
Message: The security intelligence update failed.
Description: Microsoft Defender Antivirus has encountered an error trying to update signatures.
  • New security intelligence version:
  • Previous security intelligence version:
  • Update Source: for example:
      • Security intelligence update folder
      • Internal security intelligence update server
      • Microsoft Update Server
      • File share
      • Microsoft Malware Protection Center (MMPC)
  • Update Stage: for example:
      • Search
      • Download
      • Install
  • Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
  • Signature Type: for example:
      • Antivirus
      • Antispyware
      • Antimalware
      • Network Inspection System
  • Update Type: either Full or Delta.
  • User: \
  • Current Engine Version:
  • Previous Engine Version:
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.
User action: This error occurs when there is a problem updating definitions. To troubleshoot this event:
  • Update definitions and force a rescan directly on the endpoint.
  • Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
  • Contact Microsoft Technical Support.

Event ID: 2002
Symbolic name: MALWAREPROTECTION_ENGINE_UPDATED
Message: The antimalware engine updated successfully.
Description: Microsoft Defender Antivirus engine version has been updated.
  • Current Engine Version:
  • Previous Engine Version:
  • Engine Type: either antimalware engine or Network Inspection System engine.
  • User: \
User action: No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

Event ID: 2003
Symbolic name: MALWAREPROTECTION_ENGINE_UPDATE_FAILED
Message: The antimalware engine update failed.
Description: Microsoft Defender Antivirus has encountered an error trying to update the engine.
  • New Engine Version:
  • Previous Engine Version:
  • Engine Type: either antimalware engine or Network Inspection System engine.
  • User: \
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.
User action: The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update. To troubleshoot this event:
  • Update definitions and force a rescan directly on the endpoint.
  • Contact Microsoft Technical Support.

Event ID: 2004
Symbolic name: MALWAREPROTECTION_SIGNATURE_REVERSION
Message: There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.
Description: Microsoft Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
  • Signatures Attempted:
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.
  • Signature Version:
  • Engine Version:
User action: The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus will attempt to revert back to a known-good set of definitions. To troubleshoot this event:
  • Restart the computer and try again.
  • Download the latest definitions from the Microsoft Security Intelligence site. Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
  • Contact Microsoft Technical Support.

Event ID: 2005
Symbolic name: MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE
Message: The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.
Description: Microsoft Defender Antivirus could not load the antimalware engine because the current platform version is not supported. Microsoft Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
  • Current Platform Version:

Event ID: 2006
Symbolic name: MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
Message: The platform update failed.
Description: Microsoft Defender Antivirus has encountered an error trying to update the platform.
  • Current Platform Version:
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.

Event ID: 2007
Symbolic name: MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE
Message: The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.
Description: Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.
  • Current Platform Version:

Event ID: 2010
Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
Message: The antimalware engine used the Dynamic Signature Service to get additional definitions.
Description: Microsoft Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
  • Current Signature Version:
  • Signature Type: for example:
      • Antivirus
      • Antispyware
      • Antimalware
      • Network Inspection System
  • Current Engine Version:
  • Dynamic Signature Type: for example:
      • Version
      • Timestamp
      • No limit
      • Duration
  • Persistence Path:
  • Dynamic Signature Version:
  • Dynamic Signature Compilation Timestamp:
  • Persistence Limit Type: for example:
      • VDM version
      • Timestamp
      • No limit
  • Persistence Limit: Persistence limit of the fastpath signature.

Event ID: 2011
Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
Message: The Dynamic Signature Service deleted the out-of-date dynamic definitions.
Change to default behavior (dynamic signature event reporting): When a dynamic signature is received by MDE, a 2010 event is reported. When the dynamic signature expires or is manually deleted, a 2011 event is reported. In some cases, when a new signature is delivered to MDE, hundreds of dynamic signatures expire at the same time, so hundreds of 2011 events are reported. The generation of so many 2011 events can cause a Security information and event management (SIEM) server to become flooded. To avoid this situation, starting with platform version 4.18.2207.7, MDE by default no longer reports 2011 events:
  • This new default behavior is controlled by the registry entry HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting\EnableDynamicSignatureDroppedEventReporting.
  • The default value for EnableDynamicSignatureDroppedEventReporting is false, which means 2011 events are not reported. If it's set to true, 2011 events are reported.
  • Because 2010 signature events are spread out over time and do not cause a spike, 2010 signature event behavior is unchanged.
Description: Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
  • Current Signature Version:
  • Signature Type: for example:
      • Antivirus
      • Antispyware
      • Antimalware
      • Network Inspection System
  • Current Engine Version:
  • Dynamic Signature Type: for example:
      • Version
      • Timestamp
      • No limit
      • Duration
  • Persistence Path:
  • Dynamic Signature Version:
  • Dynamic Signature Compilation Timestamp:
  • Removal Reason:
  • Persistence Limit Type: for example:
      • VDM version
      • Timestamp
      • No limit
  • Persistence Limit: Persistence limit of the fastpath signature.
User action: No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

Event ID: 2012
Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
Message: The antimalware engine encountered an error when trying to use the Dynamic Signature Service.
Description: Microsoft Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
  • Current Signature Version:
  • Signature Type: for example:
      • Antivirus
      • Antispyware
      • Antimalware
      • Network Inspection System
  • Current Engine Version:
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.
  • Dynamic Signature Type: for example:
      • Version
      • Timestamp
      • No limit
      • Duration
  • Persistence Path:
  • Dynamic Signature Version:
  • Dynamic Signature Compilation Timestamp:
  • Persistence Limit Type: for example:
      • VDM version
      • Timestamp
      • No limit
  • Persistence Limit: Persistence limit of the fastpath signature.
User action: Check your Internet connectivity settings.

Event ID: 2013
Symbolic name: MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
Message: The Dynamic Signature Service deleted all dynamic definitions.
Description: Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.
  • Current Signature Version:

Event ID: 2020
Symbolic name: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
Message: The antimalware engine downloaded a clean file.
Description: Microsoft Defender Antivirus downloaded a clean file.
  • Filename: Name of the file.
  • Current Signature Version:
  • Current Engine Version:

Event ID: 2021
Symbolic name: MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED
Message: The antimalware engine failed to download a clean file.
Description: Microsoft Defender Antivirus has encountered an error trying to download a clean file.
  • Filename: Name of the file.
  • Current Signature Version:
  • Current Engine Version:
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.
User action: Check your Internet connectivity settings. The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions for a specific threat. This error is likely caused by a network connectivity issue.

Event ID: 2030
Symbolic name: MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED
Message: The antimalware engine was downloaded and is configured to run offline on the next system restart.
Description: Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.

Event ID: 2031
Symbolic name: MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
Message: The antimalware engine was unable to download and configure an offline scan.
Description: Microsoft Defender Antivirus has encountered an error trying to download and configure offline antivirus.
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.

Event ID: 2040
Symbolic name: MALWAREPROTECTION_OS_EXPIRING
Message: Antimalware support for this operating system version will soon end.
Description: The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out-of-support operating system is not an adequate solution to protect against threats.

Event ID: 2041
Symbolic name: MALWAREPROTECTION_OS_EOL
Message: Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.
Description: The support for your operating system has expired. Running Microsoft Defender Antivirus on an out-of-support operating system is not an adequate solution to protect against threats.

Event ID: 2042
Symbolic name: MALWAREPROTECTION_PROTECTION_EOL
Message: The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.
Description: The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

Event ID: 3002
Symbolic name: MALWAREPROTECTION_RTP_FEATURE_FAILURE
Message: Real-time protection encountered an error and failed.
Description: Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
  • Feature: for example:
      • On Access
      • Internet Explorer downloads and Microsoft Outlook Express attachments
      • Behavior monitoring
      • Network Inspection System
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.
  • Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.
User action: You should restart the system and then run a full scan, because it's possible the system was not protected for some time. The Microsoft Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start. If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.

Event ID: 3007
Symbolic name: MALWAREPROTECTION_RTP_FEATURE_RECOVERED
Message: Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.
Description: Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
  • Feature: for example:
      • On Access
      • IE downloads and Outlook Express attachments
      • Behavior monitoring
      • Network Inspection System
  • Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.
User action: The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.

Event ID: 5000
Symbolic name: MALWAREPROTECTION_RTP_ENABLED
Message: Real-time protection is enabled.
Description: Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.

Event ID: 5001
Symbolic name: MALWAREPROTECTION_RTP_DISABLED
Message: Real-time protection is disabled.
Description: Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.

Event ID: 5004
Symbolic name: MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
Message: The real-time protection configuration changed.
Description: Microsoft Defender Antivirus real-time protection feature configuration has changed.
  • Feature: for example:
      • On Access
      • IE downloads and Outlook Express attachments
      • Behavior monitoring
      • Network Inspection System
  • Configuration:

Event ID: 5007
Symbolic name: MALWAREPROTECTION_CONFIG_CHANGED
Message: The antimalware platform configuration changed.
Description: Microsoft Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings, as this may be the result of malware.
  • Old value: Old antivirus configuration value.
  • New value: New antivirus configuration value.

Event ID: 5008
Symbolic name: MALWAREPROTECTION_ENGINE_FAILURE
Message: The antimalware engine encountered an error and failed.
Description: Microsoft Defender Antivirus engine has been terminated due to an unexpected error.
  • Failure Type: for example: Crash or Hang
  • Exception Code:
  • Resource:
User action: To troubleshoot this event:
  • Try to restart the service.
      • For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
      • For the Network Inspection System, at an elevated command prompt, type net stop nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file.
  • If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.
User action: The Microsoft Defender Antivirus client engine stopped due to an unexpected error. To troubleshoot this event:
  • Run the scan again.
  • If it fails in the same way, go to the Microsoft Support site and enter the error number in the Search box to look up the error code.
  • Contact Microsoft Technical Support.

Event ID: 5009
Symbolic name: MALWAREPROTECTION_ANTISPYWARE_ENABLED
Message: Scanning for malware and other potentially unwanted software is enabled.
Description: Microsoft Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.

Event ID: 5010
Symbolic name: MALWAREPROTECTION_ANTISPYWARE_DISABLED
Message: Scanning for malware and other potentially unwanted software is disabled.
Description: Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.

Event ID: 5011
Symbolic name: MALWAREPROTECTION_ANTIVIRUS_ENABLED
Message: Scanning for viruses is enabled.
Description: Microsoft Defender Antivirus scanning for viruses has been enabled.

Event ID: 5012
Symbolic name: MALWAREPROTECTION_ANTIVIRUS_DISABLED
Message: Scanning for viruses is disabled.
Description: Microsoft Defender Antivirus scanning for viruses is disabled.

Event ID: 5013
Symbolic name:
Message: Tamper protection blocked a change to Microsoft Defender Antivirus.
Description: If Tamper protection is enabled, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.

Event ID: 5100
Symbolic name: MALWAREPROTECTION_EXPIRATION_WARNING_STATE
Message: The antimalware platform will expire soon.
Description: Microsoft Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
  • Expiration Reason: The reason Microsoft Defender Antivirus will expire.
  • Expiration Date: The date Microsoft Defender Antivirus will expire.

Event ID: 5101
Symbolic name: MALWAREPROTECTION_DISABLED_EXPIRED_STATE
Message: The antimalware platform is expired.
Description: Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
  • Expiration Reason:
  • Expiration Date:
  • Error Code: Result code associated with threat status. Standard HRESULT values.
  • Error Description: Description of the error.
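As an added example (not Microsoft's code and not part of the original post), the following Python triage routine maps the event IDs documented above to a severity and applies two rules the reference states: a 3002 real-time protection failure is only temporary when a 3007 follows it, and a burst of 2011 events is the SIEM-flooding case that platform version 4.18.2207.7 suppresses by default. The event records, the `ExampleSetting` name in the 5007 message and the burst threshold of 100 are constructed for the example; a real pipeline would feed it records exported from the Microsoft-Windows-Windows Defender/Operational channel.

```python
"""Severity triage for Microsoft Defender Antivirus operational events.

Added example, not Microsoft's code. Input records are constructed in-line;
in practice they would be exported from the
Microsoft-Windows-Windows Defender/Operational channel.
"""
from collections import Counter

# Severity per event ID, derived from the documented meaning of each event.
SEVERITY = {
    1150: "info",     # service healthy, reported hourly
    2000: "info",     # signatures updated
    2001: "warning",  # security intelligence update failed
    2003: "warning",  # engine update failed
    2004: "warning",  # reverted to last-known-good signatures
    2010: "info",     # dynamic signature retrieved
    2011: "info",     # dynamic signature deleted (not reported by default)
    3002: "high",     # real-time protection feature failed
    3007: "warning",  # real-time protection recovered; full scan advised
    5000: "info",     # real-time protection enabled
    5001: "high",     # real-time protection disabled
    5004: "warning",  # real-time protection configuration changed
    5007: "warning",  # platform configuration changed; review if unexpected
    5008: "high",     # engine crash or hang
    5010: "high",     # antispyware scanning disabled
    5012: "high",     # antivirus scanning disabled
    5013: "high",     # tamper protection blocked a settings change
    5101: "high",     # platform expired, protection disabled
}

def triage(events):
    """events: list of (record_id, event_id, message) in log order.

    Returns a list of (record_id, event_id, severity, note).
    """
    findings = []
    for idx, (rec, eid, msg) in enumerate(events):
        sev = SEVERITY.get(eid, "info")
        note = msg
        if eid == 3002:
            # Documented rule: a later 3007 means the failure was temporary
            # and the client recovered; a full scan is still recommended.
            if any(e[1] == 3007 for e in events[idx + 1:]):
                sev = "warning"
                note = "RTP failure recovered (3007 follows); run a full scan"
            else:
                note = "RTP failure with no 3007 recovery; restart, then full scan"
        findings.append((rec, eid, sev, note))
    return findings

def dynamic_signature_burst(events, threshold=100):
    """True when a run of 2011 events is large enough to flood a SIEM,
    the situation that made platform 4.18.2207.7 stop reporting 2011
    unless EnableDynamicSignatureDroppedEventReporting is set to true."""
    return Counter(eid for _, eid, _ in events)[2011] >= threshold

def highest_severity(findings):
    order = ("info", "warning", "high")
    return max((f[2] for f in findings), key=order.index, default="info")

# Constructed sample records: (record id, event id, message).
SAMPLE = [
    (101, 1150, "Microsoft Defender Antivirus client is up and running"),
    (102, 5007, "Old value: ExampleSetting = 0; New value: ExampleSetting = 1"),
    (103, 5001, "Real-time protection is disabled."),
    (104, 3002, "Real-time protection encountered an error and failed."),
    (105, 3007, "Real-time protection recovered from a failure."),
    (106, 5013, "Tamper protection blocked a change to Microsoft Defender Antivirus."),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print("overall:", highest_severity(triage(SAMPLE)))
```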

