diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 9714c77347..0e0d0232d6 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -82,9 +82,15 @@ ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) -### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) -### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) + +### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md) + +### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md) + + ### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md) + + ### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md) #### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md) ##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md) @@ -95,6 +101,8 @@ ##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md) ##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md) ##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md) + + ### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md) #### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md) ##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md) @@ -109,6 +117,8 @@ ##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md) ##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md) ##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md) + + ### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md) #### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md) ##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md) @@ -120,24 +130,28 @@ #### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md) #### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md) #### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md) + + ### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md) + + + ### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md) #### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md) #### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md) #### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md) #### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) #### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) + ## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md) ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) + ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) -#### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) -##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) -##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) -#### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) -##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md) -##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) +#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) +##### [Deploy your Windows Information Protection (WIP) policy](windows-information-protection\deploy-wip-policy-using-intune.md) +##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md) @@ -150,10 +164,13 @@ #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md) #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) + ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) + ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) -## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) -## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md) + ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) + ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Change history for Threat Protection](change-history-for-threat-protection.md) \ No newline at end of file + +## [Change history for Threat Protection](change-history-for-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index db1498b7bd..eaaccf94c2 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -10,14 +10,17 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- -# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans +# Configure and validate exclusions for Windows Defender AV scans (client) **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** @@ -39,6 +42,8 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defen Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. +Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions. + >[!WARNING] >Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 3d78deccde..193a5043bf 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- # Configure and validate exclusions based on file extension and folder location @@ -18,6 +20,7 @@ author: iaanw **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** diff --git a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 50dbbe12a6..7e45146ca4 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- # Configure exclusions for files opened by processes @@ -17,6 +19,7 @@ author: iaanw **Applies to:** - Windows 10 +- Windows Server 2016 **Audience** diff --git a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index c293dd3358..6302c7bd01 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -10,9 +10,11 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- -# Configure exclusions in Windows Defender AV on Windows Server 2016 +# Configure exclusions in Windows Defender AV on Windows Server **Applies to:** @@ -30,14 +32,28 @@ author: iaanw - PowerShell - Windows Management Instrumentation (WMI) -If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role. +If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions). These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). -You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics: +You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics: - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +Custom exclusions take precedence over the automatic exclusions. + +> [!TIP] +> Custom and duplicate exclusions do not conflict with automatic exclusions. + +Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer. + + +## Opt out of automatic exclusions + +In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates. + +> [!WARNING] +> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles. You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI. @@ -58,7 +74,7 @@ You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, Use the following cmdlets: ```PowerShell -Set-MpPreference -DisableAutoExclusions +Set-MpPreference -DisableAutoExclusions $true ``` See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. @@ -75,9 +91,312 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + + +## List of automatic exclusions +The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types. + +### Default exclusions for all roles +This section lists the default exclusions for all Windows Server 2016 roles. + +- Windows "temp.edb" files: + + - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb + + - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log + +- Windows Update files or Automatic Update files: + + - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb + + - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk + + - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log + + - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs + + - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log + +- Windows Security files: + + - *%windir%*\Security\database\\*.chk + + - *%windir%*\Security\database\\*.edb + + - *%windir%*\Security\database\\*.jrs + + - *%windir%*\Security\database\\*.log + + - *%windir%*\Security\database\\*.sdb + +- Group Policy files: + + - *%allusersprofile%*\NTUser.pol + + - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol + + - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol + +- WINS files: + + - *%systemroot%*\System32\Wins\\*\\\*.chk + + - *%systemroot%*\System32\Wins\\*\\\*.log + + - *%systemroot%*\System32\Wins\\*\\\*.mdb + + - *%systemroot%*\System32\LogFiles\ + + - *%systemroot%*\SysWow64\LogFiles\ + +- File Replication Service (FRS) exclusions: + + - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` + + - *%windir%*\Ntfrs\jet\sys\\*\edb.chk + + - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb + + - *%windir%*\Ntfrs\jet\log\\*\\\*.log + + - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` + + - *%windir%*\Ntfrs\\*\Edb\*.log + + - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` + + - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ + + - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` + + - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ + + - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` + + - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ + + - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* + + - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* + + - *%systemdrive%*\System Volume Information\DFSR\\*.XML + + - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ + + - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ + + - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ + + - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db + + - *%systemdrive%*\System Volume Information\DFSR\\*.frx + + - *%systemdrive%*\System Volume Information\DFSR\\*.log + + - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs + + - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb + +- Process exclusions + + - *%systemroot%*\System32\dfsr.exe + + - *%systemroot%*\System32\dfsrs.exe + +- Hyper-V exclusions: + + - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role + + - File type exclusions: + + - *.vhd + + - *.vhdx + + - *.avhd + + - *.avhdx + + - *.vsv + + - *.iso + + - *.rct + + - *.vmcx + + - *.vmrs + + - Folder exclusions: + + - *%ProgramData%*\Microsoft\Windows\Hyper-V + + - *%ProgramFiles%*\Hyper-V + + - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots + + - *%Public%*\Documents\Hyper-V\Virtual Hard Disks + + - Process exclusions: + + - *%systemroot%*\System32\Vmms.exe + + - *%systemroot%*\System32\Vmwp.exe + +- SYSVOL files: + + - *%systemroot%*\Sysvol\Domain\\*.adm + + - *%systemroot%*\Sysvol\Domain\\*.admx + + - *%systemroot%*\Sysvol\Domain\\*.adml + + - *%systemroot%*\Sysvol\Domain\Registry.pol + + - *%systemroot%*\Sysvol\Domain\\*.aas + + - *%systemroot%*\Sysvol\Domain\\*.inf + + - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini + + - *%systemroot%*\Sysvol\Domain\\*.ins + + - *%systemroot%*\Sysvol\Domain\Oscfilter.ini + +### Active Directory exclusions +This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services. + +- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` + + - %windir%\Ntds\ntds.dit + + - %windir%\Ntds\ntds.pat + +- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files` + + - %windir%\Ntds\EDB*.log + + - %windir%\Ntds\Res*.log + + - %windir%\Ntds\Edb*.jrs + + - %windir%\Ntds\Ntds*.pat + + - %windir%\Ntds\EDB*.log + + - %windir%\Ntds\TEMP.edb + +- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` + + - %windir%\Ntds\Temp.edb + + - %windir%\Ntds\Edb.chk + +- Process exclusions for AD DS and AD DS-related support files: + + - %systemroot%\System32\ntfrs.exe + + - %systemroot%\System32\lsass.exe + +### DHCP Server exclusions +This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` + +- *%systemroot%*\System32\DHCP\\*\\\*.mdb + +- *%systemroot%*\System32\DHCP\\*\\\*.pat + +- *%systemroot%*\System32\DHCP\\*\\\*.log + +- *%systemroot%*\System32\DHCP\\*\\\*.chk + +- *%systemroot%*\System32\DHCP\\*\\\*.edb + +### DNS Server exclusions +This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role. + +- File and folder exclusions for the DNS Server role: + + - *%systemroot%*\System32\Dns\\*\\\*.log + + - *%systemroot%*\System32\Dns\\*\\\*.dns + + - *%systemroot%*\System32\Dns\\*\\\*.scc + + - *%systemroot%*\System32\Dns\\*\BOOT + +- Process exclusions for the DNS Server role: + + - *%systemroot%*\System32\dns.exe + + + +### File and Storage Services exclusions +This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. + +- *%SystemDrive%*\ClusterStorage + +- *%clusterserviceaccount%*\Local Settings\Temp + +- *%SystemDrive%*\mscs + +### Print Server exclusions +This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role. + +- File type exclusions: + + - *.shd + + - *.spl + +- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` + + - *%system32%*\spool\printers\\* + +- Process exclusions: + + - spoolsv.exe + +### Web Server exclusions +This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role. + +- Folder exclusions: + + - *%SystemRoot%*\IIS Temporary Compressed Files + + - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files + + - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates + + - *%systemDrive%*\inetpub\logs + + - *%systemDrive%*\inetpub\wwwroot + +- Process exclusions: + + - *%SystemRoot%*\system32\inetsrv\w3wp.exe + + - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe + + - *%SystemDrive%*\PHP5433\php-cgi.exe + +### Windows Server Update Services exclusions +This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` + +- *%systemroot%*\WSUS\WSUSContent + +- *%systemroot%*\WSUS\UpdateServicesDBFiles + +- *%systemroot%*\SoftwareDistribution\Datastore + +- *%systemroot%*\SoftwareDistribution\Download + + + + ## Related topics -- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) - [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 4e7c275117..ed872bc01d 100644 --- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- # Review event logs and error codes to troubleshoot issues with Windows Defender AV @@ -17,6 +19,7 @@ author: iaanw **Applies to** - Windows 10 +- Windows Server 2016 **Audience** @@ -27,55 +30,58 @@ If you encounter a problem with Windows Defender Antivirus, you can search the t The tables list: -- [Windows Defender AV client event IDs](#windows-defender-av-ids) +- [Windows Defender AV event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016) - [Windows Defender AV client error codes](#error-codes) - [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes) -## Windows Defender AV client event IDs +## Windows Defender AV event IDs Windows Defender AV records event IDs in the Windows event log. You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. -The table in this section lists the main Windows Defender Antivirus client event IDs and, where possible, provides suggested solutions to fix or resolve the error. +The table in this section lists the main Windows Defender AV event IDs and, where possible, provides suggested solutions to fix or resolve the error. -**To view a Windows Defender client event** +**To view a Windows Defender AV event** 1. Open **Event Viewer**. -2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. +2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. - + + +
+ + + - - - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - + + - - - - - - + + - - -
Event ID: 1000
Event ID: 1000 -

