"Windows Defender Backup" rule not working

[mogli]

The new "Windows Defender Backup" rule doesn't delete anything here (Windows 11), any ideas?
(That's kind of expected as the folder should have a strong anti-tampering protection.)

[nukecad]

Thanks for the report.

I hadn't looked at it before but just gave it a go.

On Windows 10 here it found 8 out of 10 files (sounds like a commercial) to delete in "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup"

But as you say running a clean did not actually delete any of them.

If I try to delete one maunally in File Explorer it asks for elevated 'System' permission to delete it. (I am already admin).

I've flagged it up to the staff for the developers to look at.

[hazelnut]

@nukecad

Do any of them get cleaned if you use  Win 10 Storage cleaning?

[nukecad]

Good thought @hazelnut.

But no, I just tried it and they are still there after a 'Clean now' in Storage Sense.

I've looked a bit more at what these particular Defender Backup files are.

I haven't checked them all, but the 4 that I have checked are duplicate copies of the'live' files in use, rather than being old versions.
The contents of the 'live' files and the backup are identical on the 4 that I checked.

Presumably Defender has the backup there in case something happens to the live copy, or maybe as a double check of the integrity of the live copy?

As they appear to be reserve/reference copies, rather than old versions, then I for one will be leaving them there.

Deleting them would also be pretty useless if they are needed reference copies, and so Defender then has to recreate them again.
 

[lmacri]

On 15/06/2023 at 08:29, mogli said:

The new "Windows Defender Backup" rule doesn't delete anything here (Windows 11), any ideas? (That's kind of expected as the folder should have a strong anti-tampering protection.)

Hi mogli:

Thanks for reporting this.

The Sept 2020 github thread at Persistent Error When Deleting (Windows Defender Backups) would suggest that BleachBit developers also tried to incorporate a similar cleanup of MS Defender backup files into their disk cleaning software but ultimately removed that option because because they believed the deletion of these backup files was being blocked by Microsoft Defender's tamper protection self-protection module.  However, they must have found a workaround because I just tested BleachBit Portable v4.4.2 (Preview mode only - I didn't actually proceed with the clean) on my Win 10 laptop and 278 MB / 10 files in C:\ProgramData\Microsoft\WindowsDefender\Definition Updates\Backup were marked for deletion.

I use Microsoft Defender for my real-time antivirus protection on my Win 10 machine and can use the built-in Disk Cleanup utility at Windows Administrative Tools | Disk Cleanup | Clean Up System Files | Microsoft Defender Antivirus to safely purge any "non-critical" Microsoft Defender files.  However, Disk Cleaner shows that there are currently only about 12 MB of "non-critical" MS Defender files on my hard drive ...

... and Disk Cleaner doesn't appear to touch any of the 262 MB / 8 files of files in C:\ProgramData\Microsoft\WindowsDefender\Definition Updates\Backup shown below that CCleaner v6.13 is failing to clean.**

** Note that CCleaner detects 2 fewer MS Defender backup files than BleachBit

 

I'm not sure why Piriform / Avast thought it was a good idea to add routine cleaning of these Microsoft Defender definition update backups to CCleaner when Microsoft clearly doesn't think it's a good idea, unless they're just trying to mimic what BleachBit is doing. If Avast / Piriform is going to fix this cleaning rule so it works as expected (which would likely require temporary disabling of Microsoft Defender tamper protection, which sounds like a terrible idea) they should at least move this new option under Custom Clean | Windows | Advanced (i.e, instead of under System) just to warn users that this type of cleaning should not be done on a routine basis.
-------------
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3086 * Firefox v114.0.2 * Microsoft Defender v4.18.23050.5-1.1.23050.3 * Malwarebytes Premium v4.5.31.270-1.0.2047 * Macrium Reflect Free v8.0.7279 * CCleaner Free Portable v6.13.10517 * BleachBit Portable v4.4.2

[Wisewiz]

I agree completely with lmacri:

"If Avast / Piriform is going to fix this cleaning rule so it works as expected (which would likely require temporary disabling of Microsoft Defender tamper protection, which sounds like a terrible idea) they should at least move this new option under Custom Clean | Windows | Advanced (i.e, instead of under System) just to warn users that this type of cleaning should not be done on a routine basis."

In a simple test, I imaged my C:\ drive, then temporarily turned off Defender's Tamper Protection, and re-attempted the deletion of the files in that Backup folder. They deleted with no problem, and having thus determined that @lmacriwas correct in her assumption that Defender's Tamper Protection was preventing the deletion previously, I restored the deleted files and re-enabled Defender's Tamper Protection.

