MS Defender Error: "Mallware Signeture Download" Appears Legitimate (Unfortunately).

Ow, the other day I was infected by the Vundo trojan. I believe the trojan came in through an infected web page and attacked a Java vulnerability on my machine. During the cleanup, I installed a variety of anti-malware software, including Microsoft Windows Defender. Although I don’t believe things can be 100% clean after such an infection, I *really* don’t want to reformat that workstation. That said, I was extremely suspicious today when a Dr. Watson/Microsoft Error Reporting dialog popped up with obvious misspellings (picture taken after report submission):


“Mallware Signeture Download”

I immediately went to Google and found that other people had experienced the error and were also suspicious of the spelling errors, since such errors are common in actual malware. Feeling adventurous, I decided to allow the software to send the reports, which I didn’t bother looking at because if it were malware, it would be a setup anyway, right? Immediately after the data submission, I brought up a command window and typed netstat -b, which listed the following:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    MYWORKSTATION:1332       watson.microsoft.com:http  ESTABLISHED     2728
  [DW20.EXE]

After browsing to http://watson.microsoft.com and receiving a Directory Listing Denied error, I pinged watson.microsoft.com and noted that the name resolved to 65.55.22.252. Using Sam Spade, I then asked ARIN who owns that IP block and, sure enough, the block is registered to Microsoft.

12/14/08 15:35:18 IP block 65.55.22.252
Trying 65.55.22.252 at ARIN
Trying 65.55.22 at ARIN

OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US

NetRange:   65.52.0.0 - 65.55.255.255
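The chain above (owning process from netstat -b, hostname to IP, IP to the ARIN NetRange) can be scripted so the check is repeatable on the next suspicious dialog. The following is an added example, not code from the page: the netstat text is a constructed sample in the Windows XP layout (where the owning executable is printed in brackets under its connection line), the second connection and the name example.exe are invented to show a peer that fails the range check, the hostname lookup is a hard-coded table holding the address the page observed in December 2008, and the whois text is the ARIN record quoted above.

```python
"""Added example: tie a connection to its owning process, resolve the peer, and check
the peer IP against the NetRange ARIN returned. Runs offline: resolution is a
constructed lookup table and the netstat/whois text are samples."""
import ipaddress
import re

# Constructed sample in the Windows XP `netstat -b` layout: the owning executable
# follows its connection line in square brackets. The first connection is the one
# from the page; the second (192.0.2.10, a reserved documentation address) and
# example.exe are invented to show a peer outside the range being checked.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    MYWORKSTATION:1332       watson.microsoft.com:http  ESTABLISHED     2728
  [DW20.EXE]
  TCP    MYWORKSTATION:1340       192.0.2.10:8080        ESTABLISHED     3172
  [example.exe]
"""

# Assumption: the address the page saw in December 2008. netstat prints a
# reverse-DNS name; `netstat -n` shows the raw IP instead of trusting that name.
RESOLVED = {"watson.microsoft.com": "65.55.22.252"}

# ARIN record as quoted on the page (abridged to the fields used here).
ARIN_WHOIS = """\
OrgName:    Microsoft Corp
OrgID:      MSFT
NetRange:   65.52.0.0 - 65.55.255.255
"""


def parse_netstat_b(text):
    """Return (proto, local, foreign, pid, process) tuples from `netstat -b` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("TCP", "UDP"):
            # UDP lines have no State column, so take the PID from the end of the line.
            rows.append([parts[0], parts[1], parts[2], int(parts[-1]), None])
        elif line.strip().startswith("[") and rows:
            # "[name.exe]" belongs to the connection line just above it.
            rows[-1][4] = line.strip()[1:-1]
    return [tuple(r) for r in rows]


def parse_netrange(whois_text):
    """Turn the NetRange line into the list of networks covering first..last."""
    m = re.search(r"NetRange:\s*(\S+)\s*-\s*(\S+)", whois_text)
    if not m:
        return []
    first, last = (ipaddress.ip_address(a) for a in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


def org_name(whois_text):
    """OrgName field of the whois record, or None if absent."""
    m = re.search(r"OrgName:\s*(.+)", whois_text)
    return m.group(1).strip() if m else None


def attribute_connections(netstat_text, resolved, whois_text):
    """For each connection: (process, peer host, peer IP, peer IP inside the NetRange?)."""
    networks = parse_netrange(whois_text)
    results = []
    for _proto, _local, foreign, _pid, process in parse_netstat_b(netstat_text):
        host = foreign.rsplit(":", 1)[0]          # strip ":http" / ":8080"
        try:
            ip = ipaddress.ip_address(host)       # already numeric
        except ValueError:
            ip = ipaddress.ip_address(resolved[host]) if host in resolved else None
        in_range = ip is not None and any(ip in net for net in networks)
        results.append((process, host, str(ip) if ip else None, in_range))
    return results


if __name__ == "__main__":
    owner = org_name(ARIN_WHOIS)
    for process, host, ip, ok in attribute_connections(NETSTAT_OUTPUT, RESOLVED, ARIN_WHOIS):
        verdict = f"inside {owner}'s NetRange" if ok else "NOT in that NetRange"
        print(f"{process:12} -> {host} ({ip}): {verdict}")
```

The NetRange owner tells you where the report went, not whether DW20.EXE is the genuine Microsoft Error Reporting client; malware can talk to a legitimately owned address too. The stronger check on the process itself is the path and Authenticode signature of the executable behind the PID.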

Now I was pretty confident that the pop-up was indeed legitimate. But I became completely convinced after I found a posting by “Dude” on pcreview.co.uk showing that the string can be found within the program files themselves:

$ cd "$PROGRAMFILES/Windows Defender"
$ for file in *; do strings -t x -e l "$file" | grep Mallware | grep Signeture && echo "$file"; done
10cdc Mallware Signeture Download
MSASCui.exe
26fc Mallware Signeture Download
MpSigDwn.dll
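The loop above depends on binutils and on knowing that Windows stores its UI strings as UTF-16LE, which is what the -e l flag selects; an 8-bit scan never sees them. As an added example (not code from the page or from the pcreview poster), here is the same search in Python so it runs without binutils and makes the encoding point visible. The file names and bytes it scans are constructed: the sample is a stand-in for MpSigDwn.dll, not the real DLL, and clean.dll is invented as a file that should not match.

```python
"""Added example: find UTF-16LE strings in Windows binaries the way
`strings -t x -e l | grep ...` does, against a constructed stand-in for MpSigDwn.dll."""
import tempfile
from pathlib import Path

MIN_RUN = 4  # GNU strings' default minimum string length


def _printable_unit(data, i):
    """True if data[i:i+2] is a printable UTF-16LE code unit (ASCII or tab, zero high byte)."""
    return data[i + 1] == 0 and (0x20 <= data[i] <= 0x7E or data[i] == 0x09)


def utf16le_strings(data, min_len=MIN_RUN):
    """Yield (byte_offset, text) for each run of printable UTF-16LE characters.

    Win32 UI and resource strings are stored as UTF-16LE, which is why the page's
    loop needed `-e l` (16-bit little-endian): an 8-bit scan never sees them.
    """
    i, n = 0, len(data)
    while i + 1 < n:
        if not _printable_unit(data, i):
            i += 1
            continue
        start = i
        while i + 1 < n and _printable_unit(data, i):
            i += 2
        if (i - start) // 2 >= min_len:
            yield start, data[start:i].decode("utf-16-le")


def grep_strings(data, words):
    """Keep strings containing every word, like `grep Mallware | grep Signeture`."""
    return [(off, s) for off, s in utf16le_strings(data) if all(w in s for w in words)]


def scan_directory(directory, words):
    """The page's for-loop: map each file that matches to its (offset, string) hits."""
    hits = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            matches = grep_strings(path.read_bytes(), words)
            if matches:
                hits[path.name] = matches
    return hits


def build_sample_binary():
    """Constructed stand-in for a PE file (not a real executable): header bytes, padding,
    an 8-bit copy of the string that a UTF-16LE scan must ignore, then the UTF-16LE
    copy at offset 0x121E and a correctly spelled string at 0x1356."""
    blob = bytearray(b"MZ" + b"\x00" * 0x1000)
    blob += b"Mallware Signeture Download\x00"              # 8-bit copy: invisible to -e l
    blob += b"\x00" * 0x200
    blob += "Mallware Signeture Download".encode("utf-16-le") + b"\x00\x00"
    blob += b"\x00" * 0x100
    blob += "Malware Signature Download".encode("utf-16-le") + b"\x00\x00"
    return bytes(blob)


def demo():
    """Write two constructed files to a temp dir and scan them as the page's loop did."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "MpSigDwn.dll").write_bytes(build_sample_binary())    # constructed, not the real DLL
        (d / "clean.dll").write_bytes(b"MZ" + b"\x00" * 64 + "Nothing to see".encode("utf-16-le"))
        return scan_directory(d, ("Mallware", "Signeture"))


if __name__ == "__main__":
    for name, matches in demo().items():
        for offset, text in matches:
            print(f"{offset:x} {text}")      # same shape as `strings -t x` output
        print(name)
```

To run it against a real installation, call scan_directory on the Windows Defender folder under %PROGRAMFILES% with the same two words. Finding the misspelled string inside the installed binaries shows the dialog text came from Defender's own files, which is the page's point; since a string can be copied into any file, the check that actually proves those files are Microsoft's is their Authenticode signature.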

Having such spelling errors in an anti-virus program is unacceptable: misspellings are one of the first things people look for when deciding whether a dialog is malware, so a legitimate dialog that carries them sends IT pros off to research its legitimacy. Hopefully Microsoft will address it soon. However, seeing that the problem has been around since at least 11/2006, a fix doesn’t really seem likely.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, and holds a number of certifications, including those relating to SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Security, Windows
6 comments on “MS Defender Error: "Mallware Signeture Download" Appears Legitimate (Unfortunately).
  1. Vivian says:

    Thanks Chrissy.
    I had just installed windows defender and got the same error report.
    Because of the misspelling, I didn’t submit the report. But immediately googled the suspect application name exactly as spelled…and I saw your link.

    Thanks for your thorough investigation. It saved me a lot of time.

    Vivian

  2. Antonio says:

    ARRR! Chrissy

    Just found the same message today!
    My Toshiba went crazy last night (it started to open applications like crazy) and afterwards some MS software started to check for errors in Office. It corrected one error and today, when I started my PC again, I have this error report software that wants to send info to MS.
    It wants to report two errors: one is this “Mallware Signeture Download”

    Thanks for the information you have here.
    I’m going to click send on the report …

  3. David Pelton says:

    Thanks, but I think there may be some mistakes here. I think all of us were previously (or may still be) infected with malware.

    I believe this because in addition to several “Mallware Signeture Download” lines I also had “Microsoft Office Word”.

    The difference between my error reporting dialog and the one you show is that I have a link under more information (maybe that goes away after you send the information). Anyway, when I click that for one of the “Mallware Signeture Download” links I am taken to a dialog that shows the error signature which lists the EventType as mptelemetry.

    Searching the web for that EventType led me to http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.private.security.spyware.appcompat&tid=1e346d40-bf90-4567-817e-3cf9071e41ec&cat=&lang=&cr=&sloc=&p=1 where I see that the error is an inability to connect to a website, usually for an update.

    I think what we have here is that a malware (which I had on my machine and cleaned up) was trying to report and failed. That malware, I’ll bet, was entitled “Mallware Signeture Download”.

    Also, when I look through the attached CAB file about the report (and look at the one for Word), it points even more to “Mallware Signeture Download” being the name of an application as opposed to the action being performed here.

  4. Ena says:

    The update was for Windows Defender. I don’t know if your Windows Defender automatically updates, but if that is the website, it was trying to download a signature. It was the signature to identify a problem, not a signature to initiate a problem.

  5. RedNose says:

    I tried to search for the string in Windows Defender files in Vista SP2 and Windows 7 but could not find any Mallware or Signeture. I think either you were really infected or Microsoft got wiser.

  6. lymnenjoync says:

    I have been reading this forum for 2 weeks and I want to register and say hi to everybody