Symbolic name:

+Symbolic name: 		-

MALWAREPROTECTION_SCAN_STARTED

+		 +MALWAREPROTECTION_SCAN_STARTED
-

Message:

+Message: 		-

An antimalware scan started. -

+		 +An antimalware scan started. +
-

Description:

+		 +Description: -

+
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
    @@ -93,32 +99,31 @@ The table in this section lists the main Windows Defender Antivirus client event
    Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
    User: <Domain>\\<User>
-
Event ID: 1001 -

Symbolic name:

+		Event ID: 1001
+Symbolic name: -

MALWAREPROTECTION_SCAN_COMPLETED

+		 +MALWAREPROTECTION_SCAN_COMPLETED
-

Message:

+Message: 		-

An antimalware scan finished.

+		 +An antimalware scan finished.
-

Description:

+Description: 		-

+
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
    @@ -136,34 +141,33 @@ The table in this section lists the main Windows Defender Antivirus client event
    User: <Domain>\\<User>
    Scan Time: <The duration of a scan.>
-
Event ID: 1002 -

Symbolic name:

+		Event ID: 1002
+Symbolic name: -

MALWAREPROTECTION_SCAN_CANCELLED -

+		 +MALWAREPROTECTION_SCAN_CANCELLED +
-

Message:

+Message: 		-

An antimalware scan was stopped before it finished. -

+		 +An antimalware scan was stopped before it finished. +
-

Description:

+Description: 		-

+
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
    @@ -181,34 +185,33 @@ The table in this section lists the main Windows Defender Antivirus client event
    User: <Domain>\<User>
    Scan Time: <The duration of a scan.>
-
Event ID: 1003 -

Symbolic name:

+		Event ID: 1003
+Symbolic name: -

MALWAREPROTECTION_SCAN_PAUSED -

+		 +MALWAREPROTECTION_SCAN_PAUSED +
-

Message:

+Message: 		-

An antimalware scan was paused. -

+		 +An antimalware scan was paused. +
-

Description:

+Description: 		-

+
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
    @@ -225,34 +228,33 @@ The table in this section lists the main Windows Defender Antivirus client event
User: <Domain>\\<User>
-
Event ID: 1004 -

Symbolic name:

+		Event ID: 1004
+Symbolic name: -

MALWAREPROTECTION_SCAN_RESUMED -

+		 +MALWAREPROTECTION_SCAN_RESUMED +
-

Message:

+Message: 		-

An antimalware scan was resumed. -

+		 +An antimalware scan was resumed. +
-

Description:

+Description: 		-

+
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
    @@ -269,34 +271,33 @@ The table in this section lists the main Windows Defender Antivirus client event
User: <Domain>\\<User>
-
Event ID: 1005 -

Symbolic name:

+		Event ID: 1005
+Symbolic name: -

MALWAREPROTECTION_SCAN_FAILED -

+		 +MALWAREPROTECTION_SCAN_FAILED +
-

Message:

+Message: 		-

An antimalware scan failed. -

+		 +An antimalware scan failed. +
-

Description:

+Description: 		-

+
Scan ID: <ID number of the relevant scan.>
Scan Type: <Scan type>, for example:
    @@ -317,52 +318,49 @@ Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
-
-

User action:

+User action: 		-

The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. -

-

To troubleshoot this event: +

 +The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. +To troubleshoot this event:
  1. Run the scan again.
  2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
  3. Contact Microsoft Technical Support.
-
Event ID: 1006 -

Symbolic name:

+		Event ID: 1006
+Symbolic name: -

MALWAREPROTECTION_MALWARE_DETECTED -

+		 +MALWAREPROTECTION_MALWARE_DETECTED +
-

Message:

+Message: 		-

The antimalware engine found malware or other potentially unwanted software. -

+		 +The antimalware engine found malware or other potentially unwanted software. +
-

Description:

+Description: 		-

-

For more information please see the following:

+		 +For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -408,35 +406,34 @@ UAC
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-
Event ID: 1007 -

Symbolic name:

+		Event ID: 1007
+Symbolic name: -

MALWAREPROTECTION_MALWARE_ACTION_TAKEN -

+		 +MALWAREPROTECTION_MALWARE_ACTION_TAKEN +
-

Message:

+Message: 		-

The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. -

+		 +The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +
-

Description:

+Description: 		-

-

Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

+		 +Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
User: <Domain>\\<User>
Name: <Threat name>
@@ -463,33 +460,32 @@ UAC
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-
Event ID: 1008 -

Symbolic name:

+		Event ID: 1008
+Symbolic name: -

MALWAREPROTECTION_MALWARE_ACTION_FAILED

+		 +MALWAREPROTECTION_MALWARE_ACTION_FAILED
-

Message:

+Message: 		-

The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

+		 +The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
-

Description:

+Description: 		-

-

Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

+		 +Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
User: <Domain>\\<User>
Name: <Threat name>
@@ -521,35 +517,34 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-
Event ID: 1009 -

Symbolic name:

+		Event ID: 1009
+Symbolic name: -

MALWAREPROTECTION_QUARANTINE_RESTORE -

+		 +MALWAREPROTECTION_QUARANTINE_RESTORE +
-

Message:

+Message: 		-

The antimalware platform restored an item from quarantine. -

+		 +The antimalware platform restored an item from quarantine. +
-

Description:

+Description: 		-

-

Windows Defender has restored an item from quarantine. For more information please see the following:

+		 +Windows Defender has restored an item from quarantine. For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -566,35 +561,34 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-
Event ID: 1010 -

Symbolic name:

+		Event ID: 1010
+Symbolic name: -

MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED -

+		 +MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED +
-

Message:

