Microsoft releases Security Advisory 2974294

[Brink]

Today, we released Security Advisory 2974294 to inform global customers about an update for the Microsoft Malware Protection Engine. This update addresses a privately disclosed issue and fixes a vulnerability that could allow a denial of service if the Microsoft Malware Protection Engine scans a specially crafted file.

Updates for the Microsoft Malware Protection Engine are sent through security advisories as there is typically no action required to install the update. This is due to the fact that the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. There’s no action for you to take here – the engine will do it for you. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

We appreciate the researcher reporting this to us privately via Coordinated Vulnerability Disclosure (CVD) and for allowing us to release the update before there was any impact to our global customers.

Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

Source: Microsoft releases Security Advisory 2974294 - MSRC - Site Home - TechNet Blogs

 

[Anak]

Thanks Shawn,

It took a bit to figure out if I was okay, the gist of it is to go to the down arrow beside the Help button in MSE, click on About and check what your Engine version is, mine's 1.1.10701.0, so according to the following info quote I'm okay.

First version of the Microsoft Malware Protection Engine with this vulnerability addressed

Version 1.1.10701.0*​

*If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.

Source: https://technet.microsoft.com/en-us/library/security/2974294

 

[Ranger4]

Thanks Shawn & Anak. My version is the same as yours Anak, so apparently we are OK, but thanks for the way to find the information on the Engine Version.

 

[andrew129260]

Funny, my windows defender in windows 7 is not updated, including none of my vms.

Client Version: 6.1.7600.16385
Engine Version: 1.1.10600.0
Antispyware definitions: 1.175.2521.0

When I use windows update it says I am up to date, it also says I am up to date when I use windows defender to search for updates as well.

Am I missing something here?

 

[Ranger4]

Andrew, the info Anak supplied is for MSE. I don't know whether that relates directly to Windows Defender, as Defender gets disabled when MSE is installed. Whether the Engine version for MSE is the same as Defender would be a good question.
I had a big 10+Mb update on MSE this morning so I assume that included the Malware Protection Engine update, so I suppose yours may still come though if Defender needs it.

 

[andrew129260]

Andrew, the info Anak supplied is for MSE. I don't know whether that relates directly to Windows Defender, as Defender gets disabled when MSE is installed. Whether the Engine version for MSE is the same as Defender would be a good question.

Their article https://technet.microsoft.com/en-us/library/security/2974294

specified windows defender on windows 7. So that is why I am confused. I don't use MSE.

 

[Layback Bear]

I'm thinking that Panda was suppose to turn off Defender in Windows 7.
Maybe the Panda forum has thoughts on that.

 

[Ranger4]

Andrew. If you read down this MS website it mentions the Malware Engine under the Windows 8 section & it reads number above 1.1.9506.0 & referring to your number which you quoted in Post #4 as 1.1.10600.0 seems to be a much later number. Hope I am on the right track here.

https://support.microsoft.com/kb/2510781

 

[Anak]

Funny, my windows defender in windows 7 is not updated, including none of my vms.

Client Version: 6.1.7600.16385
Engine Version: 1.1.10600.0
Antispyware definitions: 1.175.2521.0

When I use windows update it says I am up to date, it also says I am up to date when I use windows defender to search for updates as well.

Am I missing something here?

Andrew,

Are you seeing any error codes when trying to update? Even if your not this could be a case that your distribution database is broken and needs to be re-created.

One area you may want to check is the last date modified of your Defender Folder/Files; Type/copy/paste Windows Defender in the Start >Search box, go to the Windows Defender Folder under Files, then right click and click on open file location then Folder to check the dates.
You can also check the Reliability and Problem History with Reliability Monitor These two ways may give you a handle on when Defender started to act up.

This link: Fix: Windows Defender will not update definitions, Will explain the error codes, offer a different automatic avenue to updating Defender, troubleshoot the problem, supplies a manual way to update, and in step #6 shows how to recreate the Distribution database.

The file (mpas-fe.exe 64bit) offered at the Windows Club link is the same as the one offered here: Get the latest definitions - Microsoft Malware Protection Center It should update the Defender application.

Both files have the same details:



The usual caveats apply as to backups and restore points.

 

[andrew129260]

I'm thinking that Panda was suppose to turn off Defender in Windows 7.
Maybe the Panda forum has thoughts on that.

No panda does not disable windows defender I can open it and it is fully functioning. It updated definitions today but no engine upgrade still. Thank you for the suggestion.

Andrew. If you read down this MS website it mentions the Malware Engine under the Windows 8 section & it reads number above 1.1.9506.0 & referring to your number which you quoted in Post #4 as 1.1.10600.0 seems to be a much later number. Hope I am on the right track here.

https://support.microsoft.com/kb/2510781

thanks for the info

@Anak

Appreciate it. No error codes, everything is successful when updating and everything looks happy ha. I will do this soon.

I am still not sure why even my vms though are not updated as well. I have 2 windows 7 in VMS and they are not updated either. I do not understand what is going on.

Is this also supposed to be released as a windows update in the future to apply the update to the malware engine?


