Advice Request Microsoft Defender detects the file as malicious but does not remove it.

Please provide comments and solutions that are helpful to the author of this topic.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
Several users reported the issue with Defender and downloaded files (lastly by @YuanJiawj). Defender can detect the file as malicious, and on some computers the file is automatically removed but on others it is not. Furthermore, if the user chooses the option to take action, Defender tries to remove/quarantine the file but it takes a long time or the action fails.
Did you encounter such a problem in the past? If so then post here to discuss the issue.(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
From my experience with malicious downloads, Defender works differently with Edge (Chrome) and Firefox.

When I download a malicious file via Edge, the download is usually blocked by SmartScreen. If the file is not checked by SmartScreen (usually an archive), then after the download Defender shows an alert about the detected threat.

The same file but downloaded by Firefox (especially files in archives) does not trigger any alert from Defender (the file is not scanned). It is detected on execution or when it is directly accessed. Next, Defender usually asks about what action should be taken. In some cases, the remediation can take a few minutes. In my case, it never happened that Defender failed to quarantine or remove the downloaded file after it was detected and the action was chosen.

Another situation can happen when Defender detects the file which is actually used by another process (legal or malicious). In this case, the file cannot be removed until the calling process is active. This can also happen when alongside Defender another real-time protection is installed in the system.
 
Last edited:

Antimalware18

Level 11
Verified
Top Poster
Well-known
Jan 17, 2014
503
It was one of the issues that stopped me from using defender in the past (im using it now with DefenderUI) when testing any file (including EICAR) that was malicious defender would either Alert to the file, and not remove it and I would have to manually choose for defender to remove it and in some of the cases the second problem would come into effect, it would say it had been removed but file was still in Download folder with all its data (seen by viewing properties of the file)

DefenderUI has seemed to remedy that on my machine atleast. now when a file is detected it will be removed promptly.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,861
I had this issue again yesterday. The file was downloaded by Firefox and wasn't detected initially. But when I entered the Downloads folder, the file was accessed and detected by Defender. Defender took a while to remove it and according to its UI, the file was quarantined. But in reality, the file was still there. Every time I entered the folder, the same thing was repeating every time. Restarted the system, but still the same.
As I previously mentioned in the Configure Defender thread, disabling Windows Defender Sandbox fixes this issue for me (on Windows 11). So yesterday I disabled the Defender sandbox, restarted the system and this time Defender quarantined the file accurately.
Weird solution of a weird issue.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
It was one of the issues that stopped me from using defender in the past (im using it now with DefenderUI) when testing any file (including EICAR) that was malicious defender would either Alert to the file, and not remove it and I would have to manually choose for defender to remove it and in some of the cases the second problem would come into effect, it would say it had been removed but file was still in Download folder with all its data (seen by viewing properties of the file)

DefenderUI has seemed to remedy that on my machine atleast. now when a file is detected it will be removed promptly.

It is probable that you have non-default settings related to Defender actions. Normally the threats that are detected as severe are managed by Defender automatically. When I download the Eicar sample from https://secure.eicar.org/eicar.com, then it is initially blocked by SmartScreen. After choosing to keep it anyway it is downloaded but automatically removed by Defender. I do not use DefenderUI, so maybe it restored the default Defender's actions on your computer.
Did you use Edge, Chrome, or another web browser when this issue occurred?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
I had this issue again yesterday. The file was downloaded by Firefox and wasn't detected initially. But when I entered the Downloads folder, the file was accessed and detected by Defender. Defender took a while to remove it and according to its UI, the file was quarantined. But in reality, the file was still there. Every time I entered the folder, the same thing was repeating every time. Restarted the system, but still the same.
As I previously mentioned in the Configure Defender thread, disabling Windows Defender Sandbox fixes this issue for me (on Windows 11). So yesterday I disabled the Defender sandbox, restarted the system and this time Defender quarantined the file accurately.
Weird solution of a weird issue.
Interesting, I did not think about this possibility. I will try this on my computer, too.(y)
Is this issue present when using Edge?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
When using Edge (keep anyway) and Defender the default actions are as follows:
  • eicar.com - Defender detects download and the file is removed.
  • eicar.com.txt - SmartScreen in Edge blocks malicious website (red alert) - when choosing "More information >> Continue to the unsafe site (not recommended)", we can see the Eicar content.
  • eicar_com.zip - Defender detects download and the file is removed.
  • eicarcom2.zip - SmartScreen does not block download, but Defender detects download, and the file is removed.
After finishing the download, Edge shows an info 'Couldn't download - Virus detected'.
 
Last edited:

Antimalware18

Level 11
Verified
Top Poster
Well-known
Jan 17, 2014
503
It is probable that you have non-default settings related to Defender actions. Normally the threats that are detected as severe are managed by Defender automatically. When I download the Eicar sample from https://secure.eicar.org/eicar.com, then it is initially blocked by SmartScreen. After choosing to keep it anyway it is downloaded but automatically removed by Defender. I do not use DefenderUI, so maybe it restored the default Defender's actions on your computer.
Did you use Edge, Chrome, or another web browser when this issue occurred?
It's happened on my machine when using either Firefox or edge. I wasn't using WD when I was using Vivaldi so I can't say on that.