+Message: 		-

The antimalware platform could not restore an item from quarantine. -

+		 +The antimalware platform could not restore an item from quarantine. +
-

Description:

+Description: 		-

-

Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:

+		 +Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -615,35 +609,34 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-
Event ID: 1011 -

Symbolic name:

+		Event ID: 1011
+Symbolic name: -

MALWAREPROTECTION_QUARANTINE_DELETE

+		 +MALWAREPROTECTION_QUARANTINE_DELETE
-

Message:

+Message: 		-

The antimalware platform deleted an item from quarantine. -

+		 +The antimalware platform deleted an item from quarantine. +
-

Description:

+Description: 		-

-

Windows Defender has deleted an item from quarantine. -For more information please see the following:

+		 +Windows Defender has deleted an item from quarantine. +For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -660,35 +653,34 @@ For more information please see the following:

Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-
Event ID: 1012 -

Symbolic name:

+		Event ID: 1012
+Symbolic name: -

MALWAREPROTECTION_QUARANTINE_DELETE_FAILED -

+		 +MALWAREPROTECTION_QUARANTINE_DELETE_FAILED +
-

Message:

+Message: 		-

The antimalware platform could not delete an item from quarantine.

+		 +The antimalware platform could not delete an item from quarantine.
-

Description:

+Description: 		-

-

Windows Defender has encountered an error trying to delete an item from quarantine. -For more information please see the following:

+		 +Windows Defender has encountered an error trying to delete an item from quarantine. +For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -709,66 +701,64 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-
Event ID: 1013 -

Symbolic name:

+		Event ID: 1013
+Symbolic name: -

MALWAREPROTECTION_MALWARE_HISTORY_DELETE -

+		 +MALWAREPROTECTION_MALWARE_HISTORY_DELETE +
-

Message:

+Message: 		-

The antimalware platform deleted history of malware and other potentially unwanted software.

+		 +The antimalware platform deleted history of malware and other potentially unwanted software.
-

Description:

+Description: 		-

-

Windows Defender has removed history of malware and other potentially unwanted software.

+		 +Windows Defender has removed history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\\<User>
-
Event ID: 1014 -

Symbolic name:

+		Event ID: 1014
+Symbolic name: -

MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED -

+		 +MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED +
-

Message:

+Message: 		-

The antimalware platform could not delete history of malware and other potentially unwanted software.

+		 +The antimalware platform could not delete history of malware and other potentially unwanted software.
-

Description:

+Description: 		-

-

Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.

+		 +Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
User: <Domain>\\<User>
@@ -777,35 +767,34 @@ Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
-
Event ID: 1015 -

Symbolic name:

+		Event ID: 1015
+Symbolic name: -

MALWAREPROTECTION_BEHAVIOR_DETECTED -

+		 +MALWAREPROTECTION_BEHAVIOR_DETECTED +
-

Message:

+Message: 		-

The antimalware platform detected suspicious behavior.

+		 +The antimalware platform detected suspicious behavior.
-

Description:

+Description: 		-

-

Windows Defender has detected a suspicious behavior. -For more information please see the following:

+		 +Windows Defender has detected a suspicious behavior. +For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -856,35 +845,34 @@ UAC
Target File Name: <File name> Name of the file.
-
Event ID: 1116 -

Symbolic name:

+		Event ID: 1116
+Symbolic name: -

MALWAREPROTECTION_STATE_MALWARE_DETECTED

+		 +MALWAREPROTECTION_STATE_MALWARE_DETECTED
-

Message:

+Message: 		-

The antimalware platform detected malware or other potentially unwanted software. -

+		 +The antimalware platform detected malware or other potentially unwanted software. +
-

Description:

+Description: 		-

-

Windows Defender has detected malware or other potentially unwanted software. -For more information please see the following:

+		 +Windows Defender has detected malware or other potentially unwanted software. +For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -930,44 +918,43 @@ UAC
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-
-

User action:

+User action: 		-

No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.

+		 +No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.
Event ID: 1117 -

Symbolic name:

+		Event ID: 1117
+Symbolic name: -

MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN -

+		 +MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN +
-

Message:

+Message: 		-

The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. -

+		 +The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +
-

Description:

+Description: 		-

-

Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. -For more information please see the following:

+		 +Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. +For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -1027,8 +1014,8 @@ Result code associated with threat status. Standard HRESULT values. Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-

NOTE: -

Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

    +NOTE: +Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
    • Default Internet Explorer or Microsoft Edge setting
    • User Access Control settings
    • Chrome settings
      • @@ -1044,59 +1031,58 @@ The above context applies to the following client and server versions:
-

Client Operating System

+Client Operating System 		-

Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later

+Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
-

Server Operating System

+Server Operating System 		-

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016

+Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
-

-

User action:

+User action: - -

No action is necessary. Windows Defender removed or quarantined a threat.

+ +No action is necessary. Windows Defender removed or quarantined a threat. -Event ID: 1118 - -

Symbolic name:

+Event ID: 1118 + + +Symbolic name: - -

MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED

+ +MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED -

Message:

+Message: - -

The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. -

+ +The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. + -

Description:

+Description: - -

-

Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. -For more information please see the following:

+ +Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -1157,43 +1143,42 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-

-

User action:

+User action: - -

No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.

+ +No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure. -Event ID: 1119 - -

Symbolic name:

+Event ID: 1119 + + +Symbolic name: - -

MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED -

+ +MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED + -

Message:

+Message: - -

The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.

+ +The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message. -

Description:

+Description: - -

-

Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. -For more information please see the following:

+ +Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:
Name: <Threat name>
ID: <Threat ID>
@@ -1254,15 +1239,14 @@ Description of the error.
Signature Version: <Definition version>
Engine Version: <Antimalware Engine version>
-

-

User action:

+User action: - -

The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.

+ +The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below. @@ -1270,153 +1254,150 @@ Description of the error.
Action
-

Remove

+Remove 		-

Update the definitions then verify that the removal was successful.

+Update the definitions then verify that the removal was successful.
-

Clean

+Clean 		-

Update the definitions then verify that the remediation was successful.

+Update the definitions then verify that the remediation was successful.
-

Quarantine

+Quarantine 		-

Update the definitions and verify that the user has permission to access the necessary resources.

+Update the definitions and verify that the user has permission to access the necessary resources.
-

Allow

+Allow 		-

Verify that the user has permission to access the necessary resources.

+Verify that the user has permission to access the necessary resources.
-

-

If this event persists:

    + +If this event persists:
    1. Run the scan again.
    2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
    3. Contact Microsoft Technical Support.
    -

    -Event ID: 1120 - -

    Symbolic name:

    +Event ID: 1120 + + +Symbolic name: - -

    MALWAREPROTECTION_THREAT_HASH

    + +MALWAREPROTECTION_THREAT_HASH -

    Message:

    +Message: - -

    Windows Defender has deduced the hashes for a threat resource.

    + +Windows Defender has deduced the hashes for a threat resource. -

    Description:

    +Description: - -

    -

    Windows Defender client is up and running in a healthy state.

    + +Windows Defender client is up and running in a healthy state.
    Current Platform Version: <Current platform version>
    Threat Resource Path: <Path>
    Hashes: <Hashes>
    -

    - +
    Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
    -Event ID: 1150 - -

    Symbolic name:

    +Event ID: 1150 + + +Symbolic name: - -

    MALWAREPROTECTION_SERVICE_HEALTHY

    + +MALWAREPROTECTION_SERVICE_HEALTHY -

    Message:

    +Message: - -

    If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. -

    + +If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. + -

    Description:

    +Description: - -

    -

    Windows Defender client is up and running in a healthy state.

