# Trying to update windows defender from UNC path continuously fails

3

I'm trying to update Windows Defender (on Win 10) using definistions stored on a UNC path.

I'm setting the path the the mpam-fe.exe file like this

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\path\to\mpam.exe


Then I'm running Get-MpPreference to verify that the path was set (it is). Once I verify that the path is correct for SignatureDefinitionUpdateFileSharesSources I run

Update-MpSignature -UpdateSource FileShares


I instantly get the error

Update-MpSignature : Virus and spyware definitions update was completed with errors.
At line:1 char:1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ObjectNotFound:    (MSFT_MpSignature:ROOT\Microsoft\...SFT_MpSignature) [Update-MpSignature], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070002,Update-MpSignature


This failure happens almost instantly. Just to verify that the specific powershell instance can access the fileshare in question - I followed it up by just executing the mpam-fe.exe file and it worked.

windows
anti-virus
unc
asked on Server Fault Aug 2, 2017 by George Kendros

4

I have never done this before, but your question made me curious and I started doing some testing. I was able to reproduce your issue. It's clear that not many people do this, because there is zero coherent information on the internet about how to do this. So, it's no surprise you're getting nowhere.

So, here is what I discovered while using Process Monitor. I was able to successfully get Defender to update from a file source.

• First, the update packages consist of three files: mpam-fe.exe, mpam-d.exe, and nis_full.exe. I tried using just mpam-fe.exe and it failed.
• Second, there are 32-bit and 64-bit versions of updates. When you run the Update-MPSignature command it expects to find the updates under the x64 or x86 folder in your source path. So, you need to create the additional folders under your source path and place the update files in there.
• Third, the process that updates Windows Defender is wmiprvse.exe (WMI) - it runs as Local System. Be aware that the connection is made to the file source using the computer account and not a user account. I tried several different things to try to get it to connect to a file share on a domain joined server. This included adding the computer account, domain computers, Everyone, and Anonymous. Nothing worked. It failed every time with Access Denied. I was only able to get it to work when I put the files on my NAS which has zero security restrictions.

Here are other references I used to get this to work: https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/update-mpsignature?f=255&MSPPError=-2147217396

https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus

answered on Server Fault Aug 3, 2017 by Appleoddity
1

I've had this exact issue. The issue was resolved by creating a x64 folder in the share and moving the definitions to that folder. I can't find this requirement anywhere but it works. SCEP uses this folder structure so that's where I got the idea. Even the script provided by Microsoft doesn't create the architecture folder!

Server setup:

• File share (e.g. \\Server\Share$) with full share permissions and Read permissions for Everyone (Domain Computers not required!) • Folder x64 containing 64-bit definition files (e.g. \\Server\Share$\x64\mpam-fe.exe)

Client setup (powershell):

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\Server\Share$Set-MpPreference -SignatureFallbackOrder 'FileShares' Update-MPSignature  0 Appleoddity's answer gives everything you need. Some caveats though; • Update-MpSignature never worked for me in powershell. I spent a lot of time trying to set up the environment for these updates to work and was using Update-MpSignature as the test. • Once I actually run Defender/MSE's built in update function and realized that the update worked correctly in a situation where Update-MpSignature was failing I started backtracking and testing other scenarios which I though weren't working because they were failing through powershell So basically, as you work through the issue using Appleoddity's guide make sure not to rely solely on powershell and Update-MpSignature to test what you're doing. YMMV but it my case I was never able to succesfully run Update-MpSignature. I had jumped to the conclusion that I had set something up wrong, but after more testing I saw that defender itself was updating without issue and only powershell was having problems. answered on Server Fault Aug 14, 2017 by George Kendros 0 Permission Denied Message is caused by Access Denied to the LogFile C:\Windows\Temp\MpSigStub.log  Just delete this LogFile before running Update-MpSignature -UpdateSource FileShares -Verbose  answered on Server Fault Sep 13, 2017 by Gunnar Haslinger 0 Here is the powershell script I have running hourly on a server, then I just point my clients to it. The big point was NOT to extract the file. Windows Defender points to the exe itself. $vdmpathbase = 'E:\VirusDef\latest\x64'
$vdmpackage =$vdmpathbase + '\mpam-fe.exe'
cmd /c "del $vdmpackage /q" Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile$vdmpackage

answered on Server Fault May 3, 2019 by Jeff Riechers
0

Another caveat...

The Defender GUI runs the update download as one of two processes:

1. MSascui.exe - which uses the current session account (this one can usually access the file share as most defender update file shares would allow read to all)
2. Msmpeng.exe - which uses the NT AUTHORITY/SYSTEM account (this will have the computer name account, which in most domain-based systems will also allow access)

For the Update-MpSignature cmdlet, it's a bit different. It runs the update download as wmiprvse.exe which uses NT AUTHORITY/LOCAL SYSTEM. This account has minimum privileges on the computer and uses anonymous credentials on the network. Generally speaking, most network shares won't be configured for anonymous access, so this is why you can get the GUI to work, but the cmdlet doesn't.

answered on Server Fault Mar 2, 2021 by Tony Gedge

User contributions licensed under CC BY-SA 3.0