Morning. I think. Today I appear to have a little red dot on my Windows Defender icon… so let's see what it is.

OK – the service has stopped… ok – hit “Restart now”, lots of those moving dots…

It’s taking a while?

Nope, that's not working, ok let's poke around – check Windows Update – ah… updates have failed, ok not great… let's have a look:

Definition Update for Windows Defender Antivirus – KB2267602 (Definition 1.289.21.0) – Error 0x80070643

Update for Windows Defender Antivirus antimalware platform – KB4052623 (Version 4.18.1902.2) – Error 0x80070643

Well that means… not a lot really… time for some research

Research!

So I find out the following:

  • Error 0x80070643 is a catch-all error – which is not helpful
  • I can’t restart the services since they appear not to have implemented the appropriate functions (Stoppable)
  • Lots of other people have the same problem – and there is lots of conflicting advice

So looking on Microsoft's site I found this, which matches the problem (yay), except that I can't even do the manual update mentioned – running that update in an Administrative PowerShell gives me the following log:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -dynamicsignatures
 Start Time: Thu Feb 28 2019 10:21:29

MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpRemoveDefinitions(0)
ERROR: MpRollbackSignature failed with hr=800106B5
MpCmdRun: End Time: Thu Feb 28 2019 10:21:29
-------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
 Start Time: Thu Feb 28 2019 10:21:38

MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpSignatureUpdate()
Calling MpUpdateStartEx with option 0x1
Update started
Update completed with hr: 0x800106b5
ERROR: Signature Update failed with hr=800106B5
MpCmdRun: End Time: Thu Feb 28 2019 10:21:38
-------------------------------------------------------------------------------------

Not very useful, and now another error: 0x800106b5, which I can't seem to find much about; in fact more people are talking about a similar number, 0x800106ba, which is apparently related to a conflict with another security process.

So I also tried to verify the local Windows image to see if it's broken or compromised, using the following commands (again in an administrative PowerShell):

dism /online /cleanup-image /restorehealth
SFC /scannow

Both tools give me a clean bill of health.

Current State

So the state is now this:

  1. Windows update is reporting the 2 failures – which won’t install (retried 6 times now with 3 reboots)
  2. Security Service is running
  3. Windows Defender Antivirus Service is “stopping” according to services – and can’t be restarted (all options greyed out)
  4. The windows installation is “Good”

Now my other Windows 10 box appears to be fine, so somewhere the update has broken.

My other options for resolution are: https://support.microsoft.com/en-ph/help/918355/how-to-troubleshoot-definition-update-issues-for-windows-defender – apparently this was a known issue, which is now fixed?

Resolution – the Manual Install

So let's try a manual update:

  1. Go to: https://www.microsoft.com/security/portal/definitions/adl.aspx (redirects to https://www.microsoft.com/en-us/wdsi/definitions)
  2. Skip automatic updates (broken, hence why we're here), skip triggering (same), the Enterprise steps have already been done (see above), and now select the appropriate Windows version and platform (32/64/ARM) and save the file
  3. Having downloaded the appropriate mpam-fe.exe, I ran it… which didn't do much. I also extracted the files (it's an archive) into a folder and ran the stub inside; again, not a lot going on here.
  4. Tried restarting the service via the Security Center – still no joy.
  5. Going back to the troubleshooting article – try looking at Windows Update as a source of the error. The log file for this is no longer in %windir%\WindowsUpdateLog – you need to run the PowerShell command Get-WindowsUpdateLog, which generates a log from the event tracing calls. Looking through that I find our old friend: 0x800106b5
  6. Found another article on Microsoft: https://answers.microsoft.com/en-us/protect/forum/all/i-get-an-error-code-0x800106b5-while-trying-to/45e1fc49-ad73-4e6a-9945-2cc4ad881b0f which sadly references a KB article which is no longer available…
  7. So tried the Windows Update Troubleshooter – which finds no problems… which is odd since I can see update failures in the log. Hmmm.
  8. So now we need to see if we have the most recent Servicing Stack Update – and the answer is yes, it was installed. Awesome
  9. Now we need to try and install the KB manually – which for KB4052623 we can do: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623 – this gives you 3 files… and doesn't tell you which one you should use… as far as I can tell it's 32-bit, 64-bit, and ARM when listed in a directory. Ran and installed(?) the update – ran the .exe twice since I think I ran the 32-bit version first 😦 so ran the 64-bit one after. Side note – must see if PowerShell has a "file" equivalent.
  10. So an anomaly – KB2267602 is not listed on the update catalogue. Nada. Although the definition version now matches Definition Update for Microsoft Security Essentials – KB2310138 (Definition 1.289.106.0), which is a 300Mb update containing far too many files to be helpful. NOT installing this.
  11. Ok – let's try a reboot and see if the manually installed update clears a block.
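Step 9 above asks whether PowerShell has a "file" equivalent for telling the three catalog downloads apart. Here is an added example (not code from the original post) that reads the Machine field of each .exe's PE header and reports the target architecture; the Downloads path at the end is a placeholder for wherever the catalog files were saved.

```powershell
# Added example: report the target architecture of a PE (.exe) file.
# Machine values are from the PE/COFF spec (IMAGE_FILE_HEADER.Machine).
function Get-PeArchitecture {
    param([Parameter(Mandatory)][string]$Path)

    $machineNames = @{
        0x014c = 'x86 (32-bit)'
        0x8664 = 'x64 (AMD64)'
        0x01c0 = 'ARM (32-bit)'
        0xaa64 = 'ARM64'
    }

    # Read only the headers rather than loading a 100MB+ update into memory.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $dos = New-Object byte[] 0x40
        if ($fs.Read($dos, 0, 0x40) -ne 0x40 -or $dos[0] -ne 0x4D -or $dos[1] -ne 0x5A) {
            return "$Path : not a PE file (missing 'MZ' header)"
        }
        # e_lfanew at offset 0x3C is the file offset of the 'PE\0\0' signature.
        $peOffset = [BitConverter]::ToInt32($dos, 0x3C)
        if ($peOffset -lt 0x40) { return "$Path : invalid e_lfanew" }
        $fs.Seek($peOffset, 'Begin') | Out-Null
        $hdr = New-Object byte[] 6
        if ($fs.Read($hdr, 0, 6) -ne 6 -or [BitConverter]::ToUInt32($hdr, 0) -ne 0x00004550) {
            return "$Path : not a PE file (missing 'PE' signature)"
        }
        # IMAGE_FILE_HEADER.Machine is the 16-bit field right after the signature.
        $machine = [BitConverter]::ToUInt16($hdr, 4)
    } finally {
        $fs.Dispose()
    }

    $name = if ($machineNames.ContainsKey([int]$machine)) { $machineNames[[int]$machine] }
            else { 'unknown machine 0x{0:X4}' -f $machine }
    '{0} : {1}' -f $Path, $name
}

# Usage: check every .exe saved from the update catalog (placeholder path).
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Get-PeArchitecture -Path $_.FullName }
```

The same function works on the files extracted from mpam-fe.exe, so the platform picked on the definitions page can be confirmed before running anything.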

 
Success! It's all green. Oddly, it says the update was applied on the 22nd (it's the 28th today). Clicking on "Check for Updates" resets this to match the information on https://www.microsoft.com/en-us/wdsi/definitions, which is today's date and the version number as below:

Version: 1.289.106.0
Released: Feb 28, 2019 07:51 AM UTC
Documentation: Release notes

So we are up to date on the definitions.

Solution

At this point too many changes have been made to say which one fixed it, so I'd go for the manual install of the definitions (mpam-fe.exe) and the manual install of KB4052623. Given the errors, it seems Windows Update somehow stopped the Windows Defender service from running; since the image was apparently good, it wasn't corruption of the files or a bust update of the service.
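To check the same facts this post gathered by hand (service state, platform and definition versions, the signature update result, and the error codes in the Windows Update log), here is an added example in PowerShell, not code from the original post. It assumes an elevated session on Windows 10 where the Defender cmdlets (Get-MpComputerStatus, Update-MpSignature) and Get-WindowsUpdateLog are available.

```powershell
# Added example: one-shot Defender update health check, run as Administrator.
$ErrorCodes = '0x80070643', '0x800106b5'   # the two codes that appeared in the post

# 1. Service state: services.msc showed WinDefend as "stopping" with no restart option.
#    That corresponds to Status = StopPending; CanStop tells you whether Stop is even offered.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc) { Write-Warning 'WinDefend service not found' }
else { 'WinDefend: status={0} canStop={1}' -f $svc.Status, $svc.CanStop }

# 2. Platform, engine and definition versions as the engine itself reports them,
#    so they can be compared with the version shown on the definitions web page.
$status = Get-MpComputerStatus
'Platform (antimalware) version : {0}' -f $status.AMProductVersion
'Engine version                 : {0}' -f $status.AMEngineVersion
'Signature version              : {0} (updated {1})' -f $status.AntivirusSignatureVersion,
                                                        $status.AntivirusSignatureLastUpdated
'Service enabled / AV enabled   : {0} / {1}' -f $status.AMServiceEnabled, $status.AntivirusEnabled

# 3. Try a signature update through the supported cmdlet. When the engine is wedged,
#    this fails with the same HRESULT that MpCmdRun -SignatureUpdate printed.
try {
    Update-MpSignature -ErrorAction Stop
    'Update-MpSignature: succeeded'
} catch {
    Write-Warning ('Update-MpSignature failed: ' + $_.Exception.Message)
}

# 4. Compile the ETW-based Windows Update log and keep only the lines that mention
#    the two Defender KBs or either error code, instead of reading the whole file.
$log = Join-Path $env:TEMP 'WindowsUpdate.log'
Get-WindowsUpdateLog -LogPath $log | Out-Null
$pattern = ($ErrorCodes + @('KB2267602', 'KB4052623')) -join '|'
Select-String -Path $log -Pattern $pattern |
    Select-Object -Last 20 |
    ForEach-Object { $_.Line }
```

Run it once before the manual installs and once after the reboot; a StopPending service that becomes Running and a signature version matching the definitions page are the two things to look for.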

Useful commands/websites:

  • http://www.catalog.update.microsoft.com/ – list of all updates
  • https://www.microsoft.com/en-us/wdsi/definitions – antivirus/security definitions
  • Get-WindowsUpdateLog – PowerShell command to let you compile the Update log for viewing
  • dism – Deployment Image Servicing and Management tool – run without options to get help, basically your windows image manager – your image == your install.
  • SFC – Resource Checker – verifies the integrity of your install, this will flag up bust/corrupt files