    + +Windows Defender client is up and running in a healthy state.
    Platform Version: <Current platform version>
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    -

    -

    User action:

    +User action: - -

    No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.

    + +No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. -Event ID: 2000 - -

    Symbolic name:

    +Event ID: 2000 + + +Symbolic name: - -

    MALWAREPROTECTION_SIGNATURE_UPDATED -

    + +MALWAREPROTECTION_SIGNATURE_UPDATED + -

    Message:

    +Message: - -

    The antimalware definitions updated successfully. -

    + +The antimalware definitions updated successfully. + -

    Description:

    +Description: - -

    -

    Windows Defender signature version has been updated.

    + +Windows Defender signature version has been updated.
    Current Signature Version: <Current signature version>
    Previous Signature Version: <Previous signature version>
    @@ -1432,42 +1413,41 @@ Description of the error.
    Current Engine Version: <Current engine version>
    Previous Engine Version: <Previous engine version>
    -

    -

    User action:

    +User action: - -

    No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.

    + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated. -Event ID: 2001 - -

    Symbolic name:

    +Event ID: 2001 + + +Symbolic name: - -

    MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED

    + +MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED -

    Message:

    +Message: - -

    The antimalware definition update failed. -

    + +The antimalware definition update failed. + -

    Description:

    +Description: - -

    -

    Windows Defender has encountered an error trying to update signatures.

    + +Windows Defender has encountered an error trying to update signatures.
    New Signature Version: <New version number>
    Previous Signature Version: <Previous signature version>
    @@ -1504,99 +1484,89 @@ Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> Description of the error.
    -

    -

    User action:

    +User action: - -

    This error occurs when there is a problem updating definitions.

    -

    To troubleshoot this event: + +This error occurs when there is a problem updating definitions. +To troubleshoot this event:

      -
    1. Update the definitions. Either:
        -
      1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

        Or,

        -
        2. -
      2. Download the latest definitions from the Microsoft Malware Protection Center. -

        Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

        -
        3. -
      -
      2. +
    2. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
    3. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
    4. Contact Microsoft Technical Support.
    -

    -Event ID: 2002 - -

    Symbolic name:

    +Event ID: 2002 + + +Symbolic name: - -

    MALWAREPROTECTION_ENGINE_UPDATED

    + +MALWAREPROTECTION_ENGINE_UPDATED -

    Message:

    +Message: - -

    The antimalware engine updated successfully. -

    + +The antimalware engine updated successfully. + -

    Description:

    +Description: - -

    -

    Windows Defender engine version has been updated.

    + +Windows Defender engine version has been updated.
    Current Engine Version: <Current engine version>
    Previous Engine Version: <Previous engine version>
    Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
    User: <Domain>\\<User>
    -

    -

    User action:

    +User action: - -

    No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.

    + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated. -Event ID: 2003 - -

    Symbolic name:

    +Event ID: 2003 + + +Symbolic name: - -

    MALWAREPROTECTION_ENGINE_UPDATE_FAILED

    + +MALWAREPROTECTION_ENGINE_UPDATE_FAILED -

    Message:

    +Message: - -

    The antimalware engine update failed. -

    + +The antimalware engine update failed. + -

    Description:

    +Description: - -

    -

    Windows Defender has encountered an error trying to update the engine.

    + +Windows Defender has encountered an error trying to update the engine.
    New Engine Version:
    Previous Engine Version: <Previous engine version>
    @@ -1607,55 +1577,46 @@ Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> Description of the error.
    -

    -

    User action:

    +User action: - -

    The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.

    -

    To troubleshoot this event: + +The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update. +To troubleshoot this event:

      -
    1. Update the definitions. Either:
        -
      1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

        Or,

        -
        2. -
      2. Download the latest definitions from the Microsoft Malware Protection Center. -

        Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

        -
        3. -
      -
      2. +
    2. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
    3. Contact Microsoft Technical Support.
    -

    -Event ID: 2004 - -

    Symbolic name:

    +Event ID: 2004 + + +Symbolic name: - -

    MALWAREPROTECTION_SIGNATURE_REVERSION

    + +MALWAREPROTECTION_SIGNATURE_REVERSION -

    Message:

    +Message: - -

    There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.

    + +There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions. -

    Description:

    +Description: - -

    -

    Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

    + +Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
    Signatures Attempted:
    Error Code: <Error code> @@ -1665,83 +1626,80 @@ Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware engine version>
    -

    -

    User action:

    +User action: - -

    The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.

    -

    To troubleshoot this event: + +The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions. +To troubleshoot this event:

    1. Restart the computer and try again.
    2. Download the latest definitions from the Microsoft Malware Protection Center. -

      Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

      +Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
    3. Contact Microsoft Technical Support.
    -

    -Event ID: 2005 - -

    Symbolic name:

    +Event ID: 2005 + + +Symbolic name: - -

    MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE

    + +MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE -

    Message:

    +Message: - -

    The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.

    + +The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update. -

    Description:

    +Description: - -

    -

    Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.

    + +Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
    Current Platform Version: <Current platform version>
    -

    -Event ID: 2006 - -

    Symbolic name:

    +Event ID: 2006 + + +Symbolic name: - -

    MALWAREPROTECTION_PLATFORM_UPDATE_FAILED -

    + +MALWAREPROTECTION_PLATFORM_UPDATE_FAILED + -

    Message:

    +Message: - -

    The platform update failed. -

    + +The platform update failed. + -

    Description:

    +Description: - -

    -

    Windows Defender has encountered an error trying to update the platform.

    + +Windows Defender has encountered an error trying to update the platform.
    Current Platform Version: <Current platform version>
    Error Code: <Error code> @@ -1749,65 +1707,63 @@ Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> Description of the error.
    -

    -Event ID: 2007 - -

    Symbolic name:

    +Event ID: 2007 + + +Symbolic name: - -

    MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE

    + +MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE -

    Message:

    +Message: - -

    The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.

    + +The platform will soon be out of date. Download the latest platform to maintain up-to-date protection. -

    Description:

    +Description: - -

    -

    Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.

    + +Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
    Current Platform Version: <Current platform version>
    -

    -Event ID: 2010 - -

    Symbolic name:

    +Event ID: 2010 + + +Symbolic name: - -

    MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED -

    + +MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED + -

    Message:

    +Message: - -

    The antimalware engine used the Dynamic Signature Service to get additional definitions. -

    + +The antimalware engine used the Dynamic Signature Service to get additional definitions. + -

    Description:

    +Description: - -

    -

    Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.

    + +Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
    Current Signature Version: <Current signature version>
    Signature Type: <Signature type>, for example:
      @@ -1838,35 +1794,34 @@ Description of the error.
    Persistence Limit: Persistence limit of the fastpath signature.
    -

    -Event ID: 2011 - -

    Symbolic name:

    +Event ID: 2011 + + +Symbolic name: - -

    MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED -

    + +MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED + -

    Message:

    +Message: - -

    The Dynamic Signature Service deleted the out-of-date dynamic definitions. -

    + +The Dynamic Signature Service deleted the out-of-date dynamic definitions. + -

    Description:

    +Description: - -

    -

    Windows Defender used Dynamic Signature Service to discard obsolete signatures.

    + +Windows Defender used Dynamic Signature Service to discard obsolete signatures.
    Current Signature Version: <Current signature version>
    Signature Type: <Signature type>, for example:
      @@ -1898,43 +1853,42 @@ Description of the error.
    Persistence Limit: Persistence limit of the fastpath signature.
    -

    -

    User action:

    +User action: - -

    No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.

