Weird Windows Defender behavior


  1. Posts : 76
    Windows 7 RTM
       #1



    To begin with, I run Windows 7 Professional. I keep it patched up to date. I also run ESET NOD32 v4, and Windows Defender is on by default. Malwarebytes AntiMalware is run once a week on-demand.

    Today I launched Steam, connected, and found there was a patch. I downloaded the patch and let it install. After it installed, I reconnected to Steam, and suddenly Windows Defender popped up.

    The popup balloon didn't say that it had found a virus, or malware. It said it flagged SteamServiceTmp.exe, and that it wanted to submit the file to Microsoft. I don't know if this means there was a virus in the file or some other malware. I think that's unlikely, considering it came directly from Valve (That's the file that launches to patch the Steam Service), but I'm not sure what that means. I can't find any record of the file being detected in the Windows Defender History, at all. Does this mean I have a virus? What is this all about?

    All I can find is this information from the Event Viewer:

    Fault bucket 864089046, type 5
    Event Name: AVSubmit
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: Windows Defender
    P2: 1.1.5302.0
    P3: unspecified
    P4: 1.71.700.0
    P5: 00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
    P6:
    P7:
    P8:
    P9:
    P10:

    Attached files:
    \\?\C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{BF619DBF-AF9E-8823-3E83-12DE9B785E0B}-SteamServiceTmp.exe
    C:\Users\{Omitted}\AppData\Local\Temp\MPSampleSubmit\client_manifest.txt

    These files may be available here:
    C:\Users\{Omitted}\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_Windows Defender_aaba7e9e24b775a1b21d5c41a485d822c4ec703b_0ac496bf

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 78cda38e-e5ff-11de-862f-001fbc01945b
    Report Status: 0

    EDIT: Upon review, here's the contents of the Report.wer file generated

    Version=1
    EventType=AVSubmit
    EventTime=129049732283935547
    Consent=2
    UploadTime=129049732284013672
    ReportIdentifier=78cda38e-e5ff-11de-862f-001fbc01945b
    Response.BucketId=864089046
    Response.BucketTable=5
    Response.type=4
    Sig[0].Name=Problem Signature 01
    Sig[0].Value=Windows Defender
    Sig[1].Name=Problem Signature 02
    Sig[1].Value=1.1.5302.0
    Sig[2].Name=Problem Signature 03
    Sig[2].Value=unspecified
    Sig[3].Name=Problem Signature 04
    Sig[3].Value=1.71.700.0
    Sig[4].Name=Problem Signature 05
    Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
    DynamicSig[1].Name=OS Version
    DynamicSig[1].Value=6.1.7600.2.0.0.256.48
    DynamicSig[2].Name=Locale ID
    DynamicSig[2].Value=1033
    State[0].Key=Transport.DoneStage1
    State[0].Value=1
    FriendlyEventName=AVSubmit
    ConsentKey=AVSubmit
    AppName=Windows Defender User Interface
    AppPath=C:\Program Files\Windows Defender\MSASCui.exe

    I uploaded the file to Virustotal, but the report has since expired. It came back with 1/41 as the result, with Panda finding the only positive (W32/Xor-encoded.A), and everything else being negative.
    Last edited by Carbonyl; 10 Dec 2009 at 23:24.
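
Added example, not part of the original post or of any Microsoft tooling: a small parser for the Report.wer text quoted above that pulls out the event type, converts the FILETIME timestamps to UTC, and collects the problem signatures. The function names and the "digest-like" heuristic are assumptions made for illustration, and the sample is a constructed subset of the lines in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the Report.wer lines quoted in the post above.
SAMPLE_WER = """\
EventType=AVSubmit
EventTime=129049732283935547
UploadTime=129049732284013672
Sig[0].Name=Problem Signature 01
Sig[0].Value=Windows Defender
Sig[4].Name=Problem Signature 05
Sig[4].Value=00175e0c-0000-0000-0000-000000000000,7B6FEFA17A704B6D4A03BFABB1DBC794703D480F
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INDEXED = re.compile(r"^(\w+)\[(\d+)\]\.(\w+)$")  # e.g. Sig[4].Value

def filetime_to_utc(ticks):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)

def parse_wer(text):
    """Return (flat key/value fields, indexed groups such as Sig[n])."""
    fields, groups = {}, {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue  # skip blank or malformed lines
        m = INDEXED.match(key)
        if m:
            name, idx, attr = m.group(1), int(m.group(2)), m.group(3)
            groups.setdefault(name, {}).setdefault(idx, {})[attr] = value
        else:
            fields[key] = value
    return fields, groups

def summarize(text):
    fields, groups = parse_wer(text)
    sigs = {s["Name"]: s.get("Value", "") for s in groups.get("Sig", {}).values() if "Name" in s}
    # Assumption: a 40-hex-digit token is digest-sized (SHA-1 length); the page does not say what it hashes.
    digests = re.findall(r"\b[0-9A-Fa-f]{40}\b", " ".join(sigs.values()))
    return {
        "event_type": fields.get("EventType"),
        "event_time": filetime_to_utc(fields["EventTime"]),
        "upload_delay_ms": (int(fields["UploadTime"]) - int(fields["EventTime"])) / 10_000,
        "signatures": sigs,
        "digest_like": digests,
    }
```

On disk, Report.wer is typically UTF-16 encoded, so decode the file before passing its text to `summarize`.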


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    Prevx say it's safe
    STEAMSERVICETMP.EXE, Prevx


  3. Posts : 76
    Windows 7 RTM
    Thread Starter
       #3

    It sounds like the file must be safe then. Thanks for the link!

    Windows Defender keeps doing this, though. It did it for the second time just recently. This time I caught the balloon message: "Review files that Windows Defender will Send to Microsoft (Important)". Then it asks me to submit the files when I look for more information. I can find information in the Event Viewer, but not in the Defender logs. It doesn't say "This is a piece of malware" explicitly, but the logs in the Event Viewer call this an "AVsubmission". This time it did it to me for uninstall_plugin.exe after updating Flash from Adobe's website.

    Is this normal behavior for Defender? Is it saying these files are malware? Or is it just submitting them to Microsoft for some unknown reason?


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4

    I have Windows Defender disabled in Services. I prefer to use Malwarebytes' Anti-Malware.

    Defender caused problems on my Vista computer, so I just put it to bed permanently and haven't used it on any of my machines since.


  5. Posts : 225
    Windows 7 Home Premium 32-bit
       #5

    Jacee said:
        I have Windows Defender disabled in Services. I prefer to use Malwarebytes' Anti-Malware.

        Defender caused problems on my Vista computer, so I just put it to bed permanently and haven't used it on any of my machines since.

    Windows Defender hasn't caused me any problems at all. (Not yet, at least.) I haven't gotten even a single pop-up balloon, except when I first bought the computer.


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

All times are GMT -5.