Windows Defender Identifies The SAME PUP As A Threat Repeatedly

Since the implementation of W10 V2004, Windows Defender has now been defaulted to identify PUPs as a threat. As a result, many are now made aware of their presence. And they are "remediated", on the spot, to prevent them from causing any mischief.

The problem occurs on the subsequent scans with Windows Defender. It identifies the same PUP again, and again. It has been determined that this is caused by the presence of the PUP in Protection History.

It appears that the default remediation that Windows Defender applies to PUPs is to Block them, then leave them in Protection History.

EDIT: It has been found that malware other than PUPs can require this same procedure. Some have discovered that even Trojans exhibit this same characteristic when remediated by Windows Defender in W10 v2004.

If you have any malware, remediated by Windows Defender, that alerts repeatedly, this procedure applies to it as well. In order to clean up the malware completely, find the file in the "container file" in the Protection History record, and delete the file that is described. If you can't find or access the file, run the Microsoft Safety Scanner. It uses the same definitions as Windows Defender, and should remediate the file.

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Then proceed to delete the Protection History info.

END EDIT.

Windows Defender is defaulted to scan its own "Scans/History", resulting in the discovery of the malware over and over again, even though other scanners see no evidence of the malware on the PC. It doesn't exist!

Until Microsoft sees fit to fix this problem, you can prevent the repeating error indication by deleting the items that are described in Windows Defender Protection History. You can delete them by accessing their files, which are located in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service.

In the "Service" folder, find and delete "Detection History".

Note: ProgramData is a hidden file. In order to access it, the "Hidden Items" option in "File Explorer" must be checked. Find the "Hidden Items" check box under the "View Tab".

And, the first time that you access "Scans", you must select "continue" to obtain the permission.

Restart and try another scan. Notifications for the current malware should stop.

However, this program miscue will probably reoccur when the next PUP / Malware is encountered.

Glen 
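
The procedure from the post above as a PowerShell script (an added example, not part of the original post and not Microsoft's tooling). It assumes an elevated session, the built-in Defender cmdlets `Get-MpThreat` and `Get-MpThreatDetection`, and the `file:_<path>` resource format; the CSV path is a placeholder. It refuses to clear the history while any detected file is still on disk.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, then clear, Defender's Detection History (not Microsoft's code).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ServiceDir = "$env:ProgramData\Microsoft\Windows Defender\Scans\History\Service",
    [string]$ReportCsv  = "$env:USERPROFILE\defender-detections.csv"  # placeholder path
)

# Map threat IDs to names so the report is readable.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

# For every recorded detection, check whether the file it points at is still on disk.
$report = foreach ($d in Get-MpThreatDetection) {
    foreach ($r in $d.Resources) {
        # Assumed resource format: "file:_C:\path\x.exe" or "containerfile:_C:\a.zip".
        if ($r -notmatch '^(file|containerfile):_') { continue }
        $path = $r -replace '^[a-z]+:_', '' -replace '->.*$', ''
        [pscustomobject]@{
            Threat = $names[$d.ThreatID]
            Path   = $path
            OnDisk = Test-Path -LiteralPath $path
            Seen   = $d.InitialDetectionTime
        }
    }
}
$report | Format-Table -AutoSize

# A file that still exists is a live finding, not a stale history entry: stop here.
if ($report | Where-Object OnDisk) {
    Write-Warning 'A detected file is still on disk; remove it or run Microsoft Safety Scanner first.'
    return
}

# Keep a record of what the history contained before deleting it.
if ($report) { $report | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation }

# The folder is named "DetectionHistory" on disk; the wildcard also matches "Detection History".
Get-ChildItem -LiteralPath $ServiceDir -Directory -Filter 'Detection*History' -Force |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete Defender detection history')) {
            Remove-Item -LiteralPath $_.FullName -Recurse -Force
        }
    }
```

Run it with `-WhatIf` first to see what would be deleted, then restart and rescan as the post describes.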


And when I delete GTA 5 I get a notification. When I look at Protection History it says this app or folder has been blocked, and the info is: app folder block un_a.exe, protected folder %userprofile%\Documents\Rockstar Games\Launcher\Profilesr. But it says 0 current threats. Is my computer safe?

2 people found this reply helpful


Followed the link and seem to have got rid of the problem.  (Couldn't open the relevant folders in Detection History though as they're in an unrecognised format - just deleted them).  Hope that MS sorts this out soon.

1 person found this reply helpful


GlenProuty,

"Since the implementation of W10 V2004, Windows Defender has now been defaulted to identify PUPs as a threat." -> To me this is very exciting news (although I acknowledge I have not read thru this entire thread).

In the past I have recommended and set my clients to turn on PUP (PUA) protection within Windows Defender.

Greg's answermarked suggestion in the following thread 'to turn ON PUP' protection is a featured favorite on my browser toolbar:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/windows-defender-not-detecting-known-adware/9cfe114b-8d1b-42a2-8268-34dc3acf9390?auth=1

I acknowledge it has picked up some of my "tools" and whacked them out; it was not hard to set up exceptions. (I have backups and know how to recover the "tools" not fit for general usage.)

If you want to revert to a less protected state, consider reversing the PUA setting.

Monkey57

3 people found this reply helpful


Glen, thank you for your advice. Just as others, I spent hours trying to get rid of the "PUA:Win32/InstallCore" notification that kept showing up as an "Active" threat in Windows Defender despite WD also saying that "no threats were found" after running several scans on my PC. I had downloaded and run several other anti-virus programs (trial versions) too and nothing was found. I already have Malwarebytes and the program was also finding nothing. All was a mystery and frustrating ordeal until I found this post. I followed your instructions and simply deleted the files in the Detection History and that solved the problem. Unbelievable. BIG THANKS to you again for your help with this issue!

4 people found this reply helpful


Thank you. This worked


This solved the problem for today!

1 person found this reply helpful


Thanks for this Glen. I was getting the same false PUP notification continually from Defender so I restored a week old image from before the Defender notifications started but was still getting them. Malwarebytes in Safe Mode showed no threats so I trawled the net and found your explanation to delete the "PUPs".

Only thing is I am on Win 10 Pro, Version 1909, Build 18363.997 so I wonder if this is an update to Defender across all versions of Win10? There were two updates available for my restored image and the Defender notifications started again after I installed those updates.

I also have Win 10 telemetry black holed and the PUP I was getting was "SettingsModifier:Win32/HostsFileHijack". I read one of your other posts about MS reporting any changes to the HOSTS file as a PUP and although my HOSTS file is clean I assume the program I use to block telemetry plus my use of PiHole is giving MS fits! Only thing I can think of as I am 100% sure my PC is clean and these notifications only appeared after I installed the most recent Windows updates to a week old restored image.


Hi xox101,

Thanks for the info. The failure on 1909 is news.

PUP detection on v1909 was not defaulted in Windows Defender. Most people probably never set it up. It's good to know that it can happen there too.

Microsoft defaulted PUP detection in v2004. That is the reason for so many seeing this problem now.

The fix for this will be up to Microsoft, so I guess there is no reason for us to define it any further.

Thanks again,  Glen


Since the implementation of W10 V2004, Windows Defender has now been defaulted to identify PUPs as a threat. As a result, many are now made aware of their presence. And they are "remediated", on the spot, to prevent them from causing any mischief.

The problem occurs on the subsequent scans with Windows Defender. It identifies the same PUP again, and again. It has been determined that this is caused by the presence of the PUP in Protection History.

It appears that the default remediation that Windows Defender applies to PUPs is to Block them, then leave them in Protection History.

Windows Defender is defaulted to scan its own "Scans/History", resulting in the discovery of the PUP over and over again, even though other scanners see no evidence of the PUP on the PC.

Until Microsoft sees fit to Quarantine the PUPs, you can prevent the repeating error indication by deleting them. They are described in Windows Defender Protection History. You can delete them by accessing their files, which are located in C:\Program Data\Microsoft\Windows Defender\Scans\History\Service.

Note: Program Data is a hidden file. In order to access it, the "Hidden Files" option in "File Explorer" must be checked. Find the "Hidden Files" check box under the "View Tab".

In the "Service" folder, delete any file that references the PUPs (PUA). They should be in "Detection History".

If you cannot see your PUP (PUA), just delete "Detection History".

Restart and try another scan. Notifications for the current PUPs should stop.

However, this program miscue will probably reoccur when the next PUP is encountered.

Glen 

Thank you, THANK YOU, for real

I've deleted a pup exe file from downloads ( I haven't opened it at all) and it kept saying it was still there, even in the details. I looked for it in the task manager and even in the extra apps and uninstalls but it didn't exist, strangely it said that it was currently running and active but since I did what was above, it resolved the issue with a full system scan.

I think it's a bug for removing certain PUPs since it said it was a win32 install core PUA. I haven't opened it like I said again. Perhaps it's a problem with the file running from the security history, because once I've deleted the folders inside the detection history, it was resolved.

Like I've said, thank you

It was a hassle to deal with using Malwarebytes as I was all like "Strange, it doesn't exist, I've even made sure in the settings to check everywhere" but Windows security kept duplicating it and showing me that file extension to downloads file.

I hope that bug can get fixed in later updates, even an "override" function would help so that it can sweep through the system for that file.

1 person found this reply helpful


I did this and had the exact same problem, and this really helped so much



Discussion Info


Last updated June 19, 2021 Views 96,854