ITResourcing-6032 asked ·

Windows Defender issue on server - lots of files being created

We have an issue on a Windows Server 2019 Datacenter virtual machine with Windows Defender.
We are in: Settings -> Update & Security -> Windows Security -> Virus & threat protection -> Virus & threat protection settings -> Manage settings

When Real-time protection is turned on, after about 20-30 minutes it creates hundreds/thousands of files in this location:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store

Most of these files are either 1kb or 2kb. Over a 24 hour period we ended up with roughly 950,000 files and it was taking 30 GB of space. This does not appear to be normal. There is no threats detected and no actively running scan or updates. These files appear to be encrypted, or at least we can't open them in notepad and see any useful data. This is only happening on one server.

Anybody got any ideas?

windows-server

The affected engine version is 18100.5.
The fixed engine version is 18100.6.

TeemoTang-MSFT answered ·

Over a 24 hour period we ended up with roughly 950,000 files and it was taking 30 GB of space.

It is an abnormal phenomenon; please execute a full scan with Windows Defender, then delete the scan history files.

Don't worry, I once deleted all files in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store on my Windows 10 to see what would happen; Defender still appears to be working fine.

Windows Defender files will appear in Disk Cleanup if you click "Clean up system files".



Issue is happening on a 2nd WS 2016 VM; can anyone advise on how to diagnose this?


You can safely delete the history folder.

----Issue----
Large files generated inside the folder c:/programdata/microsoft/windowsdefender/scan/history

----Clarification----

This issue is currently a known issue and the fix will hit all release rings this Thursday. The RCA is that the engine in MsMpEng.dll has an issue that is causing lots of files in this folder. The affected engine version is 18100.5.

The update will take the normal release cycle and will hit mainstream this Thursday.


Release schedule:

R1: Friday (4/30)
R2: Monday (5/3)
R3: Tuesday (5/4)
Release: Thursday (5/6)

You can update the engine version by installing the signature update using your regular method(SCCM, WSUS...) or the offline update package(Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence).

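For anyone asking how to tell whether a given server is still on the affected engine and how far the Store folder has grown, the following PowerShell is an added example and is not from the thread or from Microsoft. It assumes the Defender PowerShell module (Server 2016/2019; the 2012 R2 "Microsoft Antimalware" install has a different toolset), that you run it elevated, and that the fixed engine build is 1.1.18100.6 as stated in the comment on the question.

```powershell
# Added example (not from the thread). Run elevated on a suspect server.
# Assumption: the affected engine build is 1.1.18100.5 and the fixed build is
# 1.1.18100.6, per the comment on the question. Both Store paths seen in the
# thread are checked.
$FixedEngine = [version]'1.1.18100.6'
$StorePaths  = @(
    'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store',
    'C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Store'
)

# 1. Engine build: Get-MpComputerStatus reports the running malware engine version.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    EngineVersion    = $engine
    OnAffectedBuild  = ($engine -lt $FixedEngine)
    RealTimeEnabled  = $status.RealTimeProtectionEnabled
    SignatureAgeDays = $status.AntivirusSignatureAge
} | Format-List

# 2. Store folder growth. EnumerateFiles streams directory entries instead of
#    materialising millions of objects the way Get-ChildItem would.
foreach ($path in $StorePaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $count = 0L; $bytes = 0L
    foreach ($file in [System.IO.Directory]::EnumerateFiles($path)) {
        $count++
        $bytes += ([System.IO.FileInfo]$file).Length
    }
    [pscustomobject]@{ Path = $path; Files = $count; SizeMiB = [math]::Round($bytes / 1MB, 1) }
}

# 3. What Defender itself logged recently (scans, updates, errors); first line of
#    each message is enough to spot a pattern.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

# 4. If still on the affected build, pull the engine update through the normal
#    signature channel and report the build afterwards.
if ($engine -lt $FixedEngine) {
    Update-MpSignature
    'Engine after update: ' + (Get-MpComputerStatus).AMEngineVersion
}
```

The file count loop walks every entry, so on a folder with millions of files it still takes minutes; run it once to size the problem rather than in a scheduled job. If Update-MpSignature leaves AMEngineVersion unchanged, the engine update has not reached your release ring yet; the offline package linked above is the alternative on servers without SCCM or WSUS.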
DenisPayne-4809 (replying to TomDingShanghaiWicresoftCoLtd-3099) ·

Will running update from Windows Defender once the fix is out not resolve the issue?

How about using Windows Updates?

We don't use SCCM nor WSUS.

DenisPayne-4809 answered ·

We started having this same problem on our WS 2016 Domain Controller.

It normally takes 20 minutes to back up this server, but last night it hit the runtime limit of 4 hours, and the cause was tracked down to over 200k new files in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store.

It looks to be the System process that is creating these random 1 KB to 2 KB files in said location; this is an assumption, as the owner of the files is System and in Resource Monitor > Disk I can see the System process accessing said folder location.

Since 22:11 last night it has been creating hundreds of thousands of these files and it continues to do so after a reboot.

Windows Defender GUI isn't running a scan, doesn't show anything in History.

Windows Defender Operational log in Event Viewer does indicate why these random files are being created.

What is the C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ folder for?
How do I determine what is constantly creating these files?



AndreasSchweizerdivertogmbh-8979 answered ·

We have the same problem on different servers with 2016! Any news?


AxeliusCarl-3418 answered ·

One of my Windows 2019 Std servers is having the same symptom.
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ contains several million 1-2 KB files, and the MsMpEng.exe process is running at 60%-90% all the time.
Not sure if I can delete the "Store" folder or not?


HaggertyJohn-9822 answered ·

Seeing this issue on our 2012R2 file servers.
C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Store has millions of these 1-2 KB files.
We had to delete the entire Store folder and haven't seen any issues thus far.


PaulMolina-6901 answered ·

We're seeing this too, it's a thing.


MWheeler-9259 answered ·

We've begun to see this pop up more and more this past week without explanation. Even after uninstalling WD, the files still exist. We've had to take ownership of C:\ProgramData\Microsoft\Windows Defender\Scans, which (depending on the size) may take hours. Then we delete the C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store folder to recover space. All servers so far have been 2016, though we're not ruling out 2019 as well. This appears to be a WD issue rather than an OS issue.


Can confirm it's happening on 2019 with 3rd party AV installed.

dubsdj-1606 answered ·

I'm having the same issue on our file server. Trying to delete the Store folder, but it's taking "forever" even when using PowerShell!


We had 12 million files in C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Store.
Weirdly, when we did a Remove-Item it did not work and just sat for hours, but when doing a "Shift + Delete" on the folder it worked after an hour or so. It is saying it will take more than a day to delete...

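Remove-Item and Explorer both build a per-file object for every one of the millions of entries, which is why they crawl. The following PowerShell is an added example, not from the thread or from Microsoft: it purges the Store folder by mirroring an empty directory onto it with robocopy, after granting Administrators rights on the folder itself rather than taking ownership of every file. It assumes you run elevated, that the engine is already on the fixed build (otherwise the folder refills as fast as you empty it), and the Defender path; swap in the Microsoft Antimalware path on 2012 R2.

```powershell
# Added example (not from the thread). Run elevated, after confirming the engine
# is on the fixed build; on the affected build the folder simply refills.
$Store = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store'
$Empty = Join-Path $env:TEMP 'empty-store'
New-Item -ItemType Directory -Path $Empty -Force | Out-Null

# The files are owned by SYSTEM. NTFS lets you delete a file if you hold DELETE
# on the file *or* FILE_DELETE_CHILD on its parent directory, so granting
# Administrators full control on the folder alone (no /R or /T recursion over
# millions of files) is normally enough and avoids the hours-long recursive
# takeown reported in the thread.
takeown.exe /F $Store | Out-Null
icacls.exe $Store /grant 'Administrators:(OI)(CI)F' /Q | Out-Null

# Mirror an empty source onto the Store: robocopy removes everything in the
# destination that is not in the source. /NFL /NDL /NP stop it logging each of
# the millions of deletions; /R:1 /W:1 keep locked files from stalling the run.
$log = Join-Path $env:TEMP 'store-purge.log'
robocopy.exe $Empty $Store /MIR /MT:32 /R:1 /W:1 /NFL /NDL /NP /LOG:$log

# robocopy exit codes 0-7 are success or partial success; 8 and above mean some
# deletions failed (typically access denied on individual files).
if ($LASTEXITCODE -ge 8) {
    Write-Warning "Some files could not be removed (see $log). Fallback (slow, recursive):"
    Write-Warning "  takeown /F `"$Store`" /R /D Y ; icacls `"$Store`" /grant Administrators:F /T"
}

# Verify without materialising objects for whatever is left.
$remaining = 0L
foreach ($f in [System.IO.Directory]::EnumerateFiles($Store)) { $remaining++ }
"Files remaining in Store: $remaining"
```

The backup-window problem DenisPayne described above is another reason to prefer this over deleting the Scans folder outright: the folder and its ACL survive, only its contents go, so there is nothing for Defender to recreate with different permissions. Check the log summary for the "Extras" count, which is the number of files robocopy removed.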
dubsdj-1606 answered ·

I have heard that this issue is caused if you have more than one AV running on the server. Disabling Windows Defender fixes it (if you have another AV installed).


TomDingShanghaiWicresoftCoLtd-3099 answered ·

Windows Defender Engineer.




@TomDingShanghaiWicresoftCoLtd-3099 what is the version number of the fixed engine? This would help us to identify the fixed installation
