Malware detected windows defender

Troubleshoot problems with detecting and removing malware

The troubleshooting info in this topic might help you if you’re experiencing any of the following problems when detecting and removing malware with Microsoft Defender Antivirus, Microsoft Security Essentials, or other Microsoft antimalware solutions:

If scans are taking too long or appear to be progressing very slowly, consider the following solutions:

Ensure you have sufficient disk space

Run scans while your PC is idle by closing all other programs

Microsoft Defender Antivirus requires disk space to remove and quarantine malware files. It might be prevented from completely removing a threat if there isn’t enough space on your PC, particularly on your system drive (commonly drive C). See the following to help free up space:

After you’ve freed up some space, update and then run a scan again.

In general, full scans can take a long time if you have a large disk with lots of files. Large files, especially archives such as ZIP files, take longer to scan.

If Microsoft Defender Antivirus continually encounters errors during scans or during malware removal, try the following solutions:

Please provide feedback to us, so we can deliver fixes as fast as possible. By default, Windows automatically collects error information, but describing the error on the Feedback Hub app can help us address the error more efficiently.

Tip: You can quickly launch the Windows Feedback Hub app in Windows 10 by pressing the Windows logo key + F.

Run Windows Update to apply any fixes and ensure you have the latest components.

If Microsoft Defender Antivirus continually encounters errors during updates, try installing the latest protection updates manually.

To detect the latest threats, use a robust antimalware product, like Microsoft Defender Antivirus, which is built into Windows 10 and Windows 8.1. Ensure that critical security features are turned on and that Microsoft Defender Antivirus is fully updated before scanning.

Use Microsoft Defender Antivirus with cloud-based protection

By default, the following advanced features are enabled. If you’ve turned them off, you should enable them for the best protection:

Automatic sample submission

To turn on these features:

Select Start > Settings > Update & Security > Windows Security > Virus & threat protection.

Under Virus & threat protection settings, select Manage settings.

Make sure the settings for Cloud-delivered protection and Automatic sample submission are turned On.

These settings significantly increase the chances of detecting never-before-seen malware and enable the automated creation of new protection updates that help immunize all other computers running Microsoft Defender Antivirus from the newly discovered threats.

Update Microsoft Defender Antivirus before scanning

By default, Microsoft Defender Antivirus updates definitions automatically at least once every day. You can also manually check for updates:

Select Start > Settings > Update & Security > Windows Security > Virus & threat protection.

Under Virus & threat protection updates, select Check for updates.

Under Threat definitions, select Check for updates.
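The same settings can be checked from PowerShell. This is an added example, not part of the original article: it reads the built-in `Get-MpComputerStatus` and `Get-MpPreference` cmdlets and reports whether cloud-delivered protection and automatic sample submission are on and how old the definitions are. The one-day threshold is an assumption based on the daily update default described above.

```powershell
# Added example: health check for Microsoft Defender Antivirus.
# Run in an elevated PowerShell session on Windows 10.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced
$cloudOn = $pref.MAPSReporting -in 1, 2
# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples,
#                       2 = never send,    3 = send all samples
$samplesOn = $pref.SubmitSamplesConsent -in 1, 3

$maxAgeDays = 1   # assumption: matches the daily update default
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

[pscustomobject]@{
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    CloudProtection      = $cloudOn
    AutoSampleSubmission = $samplesOn
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureAgeHours    = [math]::Round($sigAge.TotalHours, 1)
} | Format-List

if (-not $cloudOn)   { Write-Warning 'Cloud-delivered protection is off.' }
if (-not $samplesOn) { Write-Warning 'Automatic sample submission is off.' }

# Refresh definitions before scanning if they are stale.
if ($sigAge.TotalDays -gt $maxAgeDays) {
    Write-Warning 'Definitions are older than one day, updating now.'
    Update-MpSignature
}
```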

If you continue to encounter suspicious files that are not detected by Microsoft Defender Antivirus, submit the files to Microsoft for analysis.

Even after malware has been removed, it might come back if you visit the website that hosts it or receive it again by email. Avoid websites that might contain malware, such as sites that provide illegal downloads.

To block threats from malicious websites, use a modern browser like Microsoft Edge, which uses Microsoft Defender SmartScreen to identify sites with poor reputation. Upgrade to the latest version of Windows to benefit from a host of built-in security enhancements.


In some cases, the same malware is redetected because an undetected malware component keeps quietly reinstalling it. The malware is typically reinstalled, and redetected, right after you restart your PC. To resolve this, try scanning with Microsoft Defender Offline to catch hidden threats.

Scan with Windows Defender Offline

If the same malware keeps infecting your PC, use Windows Defender Offline to look for and remove recurring malware. Microsoft Defender Offline is a scanning tool that works outside of Windows, allowing it to catch and clean infections that hide themselves when Windows is running.

Note: Before initiating a Microsoft Defender Offline scan, make sure you’ve saved your work. Your PC will restart before starting the scan.

To start an offline scan in Windows 10:

Select Start > Settings > Update & Security > Windows Security > Virus & threat protection.

Under Current threats, select Scan options.

Select Windows Defender Offline scan and then select Scan now.

On Windows 8.1 you will need to download Microsoft Defender Offline as a separate tool. For more information, see Help protect my PC with Microsoft Defender Offline.

If malware has caused irreversible changes to your PC, you can try to reset your PC. This might involve restoring data from backup.

Reset, restore, or reinstall your PC

Back up any files and settings you want to keep so that you can restore them later. Windows provides several options on how you can reset or refresh your PC. If you choose to manually reinstall, you will need to prepare installation discs, product keys, and setup files.

Note: Whenever possible, restore your files from backups generated before the infection and stored in an external location, such as OneDrive, which provides regular cloud-based backups with version histories. Backups that are on your PC during an infection might have already been modified by the malware.

See the following articles for more information about reinstalling or recovering Windows:

As soon as you restore your PC, make sure you have the latest software running. The latest versions of software include available fixes for known security issues. This will help ensure your PC is not infected by malware that exploits security vulnerabilities.

See the following articles for more information about updating Microsoft software and third-party applications:

Provide feedback to Microsoft

Microsoft continually works on enhancing the user experience on all current products, including Windows Defender Antivirus. We encourage all customers to make use of the following feedback channels included in Windows 10:

Set Windows to automatically prompt for your feedback. Windows is already configured to automatically prompt for feedback by default. To ensure this feature is turned on, select Start > Settings > Privacy > Diagnostics & feedback. Under Feedback frequency, make sure that Windows is set to ask for your feedback automatically.

Manually send feedback at any time through the Feedback Hub app. To send feedback, type Feedback Hub in the search box on the taskbar, then select it from the list of results to open the app. In the app, select Feedback > Add new feedback. Select Security, Privacy, and Accounts > Windows Defender Antivirus as the category.

Read Diagnostics, feedback, and privacy in Windows 10 for questions about privacy and feedback settings.

Windows Defender and Malwarebytes for windows 10

I have been unable to run a Windows Defender scan since 1/4/2018. I noticed there was an update on 1/8/2018. Is there a way to re-install or repair Windows Defender without a fresh install? I tried to download and install Windows Defender but was told a copy already exists.


I have Malwarebytes Pro antimalware installed and have never had an issue with it interfering with windows defender before.

[Original Title: Windows Defender for windows 10]


From the first day I owned this computer, with the Windows 8 OS, to today, when I have upgraded to the Windows 10 OS, I have been able to run both Windows Defender and Malwarebytes together with no issues. That is until sometime after January 4, 2018 and the update from Microsoft.

And I believe Microsoft even updated windows defender in 2016 to allow another antivirus/antimalware program to run simultaneously.

I have real-time protection turned on for both programs but I don’t run automatic scans. I try to run a Malwarebytes antimalware full scan daily because it runs so much faster than a Windows Defender quick scan. If necessary I would run a quick scan with Windows Defender, but not since January 4th.

Hosts file is detected as malware in Windows Defender

Symptoms

Consider the following scenario:

You install Windows 8.

You change the Hosts file by specifying custom IP-address-to-host-name mappings to prevent users from browsing to some websites.

You run a scan in Microsoft Windows Defender.

In this scenario, the Hosts file is detected as a SettingsModifier:Win32/PossibleHostsFileHijack malware threat by Windows Defender.

Cause

This issue occurs because Windows Defender may determine incorrectly that the Hosts file was changed by malware, such as adware or spyware. Typically, malware programs change the Hosts file to redirect users to malicious websites. Therefore, Windows Defender may detect the Hosts file as a security threat.

Resolution

To resolve this issue, exclude the Hosts file from scanning in Windows Defender. To do this, follow these steps:

Open Windows Defender.

On the Settings tab, click Excluded files and locations.

Under File locations, click Browse.

Locate and then click the Hosts file.

Note: By default, the Hosts file is located in the %systemroot%\system32\drivers\etc folder.

Click Add, and then click Save changes.

Exit Windows Defender.
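Before adding the exclusion, review what the Hosts file actually contains, because an excluded file is no longer scanned and later changes to it will not be flagged. The script below is an added example, not part of the original article: it lists the active entries and separates block-style mappings (loopback or 0.0.0.0) from mappings to any other address. Treating every other target as needing review is this example's assumption.

```powershell
# Added example: classify active Hosts file entries before excluding the file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$blockTargets = '0.0.0.0', '127.0.0.1', '::1', '::'   # assumption: block sinks

$entries = foreach ($line in Get-Content -LiteralPath $hostsPath) {
    # Drop the comment part and surrounding whitespace
    $text = ($line -split '#', 2)[0].Trim()
    if (-not $text) { continue }

    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }   # address without a host name

    $address = $fields[0]
    $parsed  = $null
    if (-not [System.Net.IPAddress]::TryParse($address, [ref]$parsed)) {
        $kind = 'InvalidAddress'
    } elseif ($address -in $blockTargets) {
        $kind = 'Block'
    } else {
        $kind = 'Redirect-Review'
    }

    # One line may map several host names to the same address
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        [pscustomobject]@{ Address = $address; HostName = $name; Kind = $kind }
    }
}

$entries | Sort-Object Kind, HostName | Format-Table -AutoSize

$review = @($entries | Where-Object Kind -ne 'Block')
if ($review.Count) {
    Write-Warning "$($review.Count) mapping(s) are not block-style. Confirm you added each one."
} else {
    'All active entries are block-style mappings.'
}

# Record a hash so later changes to the excluded file can be noticed.
Get-FileHash -LiteralPath $hostsPath -Algorithm SHA256
```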

References

For more information about the SettingsModifier:Win32/PossibleHostsFileHijack malware threat, go to the following Microsoft Malware Protection Center encyclopedia entry:

For information about how to reset the Hosts file to the default settings, click the following article number to go to the article in the Microsoft Knowledge Base:

972034 How can I reset the Hosts file back to the default?

Solution for ‘Malware detected Windows Defender is taking action’ alerts

  • Windows Defender has a very long history and has been renamed a few times. The good news is that it kept evolving and now it’s a pretty decent antivirus.
  • In case the alerts and pop-ups are confusing or don’t make sense, follow this guide to fix any incompatibilities and scan for malware.
  • This article is part of a series of guides to fixing Windows Defender errors.
  • Make sure to bookmark the Windows 10 Troubleshooting Hub if you are interested in reading about general errors or update bugs.

If you just received a system pop-up from Windows Defender saying ‘malware detected Windows Defender is taking action to clean detected malware’ but nothing happens, you need to make sure that your system is still secured.

A virus or other malware might be causing all these problems, though, on the other hand, it might be only a compatibility issue between Windows Defender and another third-party antivirus program.


So, before taking any action you need to make sure that Windows Defender is properly running on your Windows 10 system.

The first thing you should do is to verify the Windows Defender history. The antivirus program might have found infected files but it might not be able to properly remove them (especially if the ‘malware detected Windows Defender is taking action’ message is displayed repeatedly).

If that occurred, then identify these files and manually remove them. You can also run the Microsoft Safety Scanner in order to extend the Windows Defender functionality.

If the history log isn’t showing any infected files it might be because Windows Defender detects the same virus but in different locations, and so does not make a history entry. In that case, you should choose a different antivirus solution that can perform a more complex scan.
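The detection history can also be read from PowerShell. This added example (not from the original article) uses the built-in `Get-MpThreatDetection` and `Get-MpThreat` cmdlets to group detections by threat and list the affected resources, which shows whether one threat keeps being detected, where, and whether the remediation action succeeded.

```powershell
# Added example: summarize Defender detection history per threat.
# Run in an elevated PowerShell session.

# Map threat IDs to readable names
$names = @{}
foreach ($t in Get-MpThreat) { $names[[string]$t.ThreatID] = $t.ThreatName }

$detections = @(Get-MpThreatDetection)
if (-not $detections.Count) {
    'No detections recorded in Defender history.'
    return
}

$detections | Group-Object ThreatID | ForEach-Object {
    $items = @($_.Group | Sort-Object InitialDetectionTime)
    [pscustomobject]@{
        ThreatID      = $_.Name
        ThreatName    = $names[$_.Name]
        Detections    = $_.Count
        FirstSeen     = $items[0].InitialDetectionTime
        LastSeen      = $items[-1].InitialDetectionTime
        # Detections where the cleaning action did not succeed
        FailedActions = @($items | Where-Object { -not $_.ActionSuccess }).Count
        # Files, registry keys or other locations tied to this threat
        Resources     = ($items.Resources | Sort-Object -Unique) -join '; '
    }
} | Sort-Object Detections -Descending | Format-List
```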

You can also initiate the system scan through Safe Mode – in safe mode, third-party apps and processes are disabled by default so certain malware won’t be able to interfere with the scanning and removal process.

In that regard, I recommend installing BullGuard AV, as this is one of the best antivirus solutions that you can use today.

Don’t worry, installing this antivirus is intuitive, you only have to follow on-screen prompts.

Having won several awards from independent tests, it has proven its capability of detecting multiple types of malware and completely cleaning the system.

The 15-day trial will surely convince you that it has a small footprint so it will not have a negative impact on the performance of your computer.

The top features that make BullGuard a good choice are:

  • light on system resources, comparable with Windows Defender
  • Game Booster mode that blocks pop-ups or interruptions
  • Vulnerability Scanner that goes beyond a simple scan and comes with various recommendations


During the installation process, Windows Defender should be automatically disabled. If it’s not, you need to perform this operation manually:

  • Access Local Group Policy Editor on your computer: press Win+R and enter gpedit.msc.
  • From there, navigate to: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender.
  • Click on the Windows Defender field and from the right panel of the main window click on Turn off Windows Defender.
  • Choose Enable – this will actually disable the default Windows Defender software.

In the end, run BitDefender and initiate a full scan. If malicious files are found, the antivirus will automatically remove everything.

Remember that you should perform the system scan from Safe Mode to be able to delete even the most persistent malware. You can enter Safe Mode by following these steps:

  • Press the Win+R hotkeys and enter msconfig.
  • The System Configuration window will be displayed.
  • Switch to the Boot tab and click on the Safe boot option.
  • Also, select the Network option.
  • Save your changes and restart your computer.
  • Done.

Now, if there isn’t any infected file left on your computer but you still receive the ‘malware detected Windows Defender is taking action to clean detected malware’ message, you should check for possible conflicts between Windows Defender and other similar security programs.

For example, if you also use Kaspersky and its license expired, Windows Defender will identify the antivirus as a potential deceptive program.

So, now you should know how to react when you see the ‘malware detected Windows Defender is taking action to clean detected malware’ pop-up message displayed by Windows Defender.

As already outlined, you should choose a third-party antivirus solution that can easily identify and remove even the most complex malware and viruses.
