Microsoft Defender Anti-Malware/Platform Update Kit for Windows 11 (Updated: November 26th, 2021)

Discussion in 'Windows 11' started by steven4554, Jul 3, 2021.

  1. steven4554

    steven4554 MDL Expert

    #1 steven4554, Jul 3, 2021
    Last edited: Nov 26, 2021 at 01:58
  2. steven4554

    steven4554 MDL Expert

    #2 steven4554, Jul 9, 2021
    Last edited: Nov 18, 2021
    (OP)
    Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2106.6)
    Now available for all on MS Catalog Website.

    Direct Download Links have been removed, as this version of the platform update is out of date and could pose a security risk.
     
  3. steven4554

    steven4554 MDL Expert

    #3 steven4554, Jul 20, 2021
    Last edited: Nov 18, 2021
    (OP)
    Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2107.4)
    Now available for all on MS Catalog Website.

    Direct Download Links have been removed, as this version of the platform update is out of date and could pose a security risk.
     
  4. steven4554

    steven4554 MDL Expert

    #4 steven4554, Aug 29, 2021
    Last edited: Nov 18, 2021
    (OP)
    Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2108.5)
    Only available for Insiders, Not available on MS Catalog website.

    Direct Download Links have been removed, as this version of the platform update is out of date and could pose a security risk.
     
  5. steven4554

    steven4554 MDL Expert

    #5 steven4554, Sep 1, 2021
    Last edited: Nov 18, 2021
    (OP)
    Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.2108.7)
    Now available for all on MS Catalog Website.

    Direct Download Links have been removed, as this version of the platform update is out of date and could pose a security risk.
     
  6. steven4554

    steven4554 MDL Expert

    #6 steven4554, Sep 15, 2021
    Last edited: Sep 16, 2021
    (OP)
    Microsoft Defender Verification Tool v1.6
    Created by @BAU
    Updated by @BAU @steven4554

    Source Code
    Code:
    @(set `" <#=")& echo off & title Defender Update Kit Verification Tool v1.6
    set "0=%~f0"&set 1=%*& powershell -nop -c iex ([io.file]::ReadAllText($env:0)) &exit/b || #>)
    
    $messages = @{
      WARN_DEFENDER_CABS_MISSING  = " Place this script in the same folder as Defender Update cabs "
      WARN_DIGITAL_SIGNATURES_ERR = " ERR! "
      WARN_DIGITAL_SIGNATURES_OK  = " OK! "
    }
    
    cd -Lit(split-path $env:0)
    $x86   = gci defender-dism-x86*.cab   | sort creationtime | select-object -last 1
    $x64   = gci defender-dism-x64*.cab   | sort creationtime | select-object -last 1
    $arm64 = gci defender-dism-arm64*.cab | sort creationtime | select-object -last 1
    
    if ($null -eq $x86 -and $null -eq $x64 -and $null -eq $arm64) {
      write-host -fore black -back yellow $messages.WARN_DEFENDER_CABS_MISSING; choice /c EX1T; exit 1
    }
    
    $root = "defender-dism";  ri $root -recurse -force -ea 0|out-null; ni $root -item directory -force -ea 0|out-null
    if ($x86) {ni "$root\x86"   -item directory -force -ea 0|out-null; expand -R $x86.Name -F:* "$root\x86"}
    if ($x64) {ni "$root\x64"   -item directory -force -ea 0|out-null; expand -R $x64.Name -F:* "$root\x64"}
    if ($arm64) {ni "$root\arm64" -item directory -force -ea 0|out-null; expand -R $arm64.Name -F:* "$root\arm64"}
    
    # Inclusion list: only file types that can carry an Authenticode signature are checked.
    $ext = '.exe .dll .mui .sys .ax .ocx .cpl .scr .msu .msi .Msix .msixbundle .appx .appxbundle .cab .cat .cdxml .ps1xml .psd1 .psm1'
    $filter = $ext.Split(); $err = @()
    gci $root\*.* -file -recurse | foreach-object {
      if ($filter -contains $_.Extension) {
       $sig = Get-AuthenticodeSignature $_
       # Status 0 is SignatureStatus 'Valid'; any other status is collected in $err.
       if ($sig.status -eq 0) {
         # Display trick: overwrite the Thumbprint column with the signer's name taken from the certificate subject.
         $sig.SignerCertificate| add-member Thumbprint $sig.SignerCertificate.Subject.Split('=')[1].Trim(', O').Trim(', OU') -force
         write-output $sig
       }
       else { $err += "Invalid   "+$_.FullName+"`nModified  "+$_.LastWriteTime+"  Size  "+$_.Length+"`n" }
      }
    }
    write-host
    if ($err.length -eq 0 -and ($x86 -or $x64 -or $arm64)) {
      write-host -fore yellow -back darkgreen $messages.WARN_DIGITAL_SIGNATURES_OK
    } else {
      write-output $err; write-host -fore yellow -back darkred $messages.WARN_DIGITAL_SIGNATURES_ERR
    }
    write-host
    choice /c EX1T
    #,# AveYo and steven4554
    
    Save as defender_update_kit_verify.bat in the same folder as the Defender Update Kit cabs.
    It will extract the cabs into a defender-dism folder, then run the Get-AuthenticodeSignature PowerShell cmdlet on all sensitive files.

    Changelog:
    v1.6 - BAU improved Output Speed
    v1.5 - BAU has switched to the file extensions to be included that have a Digital Signature. Also this version has enhanced output.
    v1.4 - Added two file extension exclusions to correct and fix Digital Signature Errors.
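
The script above accepts any file whose Authenticode status is Valid, whoever signed it. The following added example (not part of the original post or the kit) also checks the signer's organization and records a SHA-256 per file; the function name `Test-KitSignature`, the `O=Microsoft Corporation` subject match and the shortened extension list are assumptions.

```powershell
# Added example, not from the thread. Assumption: every signed file in the kit
# carries a signer subject containing "O=Microsoft Corporation".
function Test-KitSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedOrg = 'O=Microsoft Corporation',
        # Shortened version of the script's inclusion list (assumption).
        [string[]]$Extension = @('.exe', '.dll', '.mui', '.sys', '.cab', '.cat', '.psd1', '.psm1')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Where-Object { $Extension -contains $_.Extension } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = ''
            if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

            if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
                $verdict = 'BadSignature'        # unsigned, hash mismatch, untrusted chain, ...
            } elseif ($subject -notlike "*$ExpectedOrg*") {
                $verdict = 'UnexpectedSigner'    # valid signature, but not the expected publisher
            } else {
                $verdict = 'OK'
            }
            [pscustomobject]@{
                Verdict = $verdict
                Status  = $sig.Status
                Signer  = $subject
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                File    = $_.FullName
            }
        }
}

# Run against the folder the verification script extracts to, if it exists.
if (Test-Path -LiteralPath '.\defender-dism') {
    $results = @(Test-KitSignature -Path '.\defender-dism')
    $results | Where-Object { $_.Verdict -ne 'OK' } | Format-List
    '{0} files checked, {1} not OK' -f $results.Count,
        @($results | Where-Object { $_.Verdict -ne 'OK' }).Count
}
```

The SHA-256 column lets two people compare the contents of the same cab file by file without exchanging the binaries.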
     

  7. BAU

    BAU MDL Expert

    Updated my posts as well - with a twist!
    filter switched to inclusion instead of exclusion so it should be futureproof + enhanced output - show signer name instead of useless Thumbprint
    I prefer using instead the generic Verify Digital Signatures from right click - Send to for any files/folders
     
  8. steven4554

    steven4554 MDL Expert

    #8 steven4554, Sep 16, 2021
    Last edited: Nov 11, 2021
    (OP)

  9. KleineZiege

    KleineZiege MDL Addicted

    #9 KleineZiege, Sep 22, 2021
    Last edited: Sep 22, 2021
    New Platform Update [ 4.18.2109.2-0 ]

    1 error is displayed to me

    <defender>1.1.2109.4</defender>
    <engine>1.1.18600.3</engine>
    <platform>4.18.2109.2</platform>
    <signatures>1.349.1197.0</signatures>

    Edit:

    new win 11 created with uup-converter-wimlib-72u
    no problems, only new definition is downloaded.
    1.349.1201.0

    my definition for the package was
    1.349.1197.0

    would still be nice if they could eliminate this error, I do not like red and error ( fun fits yes everything, thank you very much, since they have conjured up something great

    I am surprised that the new engine version: 1.1.18600.3 does not appear in the created image.
    would I have to integrate extra files for this?

    Edit:
    have found it which file responsible for the engine.
    just stupid that I have deleted the old vmware, and in the new set up it does not load the new engine 1.1.18600.3 :(
     


  10. steven4554

    steven4554 MDL Expert

    #10 steven4554, Sep 22, 2021
    Last edited: Sep 22, 2021
    (OP)
    Thanks for making me aware about the new platform update, this will be in this Friday's x64 cab. I don't mind people making their own personal defender cabs, but I would like to ask that you do not provide download links as they haven't been verified as safe or free from tampering. Also the reason why virus definition is showing error, is the mpengine.dll file has been tampered with. There is no new engine update yet, as MS hasn't released the next version of virus definitions which will be 1.351.0.0.
     
  11. steven4554

    steven4554 MDL Expert

    #11 steven4554, Sep 23, 2021
    Last edited: Sep 23, 2021
    (OP)
    Deleted.
     
  12. steven4554

    steven4554 MDL Expert

    #13 steven4554, Oct 5, 2021
    Last edited: Nov 18, 2021
    (OP)
    Thanks, and is available for all on MS Catalog website.

    Direct Download Links have been removed, as this version of the platform update is out of date and could pose a security risk.
     
  13. xCyBx

    xCyBx MDL Member

    Thank you :)
     
  14. KleineZiege

    KleineZiege MDL Addicted

    New Platform Update v4.18.2110.5
     


  15. Jan Klos

    Jan Klos MDL Novice

    Pardon me for a possibly dumb question, but has someone successfully tested this on Windows 11? I have used Windows Defender Integration Tool v2.4 (also tried the original MS version) to integrate the latest cab (also tried the latest cab on the original MS website) to integrate to a vanilla Windows 11 ISO, no other changes to the image. After installing (tried many times in a VM) and initial OOBE (again, tested on vanilla 11 ISO without any unattended.xml), Windows still installs & uses the old platform version present in 'Program Files\Windows Defender'. Checking the registry, I see that 'HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation' is still 'C:\Program Files\Windows Defender\' (and not ProgramData) and, most importantly, BlockedLocation key is created, with value 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2109.6-0' (corresponding to the version in cab). So it seems that the platform update is noticed and explicitly blocked. The signatures/engine, on the other hand, seem to be installed without problems.
     
  16. windows builder

    windows builder MDL Guru

  17. Jan Klos

    Jan Klos MDL Novice

    OK, figured it out, the DefenderUpdateWinImage is wrong & obsolete, even the modified 2.4 version. It overrides newer versions of MpAsDesc.dll(.mui) files with stock versions from Program Files. This must be something from old versions that did not contain their own versions of those files? Commenting these blocks:
    # MpAsDesc.dll,
    # Language mui file(mpasdesc.dll.mui).
    # x86 mui files for amd64.
    makes the update install correctly (then again, you might just as well extract the files and just copy them). This has been broken for a while...
     
  18. drew84

    drew84 MDL Expert
