Forum Discussion
Callistemon
Apr 30, 2022 Copper Contributor
Severely malicious running process detected by Windows Defender in 22610 update
While installing the Windows 11 Dev update to build 22610 today, Windows Defender arrested "Severe" malware, an actively running process, not just an inactive file. The update errored with 0xc190011f...
Deleted
Callistemon Hi,
have you used this scanner?
Microsoft Safety Scanner Download | Microsoft Docs
Of course, if possible, you can upload the infected file:
Microsoft Safety Scanner Download | Microsoft Docs
Callistemon
Apr 30, 2022 Copper Contributor
Okay I will use that next, but nothing was detected in the Windows Defender Full Scan or with Emsisoft Emergency Kit. It appears no malicious file is found on the disk even immediately after the incident, but only the process actively running.
- Callistemon
Apr 30, 2022 Copper Contributor
Nothing was detected by the Microsoft Safety Scanner.
- Reza_Ameri
May 01, 2022 Silver Contributor
It might have been a false-positive detection.
Sometimes, the anti-malware engine detects a safe component as unsafe based on its behavior.
Do you know the location of the files or components which were detected as malicious earlier?
- Callistemon
May 02, 2022 Copper Contributor
No, the only detection was a running process, which is in memory, and it did not specify the process name, only the single-use unique identifier. It might be C:\Windows\SoftwareDistribution, as deleting that folder causes it to take longer when retrying before the malicious item occurs. None of the scanners detected anything that was saved in C:\Windows\SoftwareDistribution or any other folder.
- Deleted
May 01, 2022
Great - this confirms that Microsoft Defender works correctly!
The warning you received was caused by the latest version, or an unidentified insider program process (Defender downloaded the latest threat definitions), which caused the danger to no longer be detected!
Thank you for your post because such problems need to be clarified - of course you understand that the diagnostic data was automatically transferred to Microsoft - this helps a lot!
- Callistemon
May 02, 2022 Copper Contributor
"this confirms that Microsoft Defender works correctly!... it [Windows Defender] caused that the danger was no longer detected!" But if this item is truly malicious, what about all the users with a different antivirus? Why should users have to use Microsoft antivirus to be protected against Microsoft update malware? If it's a false positive, then that's not quite proper.
"The warning you received was caused by the latest version" I know it is caused by 22610, and not anything else I did. That's why I posted this.