Win32/DefenderTamperingRestore caught by Windows Defender

Just saw this show up on our virus report on one system and one critical server. Microsoft info on it is non-existent and only 5 days old, however.

Anyone else see this? Is it just a false positive from turning AV off temporarily at some point in the past? Thanks in advance!

Question Info

Last updated April 1, 2020 · Views 12,838

Hi ChNew,
I am Sumit, an Independent Advisor and a 2-Year Windows Insider MVP here to help.

Probably not a false positive. Is it possible for you to do an offline scan on the server with Windows Defender Offline?

Otherwise, to make sure, you can scan using an anti-malware tool like Malwarebytes.


Malwarebytes Cybersecurity for Windows, Mac, Android & iOS ...
https://www.malwarebytes.com/

Disclaimer:
This is a non-Microsoft website which would provide accurate and safe information. Watch out for ads on the site which are frequently classified as a PUP (Potentially Unwanted Products). There is no need to buy paid products to fix your computers as they do more harm than good sometimes.
Sumit

Available 6 PM - 8 AM Pacific Standard time
Stay safe and wash your hands

Hi CN. I'm Greg, an installation specialist, 10 year Windows MVP, and Guardian Moderator here to help you.


Run a full scan with the most powerful on-demand free scanner Malwarebytes:
https://www.malwarebytes.com/mwb-download/.

In the Scan Settings first set it to include scanning for Rootkits.

If necessary run it in Safe Mode with Networking, or Safe Mode accessed by one of these methods: https://www.digitalcitizen.life/4-ways-boot-saf...

Clean up anything found, restart PC and then run again until it comes up clean.

Check for any remainders in Settings > Apps > Apps & Features, and also in each of your browser's Extensions, Home Page settings, Search service or Add-On's as shown here: https://community.box.com/t5/How-to-Guides-for-...

Then check for damaged System Files: https://www.lifewire.com/how-to-use-sfc-scannow...
If it cannot repair them see Step 10 here to continue: http://answers.microsoft.com/en-us/windows/wiki...

If you want to keep Malwarebytes as an on-demand scanner then you can turn off its Real Time trial version in its Settings > Account Details tab.

I hope this helps. Feel free to ask back any questions and let us know how it goes. I will keep working with you until it's resolved.

______________________________________________
Standard Disclaimer: There are links to non-Microsoft websites. The pages appear to be providing accurate, safe information. Watch out for ads on the sites that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the sites before you decide to download and install it.
_________________

Windows MVP 2010-20

Over 100,000 helped in forums in 10 years
I do not quit for those who are polite and cooperative.
I will walk you through any steps and will not let you fail.

1 person was helped by this reply

Thank you for info on where to start removing it - however I was hoping for more information on what it is, where it came from, threat vectors, etc. This seems to be quite new and the systems that are showing that are infected (remediation action was NoAction in Defender) are not public systems.

A very newly downloaded update to a program can cause a virus report. I had several with Norton, which would block the update because it was less than 5 days old. Defender may be the same, so I would check the age of the download which contains the malware.
However try running these programs:
MBAM free: https://www.malwarebytes.com/mwb-download/
Eset online scanner: http://www.eset.com/us/online-scanner/
Adwcleaner: https://www.malwarebytes.com/adwcleaner/

If these find one or more infections but do not fully remove them, it will be wise to register with a malware removal site to receive dedicated malware removal instructions. An expert will remain with you throughout the process until it is confirmed that your PC is 100% clean.
Malwarebytes virus/malware removal forum:
https://forums.malwarebytes.com/forum/7-windows...
Bleeping computer malware/virus removal forum:
https://www.bleepingcomputer.com/forums/forum22...

Disclaimer - This post contains reference to non-Microsoft websites and there may be ads on the page for products & services including products frequently classified as a PUP (Potentially Unwanted Product). Please thoroughly research any product / service advertised on the page before you decide to use them. Your discretion is very much advised.
Virginia - Time Lady.

We are seeing the same issue. It appears to be working its way through systems. I have isolated several of the systems and run additional secondary scans using multiple 3rd party tools, and so far I have been unable to find anything.

As far as I can tell, the reg key that Defender points out is on any system with managed endpoint protection from SCCM. The systems I have scanned all have it set to 0. Beyond that I can't see what tried to change it, if anything, or if this is just a false alarm. One system of mine in particular isn't even exposed to users or the internet - and that is extremely concerning if it is not some false match.

1 person was helped by this reply

Microsoft has updated their documentation since this morning indicating that it is the result of sub-optimal Windows Defender configurations. It would appear to be a false trigger: 

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:Win32/DefenderTamperingRestore&ThreatID=2147741622

6 people were helped by this reply

Looks like Microsoft has updated the entry on their security site - this is a catch to reconfigure real-time detection if it has been disabled. Below is what is listed on MS's site now:

Summary

This detection is for suboptimal configurations that may prevent Windows Defender Antivirus from functioning properly.
If you see this detection, a suboptimal configuration was detected, and Windows Defender Antivirus will auto-heal by automatically resetting to more secure configurations.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:Win32/DefenderTamperingRestore&ThreatID=2147741622

4 people were helped by this reply
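The two posts above leave a practitioner with one open question: which setting did Defender actually reset, and is something pushing it back? The script below is an added example for triaging that on one host; it is not code from the thread and not Microsoft's. It assumes an elevated PowerShell session on the affected Windows 10 / Windows Server machine with the built-in Defender module (the Get-Mp* cmdlets) and the Defender operational event log available. The registry paths are the standard Defender policy locations that SCCM and Group Policy write to; the reply earlier in the thread that mentions "the reg key that Defender points out" does not name the value, so reading the whole policy key rather than one value is a deliberate choice here.

```powershell
# Added example (not from the thread, not Microsoft's code): triage a
# VirTool:Win32/DefenderTamperingRestore hit on a single host.
# Run in an elevated PowerShell session on the affected machine.
# Assumes the built-in Defender module (Get-Mp* cmdlets) and the Defender
# operational event log are present; the registry paths are the standard
# Defender policy locations that SCCM / Group Policy write to.

$ThreatName  = 'VirTool:Win32/DefenderTamperingRestore'
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Confirm the detection from Defender's own threat history and get the
#    time it fired. Get-MpThreat maps the name to the numeric ThreatID
#    (2147741622 in Microsoft's encyclopedia URL); detections carry only the ID.
$threat = Get-MpThreat | Where-Object { $_.ThreatName -eq $ThreatName }
$detections = @()
if ($threat) {
    $detections = @(Get-MpThreatDetection |
        Where-Object { $_.ThreatID -eq $threat.ThreatID } |
        Sort-Object InitialDetectionTime -Descending)
}
"Detections of ${ThreatName}: $($detections.Count)"
$detections |
    Select-Object InitialDetectionTime, ActionSuccess, ProcessName, Resources |
    Format-Table -AutoSize

# 2. Current protection state. This is what the auto-heal is meant to leave
#    you with: real-time protection on, the Disable* switches off (False).
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    AMServiceEnabled          = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    DisableBehaviorMonitoring = $pref.DisableBehaviorMonitoring
    DisableIOAVProtection     = $pref.DisableIOAVProtection
    DisableScriptScanning     = $pref.DisableScriptScanning
} | Format-List

# 3. Policy-delivered values (what SCCM / GPO pushes). A value of 1 for
#    DisableRealtimeMonitoring here is a policy telling Defender to stay off,
#    which is the kind of setting this detection reverts; 0 or absent is the
#    healthy state, which is what the thread reports seeing on its hosts.
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
foreach ($path in $policyPaths) {
    if (Test-Path -Path $path) {
        "--- $path"
        Get-ItemProperty -Path $path |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    } else {
        "--- $path (not present)"
    }
}

# 4. Correlate with configuration-change events. Event 5007 is logged every
#    time a Defender setting changes, and its message records the old and new
#    value, so the 5007 events around the detection time show which setting
#    the auto-heal reset and, from the timestamps, whether something keeps
#    flipping it back.
if ($detections.Count -gt 0) {
    $when   = $detections[0].InitialDetectionTime
    $window = New-TimeSpan -Hours 1
    Get-WinEvent -FilterHashtable @{
        LogName   = $DefenderLog
        Id        = 5007
        StartTime = $when - $window
        EndTime   = $when + $window
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message |
        Format-List
}
```

If step 4 shows a 5007 event at the detection time whose new value is the secure setting, and no later 5007 event turning it back, the host matches the "auto-heal" description and there is nothing further to clean. A repeating pattern of the setting being switched off again after each reset points at whatever writes that policy value (a misconfigured SCCM or GPO baseline, or, on a host that should have no such policy, something worth treating as tampering), and that writer, not the detection, is what to chase.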

Lol just posted that as well - *whew*

Thanks everyone for your attention to this.

1 person was helped by this reply

Can I just ignore it or do I have to change my configuration? I have Norton. Thanks

1 person was helped by this reply