Microsoft changes Windows Defender Path on Windows 10


A recent update for Windows Defender to version 4.12.17007.17123 changed the path of the built-in antivirus software on Windows 10 devices.

Microsoft changed the paths of the Windows Defender Antivirus service component MsMpEng.exe and the Network Realtime Inspection service component NisSrv.exe, as well as the path of the Windows Defender Antivirus drivers.

The change affects machines running Windows 10 version 1703 and newer, in the Home, Pro and Enterprise editions.

Microsoft moved the files MsMpEng.exe and NisSrv.exe from %ProgramFiles%\Windows Defender to %ProgramData%\Microsoft\Windows Defender\Platform, and Windows Defender Antivirus drivers from %Windir%\System32\drivers to %Windir%\System32\drivers\wd.


The support page KB4052623 confirms the update, but does not explain why the change was made. Windows 10 Home, Pro and Enterprise, and Windows Server 2016 are affected by the change according to Microsoft.

This article describes an antimalware platform update package for Windows Defender for the following operating systems: Windows 10 (Enterprise, Pro, and Home), Windows Server 2016.

Because of a change in the file path location in the latest update (Antimalware Client Version: 4.12.17007.17123)..

The change did cause issues with Windows 10’s AppLocker functionality, and that is the main reason why Microsoft published the support article.

According to Microsoft’s information, the path change could cause AppLocker to block many downloads on the Windows machine.

The company published a workaround that requires that administrators set the following path in Group Policy: %OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\*

According to Microsoft, the update may cause another rare issue on systems on which Windows Defender Advanced Threat Protection runs together with Windows Defender Antivirus. Such systems may be put into “passive mode” during installation of the update, which disables real-time protection.


Administrators need to delete the PassiveMode value in the Windows Registry under HKLM\SOFTWARE\Microsoft\Windows Defender to resolve the issue. Microsoft notes that it may be necessary to take ownership of the Windows Defender subkey, and to enable full access to the user account to do so.
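The checks described above, collected as an added PowerShell example (not from the original article or from Microsoft): it reports where the two services load from, whether the effective AppLocker policy has a path rule for the new Platform folder, and whether the PassiveMode value is present. The service names WinDefend and WdNisSvc are assumptions not stated in the article; the script only reads state and changes nothing.

```powershell
# Added example: read-only audit. Run from an elevated PowerShell prompt.
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
$oldRoot      = Join-Path $env:ProgramFiles 'Windows Defender'

# 1. Resolve the binaries behind the two services named in the article.
#    Assumption: WinDefend hosts MsMpEng.exe and WdNisSvc hosts NisSrv.exe.
$binaries = foreach ($name in 'WinDefend', 'WdNisSvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "Service $name not found"; continue }
    # PathName can be quoted and carry arguments; keep only the .exe path.
    $exe = if ($svc.PathName -match '^"?(.+?\.exe)') { $Matches[1] } else { $null }
    $location = if ($exe -like "$platformRoot\*") { 'new (Platform)' }
        elseif ($exe -like "$oldRoot\*") { 'old (Program Files)' }
        else { 'unexpected' }
    [pscustomobject]@{ Service = $name; Path = $exe; Location = $location }
}
$binaries | Format-Table -AutoSize

# 2. Does the effective AppLocker policy contain a path rule for the new folder?
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$hits = $policy.SelectNodes('//FilePathCondition') |
    Where-Object { $_.GetAttribute('Path') -like '*\Microsoft\Windows Defender\Platform\*' }
foreach ($condition in $hits) {
    $rule = $condition.ParentNode.ParentNode   # FilePathCondition -> Conditions -> FilePathRule
    '{0} rule "{1}" -> {2}' -f $rule.GetAttribute('Action'),
        $rule.GetAttribute('Name'), $condition.GetAttribute('Path')
}
if (-not $hits) { 'No AppLocker path rule references the Defender Platform folder.' }

# 3. PassiveMode registry value and the resulting real-time protection state.
$key     = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$passive = Get-ItemProperty -Path $key -Name PassiveMode -ErrorAction SilentlyContinue
if ($passive) { "PassiveMode is set (data: $($passive.PassiveMode))" }
else { 'PassiveMode value not present.' }
Get-MpComputerStatus | Format-List AMProductVersion, RealTimeProtectionEnabled

# 4. Drivers expected in the new wd subfolder.
Get-ChildItem -Path (Join-Path $env:windir 'System32\drivers\wd') -Filter *.sys `
    -ErrorAction SilentlyContinue | Format-Table Name, LastWriteTime -AutoSize
```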

The following table lists the affected components, and their old and new storage locations.

| Component | Old location | New location |
|---|---|---|
| Windows Defender Antivirus service (MsMpEng.exe), Network Realtime Inspection service (NisSrv.exe) | %ProgramFiles%\Windows Defender | %ProgramData%\Microsoft\Windows Defender\Platform\<Version> |
| Windows Defender Antivirus drivers | %Windir%\System32\drivers | %Windir%\System32\drivers\wd |

Closing Words

It is unclear at this point in time why Microsoft made the Windows Defender path changes in the first place. (via Deskmodder)