Latest Defender update deletes certain source code and exe files

by Alexandru Poloboc
News Editor
  • Windows 10 users are not at all pleased with the actions triggered by the latest Windows Defender update.
  • Apparently, following the July 2021 update, Microsoft's built-in security tool starts deleting certain source code and exe files.
  • Windows Defender flagged a copy of the popular DeCSS DVD encryption software as a Trojan and quarantined it, deleting it after another 60 seconds.
  • Other antivirus software such as Kaspersky finds absolutely no threat, while on VirusTotal, 32 out of 72 engines also misidentify this as malicious.

Throughout this article, we will discuss an issue that has Windows 10 users on tenterhooks because it’s messing with some of their stored files.

How many of you remember what DeCSS is?

If you don’t, let us refresh your memory: DeCSS is one of the first free computer programs capable of decrypting content on a commercially produced DVD video disc.

Before the release of DeCSS, open-source operating systems, such as BSD and Linux, could not play encrypted video DVDs.

The above-mentioned issue is directly related to this type of software, as reported by a Reddit user who figured out exactly what’s happening.

Windows Defender update erases some Windows 10 user files

Reddit user architecture13 first noticed something was off when he wanted to check on his archived copy of both the source code and compiled .exe for DeCSS.

This happened, as we said, on Windows 10, OS build 19043.1110, version 21H1, installed on 6/10/2020.

Little did he know that the latest update applied to the Windows Defender tool would cost him part of this stored data.

The Windows Defender definitions daily update flagged a copy of the popular DeCSS DVD encryption software as a Trojan and immediately placed it into quarantine, deleting it after another 60 seconds.

According to architecture13, the protection tool picks up the software as the Glupteba!ml Trojan, marking it as a severe threat.

As a side note, Windows Defender is also misdiagnosing XFX Keygen programs from the mid-2000s as high threats, labeling them as potential ransomware.

It seems that the new strict parameters that Microsoft implemented for its trademark security software are not tolerant of old cracked software and take swift action against these so-called threats.

As you can already imagine, such a topic has sparked endless debate across social media platforms and forums alike, where many other users shared the fact that they have experienced similar incidents.

At my workplace, we had an incident where an antivirus broke a program that was being used for monitoring industrial control systems. The industrial control system’s safety logic went “NOPE” upon loss of monitoring and shut down everything.

Granted, the vendor’s poor programming practices such as not digitally signing the program didn’t help, but the only way we could avoid that from happening again was to whitelist specific files.

If Windows Defender started yeeting our stuff and gave the middle finger to our exemption list, I can assure you that management would have engineers’ heads on pikes if we told them “we’re waiting on Microsoft to fix their antivirus first before restarting the production line”.

As a comparison, other antivirus software such as Kaspersky finds absolutely no threat. However, on VirusTotal, 32 out of 72 engines also misidentify this as malicious.

You can also have a quick look at the log file:

MpCmdRun: Command Line: mpcmdrun  -restore -all
 Start Time: ‎Tue ‎Jul ‎20 ‎2021 20:10:48

MpEnsureProcessMitigationPolicy: hr = 0x1
ERROR: MpQuarantineRequest failed: name: HackTool:Win32/Keygen!MSR, GUID: {8003F52C-0000-0000-33A7-F7F5B974DFEF} (80508014)
ERROR: QuarantineRestore failed (80508014)
ERROR: MpQuarantineRequest failed: name: HackTool:Win32/Keygen!MSR, GUID: {8003F52C-0000-0000-B7CE-870973926357} (80508014)
ERROR: QuarantineRestore failed (80508014)
ERROR: MpQuarantineRequest failed: name: Trojan:Win32/Glupteba!ml, GUID: {80040956-0000-0000-D48C-06A3EB93B95A} (80508014)
ERROR: QuarantineRestore failed (80508014)
MpCmdRun.exe: hr = 0x80508014.
MpCmdRun: End Time: ‎Tue ‎Jul ‎20 ‎2021 20:10:48
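
For triage, the failed restore entries in a log like the one above can be grouped per detection name. The Python below is an added example, not part of the original article or of any Microsoft tooling; the function names are hypothetical and the line formats are assumed from this excerpt only.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt on this page (timestamp lines omitted).
SAMPLE_LOG = """\
MpCmdRun: Command Line: mpcmdrun  -restore -all
MpEnsureProcessMitigationPolicy: hr = 0x1
ERROR: MpQuarantineRequest failed: name: HackTool:Win32/Keygen!MSR, GUID: {8003F52C-0000-0000-33A7-F7F5B974DFEF} (80508014)
ERROR: QuarantineRestore failed (80508014)
ERROR: MpQuarantineRequest failed: name: HackTool:Win32/Keygen!MSR, GUID: {8003F52C-0000-0000-B7CE-870973926357} (80508014)
ERROR: QuarantineRestore failed (80508014)
ERROR: MpQuarantineRequest failed: name: Trojan:Win32/Glupteba!ml, GUID: {80040956-0000-0000-D48C-06A3EB93B95A} (80508014)
ERROR: QuarantineRestore failed (80508014)
MpCmdRun.exe: hr = 0x80508014.
"""

REQUEST_FAILED = re.compile(
    r"^ERROR: MpQuarantineRequest failed: name: (?P<name>.+?), "
    r"GUID: (?P<guid>\{[0-9A-Fa-f-]{36}\}) \((?P<code>[0-9A-Fa-f]{8})\)$"
)
FINAL_HR = re.compile(r"^MpCmdRun\.exe: hr = 0x(?P<code>[0-9A-Fa-f]+)\.?$")


def parse_restore_failures(text):
    """Return (failures, final_hr) parsed from MpCmdRun restore output."""
    failures, final_hr = [], None
    for raw in text.splitlines():
        line = raw.replace("\u200e", "").strip()  # drop left-to-right marks
        m = REQUEST_FAILED.match(line)
        if m:
            failures.append(m.groupdict())
        elif (m := FINAL_HR.match(line)):
            final_hr = m.group("code").upper()
    return failures, final_hr


def group_by_detection(failures):
    """Map each detection name to the quarantine GUIDs that were not restored."""
    grouped = defaultdict(list)
    for f in failures:
        grouped[f["name"]].append(f["guid"])
    return dict(grouped)


if __name__ == "__main__":
    failures, hr = parse_restore_failures(SAMPLE_LOG)
    for name, guids in group_by_detection(failures).items():
        print(f"{name}: {len(guids)} item(s) not restored: {', '.join(guids)}")
    print(f"overall hr: 0x{hr}")
```
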

The best advice anyone could give you, in this case, is to create a backup of this old software, on the off chance you want to use it again, as the operating system will surely delete it.

It is also important to stay informed and to know how to react when Windows Defender deletes your files.

Have you also experienced similar issues with Microsoft’s built-in security tool? Let us know in the comments section below.