Q&A Manually Deleting the Protection History in Microsoft Defender in Windows 11

HarborFront

Thread author
To manually clear your Windows Defender Protection History you simply need to delete the “Service” folder under the Windows Defender directory on your PC.

  • Press Windows key + R to open the Run window.
  • In the Run window, copy and paste the path below in the Open input field then press the Enter key or click “OK”.
    • If prompted for folder permission, just click “Continue”.
C:\ProgramData\Microsoft\Windows Defender\Scans\History

  • Right-click on the Service folder, select Delete.

Restart Windows Security Protection

You need to either restart your PC or simply restart Windows Defender. Either way will officially clear the Windows Security Protection History from your Windows 11 PC. Follow the directions below to restart Windows Defender and clear the Protection History without restarting your PC.

  • Right-click on the Start button (Windows logo) down at the bottom left of your screen and select “Settings” from the pop-up menu.
  • Click on “Privacy & security” from the vertical menu on the left then click on “Windows Security” at the top right.
  • Click on “Virus & threat protection”, under “Protection areas”.
  • Under “Virus & threat protection settings” click the “Manage settings” link.
  • Toggle the Real-time protection button Off then back On which will restart Windows Defender.
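The steps above as a script, added here as an example rather than anything from HarborFront's post. It assumes an elevated PowerShell session and uses the folder path given in the post; because the History\Service folder is the Security Center's record of past detections, it archives a copy first (the backup location is an assumed path under the user's profile). The restart afterwards is still done with the Real-time protection toggle described in the post.

```powershell
# Added example (not from the thread): scripted equivalent of the manual steps above.
# Assumes an elevated PowerShell session. The history path is the one given in the post;
# the archive location is an assumption, chosen so a copy survives the deletion.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ArchiveDir = (Join-Path $env:USERPROFILE 'DefenderHistoryBackup')
)

$serviceDir = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History\Service'

if (-not (Test-Path -LiteralPath $serviceDir)) {
    Write-Host "Nothing to clear: $serviceDir does not exist."
    return
}

# Show what is about to go, so an unexpected count can be questioned before deletion.
$files = @(Get-ChildItem -LiteralPath $serviceDir -Recurse -Force -File)
Write-Host ("{0} file(s) under {1}" -f $files.Count, $serviceDir)

# Keep a copy: once the folder is gone, the Security Center history cannot be recovered.
if ($files.Count -gt 0 -and $PSCmdlet.ShouldProcess($serviceDir, 'Archive history folder')) {
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $zip = Join-Path $ArchiveDir ('History-Service-{0:yyyyMMdd-HHmmss}.zip' -f (Get-Date))
    Compress-Archive -Path (Join-Path $serviceDir '*') -DestinationPath $zip -Force
    Write-Host "Archived to $zip"
}

if ($PSCmdlet.ShouldProcess($serviceDir, 'Delete Protection History folder')) {
    Remove-Item -LiteralPath $serviceDir -Recurse -Force
    Write-Host 'Deleted. Toggle Real-time protection Off and On (or reboot) so Defender reloads an empty history.'
}
```

Run it once with -WhatIf to see both the archive and the delete step without changing anything; the archive is what you will want if a cleared detection later needs to be explained.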


Andy Ful

From Hard_Configurator Tools
This will work only for standard detections. All detections related to advanced settings (like ASR rules, etc.) cannot be cleared in this way.

One has to additionally delete the file:
C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db

Unfortunately, this requires the TrustedInstaller privilege to stop the windefend service. One has to use AdvancedRun, Defender Control, etc., to do this. See for example:
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-954124

ForgottenSeer 94654

(quoting HarborFront's post above)

Microsoft Defender Protection History is a work-in-progress (as is Controlled Folder Access). If you are searching for perfection of operation, next to no user involvement, then you might want to look elsewhere. I have a huge number of block events that would drive users insane here, but since nothing is broken I just ignore all of it.

@Andy Ful thoughts?

Andy Ful

Defender stores detection/block events in two different ways:
  1. Protection history - available via Security Center
  2. Event Log - available via 'ProviderName'='Microsoft-Windows-Windows Defender'
The second way is used in ConfigureDefender to see the detected/blocked events - it can be easily maintained and cleared. It is displayed in Notepad, so one can easily use the Search feature and edit the content - good for analysis.

An example of the output from ConfigureDefender:

Code:
*************************************************************************
*************************************************************************

Event[0]:
Time Created  : 25.03.2022 12:55:08
ProviderName : Microsoft-Windows-Windows Defender
Id           : 5001
Message      : Skanowanie będące częścią ochrony w czasie rzeczywistym produktu Program antywirusowy Microsoft Defender w poszukiwaniu złośliwego kodu oraz innego niechcianego oprogramowania zostało wyłączone.

*************************************************************************
*************************************************************************

Event[1]:
Time Created  : 25.03.2022 12:54:51
ProviderName : Microsoft-Windows-Windows Defender
Id           : 1116
Message      : Produkt Program antywirusowy Microsoft Defender wykrył złośliwe oprogramowanie lub inne potencjalnie niechciane oprogramowanie.
                Aby uzyskać więcej informacji, zobacz:
               https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:O97M/Sadoca.C!ml&threatid=2147750313&enterprise=0
                    Nazwa: Trojan:O97M/Sadoca.C!ml
                    Identyfikator: 2147750313
                    Ważność: Poważny
                    Kategoria: Koń trojański
                    Ścieżka: file:_C:\test\PwerShellSu.doc
                    Pochodzenie wykrycia: Komputer lokalny
                    Typ wykrycia: FastPath
                    Źródło wykrycia: Ochrona w czasie rzeczywistym
                    Użytkownik: XX-YY\Tester
                    Nazwa procesu: C:\Windows\explorer.exe
                    Wersja analizy zabezpieczeń: AV: 1.361.642.0, AS: 1.361.642.0, NIS: 1.361.642.0
                    Wersja aparatu: AM: 1.1.19000.8, NIS: 1.1.19000.8

*************************************************************************
*************************************************************************

Event[2]:
Time Created  : 24.03.2022 19:47:01
ProviderName : Microsoft-Windows-Windows Defender
Id           : 5001
Message      : Skanowanie będące częścią ochrony w czasie rzeczywistym produktu Program antywirusowy Microsoft Defender w poszukiwaniu złośliwego kodu oraz innego niechcianego oprogramowania zostało wyłączone.

*************************************************************************
*************************************************************************

Event[3]:
Time Created  : 24.03.2022 17:41:20
ProviderName : Microsoft-Windows-Windows Defender
Id           : 1116
Message      : Produkt Program antywirusowy Microsoft Defender wykrył złośliwe oprogramowanie lub inne potencjalnie niechciane oprogramowanie.
                Aby uzyskać więcej informacji, zobacz:
               https://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:O97M/Instabus.YA!MTB&threatid=2147733551&enterprise=0
                    Nazwa: TrojanDownloader:O97M/Instabus.YA!MTB
                    Identyfikator: 2147733551
                    Ważność: Poważny
                    Kategoria: Koń trojański pobierający inne programy
                    Ścieżka: file:_C:\Users\Tester\Downloads\98e4695eb06b12221f09956c4ee465ca5b50f20c0a5dc0550cad02d1d7131526; webfile:_D:\Users\Admin\Downloads\98e4695eb06b12221f09956c4ee465ca5b50f20c0a5dc0550cad02d1d7131526|https://raw.githubusercontent.com/InQuest/malware-samples/master/2019-01-15-Ma
               l-Excel-Doc-Macrosheet/98e4695eb06b12221f09956c4ee465ca5b50f20c0a5dc0550cad02d1d7131526|pid:8436,ProcessStart:132926136800978443
                    Pochodzenie wykrycia: Internet
                    Typ wykrycia: Konkretne
                    Źródło wykrycia: Pobrania i załączniki
                    Użytkownik: XX-YY\Tester
                    Nazwa procesu: Unknown
                    Wersja analizy zabezpieczeń: AV: 1.361.529.0, AS: 1.361.529.0, NIS: 1.361.529.0
                    Wersja aparatu: AM: 1.1.19000.8, NIS: 1.1.19000.8

*************************************************************************
*************************************************************************


How to clear events:

[attached screenshot]

The "Protection history" from Security Center is for Defender free on default settings. It is not the greatest usability achievement you could hope for. :)
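A PowerShell script, added here as an example and not ConfigureDefender's own code, that reads the detection and real-time-protection state events from the provider Andy Ful names and prints them in a similar per-event layout. It assumes the standard 'Microsoft-Windows-Windows Defender/Operational' log, Microsoft's documented event IDs 1116/1117 (detection, action taken) and 5000/5001 (real-time protection enabled/disabled), and the named EventData fields ('Threat Name', 'Path', 'Process Name', 'Detection User') that Defender writes into the event XML. Reading those fields matters because they are not localized, whereas the Message text in the sample output above is.

```powershell
# Added example, not ConfigureDefender's own code: read Defender detection and
# real-time-protection state events from the Event Log provider named in the post and
# print them per event, plus language-independent fields pulled from the event XML.
# Assumptions: the standard 'Microsoft-Windows-Windows Defender/Operational' log, the
# documented IDs 1116/1117 (detection, action taken) and 5000/5001 (RTP enabled/disabled),
# and the EventData names 'Threat Name', 'Path', 'Process Name', 'Detection User'.
param(
    [int]$Days = 7,
    [int[]]$Ids = @(1116, 1117, 5000, 5001),
    [string]$CsvPath                          # optional: keep a copy for later analysis
)

$filter = @{
    LogName      = 'Microsoft-Windows-Windows Defender/Operational'
    ProviderName = 'Microsoft-Windows-Windows Defender'
    Id           = $Ids
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No matching Defender events in the last $Days day(s)."
    return
}

# Named EventData fields do not change with the UI language, unlike $ev.Message,
# which is why the sample output above is in Polish while these names are not.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.GetAttribute('Name') -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

$rows = @()
$i = 0
foreach ($ev in $events) {
    '*' * 73
    "Event[$i]:"
    'Time Created : {0:dd.MM.yyyy HH:mm:ss}' -f $ev.TimeCreated
    "ProviderName : $($ev.ProviderName)"
    "Id           : $($ev.Id)"
    "Message      : $($ev.Message)"
    ''

    $row = [pscustomobject]@{
        Time = $ev.TimeCreated; Id = $ev.Id
        Threat = $null; Path = $null; Process = $null; User = $null
    }
    if ($ev.Id -in @(1116, 1117)) {
        $row.Threat  = Get-EventField $ev 'Threat Name'
        $row.Path    = Get-EventField $ev 'Path'
        $row.Process = Get-EventField $ev 'Process Name'
        $row.User    = Get-EventField $ev 'Detection User'
    }
    $rows += $row
    $i++
}

if ($CsvPath) { $rows | Export-Csv -LiteralPath $CsvPath -NoTypeInformation -Encoding UTF8 }
# Summary table of the detections only, without the localized message text.
$rows | Where-Object Threat | Format-Table Time, Id, Threat, Path, Process, User -AutoSize
```

Saved as, say, Get-DefenderEvents.ps1 (a hypothetical name), it is run as .\Get-DefenderEvents.ps1 -Days 30 -CsvPath .\defender-events.csv; the CSV is the copy worth keeping before the Event Log or the Protection History is cleared, since it survives both.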