I have never once had a problem with updates or anything of the sort. So I do not understand what is going on...

Maybe the update is only for windows 8 and mse and the article is wrong....idk

 

[andrew129260]

@Anak

Windows update troubleshooters found no issues, which is what I suspected. I have always gotten updates fine.

I downloaded the update manually from microsoft with your link above with the latest definitions and now it is up to date. (The engine) Very strange. Definitions were already up to date.

Client Version: 6.1.7600.16385
Engine Version: 1.1.10701.0
Antispyware definitions: 1.177.229.0

Thank you.

 

[Anak]

It's good that Defender allowed itself to be updated, that should indicate that there is nothing wrong with the application. You don't mention it, but did your VMs update also?

Without knowing how many times Defender updates itself, I would check up on it at least daily, bi-weekly? to see if the versions are progressing. If it continues to update good. If not there are a few areas to check.

• Make sure Defender's services including dependencies are set to auto, auto (delayed start), and are started and running.

• Check to see if Defender's Task policy is set correctly in Windows Task Scheduler (TS): Use the link to find how to get there, then when open click on arrow to left of TS Library >Then arrow left of Microsoft >Then Windows Defender. If you see settings check over them, if no settings or blank, you will have to create running and updating tasks for Defender. Observe new behavior.

• Make sure auto update within the app is turned on.

• You may have to re-register certain .dlls or check to see if you have an inconsistent WMI repository

• You may have to rebuild the SoftwareDistribution Folder as noted in step #6 from one of my earlier links.

• When was the last time you ran an elevated SFC /scannow? If you see it trying to repair MSASCui.exe (Defender's User Interface) or MpRtMon.dll (Defender's Real-Time Monitor) that would be cause for concern. Fix: Windows Defender Error MSASCui.exe Unable To Locate Component. There are only two ways to fix this if you see them because Defender is integrated into the OS. They are; Copying new files into the C:\windows\winsxs\x86_security-malware-windows-defender Folder or a reinstall of the OS.

• If during the SFC scan you see any reference to Defender's Service Dependencies it would indicate corruption in those dependency's also. If this is the case a reinstall may be the least painful solution.

I am working at a disadvantage here because I have no C:\windows\winsxs\x86_security-malware-windows-defender Folder, I do have C:\windows\winsxs\x86_security-malware-windows-filehascode_. The only reason I can think of is because I switched over to MSE a few years ago and it shut off Defender. And with the intervening updates Defender has been put on the back-burner on my system.


There may be more in these search links that I may have missed, but I would lean towards file corruption causing the update problem if it persists.

Windows 7 Forums - Search Results for win 7 defender

The Windows Club - Search Results for win 7 defender

 

[ThrashZone]

My 32 bit system had a 98mg win update,
My 64 bit system had a very small kb definitions update,
No telling why the versions weren't updated the same or why the versions were different ?

 

[andrew129260]

@Anak

Thank you.

I had ran a sfc /scannow when I noticed this stuff happening No integrity violations, neither on host or vms. I also forgot to mention I had to apply the update on both my windows 7 vms. Very weird. I don't even have the same software/antivirus etc on them. Nothing obvious that would cause the issue.

I checked yesterday and windows defender on my host and vms are getting definition updates like always, just for some reason that engine update was not there. Very odd. So it is updating like it is supposed to, just did not do the engine for some reason. *shrug*

I will look into all the things you suggested, many thanks. I believe most of them I have done, but I will recheck to make sure.

 

[Anak]

My 32 bit system had a 98mg win update,
My 64 bit system had a very small kb definitions update,
No telling why the versions weren't updated the same or why the versions were different ?

A semi-educated guess would be the different bit-ages.

@Anak

Thank you.

I had ran a sfc /scannow when I noticed this stuff happening No integrity violations, neither on host or vms. I also forgot to mention I had to apply the update on both my windows 7 vms. Very weird. I don't even have the same software/antivirus etc on them. Nothing obvious that would cause the issue.

I checked yesterday and windows defender on my host and vms are getting definition updates like always, just for some reason that engine update was not there. Very odd. So it is updating like it is supposed to, just did not do the engine for some reason. *shrug*

I will look into all the things you suggested, many thanks. I believe most of them I have done, but I will recheck to make sure.

Your welcome.

Programs go bonkers at times, I have to look into why my Intel(R) 5 Series/3400 Series Chipset Family USB Enhanced Host Controller - 3B34 went south on me. \Performance Information and Advanced Tools\ is telling me it's interfering with the Sleep function.

It started after April or May's patch Tuesdays, and mysteriously improved somewhat after June's.
I'll have to check if any Windows Updates are responsible.

 

[mcwindebank]

I am having problems finding an actual download file for this update. I am unable to update defender from the update date tab since we have a group of workstations that are unable to connect to the internet by design. Does anyone know where I can find an actual file to download and apply to my workstations? I have scoured the net and haven't been lucky enough to find it. Thanks!

 

[Anak]

Hi mcwindebank, welcome to 7F!

Is this what you're looking for? https://How to manually download the latest definition updates for Windows Defender | support.microsoft.com/kb923159