Windows Defender Identifies The SAME PUP As A Threat Repeatedly

Since the implementation of W10 v2004, Windows Defender has now been defaulted to identify PUPs as a threat. As a result, many are now made aware of their presence. And they are "remediated" on the spot, to prevent them from causing any mischief.

The problem occurs on the subsequent scans with Windows Defender. It identifies the same PUP again and again. It has been determined that this is caused by the presence of the PUP in Protection History.

It appears that the default remediation that Windows Defender applies to PUPs is to Block them, then leave them in Protection History.

EDIT: It has been found that malware other than PUPs can require this same procedure. Some have discovered that even Trojans exhibit this same characteristic when remediated by Windows Defender in W10 v2004.

If you have any malware, remediated by Windows Defender, that alerts repeatedly, this procedure applies to it as well. In order to clean up the malware completely, find the file in the "container file" in the Protection History record, and delete the file that is described. If you can't find or access the file, run the Microsoft Safety Scanner. It uses the same definitions as Windows Defender, and should remediate the file.

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download 

Then proceed to delete the Protection History info.

END EDIT.

Windows Defender is defaulted to scan its own "Scans/History", resulting in the discovery of the malware over and over again, even though other scanners see no evidence of the malware on the PC. It doesn't exist!

Until Microsoft sees fit to fix this problem, you can prevent the repeating error indication by deleting the items that are described in Windows Defender Protection History. You can delete them by accessing their files, which are located in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service.

In the "Service" folder, find and delete "Detection History".

Note: ProgramData is a hidden file. In order to access it, the "Hidden Items" option in "File Explorer" must be checked. Find the "Hidden Items" check box under the "View" tab.

And, the first time that you access "Scans", you must select "Continue" to obtain the permission.

Restart and try another scan. Notifications for the current malware should stop.

However, this program miscue will probably reoccur when the next PUP / malware is encountered.

Glen 
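
As an added example (not part of the original post): a PowerShell sketch that lists every detection Defender still has on record and checks whether the file each one points to is still on disk, which separates a stale history record from a file that was never removed. Run it from an elevated prompt; the `file:_` / `containerfile:_` format of the Resources strings and the sample paths are assumptions.

```powershell
# Added example, not from the thread. Assumption: each entry in Resources
# looks like "file:_C:\path" or "containerfile:_C:\archive.zip", with
# "->member" appended when the detection is inside an archive.
function Get-DetectionStatus {
    param([object[]] $Detection = @())
    foreach ($d in $Detection) {
        foreach ($r in $d.Resources) {
            # Only file-backed resources can be checked on disk.
            if ($r -notmatch '^(?<kind>file|containerfile):_(?<path>.+)$') { continue }
            $kind = $Matches['kind']
            # Drop an archive-member suffix so the outer file is tested.
            $path = ($Matches['path'] -split '->')[0]
            [pscustomobject]@{
                ThreatID    = $d.ThreatID
                Detected    = $d.InitialDetectionTime
                Kind        = $kind
                Path        = $path
                StillOnDisk = Test-Path -LiteralPath $path
            }
        }
    }
}

if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    # Live data: every detection Defender still has on record.
    $detections = @(Get-MpThreatDetection)
} else {
    # Constructed sample so the function can be tried without Defender.
    $detections = @([pscustomobject]@{
        ThreatID             = 1
        InitialDetectionTime = Get-Date
        Resources            = @('file:_C:\Temp\sample-installer.exe',
                                 'containerfile:_C:\Temp\sample.zip->inner.exe')
    })
}

# StillOnDisk = False means only the history record is left;
# True means the file itself was never removed.
Get-DetectionStatus -Detection $detections |
    Sort-Object Detected | Format-Table -AutoSize

# Record files on disk; their timestamps help match them to the detections above.
$history = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History\Service\DetectionHistory'
Get-ChildItem -LiteralPath $history -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object LastWriteTime, Length, FullName
```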


Hey Glen... thank you for your reply. I appreciate it very much. I'm glad you knew exactly what I was trying to do. You're right. It didn't dawn on me that it did start happening after the 2004 Windows 10 upgrade. Unfortunately your suggestion did not fix the problem. After I followed your instructions I ran a quick scan so Windows Security would eliminate the PUP threat, but no luck. It still reappears on the Virus & threat protection tab, showing as current threats found and wanting to start the recommended action.

I hope Microsoft fixes this glitch soon. Any more suggestions you have, I'll gladly appreciate them. Again, thank you for your reply. Hope to hear from you soon. Take care.

Regards

Pedro Jimenez III

62 people found this reply helpful


Hi Pedro,

I am sorry to hear that it did not work for you.

Will you do a test for me, to assure that the Exclusion was properly executed?

Please open Windows PowerShell (Admin), by right-clicking "Start" and selecting it.

On the PowerShell screen, type the following cmdlets, each followed by <enter>

$Preferences = Get-MpPreference     <enter>

$Preferences.ExclusionPath     <enter>

You should see the exclusions that you have set for Windows Defender.

And you should see C:\Program Data\Microsoft\Windows Defender\Scans\History

When satisfied, type Exit <enter> to close PowerShell. If you saw the above, please let me know. If not, please execute the Exclusion process again.

Thanks,  Glen

28 people found this reply helpful


Thanks Glen for your assistance. I really appreciate it. I did what you suggested with PowerShell and it does show all the exclusions, including the one I set for Windows Defender. I noticed I had entered the wrong path and chosen the wrong folder. I don't know why but I chose the scan folder twice (...scan/scan/history). I've removed it and added the correct one. Unfortunately it's still doing the same thing. Let me know if there is anything else you want me to try. Stay safe.

Pedro Jimenez III

7 people found this reply helpful


Hi Pedro,

Would you please observe Windows Defender Protection History to see if there is still a reference to your PUP?

Thanks,  Glen

8 people found this reply helpful


Hi Pedro,

After re-examining the article in Microsoft's DOCS regarding exclusions, I discovered that exclusions do not function for "On Demand Scans".

"The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-demand scans." Quoted from DOCS. (I don't understand the logic!)

That being the case, in order to eliminate the repeated notifications from the PUP, it may be necessary to delete its entry from the "History" manually. Really not desirable, as it will require a repeat of that action for subsequent PUPs. Unless...

Only if the "Exclusion" for the "History Log" is applied when the next PUP is detected, in Real Time, will the exclusion do any good. We have to wait and see. Seems doubtful.

Meanwhile, you should be able to eliminate this current notification by deleting its "History".

Navigate through Explorer as follows.

C:\Program Data\Microsoft\Windows Defender\Scans\ (you may have to click "Continue" to proceed past Scans) \History\Service. Open each of the folders in "Service" to find any reference to your PUP. Delete that one. I don't have a PUP entry, so I cannot define it any closer.

Please let me know how this works out. Glen

PS:

An OP posted this screenshot. He is having your same problem.

Do you see this in Scan Options when you Scan and get the repeat PUP notification?

If you do, have you ever tried to select "Quarantine" instead of "Remove"?

Perhaps if it is Quarantined, Windows Defender will no longer consider it.

Assuming "Remove" just isn't doing the job!!

Please give this a try and let me know if it helped. Thanks, Glen

31 people found this reply helpful


Hey Glen, Good afternoon. Thank you for all your help. I really appreciate it. Just to let you know, your last suggestion WORKED! I followed your instructions and navigated as follows: C:\Program Data\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory. I checked each folder and found the 2 that always appear as current threats. I deleted them and ran a quick scan and no more PUPs. Thanks very much Glen. You're a Hero, Life saver and an Angel. You don't know how much time I spent online researching for a solution to these annoying threat messages. I am very grateful you kept assisting me. May you have a Great Day. Stay Safe and God bless.

I didn't know if I can delete the whole files inside the DetectionHistory folder but at least the 2 causing the threat notifications are gone.

Best Regards

Pedro Jimenez III

20 people found this reply helpful


Can you please help me? I have the same issue wherein 2 threats named PUA:Win32/InstallCore and PUA:Win32/Presenoker keep popping up.

31 people found this reply helpful


Hi Vibhor,

Please see the EDIT at the bottom of page one of this discussion. If you have a problem with that, please respond.

Glen

6 people found this reply helpful


Well, thanks to your edit, I am now able to find the program data folder. If I delete all the files and folders under the service tab, will it work or will I be having any other trouble? Because I can't understand which file is for the PUP.

9 people found this reply helpful


Hi Vibhor,

In the folder "Service", you should find some ".Log" files. Open "DetectionHistory". This is where you should find what you are after. If you don't see any reference to your PUP(s), just delete the contents of DetectionHistory.

-----This is the response from an OP who used this procedure successfully-----

"Hey Glen, Good afternoon. Thank you for all your help. I really appreciate it. Just to let you know, your last suggestion WORKED! I followed your instructions and navigated as follows: C:\Program Data\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory. I checked each folder and found the 2 that always appear as current threats. I deleted them and ran a quick scan and no more PUPs. Thanks very much Glen. You're a Hero, Life saver and an Angel. You don't know how much time I spent online researching for a solution to these annoying threat messages. I am very grateful you kept assisting me. May you have a Great Day. Stay Safe and God bless.

I didn't know if I can delete the whole files inside the DetectionHistory folder but at least the 2 causing the threat notifications are gone.

Best Regards"

Good luck,  Glen

25 people found this reply helpful



Discussion Info


Last updated December 3, 2020. Views: 54,478.