Severely malicious running process detected by Windows Defender in 22610 update


While installing the Windows 11 Dev update to build 22610 today, Windows Defender arrested "Severe" malware, an actively running process, not just an inactive file. The update errored with 0xc190011f at the same time, so 22610 wasn't installed. The only recent downloads I have were never run. 22598 is plenty new, so unpatched vulnerabilities in the existing build shouldn't be why it became infected. Only a blank pen drive was connected recently. The Chromium browser was recently updated, so it wasn't an exploit through an outdated browser.

 

The error code is 0xc190011f and the Windows Defender detection is

Behavior:Win32/Powessere.SA

behavior: pid:2340:209678432966826

process: pid:2340,ProcessStart:132957367597465384

 

I performed a Quick Scan and Offline Scan with Windows Defender, updated Emsisoft Emergency Kit and used it to scan from the Recovery Environment, used SFC and DISM, performed a Full Scan, deleted Software Distribution, made a System Image Backup, and installed the 22610 update again. Threats found. At 5%, the Windows Defender notification appeared and the 0xc190011f error code appeared in Windows Update. This was reproduced 4 times in total, quicker when retrying without having deleted Software Distribution.

 

Feedback Hub link with screenshots, video recording, and diagnostics: https://aka.ms/AAgsen0

Note that screenshots and other attachments are only visible to Microsoft.

 

Microsoft Support refused this issue because the operating system is currently under development, as if that makes it any more acceptable to distribute malware through Windows Update. It doesn't matter that it's under development, having a "Severely" malicious update for download is intolerable.

 

If it's completely unknown how to solve the "Severe" Behavior:Win32/Powessere.SA while downloading build 22610 because it's so new, then it's not that difficult to simply pull 22610 from being available for download. I know this is the wrong place to post this, but this is where Microsoft Support said to.

 

I know it's not supported, but not providing Behavior:Win32/Powessere.SA has to be maintained at all times. Preview builds being unsupported translating to it being acceptable to distribute Behavior:Win32/Powessere.SA is as if the Windows Defender team were saying they don't need to maintain their antivirus signatures because none of the malware is their own and therefore not their responsibility to support.

 

Microsoft Support said "The Windows Insider forum is a peer to peer group of volunteers that are testing future beta releases of Windows 10 and as it is beta software Microsoft offers no support to Insiders who voluntarily download and test these beta builds."

 

Translation: The Windows Insider forum is a peer to peer group of volunteers that are downloading malicious beta releases of Windows 11 and as it is beta software Microsoft offers no assurance to Insiders who voluntarily download and test these beta builds that they aren't infected with malware.

 

Microsoft Support also said "When you first joined the Insiders you should have read the Terms of Service and Code of Conduct prior to joining." I did though, nothing in the agreement makes it any more acceptable to provide Behavior:Win32/Powessere.SA no matter how buggy the builds may have to be.

 

"There are many very qualified Insiders who use this forum who should be able to help you."

I myself do spend a highly significant amount of time each day assisting others, and did for myself, but the root issue can only be solved by Microsoft by pulling the 22610 download or confirming the Windows Defender detection is a false positive.

 

"Please take your concern to Windows Insider forums"

At the same time, "The Windows Insider forum is a peer to peer group of volunteers"

Only Microsoft is responsible for hosting the download.

 

If Microsoft is to provide severely malicious Behavior:Win32/Powessere.SA infected updates of Windows 11, that's not secure anyway, so if security is out the window even with the latest, why don't I just revert to using Windows 7, the best Windows ever, which is by far the finest ever produced?

 


@Callistemon  Hi,

have you used this scanner?

Microsoft Safety Scanner Download | Microsoft Docs 

Of course, if possible, you can upload the infected file:

Microsoft Safety Scanner Download | Microsoft Docs


 

Microsoft Updates are clean and not infected.
Did you install the Windows 11 from official Microsoft website?
Try running a full scan with Microsoft Defender.
You did the right thing by sending Feedback and hopefully the Windows team will investigate the issue.
Okay I will use that next, but nothing was detected in the Windows Defender Full Scan or with Emsisoft Emergency Kit. It appears no malicious file is found on the disk even immediately after the incident, but only the process actively running.
The virtual machine was originally installed with a 22499 ISO from https://aka.ms/wipiso
It has been upgraded to 22523, 22533, 22538, 22543, 22557, 22563, 22572, 22579, 22581, 22589, 22593, and 22598. As stated in the original post, a Full Scan with Windows Defender was run, and so was a Windows Defender Offline Scan. I also updated Emsisoft Emergency Kit and used it to scan from the Recovery Environment, and SFC and DISM did not report any corruption. The Behavior:Win32/Powessere.SA process that is "Severely" malicious is the only thing that occurs, and that's it.
Nothing was detected by the Microsoft Safety Scanner.
It might have been a false-positive detection.
Sometimes, the Anti-Malware engine detects a safe component as unsafe based on its behavior.
Do you know the location of the files or components which were detected as malicious earlier?

@Callistemon 

Great - this confirms that Microsoft Defender works correctly!
The warning you received was caused by the latest version, or by an unidentified Insider Program process. Defender then downloaded the latest threat definitions, which caused the danger to no longer be detected!
Thank you for your post because such problems need to be clarified - of course you understand that the diagnostic data was automatically transferred to Microsoft - this helps a lot!

No, the only detection was a running process, which is in the memory, and it did not specify the process name, only the single use unique identifier. It might be C:\Windows\SoftwareDistribution, as deleting that folder causes it to take longer when retrying before the malicious item occurs. None of the scanners detected anything that was saved in C:\Windows\SoftwareDistribution or any other folder.
"this confirms that Microsoft Defender works correctly!... it [Windows Defender] caused that the danger was no longer detected!" But if this item is to be truly malicious, what about all the users with a different antivirus? Why should users have to use Microsoft antivirus to be protected against Microsoft update malware? If it's a false positive, then that's not quite proper.

"The warning you received was caused by the latest version" I know it is caused by 22610, and not anything else I did. That's why I posted this.
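The question above about the location of the detected component can usually be answered from Defender's own records rather than from the toast notification, which for a behavior detection shows only a pid. The following PowerShell is an added example, not code from anyone in this thread; it assumes the built-in Defender module (Get-MpThreat, Get-MpThreatDetection) and read access to the Defender operational event log, and takes the threat name quoted in the thread as its only input.

```powershell
# Added example (not from any poster in this thread): recover the full record of a
# Defender "Behavior:" detection that the notification showed only as a pid.
# Assumes the Defender module cmdlets and the Defender operational event log are
# available; run from an elevated prompt so the event log is readable.
param(
    [string]$ThreatName = 'Behavior:Win32/Powessere.SA'   # name quoted in the thread
)

# Catalogue entry for the threat: gives the ThreatID, severity and whether it executed.
$threat = Get-MpThreat | Where-Object { $_.ThreatName -eq $ThreatName }
if (-not $threat) {
    Write-Host "No detection of $ThreatName in Defender history on this machine."
    return
}
Write-Host ("Severity {0}, executed: {1}" -f $threat.SeverityID, $threat.DidThreatExecute)

# Per-incident records: ProcessName, the 'behavior: pid:...' / 'process: pid:...'
# resource strings, timestamps and whether remediation succeeded.
Get-MpThreatDetection |
  Where-Object { $_.ThreatID -eq $threat.ThreatID } |
  ForEach-Object {
      [pscustomobject]@{
          Detected    = $_.InitialDetectionTime
          ProcessName = $_.ProcessName
          Resources   = ($_.Resources -join '; ')
          ActionOk    = $_.ActionSuccess
      }
  } | Format-List

# Event 1116 (detected) and 1117 (action taken) carry 'Path:' and 'Process Name:'
# fields that the cmdlet output often lacks for in-memory behavior detections.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match [regex]::Escape($ThreatName) } |
  ForEach-Object {
      $m = $_.Message
      [pscustomobject]@{
          Time    = $_.TimeCreated
          EventId = $_.Id
          Path    = $(if ($m -match 'Path:\s*(.+)')         { $Matches[1].Trim() } else { '' })
          Process = $(if ($m -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { '' })
      }
  } | Format-Table -AutoSize
```

If both the detection records and the events show only a pid with no path, the flagged code ran from memory and had already exited; the pid alone cannot be trusted afterwards because Windows reuses it.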
Hello,
Suggest you try to perform a clean installation and back up your data, otherwise you could spend a lot of time trying to rescue your OS....

@Little_Joe  Hi

I do not understand why, after one warning which was caused by the process of updating the test version, you recommend performing a clean installation that will remove everything?

I think this is an exaggeration!

@A1 

Nope, just like you said, it was a recommended solution to solve the problem. And more than that, it is a simple quick fix... considering we don't have the full details of where that copy came from. But if you think you want to tackle all of the viruses and the other issues it brought, then go for it.

In this thread, defender reported a threat to the process before downloading the latest threat definitions so I rated it as correct
In case you perform multiple scans with different Anti-Malware products, I believe you are safe. However, in case you have a sample of the malicious files and you believe they are not being detected, let us know.
This problem recurs for other users in the Insider program, so it is not a malicious process.

@Callistemon 

 

I just had this exact same issue. Twice.  Same scenario, same error, same apparent virus detected.  

@Little_Joe  The virtual machine was originally installed from https://aka.ms/wipiso for build 22499, and was upgraded through Windows Update and more https://aka.ms/wipiso ISOs until 22598, and now Windows Update is attempting to install 22610.

@Callistemon 

Other users confirm that disabling anti-virus protection before installation ( 22610. ) ensures proper installation of the update!
So you have to decide what steps to hook up!

Can't install windows 11 Insider Preview 22610.1 - Microsoft Tech Community

The error was caused by Skip_TPM_Check_on_Dynamic_Update for bypassing the Despicable Requirements of Windows 11. After that CMD was run again to uninstall, no threats were blocked while updating, instead a Setup window appeared to complain about the Despicable Requirements, then a different error code occurred after that's closed. Only build 22610 had this issue. Once 22616 was available, having Skip_TPM_Check_on_Dynamic_Update made the Setup window open instead of being blocked, which then proceeded through without the Despicable Requirements.