I'd take it a step further than lmacri, though: rather than moving that rule to Advanced, I'd just remove it, period. Without disabling Defender's Tamper Protection, it does nothing, and if advanced users think of disabling Defender to make the rule work as expected, they will be doing a very risky thing.

I only did this as a test, after creating a reliable drive image, and I do not recommend this procedure to anyone. "Just say No."

[nukecad]

Personally I'd class them as duplicate system files.

And as we always say about the Duplicate Finder: "Leave the system duplicates alone, they are (usually) not junk but are there for a good reason".

[Wisewiz]

@nukecad: Agreed. So why not just remove this rule, which we agree does nothing and which, in any case, we would not recommend using even if it did work?

[nukecad]

36 minutes ago, Wisewiz said:

@nukecad: Agreed. So why not just remove this rule, which we agree does nothing and which, in any case, we would not recommend using even if it did work?

Well programme developers are only people and just like the rest of us make mistakes now and again. (Or get enthusiastic and do something that isn't needed).

[Wisewiz]

I think you misunderstood me (possibly). I wasn't criticizing the devs at Piriform/Avast, I was just making a polite (I hope) suggestion. Taking something out is, after all, a lot easier than putting something new in.

And yes, I've made mistakes, too. I remember the last time I made a mistake: it was a rainy Saturday in 1963, and ... aahng, you don't want to hear about it. 

[nukecad]

Ah, but I was criticising them a bit, in a polite way of course. (Not for the first time, and sometimes less politely).

[Wisewiz]

Well, I'll be! I thought you had a direct line to the head coder, and a reserved spot on the to-do list at Piriform/Avast. Shucks!

OTOH, if they got everything right the first time around, what would we do with the time we'd have on our hands if nobody complained to CC Community Forums?

[mogli]

@Wisewiz
That's interesting. Can you describe how the anti-tampering stuff introduced in newer Windows 10 versions and Windows 11 can be turned off?

[lmacri]

I don't know if @Dave CCleaner or any of the other Avast/Piriform employees are following this thread but it might make sense to move it to the CCleaner Bug Reporting board at https://community.ccleaner.com/forum/8-ccleaner-bug-reporting/ since the new Windows Defender Backup cleaning doesn't work as expected (i.e., it throws a "File Access Denied" error when it attempts to clean the protected C:\ProgramData\Microsoft\WindowsDefender\Definition Updates\Backup folder).
-------------
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3086 * Firefox v115.0.0 * Microsoft Defender v4.18.23050.5-1.1.23050.3 * Malwarebytes Premium v4.5.32.271-1.0.2051 * Macrium Reflect Free v8.0.7279 * CCleaner Free Portable v6.13.10517

[Wisewiz]

29 minutes ago, mogli said:

@Wisewiz
That's interesting. Can you describe how the anti-tampering stuff introduced in newer Windows 10 versions and Windows 11 can be turned off?

Microsoft/Windows Defender (the name changes with the weather) has many controls available. If you go to Windows Security > Virus & threat protection > Virus & threat protection settings > Manage settings, and scroll down, you'll find Tamper Protection, among other settings. If you toggle the slider for Tamper Protection to OFF, alarms will go off in the Defender internal system, and you'll see a flag in your notification tray.

Until you toggle that setting back to ON.

[Wisewiz]

The other thing is having a software app that can temporarily turn Defender OFF, once the Tamper Protection is removed. I will not recommend or provide a link to any such program, but I have one. They are readily available, but hard to get installed, because they can turn off Defender, and Defender doesn't want them to turn it off.

Off Tamper Protection allows you to turn off Defender. When Defender is off, any of its backup files can be deleted, by CCleaner or by any other method.

[mogli]

Yeah, but the point is how to do it when tamper protection is on, of course.

[hazelnut]

47 minutes ago, mogli said:

Yeah, but the point is how to do it when tamper protection is on, of course.

I guess that's a bit like having your front door locked and then wanting to be able to just walk in.

[mogli]

Exactly, one needs to go as far as smashing a window but piriform shouldn't go this far, otherwise microsoft needs to step in, but that means this cleaning rule is nonsense.

[nukecad]

12 hours ago, lmacri said:

I don't know if @Dave CCleaner or any of the other Avast/Piriform employees are following this thread but it might make sense to move it to the CCleaner Bug Reporting board

I've moved it.
We often don't bother which particular sub-forum a thread is in, people can still find them. Though it does make things tidier if they are in the most relevant one.

