Go to ...

RSS Feed

July 11, 2020

Windows Defender 2004 Reports PUP/PUA Even After Cleanup or Removal


Here’s an interesting tidbit, which I’ve been easily able to confirm on my own PCs running 2004. In the recent past I’ve run the MiniTool Partition Wizard and the CCleaner installer. Both include “bundleware” in their installers. Thus, they’re quite correctly identified in Windows Defender as including PUPs  or PUAs — or Potentially Unwanted Programs or Applications. In both cases, in fact, they include opt-in versions of popular anti-virus programs. Presumably the makers of the software made a deal with the AV companies to get paid for including this stuff in their otherwise “free” software. I wrote about this for Win10.Guru on May 29 in a story entitled Software Bundling Reads Its Ugly Head … Again! What I didn’t know at the time, but have since learned, is that with Version 2004, Defender continues to report PUPs even AFTER they’ve been removed or otherwise cleaned-up on a target PC. Check this out:

Windows Defender 2004 Keeps Reporting PUP.side-by-side

Even though the list of PUPs at left have all been cleaned up, Defender keeps on reporting them. If you filter by “Cleaned items,” it shows what’s actually there: nothing! (At right.)
[Click image for full-sized view.]

What to do About Persistent Reports in Defender?

Alas, there’s not much anyone can do about this issue. Microsoft is going to have to fix this in a future update, I’m afraid. Although WindowsLatest.com reports that if you visit the C:\Program Data\Microsoft\Windows Defender\Scans\History\Service folder and delete “PUP history information” there it will cease such reporting, I couldn’t get that to work. I was not able to delete the log files in that folder, either, so I erased their contents. But that history data is obviously recorded somewhere else in Windows Defender as well, because the historic PUP/PUA detections kept on showing up until I turned on the “Cleaned items” filter shown in the right-hand side of the preceding screenshot.

For the moment, it looks like you need to use the filter to block detections that have been taken care of. This will let you see new detections as they come in. But until MS fixes the spurious reporting from Defender (sooner rather than later, would be nice) there’s not much else one can do. It’s not a serious gotcha, and it’s easy to steer around. But such things have been popping up with some frequency lately. And that’s the way things go sometimes, here in Windows-World!

Author: Ed Tittel

Ed Tittel is a 30-plus-year computer industry veteran. He’s a Princeton and multiple University of Texas graduate who’s worked in IT since 1981 when he started his first programming job. Over the past three decades he’s also worked as a manager, technical evangelist, consultant, trainer, and an expert witness. See his professional bio for all the details.

Leave a Reply

More Stories From 20H2