ITResourcing-6032 asked sarfarazshaikh-7374 commented

Windows Defender issue on server - lots of files being created

We have an issue on a Windows Server 2019 Datacenter virtual machine with Windows Defender.
We are in: Settings -> Update & Security -> Windows Security -> Virus & threat protection -> Virus & threat protection settings -> Manage settings

When Real-time protection is turned on, after about 20-30 minutes it creates hundreds/thousands of files in this location:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store

Most of these files are either 1 KB or 2 KB. Over a 24 hour period we ended up with roughly 950,000 files and it was taking 30 GB of space. This does not appear to be normal. There are no threats detected and no actively running scan or updates. These files appear to be encrypted, or at least we can't open them in Notepad and see any useful data. This is only happening on one server.

Anybody got any ideas?

windows-server

The affected engine version is 18100.5.
The fixed engine version is 18100.6.

C:\Program Files\Windows Defender>MpCmdRun.exe -SignatureUpdate

Hopeless-Admin answered

Does anyone know why this started out of the blue? It seems like a commonality between multiple different threads on the Internet regarding this is that these files started on or shortly after 4/28. We control our updates via WSUS and haven't run any updates for at least a week prior to this hitting us. I'd understand if as soon as we updated to 1.1.18100.5 that it started generating these files but that's not the case. It just seems strange that the affected servers start generating these files on 4/28 and other servers seem to be fine. I'd say there's some kind of trigger for this time bomb but it seems unlikely that the trigger was pulled for multiple but not all of the servers at the same time.

Here are some other threads talking about this issue:
https://community.spiceworks.com/topic/2316398-windows-defender-filling-disk-with-thousands-of-files?utm_campaign=item&utm_medium=rss&utm_source=global
https://docs.microsoft.com/en-us/answers/questions/378578/windows-defender-creating-thousands-of-files.html?page=2&pageSize=10&sort=oldest
https://www.reddit.com/r/sysadmin/comments/n0q8pc/help_windows_defender_real_time_protection/

PaulMolina-6901 answered AshokSavla-3252 published

Our team is working off this article and seems to have it under control. Kind of. Removing the Windows Defender feature (reboot required). Deleting the files. Believe there will be a fix released Thursday 5/7/2021.

https://www.reddit.com/r/sysadmin/comments/n43xk2/windows_defender_server_2016_watch_out/


Hello,

Any solutions? We are facing the same issue.
Thanks

ashok@enam.com

ITResourcing-6032 answered

Hi,
I should have posted back here (sorry). We believe we solved our issue by installing the latest "Security Intelligence Update for Microsoft Defender Antivirus".
The specific KB we installed was KB2267602 (Version 1.339.316.0).

I hope that helps.

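As an added check (this is not code from the thread or from Microsoft), the PowerShell script below pulls together what the posts above describe: it reports the Defender engine and signature versions via Get-MpComputerStatus, flags a server whose engine build is the 1.1.18100.5 build the comments name as affected (1.1.18100.6 being the fixed build), measures how many files the Scans\History\Store folder holds and how much space they take, and breaks the files down by size so the 1 KB / 2 KB pattern from the question is visible. With -UpdateSignatures it runs Update-MpSignature, the cmdlet equivalent of the MpCmdRun.exe -SignatureUpdate command quoted in the comments. The threshold of 10,000 files is an assumed alerting level, not a value from the thread.

```powershell
<#
  Added example: Defender history-store health check.
  Assumptions (not from the thread): the 10,000-file alert threshold, and that
  Get-MpComputerStatus / Update-MpSignature are available (Windows Defender
  PowerShell module on Windows Server 2016/2019).
#>
[CmdletBinding()]
param(
    [switch]$UpdateSignatures,   # also pull the latest Security Intelligence Update
    [int]$AlertFileCount = 10000 # assumed threshold; tune for your environment
)

# Paths and versions taken from the thread.
$StorePath      = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store'
$AffectedEngine = [version]'1.1.18100.5'
$FixedEngine    = [version]'1.1.18100.6'

# 1. Engine / signature state, as reported by Defender itself.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion
Write-Host ("Engine version       : {0}" -f $engine)
Write-Host ("Signature version    : {0}" -f $status.AntivirusSignatureVersion)
Write-Host ("Signature updated    : {0}" -f $status.AntivirusSignatureLastUpdated)
Write-Host ("Real-time protection : {0}" -f $status.RealTimeProtectionEnabled)

if ($engine -eq $AffectedEngine) {
    Write-Warning ("Engine {0} is the build reported as affected; {1} is the fixed build." -f $engine, $FixedEngine)
} elseif ($engine -ge $FixedEngine) {
    Write-Host "Engine is at or above the fixed build."
}

# 2. Size of the history store. Enumerating a very large folder can take a while.
if (Test-Path -LiteralPath $StorePath) {
    $files = Get-ChildItem -LiteralPath $StorePath -File -ErrorAction SilentlyContinue
    $count = @($files).Count
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { $bytes = 0 }

    Write-Host ("Store file count     : {0:N0}" -f $count)
    Write-Host ("Store size           : {0:N2} GB" -f ($bytes / 1GB))

    # Size histogram: the question reports most files being 1 KB or 2 KB.
    $files |
        Group-Object { [math]::Ceiling($_.Length / 1KB) } |
        Sort-Object { [int]$_.Name } |
        Select-Object -First 5 |
        ForEach-Object { Write-Host ("  ~{0} KB : {1:N0} files" -f $_.Name, $_.Count) }

    if ($count -ge $AlertFileCount) {
        Write-Warning ("Store holds {0:N0} files (threshold {1:N0}); this matches the runaway-file symptom." -f $count, $AlertFileCount)
    }
} else {
    Write-Host "Store folder not present."
}

# 3. Optional mitigation the thread converged on: install the latest signature / engine update.
if ($UpdateSignatures) {
    Write-Host "Requesting Security Intelligence Update..."
    Update-MpSignature
    $after = Get-MpComputerStatus
    Write-Host ("Engine version now   : {0}" -f $after.AMEngineVersion)
    Write-Host ("Signature version now: {0}" -f $after.AntivirusSignatureVersion)
}
```

Run it from an elevated PowerShell session on the affected server first without -UpdateSignatures to record the engine build and folder size, then again with the switch and confirm the engine version moves past 1.1.18100.5 and the file count stops growing; deleting the accumulated files, as one answer describes, is a separate cleanup step once the engine is updated.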