    + +No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions. -Event ID: 2012 - -

    Symbolic name:

    +Event ID: 2012 + + +Symbolic name: - -

    MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED -

    + +MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED + -

    Message:

    +Message: - -

    The antimalware engine encountered an error when trying to use the Dynamic Signature Service. -

    + +The antimalware engine encountered an error when trying to use the Dynamic Signature Service. + -

    Description:

    +Description: - -

    -

    Windows Defender has encountered an error trying to use Dynamic Signature Service.

    + +Windows Defender has encountered an error trying to use Dynamic Signature Service.
    Current Signature Version: <Current signature version>
    Signature Type: <Signature type>, for example:
      @@ -1969,109 +1923,106 @@ Description of the error.
    Persistence Limit: Persistence limit of the fastpath signature.
    -

    -

    User action:

    +User action: - -

    Check your Internet connectivity settings.

    + +Check your Internet connectivity settings. -Event ID: 2013 - -

    Symbolic name:

    +Event ID: 2013 + + +Symbolic name: - -

    MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL -

    + +MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL + -

    Message:

    +Message: - -

    The Dynamic Signature Service deleted all dynamic definitions. -

    + +The Dynamic Signature Service deleted all dynamic definitions. + -

    Description:

    +Description: - -

    -

    Windows Defender discarded all Dynamic Signature Service signatures.

    + +Windows Defender discarded all Dynamic Signature Service signatures.
    Current Signature Version: <Current signature version>
    -

    -Event ID: 2020 - -

    Symbolic name:

    +Event ID: 2020 + + +Symbolic name: - -

    MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED -

    + +MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED + -

    Message:

    +Message: - -

    The antimalware engine downloaded a clean file. -

    + +The antimalware engine downloaded a clean file. + -

    Description:

    +Description: - -

    -

    Windows Defender downloaded a clean file.

    + +Windows Defender downloaded a clean file.
    Filename: <File name> Name of the file.
    Current Signature Version: <Current signature version>
    Current Engine Version: <Current engine version>
    -

    -Event ID: 2021 - -

    Symbolic name:

    +Event ID: 2021 + + +Symbolic name: - -

    MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED

    + +MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED -

    Message:

    +Message: - -

    The antimalware engine failed to download a clean file. -

    + +The antimalware engine failed to download a clean file. + -

    Description:

    +Description: - -

    -

    Windows Defender has encountered an error trying to download a clean file.

    + +Windows Defender has encountered an error trying to download a clean file.
    Filename: <File name> Name of the file.
    @@ -2082,185 +2033,185 @@ Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> Description of the error.
    -

    -

    User action:

    +User action: - -

    Check your Internet connectivity settings. -

    -

    The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. -

    + +Check your Internet connectivity settings. +The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. -Event ID: 2030 - -

    Symbolic name:

    +Event ID: 2030 + + +Symbolic name: - -

    MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED

    + +MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED -

    Message:

    +Message: - -

    The antimalware engine was downloaded and is configured to run offline on the next system restart.

    + +The antimalware engine was downloaded and is configured to run offline on the next system restart. -

    Description:

    +Description: - -

    Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.

    + +Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot. -Event ID: 2031 - -

    Symbolic name:

    +Event ID: 2031 + + +Symbolic name: - -

    MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED -

    + +MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED + -

    Message:

    +Message: - -

    The antimalware engine was unable to download and configure an offline scan.

    + +The antimalware engine was unable to download and configure an offline scan. -

    Description:

    +Description: - -

    -

    Windows Defender has encountered an error trying to download and configure Windows Defender Offline.

    + +Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
    Error Description: <Error description> Description of the error.
    -

    -Event ID: 2040 - -

    Symbolic name:

    +Event ID: 2040 + + +Symbolic name: - -

    MALWAREPROTECTION_OS_EXPIRING -

    + +MALWAREPROTECTION_OS_EXPIRING + -

    Message:

    +Message: - -

    Antimalware support for this operating system version will soon end. -

    + +Antimalware support for this operating system version will soon end. + -

    Description:

    +Description: - -

    The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

    + +The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. -Event ID: 2041 - -

    Symbolic name:

    +Event ID: 2041 + + +Symbolic name: - -

    MALWAREPROTECTION_OS_EOL -

    + +MALWAREPROTECTION_OS_EOL + -

    Message:

    +Message: - -

    Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. -

    + +Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. + -

    Description:

    +Description: - -

    The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.

    + +The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats. -Event ID: 2042 - -

    Symbolic name:

    +Event ID: 2042 + + +Symbolic name: - -

    MALWAREPROTECTION_PROTECTION_EOL -

    + +MALWAREPROTECTION_PROTECTION_EOL + -

    Message:

    +Message: - -

    The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. -

    + +The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. + -

    Description:

    +Description: - -

    The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

    + +The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. -Event ID: 3002 - -

    Symbolic name:

    +Event ID: 3002 + + +Symbolic name: - -

    MALWAREPROTECTION_RTP_FEATURE_FAILURE -

    + +MALWAREPROTECTION_RTP_FEATURE_FAILURE + -

    Message:

    +Message: - -

    Real-time protection encountered an error and failed.

    + +Real-time protection encountered an error and failed. -

    Description:

    +Description: - -

    -

    Windows Defender Real-Time Protection feature has encountered an error and failed.

    + +Windows Defender Real-Time Protection feature has encountered an error and failed.
    Feature: <Feature>, for example:
      @@ -2276,47 +2227,43 @@ Result code associated with threat status. Standard HRESULT values.
    Description of the error.
    Reason: The reason Windows Defender real-time protection has restarted a feature.
    -

    -

    User action:

    +User action: - -

    You should restart the system then run a full scan because it's possible the system was not protected for some time. -

    -

    The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start. -

    -

    If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. -

    + +You should restart the system then run a full scan because it's possible the system was not protected for some time. +The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start. +If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. -Event ID: 3007 - -

    Symbolic name:

    +Event ID: 3007 + + +Symbolic name: - -

    MALWAREPROTECTION_RTP_FEATURE_RECOVERED

    + +MALWAREPROTECTION_RTP_FEATURE_RECOVERED -

    Message:

    +Message: - -

    Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. -

    + +Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. + -

    Description:

    +Description: - -

    -

    Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

    + +Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
    Feature: <Feature>, for example:
      @@ -2328,96 +2275,97 @@ Description of the error.
    Reason: The reason Windows Defender real-time protection has restarted a feature.
    -

    -

    User action:

    +User action: - -

    The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.

    + +The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support. -Event ID: 5000 - -

    Symbolic name:

    +Event ID: 5000 + + +Symbolic name: - -

    MALWAREPROTECTION_RTP_ENABLED -

    + +MALWAREPROTECTION_RTP_ENABLED + -

    Message:

    +Message: - -

    Real-time protection is enabled. -

    + +Real-time protection is enabled. + -

    Description:

    +Description: - -

    Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.

    + +Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled. -Event ID: 5001 - -

    Symbolic name:

    +Event ID: 5001 + + +Symbolic name: - -

    MALWAREPROTECTION_RTP_DISABLED

    + +MALWAREPROTECTION_RTP_DISABLED -

    Message:

    +Message: - -

    Real-time protection is disabled. -

    + +Real-time protection is disabled. + -

    Description:

    +Description: - -

    Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.

    + +Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled. -Event ID: 5004 - -

    Symbolic name:

    +Event ID: 5004 + + +Symbolic name: - -

    MALWAREPROTECTION_RTP_FEATURE_CONFIGURED -

    + +MALWAREPROTECTION_RTP_FEATURE_CONFIGURED + -

    Message:

    +Message: - -

    The real-time protection configuration changed. -

    + +The real-time protection configuration changed. + -

    Description:

    +Description: - -

    -

    Windows Defender Real-time Protection feature configuration has changed.

