Forum Discussion
Severely malicious running process detected by Windows Defender in 22610 update
While installing the Windows 11 Dev update to build 22610 today, Windows Defender arrested "Severe" malware, an actively running process, not just an inactive file. The update errored with 0xc190011f at the same time, so 22610 wasn't installed. The only recent downloads I have were never run. 22598 is plenty new, so unpatched vulnerabilities in the existing build shouldn't be why it became infected. Only a blank pen drive was connected recently. The Chromium browser was recently updated, so it wasn't an exploit through an outdated browser.
The error code is 0xc190011f and the Windows Defender detection is
Behavior:Win32/Powessere.SA
behavior: pid:2340:209678432966826
process: pid:2340,ProcessStart:132957367597465384
I performed a Quick Scan and Offline Scan with Windows Defender, updated Emsisoft Emergency Kit and used it to scan from the Recovery Environment, used SFC and DISM, performed a Full Scan, deleted Software Distribution, made a System Image Backup, and installed the 22610 update again. Threats found. At 5%, the Windows Defender notification appeared and the 0xc190011f error code in Windows Update. This was reproduced 4 times in total, quicker when retrying without having deleted Software Distribution.
Feedback Hub link with screenshots, video recording, and diagnostics: https://aka.ms/AAgsen0
Note that screenshots and other attachments are only visible to Microsoft.
Microsoft Support refused this issue because the operating system is currently under development, as if that makes it any more acceptable to distribute malware through Windows Update. It doesn't matter that it's under development, having a "Severely" malicious update for download is intolerable.
If it's completely unknown how to solve the "Severe" Behavior:Win32/Powessere.SA while downloading build 22610 because it's so new, then it's not that difficult to simply pull 22610 from being available for download. I know this is the wrong place to post this, but this is where Microsoft Support said to.
I know it's not supported, but not providing Behavior:Win32/Powessere.SA is something that has to be maintained at all times. Preview builds being unsupported translating to it being acceptable to distribute Behavior:Win32/Powessere.SA is as if the Windows Defender team were saying they don't need to maintain their antivirus signatures because none of the malware is their own and therefore not their responsibility to support.
Microsoft Support said "The Windows Insider forum is a peer to peer group of volunteers that are testing future beta releases of Windows 10 and as it is beta software Microsoft offers no support to Insiders who voluntarily download and test these beta builds."
Translation: The Windows Insider forum is a peer to peer group of volunteers that are downloading malicious beta releases of Windows 11 and as it is beta software Microsoft offers no assurance to Insiders who voluntarily download and test these beta builds that they aren't infected with malware.
Microsoft Support also said "When you first joined the Insiders you should have read the Terms of Service and Code of Conduct prior to joining." I did though, nothing in the agreement makes it any more acceptable to provide Behavior:Win32/Powessere.SA no matter how buggy the builds may have to be.
"There are many very qualified Insiders who use this forum who should be able to help you."
I myself do spend a highly significant amount of time each day assisting others, and did for myself, but the root issue can only be solved by Microsoft by pulling the 22610 download or confirming the Windows Defender detection is a false positive.
"Please take your concern to Windows Insider forums"
At the same time, "The Windows Insider forum is a peer to peer group of volunteers"
Only Microsoft is responsible for hosting the download.
If Microsoft is to provide severely malicious Behavior:Win32/Powessere.SA infected updates of Windows 11, that's not secure anyway, so if security is out the window even with the latest, why don't I just revert to using Windows 7, the best Windows ever, which is by far the finest ever produced?
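The detection record quoted above is the only artifact the original poster had to work from, so it is worth knowing what can be read out of it. The following is an added example, not code from the thread or from Microsoft: it parses the three lines exactly as Windows Defender displayed them and decodes the ProcessStart value. The interpretation of ProcessStart as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) is my assumption, as is reading the "Behavior:" prefix of the threat name as a behaviour-monitoring detection on a running process rather than a match on a file on disk.

```python
import re
from datetime import datetime, timedelta, timezone

# Detection record as Windows Defender displayed it in the original post.
# These three lines are copied from the thread, not constructed.
DETECTION_TEXT = """\
Behavior:Win32/Powessere.SA
behavior: pid:2340:209678432966826
process: pid:2340,ProcessStart:132957367597465384
"""

# Windows FILETIME counts 100 ns ticks from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME to a timezone-aware UTC datetime.

    The 100 ns resolution is truncated to microseconds, which is all a
    Python datetime can carry. (Assumption: ProcessStart is a FILETIME.)
    """
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def is_behavior_detection(threat_name: str) -> bool:
    """Defender threat names have the shape '<Type>:<Platform>/<Family>.<Variant>'.

    A 'Behavior' type is raised by behaviour monitoring against a running
    process, so a later full scan of the disk finding no file is consistent
    with such a detection rather than contradicting it.
    """
    return threat_name.split(":", 1)[0].strip().lower() == "behavior"


_PID_RE = re.compile(r"pid:(\d+)")
_START_RE = re.compile(r"ProcessStart:(\d+)")


def parse_detection(text: str) -> dict:
    """Turn the displayed detection record into a structured triage dict."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    threat_name = lines[0]
    record = {
        "threat_name": threat_name,
        "behavior_based": is_behavior_detection(threat_name),
        "pid": None,
        "process_start": None,
    }
    for ln in lines[1:]:
        # The 'process:' line carries the PID and the start timestamp of the
        # process that triggered the detection.
        if ln.startswith("process:"):
            pid = _PID_RE.search(ln)
            if pid:
                record["pid"] = int(pid.group(1))
            start = _START_RE.search(ln)
            if start:
                record["process_start"] = filetime_to_datetime(int(start.group(1)))
    return record


if __name__ == "__main__":
    rec = parse_detection(DETECTION_TEXT)
    for key, value in rec.items():
        print(f"{key}: {value}")
```

Run as-is, the script reports the detection as behaviour-based, PID 2340, and a process start of 2022-04-29 20:12:39 UTC. That timestamp is the one fact in the record a responder can correlate with other evidence, for example the Windows Update setup attempt in the event log at the same moment, before deciding whether a detection of this kind needs further investigation.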
- Callistemon (Copper Contributor): The error was caused by Skip_TPM_Check_on_Dynamic_Update for bypassing the Despicable Requirements of Windows 11. After that CMD was run again to uninstall, no threats were blocked while updating, instead a Setup window appeared to complain about the Despicable Requirements, then a different error code occurred after that's closed. Only build 22610 had this issue. Once 22616 was available, having Skip_TPM_Check_on_Dynamic_Update made the Setup window open instead of being blocked, which then proceeded through without the Despicable Requirements.
- Deleted
Callistemon Hi,
have you used this scanner?
Microsoft Safety Scanner Download | Microsoft Docs
Of course, if possible, you can upload the infected file:
Microsoft Safety Scanner Download | Microsoft Docs
- Callistemon (Copper Contributor): Okay I will use that next, but nothing was detected in the Windows Defender Full Scan or with Emsisoft Emergency Kit. It appears no malicious file is found on the disk even immediately after the incident, but only the process actively running.
- Callistemon (Copper Contributor): Nothing was detected by the Microsoft Safety Scanner.
- Little_Joe (Bronze Contributor): Hello,
Suggest you try to perform a clean installation and backup your data, otherwise you could spend a lot of time trying to rescue your OS....
- Deleted
Little_Joe Hi
I do not understand why, after one warning which was caused by the process of updating the test version, you recommend performing a clean installation that will remove everything?
I think this is an exaggeration!
- Reza_Ameri (Silver Contributor): Microsoft Updates are clean and not infected.
Did you install the Windows 11 from official Microsoft website?
Try running a full scan with Microsoft Defender.
You did the right thing by sending Feedback and hopefully the Windows team will investigate the issue.
- Callistemon (Copper Contributor): The virtual machine was originally installed with a 22499 ISO from https://aka.ms/wipiso
It has been upgraded to 22523, 22533, 22538, 22543, 22557, 22563, 22572, 22579, 22581, 22589, 22593, and 22598. As stated in the original post, a Full Scan with Windows Defender was run, and so was a Windows Defender Offline Scan. I also updated Emsisoft Emergency Kit and used it to scan from the Recovery Environment, and SFC and DISM did not report any corruption. The Behavior:Win32/Powessere.SA process that is "Severely" malicious is the only thing that occurs, and that's it.
- Jonnathan Radenz (Copper Contributor):
I just had this exact same issue. Twice. Same scenario, same error, same apparent virus detected.