question

FilthyPierre-9294 asked:

Defender bug with 1.1.18100.5 - Please clarify how 1.1.18100.6 is distributed

We deploy Microsoft patches to our Windows servers and workstations using Configuration Manager.

Recently Microsoft released a buggy Defender engine (version 1.1.18100.5) that generated millions of files, filled up hard drives and slowed down our computers. I manually downloaded the fixed/updated Defender engine version 1.1.18100.6 and started deploying it to workstations as a package on Friday using ConfigMgr.

Since then I can see that many of our workstations have already updated their Defender engine version. Many of these are systems that I did not target with the update package that I created.

How are systems that I am not targeting getting the updated engine version? I did not run our ADR, so I don't think it is being deployed by ConfigMgr, since the update would not be in our repository. I know that AV definition updates will fall back to Windows Update after X days to keep AV definitions up to date even without access to a Distribution Point. Is the same true for the Defender engine versions? If so, how often will a managed computer go out and check for engine updates on the web?

If someone can point me to documentation that explains this I would appreciate it.

Also, I downloaded the workstation update from this link: https://www.microsoft.com/en-us/wdsi/defenderupdates. It lists the update for Windows 8 and Windows 10. No server OSes are listed. Where can I obtain the source for different server OS versions?

Thanks

Tags: windows-server, mem-cm-general

SimonRenMSFT-3639 answered:

Hi,

Thanks for posting in Microsoft MECM Q&A forum.

Please help check if you have disabled dual-scan. Please refer to:
Using ConfigMgr With Windows 10 WUfB Deferral Policies
Windows 10 automatically upgrading to new feature updates

Best regards,
Simon


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
https://docs.microsoft.com/en-us/answers/articles/67444/email-notifications.html



FilthyPierre-9294 commented:

I have no deferral policies created for Windows 10; I believe that means dual scan is not enabled. I didn't do anything else to enable dual scan.

Also, we have different server OSes that have updated their Defender engine without being targeted, so Windows 10 servicing policies wouldn't be the cause of servers receiving the engine update via dual scan.

Do Defender updates come down automatically from "MS Malware Protection Center" like definition updates do?

SimonRenMSFT-3639 answered:

Hi,

Thanks for your reply.

1. May we know how you configure the definition update sources for each antimalware policy? There are five locations where we can specify where an endpoint should obtain updates in Configuration Manager:
Microsoft Update
Windows Server Update Service
Microsoft Endpoint Configuration Manager
Network file share
Microsoft Security intelligence updates (also known as Microsoft Malware Protection Center)

If you have set Microsoft Security intelligence updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is seven consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services.)

2. Please also check if you have used Group Policy to manage the update location under Computer configuration\Administrative templates\Windows components\Windows Defender\Signature updates\Define the order of sources for downloading definition updates.

[screenshot: endpoint.png]

For more information, please refer to:
Manage the sources for Microsoft Defender Antivirus protection updates
Configure definition updates for Endpoint Protection

Best regards,
Simon





Elroy-1144 answered:

Thanks for your reply and the screenshot. We do have security intelligence updates configured. However, that tab says that only definition updates respect the list. That is exactly what I am trying to figure out. I know that our definition updates come from sources other than SCCM or WSUS, but these are ENGINE updates. Can they also come from these alternate sources listed in "security intelligence updates"?

[screenshot: defender.jpg]




SimonRenMSFT-3639 answered:

Hi,

Thanks for your reply.

==>I know that AV definition updates will fall-back to Windows Update after X days to keep AV definitions up to date even without access to a Distribution Point. Is the same true for the Defender engine versions? If so, how often will a managed computer go out and check for Engine updates on the web?

Yes, we can specify the number of days after which Microsoft Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Microsoft Defender Antivirus to attempt to download an update from other sources (based on the defined fallback source order), such as when using Microsoft Malware Protection Center as a secondary source after setting WSUS or Microsoft Update as the first source.

==>Can they also come from these alternate sources listed in "security intelligence updates"?
Yes, we configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on the network configuration. Updates are obtained from sources in the order we specify. If a source is not available, the next source in the list is used immediately.

For more details, please refer to the official article:
Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date

[screenshots: date.png, alt.png]

Best regards,
Simon





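The two answers above describe the mechanism (a configured source order, with the later sources used once protection is considered out of date, seven days by default) but not how to see it on a given machine. The following PowerShell script is an added example, not code from the thread or from Microsoft; it reads the engine version, the signature age and the effective fallback order from an endpoint so that an administrator can tell whether a machine that ConfigMgr never targeted updated itself through a fallback source. It uses the Defender cmdlets Get-MpComputerStatus and Get-MpPreference; the registry key and the value names AVSignatureDue and FallbackOrder under the "Signature Updates" policy path are assumptions about how the Group Policy settings named in the thread are persisted, and the expected engine version 1.1.18100.6 is taken from the question.

```powershell
# Added example (not from the thread): audit one endpoint's Defender engine version
# and update-source fallback order, and flag whether its protection has aged past
# the "considered out of date" threshold, at which point fallback sources are tried.
# Assumes the Defender PowerShell module is present; run elevated on the endpoint.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Policy location for the Group Policy node named in the thread
# (Windows Components\Windows Defender\Signature Updates). The value names below
# are assumptions about how those policies are stored; absence means no policy applied.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'
$policy = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }

function Get-PolicyValue {
    param([string]$Name)
    if ($policy -and $policy.PSObject.Properties[$Name]) { return $policy.$Name }
    return $null
}

# Default from the thread: seven days without an update means "out of date".
$defaultDueDays = 7
$avDue = Get-PolicyValue -Name 'AVSignatureDue'
$avDueDays = if ($null -ne $avDue) { [int]$avDue } else { $defaultDueDays }

# Effective source order: a policy value overrides the local preference.
# Both are '|'-separated lists such as "InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC".
$policyOrder = Get-PolicyValue -Name 'FallbackOrder'
$fallback = if ($policyOrder) { $policyOrder } else { $pref.SignatureFallbackOrder }

$report = [pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    EngineVersion           = $status.AMEngineVersion
    PlatformVersion         = $status.AMProductVersion
    SignatureVersion        = $status.AntivirusSignatureVersion
    SignatureLastUpdated    = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays        = $status.AntivirusSignatureAge
    OutOfDateAfterDays      = $avDueDays
    PastFallbackThreshold   = ($status.AntivirusSignatureAge -ge $avDueDays)
    FallbackOrder           = $fallback
    FallbackOrderFromPolicy = [bool]$policyOrder
    FileShareSources        = $pref.SignatureDefinitionUpdateFileSharesSources
}

$report | Format-List

# Compare against the engine you pushed with ConfigMgr (version taken from the question).
# A machine you never targeted that is already at or above it got the engine from
# one of the sources listed in FallbackOrder, not from your package.
$expectedEngine = [version]'1.1.18100.6'
$actualEngine   = [version]$status.AMEngineVersion
if ($actualEngine -ge $expectedEngine) {
    Write-Output "Engine $actualEngine is at or above $expectedEngine"
} else {
    Write-Output "Engine $actualEngine is still below $expectedEngine"
}
```

To confirm which source a machine can actually reach, Update-MpSignature accepts -UpdateSource with one of InternalDefinitionUpdateServer, MicrosoftUpdateServer, MMPC or FileShares, so running it once per configured source and re-reading Get-MpComputerStatus shows which of them delivers the engine and signature versions in question. Run the script across a sample of targeted and untargeted machines and compare FallbackOrder and PastFallbackThreshold between the two groups; that difference, rather than the ConfigMgr deployment status, explains the engine versions the question observed.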