We are trying to manually update Windows Defender by using the official standalone update packages provided by Microsoft. By manually I mean running the packages using 3rd-party patch/software management. There is no WSUS, and running standalone update packages is the intended way if you do not use WSUS.
As long as ENS is active, the Windows Defender service does not start, but it is necessary for the standalone update package to run successfully. Has anyone else had the same problem and found a solution that does not include uninstalling ENS completely to have the update run?
Thank you for your post. As long as ENS is active, under ideal conditions, it is going to be ENS that takes care of your anti-malware needs. Hence, may I know why you are trying to update Windows Defender?
However, I have never tried running an update for Windows Defender with ENS present. Since you have mentioned offline packages being used here, have you tried a direct update from the internet?
Sure you can ask. There is a known vulnerability in outdated Windows Defender versions. We are running Tenable Nessus Scanner against every machine to find and mitigate those vulns. For Windows Defender we found no good way to do it automatically.
Thank you for your prompt response. Sorry about the delay. Kindly point me to the source where I can download this update file and check. Is this a KB update that can be done via Windows Update?
If that's the case, does running Windows Update help you here?
Hi! Thanks for your response.
The update file mentioned is the Security Intelligence Update for Windows Defender Antivirus, to be found under https://www.microsoft.com/en-us/wdsi/defenderupdates
In detail, the mpam-fe.exe: https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64
Running Windows Update is no option since all devices have a GPO in place that points to the 3rd-party patch management, including all Windows patches + KBs BUT excluding Windows Defender updates. This is not an issue of the 3rd-party vendor but of Microsoft policies.
This is the CVE we are trying to mitigate:
Thank you for your response. Ideally, since McAfee ENS has taken over the anti-malware responsibility, there should be no requirement for MpSigStub.exe to run, which would eliminate the possibility of this attack. However, I shall give this a try in my lab environment and get back to you with an update on the same.
Thank you for your time and patience with us on this. I am afraid the result is the same with me as well, and we may have to go with Microsoft's suggestion on this:
"The definitions are not updating on my system. What do I do?
This security update is delivered only through definition updates. This cannot happen if Defender is in a disabled state (such as in the case of a third-party antivirus product providing real time protection). If Defender is disabled, you can delete the vulnerable file from the system: C:\WINDOWS\System32\MpSigStub.exe.
If Defender is re-enabled at a later time, MpSigStub.exe will be replaced only when updating signatures via Microsoft Update or WSUS. MpSigStub.exe will not be replaced via the standalone Mpam-fe.exe install or via UNC Path installs."
Source: Based on this Threat Advisory you have provided for this issue.
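The Microsoft note quoted above only applies when Defender is actually disabled, and the OP's environment pushes everything through a 3rd-party patch management tool rather than Windows Update. The following PowerShell script is an added example, not code from the thread, from McAfee or from Microsoft: it checks the WinDefend service state, reports whether MpSigStub.exe is present and which file version it carries (what a scanner such as Nessus would be flagging), and deletes the file only when explicitly asked with -Remove and only while Defender is not running. The service name WinDefend and the path C:\Windows\System32\MpSigStub.exe come from Microsoft's own documentation and the quoted advisory; the switch name, the report-only default and the takeown/icacls ownership step are assumptions of this example.

```powershell
# Added example: verify Defender is inactive, report MpSigStub.exe, optionally remove it.
# Not part of the original thread; the -Remove switch and the ownership step are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports, it changes nothing
)

$stub = Join-Path $env:SystemRoot 'System32\MpSigStub.exe'

# 1. Is Windows Defender actually disabled? Microsoft's guidance to delete the
#    file applies only in that state (e.g. a third-party AV such as ENS is active).
$svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host 'WinDefend service is not present on this system.'
} else {
    Write-Host ("WinDefend status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)
}
$defenderActive = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# 2. Report the stub binary the vulnerability scanner is flagging.
if (-not (Test-Path -LiteralPath $stub)) {
    Write-Host "$stub is not present; nothing to do."
    return
}
$ver = (Get-Item -LiteralPath $stub).VersionInfo.FileVersion
Write-Host "$stub is present, file version $ver"

if (-not $Remove) {
    Write-Host 'Report only. Re-run with -Remove (optionally -WhatIf) to delete the file.'
    return
}

# 3. Refuse to delete while Defender is running: in that state the file is
#    replaced through Microsoft Update/WSUS signature updates, which is the
#    supported path, and deleting it underneath a live service is not what the
#    quoted note describes.
if ($defenderActive) {
    Write-Warning 'WinDefend is running; not removing MpSigStub.exe. Update signatures via Microsoft Update or WSUS instead.'
    return
}

if ($PSCmdlet.ShouldProcess($stub, 'Delete MpSigStub.exe')) {
    # System32 binaries are normally owned by TrustedInstaller, so even an elevated
    # administrator may need to take ownership first (assumption: run elevated).
    & takeown.exe /F $stub | Out-Null
    & icacls.exe $stub /grant '*S-1-5-32-544:F' | Out-Null   # BUILTIN\Administrators
    Remove-Item -LiteralPath $stub -Force
    Write-Host "Removed $stub"
}
```

Run it from an elevated PowerShell session, first without switches to see what the scanner is seeing, then with `-Remove -WhatIf` to preview and `-Remove` to delete. Because it is a plain script with no dependency on the Defender PowerShell module (which is not usable while Defender is disabled), it can be scheduled through the same 3rd-party patch management tool the OP already uses. Note the consequence Microsoft states in the quoted text: if Defender is later re-enabled, the file is restored only by a signature update via Microsoft Update or WSUS, not by mpam-fe.exe.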