    + +Windows Defender Real-time Protection feature configuration has changed.
    Feature: <Feature>, for example:
      @@ -2429,67 +2377,65 @@ Description of the error.
    Configuration:
    -

    -Event ID: 5007 - -

    Symbolic name:

    +Event ID: 5007 + + +Symbolic name: - -

    MALWAREPROTECTION_CONFIG_CHANGED -

    + +MALWAREPROTECTION_CONFIG_CHANGED + -

    Message:

    +Message: - -

    The antimalware platform configuration changed.

    + +The antimalware platform configuration changed. -

    Description:

    +Description: - -

    -

    Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

    + +Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
    Old value: <Old value number> Old Windows Defender configuration value.
    New value: <New value number> New Windows Defender configuration value.
    -

    -Event ID: 5008 - -

    Symbolic name:

    +Event ID: 5008 + + +Symbolic name: - -

    MALWAREPROTECTION_ENGINE_FAILURE

    + +MALWAREPROTECTION_ENGINE_FAILURE -

    Message:

    +Message: - -

    The antimalware engine encountered an error and failed.

    + +The antimalware engine encountered an error and failed. -

    Description:

    +Description: - -

    -

    Windows Defender engine has been terminated due to an unexpected error.

    + +Windows Defender engine has been terminated due to an unexpected error.
    Failure Type: <Failure type>, for example: Crash @@ -2497,15 +2443,14 @@ or Hang
    Exception Code: <Error code>
    Resource: <Resource>
    -

    -

    User action:

    +User action: - -

    To troubleshoot this event:

      + +To troubleshoot this event:
      1. Try to restart the service.
        • For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
        • For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file. @@ -2514,189 +2459,190 @@ or Hang
        • If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.
      -

      -

      User action:

      +User action: - -

      The Windows Defender client engine stopped due to an unexpected error.

      -

      To troubleshoot this event: + +The Windows Defender client engine stopped due to an unexpected error. +To troubleshoot this event:

      1. Run the scan again.
      2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
      3. Contact Microsoft Technical Support.
      -

      -Event ID: 5009 - -

      Symbolic name:

      +Event ID: 5009 + + +Symbolic name: - -

      MALWAREPROTECTION_ANTISPYWARE_ENABLED -

      + +MALWAREPROTECTION_ANTISPYWARE_ENABLED + -

      Message:

      +Message: - -

      Scanning for malware and other potentially unwanted software is enabled. -

      + +Scanning for malware and other potentially unwanted software is enabled. + -

      Description:

      +Description: - -

      Windows Defender scanning for malware and other potentially unwanted software has been enabled.

      + +Windows Defender scanning for malware and other potentially unwanted software has been enabled. -Event ID: 5010 - -

      Symbolic name:

      +Event ID: 5010 + + +Symbolic name: - -

      MALWAREPROTECTION_ANTISPYWARE_DISABLED -

      + +MALWAREPROTECTION_ANTISPYWARE_DISABLED + -

      Message:

      +Message: - -

      Scanning for malware and other potentially unwanted software is disabled.

      + +Scanning for malware and other potentially unwanted software is disabled. -

      Description:

      +Description: - -

      Windows Defender scanning for malware and other potentially unwanted software is disabled.

      + +Windows Defender scanning for malware and other potentially unwanted software is disabled. -Event ID: 5011 - -

      Symbolic name:

      +Event ID: 5011 + + +Symbolic name: - -

      MALWAREPROTECTION_ANTIVIRUS_ENABLED

      + +MALWAREPROTECTION_ANTIVIRUS_ENABLED -

      Message:

      +Message: - -

      Scanning for viruses is enabled.

      + +Scanning for viruses is enabled. -

      Description:

      +Description: - -

      Windows Defender scanning for viruses has been enabled.

      + +Windows Defender scanning for viruses has been enabled. -Event ID: 5012 - -

      Symbolic name:

      +Event ID: 5012 + + +Symbolic name: - -

      MALWAREPROTECTION_ANTIVIRUS_DISABLED -

      + +MALWAREPROTECTION_ANTIVIRUS_DISABLED + -

      Message:

      +Message: - -

      Scanning for viruses is disabled. -

      + +Scanning for viruses is disabled. + -

      Description:

      +Description: - -

      Windows Defender scanning for viruses is disabled.

      + +Windows Defender scanning for viruses is disabled. -Event ID: 5100 - -

      Symbolic name:

      +Event ID: 5100 + + +Symbolic name: - -

      MALWAREPROTECTION_EXPIRATION_WARNING_STATE -

      + +MALWAREPROTECTION_EXPIRATION_WARNING_STATE + -

      Message:

      +Message: - -

      The antimalware platform will expire soon. -

      + +The antimalware platform will expire soon. + -

      Description:

      +Description: - -

      -

      Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

      + +Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
      Expiration Reason: The reason Windows Defender will expire.
      Expiration Date: The date Windows Defender will expire.
      -

      -Event ID: 5101 - -

      Symbolic name:

      +Event ID: 5101 + + +Symbolic name: - -

      MALWAREPROTECTION_DISABLED_EXPIRED_STATE -

      + +MALWAREPROTECTION_DISABLED_EXPIRED_STATE + -

      Message:

      +Message: - -

      The antimalware platform is expired. -

      + +The antimalware platform is expired. + -

      Description::

      +Description: - -

      -

      Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

      + +Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
      Expiration Reason:
      Expiration Date:
      @@ -2705,7 +2651,6 @@ Result code associated with threat status. Standard HRESULT values.
      Error Description: <Error description> Description of the error.
      -

      @@ -2719,58 +2664,52 @@ This section provides the following information about Windows Defender Antivirus - Advice on what to do now Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes. - + + +
      - + - - - - + + + + + - + + + - - - + + + - - + + + - - + + + - - - + + + - - - - - + + + + + + + + + + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - - - - - - -
      External error codesError code: 0x80508007
      Error codeMessage displayedPossible reason for errorWhat to do nowMessage +ERR_MP_NO_MEMORY +
      -

      0x80508007 -

      +Possible reason       		-

      ERR_MP_NO_MEMORY -

      +This error indicates that you might have run out of memory.
      Resolution -

      This error indicates that you might have run out of memory. -

      -      		 -

      1. Check the available memory on your device.
      2. Close any unused applications that are running to free up memory on your device.
      3. Restart the device and run the scan again.
      -
      Error code: 0x8050800C
      MessageERR_MP_BAD_INPUT_DATA +
      Possible reason -

      0x8050800C

      +This error indicates that there might be a problem with your security product.       		-

      ERR_MP_BAD_INPUT_DATA

      -      		 -

      This error indicates that there might be a problem with your security product.

