Solved.

VirTool:Win32/DefenderTamperingRestore

I was running MSERT to address another Windows 10 issue and the tool fished out the following file VirTool:Win32/DefenderTamperingRestore (malware/Trojan??).  Not sure for how long this file has been on my computer and what personal/secure information has been compromised. 

I read that Windows Defender is able to detect and remove this type of malware/Trojan.  Ironically, installing Norton disables Windows Defender and in the process may be putting our information at risk.  

I have been a long-time Norton user, but after this incident, I am beginning to be suspicious of the protection provided.

Just wondering why Norton 360 (for which one spends $$s) failed to detect this.  Also, why is Norton not doing anything about it?

Answers needed!! 

Replies

Accepted Solution

Re: VirTool:Win32/DefenderTamperingRestore

Did you run Quick or Full scan with fresh Microsoft Safety Scanner download from <here>?  


VirTool:Win32/DefenderTamperingRestore

Detected with Windows Defender Antivirus
Aliases: No associated aliases

Summary
This detection is for suboptimal configurations that may prevent Windows Defender Antivirus from functioning properly.

If you see this detection, a suboptimal configuration was detected, and Windows Defender Antivirus will auto-heal by automatically resetting to more secure configurations.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:Win32/DefenderTamperingRestore&ThreatID=2147741622
by my read - your Microsoft Safety Scanner run reported - Windows Defender real time is disabled - 


Generally speaking, when a third-party antivirus program like Bitdefender, Norton, etc. is installed on a Win 8.x or Win 10 computer it will deactivate Windows Defender's real-time protection; if that third-party antivirus is uninstalled then Windows Defender will be automatically re-activated to ensure your computer remains protected.  I don't know for certain, but it's possible that the Tamper Protection feature of Windows Defender is disabled (i.e., HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features is reset to 0) each time you install a different antivirus program, causing the Microsoft Security Scanner (or your re-enabled Windows Defender antivirus) to throw another Win32/DefenderTamperingRestore detection and turn Windows Defender Tamper Protection back on. 

https://community.norton.com/en/forums/do-all-paid-norton-security-products-detect-remove-block-virtoolwin32defendertamperingrestore


Re: VirTool:Win32/DefenderTamperingRestore

My W10 Home 1909 - Microsoft Safety Scanner Quick scan -


Re: VirTool:Win32/DefenderTamperingRestore

Microsoft enables Tamper Protection on Windows 10 for all Home users

Microsoft unveiled a new security feature called Tamper Protection for the company's Windows Defender Antivirus solution in December 2018.

Tamper Protection, as the name suggests, protects certain security features from tampering. One of the barriers that Tamper Protection puts in place around security features blocks manipulations of setting changes that are made outside of the official Settings application.

Attackers may attempt to disable real-time protections or certain security features and Tamper Protection was designed to prevent these changes from being made successfully.

[...]

Tip: You may also enable the feature in the Registry. Open the Registry Editor on the system and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features. Locate the TamperProtection setting there and set it to 4 (off) or 5 (on). Note that you need to restart the system or log off and on again before the change takes effect.

https://www.ghacks.net/2019/10/14/microsoft-enables-tamper-protection-on-windows-10-for-all-home-users/
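
A read-only check of the state the replies above describe, added here as an example and not part of the original thread or any vendor's code: it reads the TamperProtection value quoted from the ghacks tip, asks Defender for its own status, and lists the antivirus products registered with Windows Security Center. It assumes an elevated PowerShell session on a Windows 10 client and that any product whose display name lacks "Defender" is third-party.

```powershell
# Read-only triage after a VirTool:Win32/DefenderTamperingRestore report.
# Changes nothing on the system.

$featuresKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

# Registry value named in the thread: 4 = off, 5 = on (per the quoted tip).
$tpRaw = (Get-ItemProperty -Path $featuresKey -Name TamperProtection `
          -ErrorAction SilentlyContinue).TamperProtection
if     ($null -eq $tpRaw) { $tpText = 'value not present' }
elseif ($tpRaw -eq 5)     { $tpText = 'on (5)' }
elseif ($tpRaw -eq 4)     { $tpText = 'off (4)' }
else                      { $tpText = "other value ($tpRaw), not covered by the thread" }

# Defender's own view of its state; the call can fail when Defender is not running.
try   { $mp = Get-MpComputerStatus -ErrorAction Stop }
catch { $mp = $null }

# Antivirus products registered with Windows Security Center (client editions only).
$avNames = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty displayName)
# Assumption: a display name without "Defender" is a third-party product.
$thirdParty = @($avNames | Where-Object { $_ -notmatch 'Defender' })

[pscustomobject]@{
    TamperProtectionRegistry = $tpText
    IsTamperProtected        = if ($mp) { $mp.IsTamperProtected } else { 'unavailable' }
    RealTimeProtection       = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unavailable' }
    DefenderRunningMode      = if ($mp) { $mp.AMRunningMode } else { 'unavailable' }
    RegisteredAntivirus      = $avNames -join ', '
} | Format-List

$realTimeOff = (-not $mp) -or (-not $mp.RealTimeProtectionEnabled)
if ($realTimeOff -and $thirdParty.Count -gt 0) {
    "Defender real-time protection is off while '$($thirdParty -join ', ')' is registered, " +
    'which matches the third-party antivirus behaviour described in the thread.'
} elseif ($realTimeOff) {
    'Defender real-time protection is off and no third-party antivirus is registered; ' +
    'review this configuration.'
} else {
    'Defender real-time protection is on.'
}
```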



Re: VirTool:Win32/DefenderTamperingRestore

Thank you. Makes sense. But quite ironic again in that their own Tamper Protection is recognized and removed as malware by their own scanner tool!

Re: VirTool:Win32/DefenderTamperingRestore

krish_sriram:
Thank you. Makes sense. But quite ironic again in that their own Tamper Protection is recognized and removed as malware by their own scanner tool!

by my read - Microsoft Safety Scanner detects - suboptimal configuration that may prevent Windows Defender Antivirus from functioning properly and Windows Defender Antivirus will auto-heal by automatically resetting to more secure configurations <Summary>.

Maybe, you'll turn on Periodic scanning, as test - to see if same detection. 