As for the actions chosen I. DefenderUI they are set to "remove" I should t note that for some reason my DrfenderUI doesn't give me the option to change this setting for any of the catagories.
 

YuanJiawj

Level 12
Verified
Top Poster
Well-known
Oct 9, 2014
583
We were using Firefox with WD, my friend uses this browser so we've downloaded that file via Firefox.
We have re-downloaded the file via Edge, Defender (Smartscreen on Edge doesn't detect that file like malicious) takes actions (delete file) and now everything is ok.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
With activated Defender Sandbox and downloading via Edge (SmartScreen OFF), files are also automatically deleted by Defender, but:
  • eicar.com - no difference
  • eicar.com.txt - shows the website with Eicar content, because I turned OFF SmartScreen.
  • eicar_com.zip - Defender Protection History shows the event that the threat is active and has not been eliminated.
  • eicarcom2.zip - Defender Protection History shows the event that the threat is active and has not been eliminated.
So, it seems that Defender Sandbox can have an impact on Defender events. Defender complains and thinks that the threat cannot be removed, but the file is removed anyway (on my computer with Edge).
I am going to test it with Firefox.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
When using Defender (with Sandbox) + Firefox, all three files (eicar.com, eicar_com.zip, eicarcom2.zip) can be downloaded without Defender's alerts. When any of these files is directly accessed then Defender shows an alert, but does not take automatic actions. The user can choose what to do with the file. After about one minute, the file is automatically deleted anyway.(y)
 

YuanJiawj

Level 12
Verified
Top Poster
Well-known
Oct 9, 2014
583
When using Defender (with Sandbox) + Firefox, all three files (eicar.com, eicar_com.zip, eicarcom2.zip) can be downloaded without Defender's alerts. When any of these files is directly accessed then Defender shows an alert, but does not take automatic actions. The user can choose what to do with the file. After about one minute, the file is automatically deleted anyway.(y)
have you tried with file posted on my post?
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,582
Same worries here.
On Opera and Edge, the file is directly deleted.

On the other hand via Firefox or IDM, Defender takes time, and it happens that from time to time, the deletion is not done...

But I have even more serious problems! It happened to me that Defender does not react at all ! (on Opera and Firefox), on the other hand, when scanning or running, Defender puts its alert and removes the threat... (tested on a FormBook infection)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
have you tried with file posted on my post?

Yes. When I tried to open it with 7-Zip, Defender showed the alert. I clicked the alert and Defender let me choose what to do. I did not make a choice and the file was quarantined soon. Defender chooses default action (which can be: remove, quarantine, or do nothing).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
...
But I have even more serious problems! It happened to me that Defender does not react at all ! (on Opera and Firefox), on the other hand, when scanning or running, Defender puts its alert and removes the threat... (tested on a FormBook infection)
That is normal for Firefox (did not test Opera). Defender does not automatically check files downloaded by Firefox. (y)
If the file is an executable, then after manually opening the Download folder it should be checked via Defenders "Block At First Sight", but it seems that this does not work flawlessly. In Edge, the "Block At First Sight" is triggered automatically.

Post edited.
"Block AT First Sight" sometimes works for files downloaded by Firefox and sometimes not.
 
Last edited:

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,582
That is normal for Firefox (did not test Opera). Defender does not automatically check files downloaded by Firefox. (y)
If the file is an executable, then after manually opening the Download folder it will be checked via Defenders "Block At First Sight". In Edge, the "Block At First Sight" is triggered automatically.

On Opera it is very rare that it doesn't react at all (I had this problem once, the rest of the time it reacts during the download)

For Firefox, thanks for the explanation :)
 

Gandalf_The_Grey

Level 82
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,189
When using Defender (with Sandbox) + Firefox, all three files (eicar.com, eicar_com.zip, eicarcom2.zip) can be downloaded without Defender's alerts. When any of these files is directly accessed then Defender shows an alert, but does not take automatic actions. The user can choose what to do with the file. After about one minute, the file is automatically deleted anyway.(y)
So, that's probably the reason we don't hear nothing anymore about sandboxing Microsoft Defender (y)
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,861
Interesting, I did not think about this possibility. I will try this on my computer, too.(y)
Is this issue present when using Edge?
As you have tested already, it's not an issue when Edge is used. But when I had this incident a couple of times before, once or twice, it was probably when I extracted a malicious file from a zip using 7zip. I don't remember TBH, so I could be wrong.
Since we are talking about the MS Defender's removal, sometimes Defender is able to detect and remove password protected malicious zip file. Only happened with Edge probably. For example, files from anyrun. It doesn't happen most of the time but has happened for me a few times. Any idea why this happens? How it's able to detected password-protected zip files?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
...
Since we are talking about the MS Defender's removal, sometimes Defender is able to detect and remove password protected malicious zip file. Only happened with Edge probably. For example, files from anyrun. It doesn't happen most of the time but has happened for me a few times. Any idea why this happens? How it's able to detected password-protected zip files?
It is possible if Defender has got a signature of this password-protected archive.
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,483
This happens to me on a regular basis. Most files that are detected aren't automatically deleted (with a few exceptions), and those which require manual interaction, just take forever to load the action and end up doing nothing at all. I think this is a variation of one of the main issues Windows Defenders always had, which is problems when dealing with threats.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top