Microsoft has released a critical out-of-band security update addressing a vulnerability in the Microsoft Malware Protection Engine. A remote attacker could exploit this vulnerability to take control of an affected system.
Users and administrators are encouraged to review Microsoft Security Advisory 4022344 for details and apply the necessary update.
As of 10.05.2017 the situation has been unclear for some time now, judging by the questions asked in the corporate forums of Symantec and McAfee. People are unsure whether they have to do anything.
Microsoft says so in their FAQ, and we assume they will PATCH this on Patch Day 05/2017:
Is Microsoft releasing a Security Bulletin to address this vulnerability? No. Microsoft is releasing this informational security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.
Typically, no action is required of enterprise administrators or end users to install this update.
Comment Butsch: Yes, but we assume that is only VALID if you have Windows Defender active and NOT disabled?
https://technet.microsoft.com/en-us/library/security/4022344
https://support.microsoft.com/de-ch/help/2510781/microsoft-malware-protection-engine-deployment-information
https://social.technet.microsoft.com/Forums/windowsserver/en-US/a4c83e56-758c-4ace-ba0f-4e1ffdc39514/wsus-and-microsoft-security-advisory-4022344-09052017-windows-leak-in-all-ms-security-products?forum=winserverwsus
https://www.us-cert.gov/ncas/current-activity/2017/05/08/Microsoft-Releases-Critical-Security-Update
Registry value that shows which engine version Windows Defender is currently using (compare it with the fixed version 1.1.13704.0 from the advisory; anything equal or higher is patched):
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion"
Is Windows Defender on or off?
The registry value that reflects this is the DWORD "DisableAntiSpyware", either under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" or, when set by Group Policy, under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender". If this value is "1" then Windows Defender is INACTIVE.
Check if Windows Defender is running?
"C:\Program Files\Windows Defender\MSASCui.exe" opens the Windows Defender user interface, which shows whether protection is on. The engine itself runs as the service "Windows Defender Service" (service name WinDefend, process MsMpEng.exe); if that service is stopped, the engine is not running no matter what the UI shows.
How to check if Windows Defender is running by directory check:
If it is ACTIVE there is a directory called "C:\ProgramData\Microsoft\Windows Defender". Note that this directory also exists on systems where Defender is installed but disabled, so the service state is the more reliable check; what matters is whether the "Definition Updates" subfolder keeps receiving new definition folders.
How to check if you are safe > this file has to be newer than 8.5.2017 to be safe:
"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1F3264AD-BA13-4E95-93D5-DA22838B8633}\mpengine.dll"
The file date is only an indicator (it shows that a definition update arrived after the advisory); the authoritative check is the file version or the EngineVersion registry value, which must be 1.1.13704.0 or higher.
The GUID {1F3264AD-BA13-4E95-93D5-DA22838B8633} changes with every DEF update, so look for the newest GUID folder rather than this exact one.
You can ONLY update the DEF if Windows Defender is running: definition and engine updates are pulled by the Windows Defender service, so a disabled Defender keeps whatever engine version it last had.
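The checks above (EngineVersion in the registry, the mpengine.dll under the changing GUID folder, the DisableAntiSpyware value and the WinDefend service) can be run as one script. The following is an added example written for this page, not code from Microsoft or from the original post. It assumes the inbox Windows Defender paths; for System Center Endpoint Protection, Forefront or Microsoft Security Essentials the registry hive is "HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware" and the definition folder lives under "C:\ProgramData\Microsoft\Microsoft Antimalware" (those alternative paths are an assumption and can be passed as parameters). Run it in an elevated PowerShell; it only reads, never changes anything.

```powershell
# Added example, not part of the advisory or the blog post: report whether the
# Microsoft Malware Protection Engine on this host is at or above the version
# that fixes CVE-2017-0290, and whether it is even able to update itself.
# Works on Windows PowerShell 2.0 (Windows 7) and later.

$FixedVersion = [version]'1.1.13704.0'   # first engine version with the fix (Advisory 4022344)

function Get-MpEngineStatus {
    param(
        # Assumption: inbox Windows Defender locations. Override for SCEP/FEP/MSE.
        [string]$RegistryBase  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
        [string]$DefinitionDir = 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates'
    )

    # 1. Engine version as recorded by the product itself (the value from the blog post).
    $sig = Get-ItemProperty -Path (Join-Path $RegistryBase 'Signature Updates') -ErrorAction SilentlyContinue
    $regVersion = if ($sig -and $sig.EngineVersion) { [version]$sig.EngineVersion } else { $null }

    # 2. Engine version from the DLL on disk. The GUID folder is replaced on every
    #    definition update, so match it with a wildcard and take the newest copy.
    $dll = Get-ChildItem -Path (Join-Path $DefinitionDir '{*}\mpengine.dll') -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $fileVersion = $null
    if ($dll) {
        $vi = $dll.VersionInfo
        $fileVersion = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    # 3. Is the engine running, and is it allowed to run at all?
    $svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $RegistryBase -ErrorAction SilentlyContinue
    $disabled = ($policy.DisableAntiSpyware -eq 1) -or ($local.DisableAntiSpyware -eq 1)
    $running  = ($svc -ne $null) -and ([string]$svc.Status -eq 'Running')

    # The registry value is what the service actually loaded; the file is a cross-check.
    $effective = if ($regVersion) { $regVersion } else { $fileVersion }

    $verdict = if ($null -eq $effective) {
        'UNKNOWN: no engine version found (product not installed, or different paths)'
    } elseif ($effective -ge $FixedVersion) {
        'PATCHED: engine is at or above 1.1.13704.0'
    } elseif ($disabled -or -not $running) {
        'NOT PATCHED and the Windows Defender service is not running: definitions will not update by themselves'
    } else {
        'NOT PATCHED: engine is running, force a definition update or wait for the automatic one'
    }

    New-Object PSObject -Property @{
        EngineVersionRegistry = $regVersion
        EngineVersionFile     = $fileVersion
        EngineFileDate        = if ($dll) { $dll.LastWriteTime } else { $null }
        ServiceStatus         = if ($svc) { [string]$svc.Status } else { 'not installed' }
        DisabledByRegistry    = $disabled
        FixedVersion          = $FixedVersion
        Verdict               = $verdict
    }
}

Get-MpEngineStatus | Format-List
```

If the result is NOT PATCHED but the service is running, "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate triggers the definition (and with it the engine) update immediately instead of waiting the up to 48 hours the advisory mentions. Run the function with the alternative paths on SCEP or MSE hosts; the version comparison is the same there.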
With McAfee:
Environment: McAfee Endpoint Security (ENS) Threat Prevention 10.x
As per the Windows Anti-Malware agreement, McAfee is not supposed to uninstall Windows Defender on Windows systems. We integrate with Windows Action Center (WAC) and when WAC sees that ENS Threat Prevention is installed, it disables Windows Defender.
Perform the following steps to check whether Windows Defender is disabled after installing ENS Threat Prevention:
1.Open the Control Panel and check the status of Windows Defender.
2.Check the status of the Windows Defender services:
- Press CTRL+ALT+DEL, and then select Task Manager.
- Click the Services tab.
- Check the status of the following services:
Windows Defender Network Inspection Service
Windows Defender Service
The Control Panel should show that Windows Defender is disabled and the Windows Defender services should be stopped. If the Windows Defender services are stopped, but the Control Panel is showing that Windows Defender is enabled, it is a system issue.
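The two manual checks from the McAfee steps (service state in Task Manager, product state in Control Panel / Action Center) can be automated, including the inconsistent case the KB calls a "system issue". This is an added example written for this page, not McAfee's or Microsoft's code. It assumes a client SKU: the "root\SecurityCenter2" WMI namespace that Action Center uses does not exist on Windows Server, and on Windows 7 the built-in Defender is an antispyware-only product and is registered under the AntiSpywareProduct class rather than AntiVirusProduct. The decoding of the productState value is the commonly used interpretation of an undocumented field and is marked as an assumption in the code.

```powershell
# Added example, not from the McAfee KB or the blog post: compare what the
# Windows Defender services are doing with what Action Center believes, and
# say whether the state after installing ENS Threat Prevention is consistent.

function Get-DefenderVsThirdPartyState {
    # Services named in the KB steps. WdNisSvc (Network Inspection Service)
    # does not exist on Windows 7, so "not installed" is normal there.
    $services = foreach ($name in 'WinDefend', 'WdNisSvc') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Name   = $name
            Status = if ($s) { [string]$s.Status } else { 'not installed' }
        }
    }

    # Antivirus products registered with Action Center / Security Center.
    # Assumption: productState bits 0x00FF00 = 0x1000 mean real-time protection on,
    # bits 0x0000FF = 0x10 mean definitions out of date (undocumented, widely used).
    $products = @()
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in @($av)) {
        if ($null -eq $p) { continue }
        $state = [int]$p.productState
        $products += New-Object PSObject -Property @{
            DisplayName = $p.displayName
            Enabled     = (($state -band 0x00FF00) -eq 0x1000)
            OutOfDate   = (($state -band 0x0000FF) -eq 0x10)
            RawState    = ('0x{0:X6}' -f $state)
        }
    }

    $defender   = $products | Where-Object { $_.DisplayName -like 'Windows Defender*' }
    $thirdParty = $products | Where-Object { $_.DisplayName -notlike 'Windows Defender*' }
    $winDefend  = $services | Where-Object { $_.Name -eq 'WinDefend' }

    $finding = if (($thirdParty | Measure-Object).Count -eq 0) {
        'No third-party antivirus registered; Windows Defender is expected to be the active engine'
    } elseif ($defender -and $defender.Enabled -and $winDefend.Status -ne 'Running') {
        'Action Center shows Windows Defender enabled but WinDefend is stopped: the inconsistent state the McAfee KB calls a system issue'
    } elseif ($defender -and $defender.Enabled) {
        'Windows Defender still enabled next to a third-party product; expect it to be disabled once ENS Threat Prevention registers'
    } else {
        'Third-party antivirus registered and Windows Defender disabled, as expected after installing ENS Threat Prevention'
    }

    New-Object PSObject -Property @{
        Services = $services
        Products = $products
        Finding  = $finding
    }
}

$r = Get-DefenderVsThirdPartyState
$r.Services | Format-Table Name, Status -AutoSize
$r.Products | Format-Table DisplayName, Enabled, OutOfDate, RawState -AutoSize
$r.Finding
```

A host where Defender is disabled by ENS is not updating its engine, which is exactly the open question raised earlier on this page; combine this output with the engine version check before deciding that such a host needs no action.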
How to enable/select Windows Defender Patches in WSUS 3.X
Microsoft Technet:
Microsoft Security Advisory 4022344, Security Update for Microsoft Malware Protection Engine
Published: May 8, 2017
Executive Summary

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.
The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section for a list of affected products. Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.
Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.
Advisory Details

Issue References
For more information about this issue, see the following references:
References | Identification
Last version of the Microsoft Malware Protection Engine affected by this vulnerability | Version 1.1.13701.0
First version of the Microsoft Malware Protection Engine with this vulnerability addressed | Version 1.1.13704.0 *
*If your version of the Microsoft Malware Protection Engine is equal to or greater than this version, then you are not affected by this vulnerability and do not need to take any further action. For more information on how to verify the engine version number that your software is currently using, see the section, "Verifying Update Installation", in Microsoft Knowledge Base Article 2510781.
Affected Software
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Antimalware Software | Microsoft Malware Protection Engine Remote Code Execution Vulnerability - CVE-2017-0290
Microsoft Forefront Endpoint Protection 2010 | Critical Remote Code Execution
Microsoft Endpoint Protection | Critical Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3 | Critical Remote Code Execution
Microsoft System Center Endpoint Protection | Critical Remote Code Execution
Microsoft Security Essentials | Critical Remote Code Execution
Windows Defender for Windows 7 | Critical Remote Code Execution
Windows Defender for Windows 8.1 | Critical Remote Code Execution
Windows Defender for Windows RT 8.1 | Critical Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703 | Critical Remote Code Execution
Windows Intune Endpoint Protection | Critical Remote Code Execution