PS. Dave no longer works at CCleaner, there have been a few staff changes in recent months, so I doubt that anyone will see 'pings' or messages for him. (unless someone logs in using that username/password).

[lmacri]

On 05/07/2023 at 03:31, nukecad said:

... Dave no longer works at CCleaner, there have been a few staff changes in recent months, so I doubt that anyone will see 'pings' or messages for him...

Hi nukecad:

That for the heads up.  Do you know if any of the Avast / Piriform employees are still monitoring the CCleaner Bug Reporting board and/or might respond to an @mention?   I don't recall seeing seen a post in the forum by an employee for almost two months now, but I don't visit the forum on a daily basis.
-------------
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3086 * Firefox v115.0.1 * Microsoft Defender v4.18.23050.5-1.1.23060.1005 * Malwarebytes Premium v4.5.32.271-1.0.2051 * Macrium Reflect Free v8.0.7279 * CCleaner Free Portable v6.13.10517

[nukecad]

It has gone noticibly quieter as far as the Staff making posts is concerned.

There have been some indications that they are still reading posts. (well one at least when something we flagged for attention appears to have been acted on).
How often is another question.

[nukecad]

It looks like "Windows Devender Backup" is now causing more issues if/when it is ticked for cleaning:

https://community.ccleaner.com/topic/65179-ccleaner-v61410584-crashing-on-windows-11/#comment-343691

[Andavari]

Probably consider yourselves lucky it couldn't clean Microsoft Defender Antivirus!

Defender is easy to mess it up, and even Microsoft's own new beta cleaning tool causes nothing but grief when it cleans it (which is ticked by default to be cleaned) since Defender has to seemingly rebuild it's cache or whatever it's doing that takes way too long for it to finish rebuilding. It takes several minutes even with an SSD as the OS drive, and the rebuilding can continue upon the next reboot as if it were corrupted. In my opinion it's better left alone!

 

The only thing that's ever been "safe" to clean in Defender is from a now old entry from Winapp2.ini. Using it doesn't cause a very long cache rebuild or the thought that Defender has been corrupted. Instead Defender just barks softly about needing to run a system scan, and that's it, no damage done.

This is what's cleaned from that mentioned old Winapp2.ini entry:
FileKey1=%CommonAppData%\Microsoft\Windows Defender\Network Inspection System\Support|*.txt;NisLog.txt.bak
FileKey2=%CommonAppData%\Microsoft\Windows Defender\Scans\BackupStore|*.*
FileKey3=%CommonAppData%\Microsoft\Windows Defender\Scans\History\CacheManager|*.*|RECURSE
FileKey4=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Service|*.log
FileKey5=%CommonAppData%\Microsoft\Windows Defender\Scans\History\Store|*.*
FileKey6=%CommonAppData%\Microsoft\Windows Defender\Scans\MetaStore|*.*|RECURSE
FileKey7=%CommonAppData%\Microsoft\Windows Defender\Scans\RtSigs\Data|*.*|RECURSE
FileKey8=%CommonAppData%\Microsoft\Windows Defender\Support|*.*|RECURSE

 

[Wisewiz]

Once a week or so, I use the built-in Disk Cleanup utility to supplement the work CCleaner does for me. It's particularly valuable for Windows Update leftovers. But it also offers to clean up "Non-critical files used by Microsoft Windows Defender." I generally find somewhere around 20MB listed in Disk Cleanup's selection window, and if I tick that option and run Disk Cleanup's Delete Files function, and then re-open Disk Cleaner to see what it now shows for delete-able Defender files, it shows about 19Mb or more still there.

However, If I run Disk Cleanup and it finds 20MB for Defender, and I tick that choice and hit OK, and it shows the confirmation window with an option button to Delete the selected files, this works a lot better:

Leave that confirmation window open (IOW, don't hit the OK button), then open Defender's control window, and turn off Tamper Protection, and then turn off Defender temporarily (it's always temporary, because Windows will tun it back on in a few minutes at most) and THEN hit the OK button in the Disk Cleanup confirmation window, wait for Disk Cleanup to finish, and then turn Defender back on and turn Tamper Protection back on, and then open Disk Cleanup again, it will show only a few KB of Defender files.

That sounds like a lot of work, but it's not, and once you do it, it'll be easy the next time.

I'm quite sure that Disk Cleanup doesn't EVER do anything harmful to your computer. 

Let's be clear: I'm not recommending that you clean up Defender's "Non-critical files," that's your business. Just saying that this is one way to do it if you choose to do it.