question

4 Votes
DenisPayne-4809 asked Bartek82 commented

Windows Defender creating thousands of files

Since 28/04/2021 around 22:00, thousands of files started to be created in folder C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ on one of my domain controllers.

There were over 200k files, which caused that night's backup to take over 4 hours rather than the normal 20 minutes.
There are now well over 400k files.

Another member server is also affected by this; there are over 2 million files in the same folder, being:
C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\

Both servers are running Windows Server 2016.
The files are 1-2KB.
Settings>Update&Security>Windows Defender settings are enabled.
Windows Defender GUI>History is empty for Quarantined, Allowed and All Detected items.
No Windows Defender scan is running.

Resource Monitor>Disk>Disk Activity shows the System process accessing these files, so I presume it is creating them.
System is also the owner of these files.

windows-server windows-server-2016 windows-server-security

Same here since Friday!
We have Sophos and datto RMM on the systems.
Any news now?

0 Votes 0 ·

Have the same problem. Over the weekend, 3 server(2019) hard drives filled up.

We also use Sophos Central Endpoint

0 Votes 0 ·

We are also facing this issue as well. We are on Windows Defender Engine version 1.1.18100.5 with Sophos installed. My colleague came across this Reddit thread (https://www.reddit.com/r/sysadmin/comments/n0q8pc/help_windows_defender_real_time_protection/) dealing with the same issue. Looks like an update to the engine to bring it to version 1.1.18100.6 may have resolved it for a few of those people but I don't think it's publicly available yet. I've had at least 10 servers already affected by this and all of the issues started on 4/28. Hooray for Mondays!

0 Votes 0 ·

Has anyone got any resolution from Microsoft on this issue yet? If so, is there an update that's publicly available?

0 Votes 0 ·

I got a response that a tech has been assigned to my case, that's it. You can temporarily disable realtime protection to stop file creation, or remove WD in Apps & Features.

0 Votes 0 ·

In WS2016 it wasn't possible to disable Windows Defender, if you did then flipped away then back to the screen it'd just be running again.
In my case something about 'Unable to disable Windows Defender if Sophos installed' so I just uninstalled Windows Defender from the 3xWS 2016 VMs that had the issue.

Supposedly an update later this week will fix the Windows Defender issue which is the cause.

0 Votes 0 ·
0 Votes
DavidFosbenner-1768 answered

I've seen in other threads that a fix may come Thursday. I'm not waiting around. I removed WD from my servers and it will be part of my new build checklist to remove it whenever a server has 3rd party AV. Problem solved.
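
A read-only triage check for the symptom described in this thread, as an added example that is not part of any poster's reply: it counts the files in the Store folder, how many were created since the reported start date, and compares the Defender engine version with 1.1.18100.6, which one commenter reports may resolve the issue. It assumes PowerShell 5.1 run elevated; the function name and the output property names are illustrative.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted or reconfigured.
$storePath   = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History\Store'
$fixedEngine = [version]'1.1.18100.6'       # reported in the thread as possibly fixed; unconfirmed
$sinceDate   = [datetime]::new(2021, 4, 28) # date the thread reports the file creation starting

function Get-StoreFileStats {
    param([string]$Path, [datetime]$Since)
    $count = 0; $recent = 0; $bytes = [long]0
    if (Test-Path -LiteralPath $Path) {
        # Stream directory entries instead of Get-ChildItem: the thread reports
        # 400k to over 2 million files, which would be slow to hold in memory.
        $dir = [System.IO.DirectoryInfo]::new($Path)
        foreach ($file in $dir.EnumerateFiles()) {
            $count++
            $bytes += $file.Length
            if ($file.CreationTime -ge $Since) { $recent++ }
        }
    }
    [pscustomobject]@{
        Files        = $count
        CreatedSince = $recent
        SizeMB       = [math]::Round($bytes / 1MB, 1)
    }
}

# Get-MpComputerStatus is missing when the Defender feature has been removed,
# as several posters did, so treat any failure as "engine not present".
try {
    $engine = [version](Get-MpComputerStatus -ErrorAction Stop).AMEngineVersion
} catch {
    $engine = $null
}

$stats = Get-StoreFileStats -Path $storePath -Since $sinceDate
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    EngineVersion     = $engine
    BelowReportedFix  = ($null -ne $engine -and $engine -lt $fixedEngine)
    StoreFiles        = $stats.Files
    CreatedSinceStart = $stats.CreatedSince
    StoreSizeMB       = $stats.SizeMB
}
```

Running it before and after an engine update shows whether the file count in the folder is still growing.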
