With a recent update, the Redmond software giant has made a small change to the built-in protection app in Windows 10 called Windows Defender. The application was updated to version 4.12.17007.17123, and now the antivirus portion of the app is located in a different folder path in the file system.
The change is applicable to all editions of Windows 10. The files are moved for all versions of Windows 10 starting with Windows 10 "Creators Update", version 1703.
The affected components include the antivirus engine MsMpEng.exe, the network filter service NisSrv.exe, and the appropriate drivers.
The files MsMpEng.exe and NisSrv.exe have been moved from C:\Program Files\Windows Defender to C:\ProgramData\Microsoft\Windows Defender\Platform\. The related driver files, which were previously stored in the C:\Windows\System32\drivers folder, can now be found under C:\Windows\System32\drivers\wd.
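The move matters for anything keyed to the old path, such as allowlists or detection rules that expect MsMpEng.exe under Program Files. The PowerShell below is an added example, not code from Microsoft or from the original article; it classifies the image paths of the Defender services against both locations. The service names WinDefend and WdNisSvc, and the single per-version subfolder below Platform\, are assumptions not stated in the article.

```powershell
# Added example: classify where the Defender service binaries are registered to run from.
# The two directories are the ones named in the article. The service names and the
# per-version subfolder under Platform\ are assumptions, not taken from the article.
$legacyDir   = 'C:\Program Files\Windows Defender'
$platformDir = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
$expected    = @{ WinDefend = 'MsMpEng.exe'; WdNisSvc = 'NisSrv.exe' }

function Get-DefenderPathClass {
    param([string]$ImagePath, [string]$ExpectedFile)

    # Service command lines may be quoted and carry arguments; keep only the executable.
    if     ($ImagePath -match '^\s*"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($ImagePath -match '^\s*(.+?\.exe)\b')   { $exe = $Matches[1] }
    else   { return 'Unparseable' }

    try {
        # Expand %VAR% and resolve ".." so a path cannot merely start with a trusted prefix.
        $full = [System.IO.Path]::GetFullPath([Environment]::ExpandEnvironmentVariables($exe))
    } catch { return 'Unparseable' }
    $dir  = [System.IO.Path]::GetDirectoryName($full)
    $file = [System.IO.Path]::GetFileName($full)

    if ($file -ine $ExpectedFile) { return 'UnexpectedBinary' }
    if ($dir  -ieq $legacyDir)    { return 'Legacy' }
    # New layout: the binary sits exactly one folder below Platform\.
    if ([System.IO.Path]::GetDirectoryName($dir) -ieq $platformDir) { return 'Platform' }
    return 'UnexpectedLocation'
}

foreach ($name in $expected.Keys) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name : service not found"; continue }
    [pscustomobject]@{
        Service  = $name
        State    = $svc.State
        PathName = $svc.PathName
        Class    = Get-DefenderPathClass -ImagePath $svc.PathName -ExpectedFile $expected[$name]
    }
}
```

A result of Legacy means the machine has not yet picked up the relocated binaries; UnexpectedLocation or UnexpectedBinary is worth a closer look before trusting the service registration.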
The file location change happens after installing the update KB4052623. The support documentation for the update doesn't explain the reason behind the change, but it points to the new location of the files in its list of known issues:
- Because of a change in the file path location in the latest update (Antimalware Client Version: 4.12.17007.17123), many downloads are being blocked when AppLocker is enabled.
To work around this issue, open Group Policy, and then change the setting to "Allow" for the following path:
- In rare cases, computers that are running Windows Defender Advanced Threat Protection together with Windows Defender Antivirus are put into a passive mode during the installation of this update. In this passive mode, Real-time Protection is disabled.
To work around this issue, delete the "PassiveMode" value at the following registry subkey:
Note: You may have to take ownership of the Windows Defender subkey and enable full access to your user account.
To take ownership of Registry keys, you can use a tool like RegOwnershipEx.
It is not clear why Microsoft moved the system files for Defender. The company may explain the change in a later blog post. It might be because malware is targeting the existing directories, or because Defender's security is being improved, perhaps by moving it into sandboxed folders with better security. Only Microsoft can shed light on these changes.