      -      		 -

      +

      Resolution
      1. Update the definitions. Either:
          -
        1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

          Or,

          +
        2. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows DefenderOr,
        3. Download the latest definitions from the Microsoft Malware Protection Center. -

          Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

          +Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
        2. @@ -2778,195 +2717,149 @@ Use the information in these tables to help troubleshoot Windows Defender Antivi
      2. Restart the device and try again.
      -
      Error code: 0x80508020
      MessageERR_MP_BAD_CONFIGURATION + +
      Possible reason -

      0x80508020

      -      		 -

      ERR_MP_BAD_CONFIGURATION -

      -      		 -

      This error indicates that there might be an engine configuration error; commonly, this is related to input +This error indicates that there might be an engine configuration error; commonly, this is related to input data that does not allow the engine to function properly. -
      Error code: 0x805080211 +
      MessageERR_MP_QUARANTINE_FAILED + +
      Possible reason -

      0x805080211 -

      -      		 -

      ERR_MP_QUARANTINE_FAILED -

      -      		 -

      This error indicates that Windows Defender failed to quarantine a threat. -

      +This error indicates that Windows Defender failed to quarantine a threat.
      Error code: 0x80508022 +
      MessageERR_MP_REBOOT_REQUIRED + +
      Possible reason -

      0x80508022 -

      -      		 -

      ERR_MP_REBOOT_REQUIRED -

      -      		 -

      This error indicates that a reboot is required to complete threat removal. -

      +This error indicates that a reboot is required to complete threat removal.
      -

      0x80508023 -

      +      		 +0x80508023 +
      MessageERR_MP_THREAT_NOT_FOUND + +
      Possible reason +This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. +
      Resolution -

      ERR_MP_THREAT_NOT_FOUND -

      -      		 -

      This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device. -

      -      		 -

      Run the Microsoft Safety Scanner then update your security software and try again. -

      +Run the Microsoft Safety Scanner then update your security software and try again.
      -

      ERR_MP_FULL_SCAN_REQUIRED -

      -      		 -

      This error indicates that a full system scan might be required. -

      -      		 -

      Run a full system scan. -

      +      		Error code: 0x80508024
      MessageERR_MP_FULL_SCAN_REQUIRED + +
      Possible reason +This error indicates that a full system scan might be required. +
      Resolution +Run a full system scan.
      Error code: 0x80508025 +
      MessageERR_MP_MANUAL_STEPS_REQUIRED + +
      Possible reason -

      0x80508024 -

      +This error indicates that manual steps are required to complete threat removal. +
      Resolution +Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.
      Error code: 0x80508026 +
      MessageERR_MP_REMOVE_NOT_SUPPORTED + +
      Possible reason -

      0x80508025 -

      -      		 -

      ERR_MP_MANUAL_STEPS_REQUIRED -

      -      		 -

      This error indicates that manual steps are required to complete threat removal. -

      -      		 -

      Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. -

      +This error indicates that removal inside the container type might not be not supported. +
      Resolution +Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
      Error code: 0x80508027 +
      MessageERR_MP_REMOVE_LOW_MEDIUM_DISABLED + +
      Possible reason -

      0x80508026 -

      -      		 -

      ERR_MP_REMOVE_NOT_SUPPORTED -

      -      		 -

      This error indicates that removal inside the container type might not be not supported. -

      -      		 -

      Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources. -

      +This error indicates that removal of low and medium threats might be disabled. +
      Resolution +Check the detected threats and resolve them as required.
      Error code: 0x80508029 +
      MessageERROR_MP_RESCAN_REQUIRED + +
      Possible reason -

      0x80508027 -

      -      		 -

      ERR_MP_REMOVE_LOW_MEDIUM_DISABLED -

      -      		 -

      This error indicates that removal of low and medium threats might be disabled. -

      -      		 -

      Check the detected threats and resolve them as required. -

      +This error indicates a rescan of the threat is required. +
      Resolution +Run a full system scan.
      Error code: 0x80508030 +
      MessageERROR_MP_CALLISTO_REQUIRED + +
      Possible reason -

      0x80508029 -

      -      		 -

      ERROR_MP_RESCAN_REQUIRED -

      -      		 -

      This error indicates a rescan of the threat is required. -

      -      		 -

      Run a full system scan. -

      +This error indicates that an offline scan is required. +
      Resolution +Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline +article.
      Error code: 0x80508031 +
      MessageERROR_MP_PLATFORM_OUTDATED + +
      Possible reason -

      0x80508030 -

      -      		 -

      ERROR_MP_CALLISTO_REQUIRED -

      -      		 -

      This error indicates that an offline scan is required. -

      -      		 -

      Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline -article.

      -
      -

      0x80508031 -

      -      		 -

      ERROR_MP_PLATFORM_OUTDATED -

      -      		 -

      This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. -

      -      		 -

      You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. -

      +This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform. +
      Resolution +You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
      @@ -2974,349 +2867,330 @@ article.

      The following error codes are used during internal testing of Windows Defender AV. - +If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint. + + +
      - + - + - - + -
      Internal error codesInternal error codes
      Error codeError code Message displayedPossible reason for errorWhat to do nowPossible reason for error and resolution
      -

      0x80501004

      +0x80501004       		-

      ERROR_MP_NO_INTERNET_CONN -

      +ERROR_MP_NO_INTERNET_CONN +       		-

      Check your Internet connection, then run the scan again.

      -      		 -

      Check your Internet connection, then run the scan again.

      +Check your Internet connection, then run the scan again.
      -

      0x80501000

      +0x80501000       		-

      ERROR_MP_UI_CONSOLIDATION_BASE

      +ERROR_MP_UI_CONSOLIDATION_BASE       		-

      This is an internal error. The cause is not clearly defined.

      +This is an internal error. The cause is not clearly defined.       		-

      -

        -
      1. Update the definitions. Either:
          -
        1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows Defender

          Or,

          -
          2. -
        2. Download the latest definitions from the Microsoft Malware Protection Center. -

          Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.

          -
          3. -
        -
        2. -
      2. Run a full scan. -
        3. -
      3. Restart the device and try again.
        4. -
      -

