Apr 30 2022 12:45 AM
While installing the Windows 11 Dev update to build 22610 today, Windows Defender arrested "Severe" malware, an actively running process, not just an inactive file. The update errored with 0xc190011f at the same time, so 22610 wasn't installed. The only recent downloads I have were never run. 22598 is plenty new, so unpatched vulnerabilities in the existing build shouldn't be why it became infected. Only a blank pen drive was connected recently. The Chromium browser was recently updated, so it wasn't an exploit through an outdated browser.
The error code is 0xc190011f and the Windows Defender detection is
Behavior:Win32/Powessere.SA
behavior: pid:2340:209678432966826
process: pid:2340,ProcessStart:132957367597465384
I performed a Quick Scan and Offline Scan with Windows Defender, updated Emsisoft Emergency Kit and used it to scan from the Recovery Environment, used SFC and DISM, performed a Full Scan, deleted Software Distribution, made a System Image Backup, and installed the 22610 update again. Threats found. At 5%, the Windows Defender notification appeared and the 0xc190011f error code in Windows Update. This was reproduced 4 times in total, quicker when retrying without having deleted Software Distribution.
Feedback Hub link with screenshots, video recording, and diagnostics: https://aka.ms/AAgsen0
Note that screenshots and other attachments are only visible to Microsoft.
Microsoft Support refused this issue because the operating system is currently under development, as if that makes it any more acceptable to distribute malware through Windows Update. It doesn't matter that it's under development; having a "Severely" malicious update for download is intolerable.
If it's completely unknown how to solve the "Severe" Behavior:Win32/Powessere.SA while downloading build 22610 because it's so new, then it's not that difficult to simply pull 22610 from being available for download. I know this is the wrong place to post this, but this is where Microsoft Support said to.
I know it's not supported, but not providing Behavior:Win32/Powessere.SA has to be maintained at all times. Preview builds being unsupported translating to it being acceptable to distribute Behavior:Win32/Powessere.SA is as if the Windows Defender team were saying they don't need to maintain their antivirus signatures because none of the malware is their own and therefore not their responsibility to support.
Microsoft Support said "The Windows Insider forum is a peer to peer group of volunteers that are testing future beta releases of Windows 10 and as it is beta software Microsoft offers no support to Insiders who voluntarily download and test these beta builds."
Translation: The Windows Insider forum is a peer to peer group of volunteers that are downloading malicious beta releases of Windows 11 and as it is beta software Microsoft offers no assurance to Insiders who voluntarily download and test these beta builds that they aren't infected with malware.
Microsoft Support also said "When you first joined the Insiders you should have read the Terms of Service and Code of Conduct prior to joining." I did, though; nothing in the agreement makes it any more acceptable to provide Behavior:Win32/Powessere.SA no matter how buggy the builds may have to be.
"There are many very qualified Insiders who use this forum who should be able to help you."
I myself do spend a highly significant amount of time each day assisting others, and did for myself, but the root issue can only be solved by Microsoft by pulling the 22610 download or confirming the Windows Defender detection is a false positive.
"Please take your concern to Windows Insider forums"
At the same time, "The Windows Insider forum is a peer to peer group of volunteers"
Only Microsoft is responsible for hosting the download.
If Microsoft is to provide severely malicious Behavior:Win32/Powessere.SA infected updates of Windows 11, that's not secure anyway, so if security is out the window even with the latest, why don't I just revert to using Windows 7, the best Windows ever, which is by far the finest ever produced?
Apr 30 2022 01:16 AM - edited Apr 30 2022 03:06 AM
@Callistemon Hi,
have you used this scanner?
Microsoft Safety Scanner Download | Microsoft Docs
Of course, if possible, you can upload the infected file:
Microsoft Safety Scanner Download | Microsoft Docs
Apr 30 2022 07:10 AM
Apr 30 2022 11:22 AM
Apr 30 2022 11:26 AM
Apr 30 2022 04:00 PM
May 01 2022 05:23 AM
May 01 2022 12:01 PM
Great - this confirms that Microsoft Defender works correctly!
The warning you received was caused by the latest version, or by an unidentified Insider program process. Defender downloaded the latest threat definitions, and that caused the danger to no longer be detected!
Thank you for your post because such problems need to be clarified - of course you understand that the diagnostic data was automatically transferred to Microsoft - this helps a lot!
May 01 2022 05:09 PM
May 01 2022 05:30 PM
May 01 2022 10:03 PM
May 02 2022 01:01 AM
@Little_Joe Hi
I do not understand why, after one warning, which was caused by the process of updating the test version, you recommend performing a clean installation that will remove everything.
I think this is an exaggeration!
May 02 2022 01:44 AM - edited May 02 2022 01:45 AM
Nope, just like you said, it was a recommended solution to solve the problem. And more than that, it is a simple quick fix, considering we don't have the full details of where that copy came from. But if you think you want to tackle the virus along with the other issues it brought, then go for it.
May 02 2022 02:20 AM
May 02 2022 07:01 AM
May 02 2022 08:17 AM
May 02 2022 03:54 PM
I just had this exact same issue. Twice. Same scenario, same error, same apparent virus detected.
May 02 2022 07:17 PM
@Little_Joe The virtual machine was originally installed from https://aka.ms/wipiso for build 22499, and was upgraded through Windows Update and more https://aka.ms/wipiso ISOs until 22598, and now Windows Update is attempting to install 22610.
May 02 2022 11:09 PM - edited May 02 2022 11:15 PM
Other users confirm that disabling anti-virus protection before installation (22610) ensures proper installation of the update!
So you have to decide what steps to hook up!
Can't install windows 11 Insider Preview 22610.1 - Microsoft Tech Community
May 13 2022 10:58 PM