      +
      -

      0x80501001

      +0x80501001       		-

      ERROR_MP_ACTIONS_FAILED

      +ERROR_MP_ACTIONS_FAILED
      -

      0x80501002

      +0x80501002       		-

      ERROR_MP_NOENGINE

      +ERROR_MP_NOENGINE
      -

      0x80501003

      +0x80501003       		-

      ERROR_MP_ACTIVE_THREATS

      +ERROR_MP_ACTIVE_THREATS
      -

      0x805011011

      +0x805011011       		-

      MP_ERROR_CODE_LUA_CANCELLED

      +MP_ERROR_CODE_LUA_CANCELLED
      -

      0x80501101

      +0x80501101       		-

      ERROR_LUA_CANCELLATION

      +ERROR_LUA_CANCELLATION
      -

      0x80501102

      +0x80501102       		-

      MP_ERROR_CODE_ALREADY_SHUTDOWN

      +MP_ERROR_CODE_ALREADY_SHUTDOWN
      -

      0x80501103

      +0x80501103       		-

      MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING

      +MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
      -

      0x80501104

      +0x80501104       		-

      MP_ERROR_CODE_CANCELLED

      +MP_ERROR_CODE_CANCELLED
      -

      0x80501105

      +0x80501105       		-

      MP_ERROR_CODE_NO_TARGETOS

      +MP_ERROR_CODE_NO_TARGETOS
      -

      0x80501106

      +0x80501106       		-

      MP_ERROR_CODE_BAD_REGEXP

      +MP_ERROR_CODE_BAD_REGEXP
      -

      0x80501107

      +0x80501107       		-

      MP_ERROR_TEST_INDUCED_ERROR

      +MP_ERROR_TEST_INDUCED_ERROR
      -

      0x80501108

      +0x80501108       		-

      MP_ERROR_SIG_BACKUP_DISABLED

      +MP_ERROR_SIG_BACKUP_DISABLED
      -

      0x80508001

      +0x80508001       		-

      ERR_MP_BAD_INIT_MODULES

      +ERR_MP_BAD_INIT_MODULES
      -

      0x80508002

      +0x80508002       		-

      ERR_MP_BAD_DATABASE

      +ERR_MP_BAD_DATABASE
      -

      0x80508004

      +0x80508004       		-

      ERR_MP_BAD_UFS

      +ERR_MP_BAD_UFS
      -

      0x8050800C

      +0x8050800C       		-

      ERR_MP_BAD_INPUT_DATA

      +ERR_MP_BAD_INPUT_DATA
      -

      0x8050800D

      +0x8050800D       		-

      ERR_MP_BAD_GLOBAL_STORAGE

      +ERR_MP_BAD_GLOBAL_STORAGE
      -

      0x8050800E

      +0x8050800E       		-

      ERR_MP_OBSOLETE

      +ERR_MP_OBSOLETE
      -

      0x8050800F

      +0x8050800F       		-

      ERR_MP_NOT_SUPPORTED

      +ERR_MP_NOT_SUPPORTED
      -

      0x8050800F +0x8050800F 0x80508010 -

      		 -

      ERR_MP_NO_MORE_ITEMS

      +ERR_MP_NO_MORE_ITEMS
      -

      0x80508011

      +0x80508011       		-

      ERR_MP_DUPLICATE_SCANID

      +ERR_MP_DUPLICATE_SCANID
      -

      0x80508012

      +0x80508012       		-

      ERR_MP_BAD_SCANID

      +ERR_MP_BAD_SCANID
      -

      0x80508013

      +0x80508013       		-

      ERR_MP_BAD_USERDB_VERSION

      +ERR_MP_BAD_USERDB_VERSION
      -

      0x80508014

      +0x80508014       		-

      ERR_MP_RESTORE_FAILED

      +ERR_MP_RESTORE_FAILED
      -

      0x80508016

      +0x80508016       		-

      ERR_MP_BAD_ACTION

      +ERR_MP_BAD_ACTION
      -

      0x80508019

      +0x80508019       		-

      ERR_MP_NOT_FOUND

      +ERR_MP_NOT_FOUND
      -

      0x80509001

      +0x80509001       		-

      ERR_RELO_BAD_EHANDLE

      +ERR_RELO_BAD_EHANDLE
      -

      0x80509003

      +0x80509003       		-

      ERR_RELO_KERNEL_NOT_LOADED

      +ERR_RELO_KERNEL_NOT_LOADED
      -

      0x8050A001

      +0x8050A001       		-

      ERR_MP_BADDB_OPEN

      +ERR_MP_BADDB_OPEN
      -

      0x8050A002

      +0x8050A002       		-

      ERR_MP_BADDB_HEADER

      +ERR_MP_BADDB_HEADER
      -

      0x8050A003

      +0x8050A003       		-

      ERR_MP_BADDB_OLDENGINE

      +ERR_MP_BADDB_OLDENGINE
      -

      0x8050A004

      +0x8050A004       		-

      ERR_MP_BADDB_CONTENT

      +ERR_MP_BADDB_CONTENT
      -

      0x8050A005

      +0x8050A005       		-

      ERR_MP_BADDB_NOTSIGNED

      +ERR_MP_BADDB_NOTSIGNED
      -

      0x8050801

      +0x8050801       		-

      ERR_MP_REMOVE_FAILED

      +ERR_MP_REMOVE_FAILED       		-

      This is an internal error. It might be triggered when malware removal is not successful. -

      +This is an internal error. It might be triggered when malware removal is not successful.
      -

      0x80508018 -

      +0x80508018       		-

      ERR_MP_SCAN_ABORTED -

      +ERR_MP_SCAN_ABORTED +       		-

      This is an internal error. It might have triggered when a scan fails to complete. -

      +This is an internal error. It might have triggered when a scan fails to complete.
      diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 6bef064955..7eba149ae9 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -10,6 +10,8 @@ ms.sitesec: library ms.pagetype: security localizationpriority: medium author: iaanw +ms.author: iawilt +ms.date: 06/13/2017 --- diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index d331e9d39e..942587b25b 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -1,6 +1,6 @@ --- title: Windows Defender Antivirus -description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10. +description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -12,16 +12,17 @@ localizationpriority: medium author: iaanw --- -# Windows Defender Antivirus in Windows 10 +# Windows Defender Antivirus in Windows 10 and Windows Server 2016 **Applies to** - Windows 10 +- Windows Server 2016 Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network. -For more important information about running Windows Defender AV on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx). +For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Windows Defender AV can be managed with: - System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) @@ -57,14 +58,14 @@ See the [In this library](#in-this-library) list at the end of this topic for li ## Minimum system requirements -Windows Defender has the same hardware requirements as Windows 10. For more information, see: +Windows Defender AV has the same hardware requirements as Windows 10. For more information, see: - [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) - [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic. -Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). +Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). @@ -73,10 +74,13 @@ Functionality, configuration, and management is largely the same when using Wind Topic | Description :---|:--- -[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script -[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools -[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings +[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) | The Windows Defender Security Center combines the settings and notifications from the previous Windows Defender AV app and Windows Settings in one easy-to-manage place +[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) | Windows Defender AV can be used on Windows Server 2016, and features the same configuration and management capabilities as the Windows 10 version - with some added features for automatic exclusions +[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) | Windows Defender AV operates in different modes depending on whether it detects other AV products or if you are using Windows Defender Advanced Threat Protection +[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script +[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools +[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected -[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues +[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index b3305b6b1c..29fbb9377a 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -1,6 +1,6 @@ --- title: Windows Defender Antivirus on Windows Server 2016 -description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint +description: Enable and configure Windows Defender AV on Windows Server 2016 keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -13,7 +13,7 @@ author: iaanw --- -# Windows Defender Antivirus on Windows Server +# Windows Defender Antivirus on Windows Server 2016 **Applies to:** @@ -36,15 +36,124 @@ author: iaanw Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same. -See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features. - While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences: - In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product. +This topic includes the following instructions for setting up and running Windows Defender AV on a server platform: + +- [Enable the interface](#BKMK_UsingDef) + +- [Verify Windows Defender AV is running](#BKMK_DefRun) + +- [Update antimalware definitions](#BKMK_UpdateDef) + +- [Submit Samples](#BKMK_DefSamples) + +- [Configure automatic exclusions](#BKMK_DefExclusions) + + +## Enable the interface +By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs. + +You can enable or disable the interface by using the **Add Roles and Features Wizard** or PowerShellCmdlets, as described in the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic. + +The following PowerShell cmdlet will enable the interface: + +```PowerShell +Install-WindowsFeature -Name Windows-Defender-GUI +``` + +The following cmdlet will disable the interface: + +```PS +Uninstall-WindowsFeature -Name Windows-Server-Antimalware +``` + +> [!TIP] +> Event messages for the antimalware engine included with Windows Defender AV can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md). + + + +## Verify Windows Defender is running +To verify that Windows Defender AV is running on the server, run the following command from a command prompt: + +```DOS +sc query Windefend +``` + +The `sc query` command returns information about the Windows Defender service. If Windows Defender is running, the `STATE` value displays `RUNNING`. + + +## Update antimalware definitions +In order to get updated antimalware definitions, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender AV definitions are approved for the computers you manage. + +By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods: + +- **Windows Update** in Control Panel. + + - **Install updates automatically** results in all updates being automatically installed, including Windows Defender definition updates. + + - **Download updates but let me choose whether to install them** allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed. + +- **Group Policy**. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** + +- The **AUOptions** registry key. The following two values allow Windows Update to automatically download and install definition updates. + + - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender definition updates. + + - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed. + +To ensure that protection from malware is maintained, we recommend that you enable the following services: + +- Windows Defender Network Inspection service + +- Windows Error Reporting service + +- Windows Update service + +The following table lists the services for Windows Defender and the dependent services. + +|Service Name|File Location|Description| +|--------|---------|--------| +|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.| +|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.| +|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.| +|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.| +|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates| + + + + +## Submit Samples +Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware definitions. + +We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files. + +### Enable automatic sample submission + +- To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings: + + - **0** Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI. + + - **1** Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files. + + - **2** Never send. The Windows Defender service does not prompt and does not send any files. + + - **3** Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation. + + +## Configure automatic exclusions +To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016. + +See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information. + + ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) \ No newline at end of file +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) + +