{"id":17887,"date":"2020-08-14T05:44:27","date_gmt":"2020-08-14T00:14:27","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=17887"},"modified":"2024-02-02T13:57:32","modified_gmt":"2024-02-02T08:27:32","slug":"windows-defender-identifies-same-threat-repeatedly","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/windows-defender-identifies-same-threat-repeatedly\/","title":{"rendered":"Windows Defender Shows the Same Threat Repeatedly. How to Clear the Protection History"},"content":{"rendered":"

On some Windows 10 and 11 computers, Microsoft Defender Antivirus may repeatedly warn about the same threat, although you’ve taken the necessary action (remediated) on that threat.<\/p>\n

\"windows<\/p>\n

When you click “Start actions” after choosing “Remove”, nothing happens. Windows Defender would keep showing that non-existent threat.<\/p>\n

Cause<\/h2>\n

This is caused by a bug in Windows Defender that causes it to read the earlier items recorded in the Windows Defender Protection History and repeatedly warn the user.<\/p>\n

RELATED:<\/strong> Windows Defender “HostsFileHijack” alert appears if Telemetry is blocked<\/a><\/div>\n

The Windows Security Protection History page (windowsdefender:\/\/fullhistory\/<\/a>) shows the list of threats detected on the computer and each threat has a corresponding “Actions” button.<\/p>\n

The Protection History page also lists the items blocked by Controlled Folder Access, Attack Surface Reduction Rules, and the threats detected during the Windows Defender Offline scan.<\/p>\n

\"defender<\/p>\n

We’ll see how to clear the protection history in Windows Security on Windows 10 and 11.<\/p>\n

Resolution<\/h2>\n

To prevent Microsoft Defender Antivirus from warning you about remediated threats, reset the Protection history. Use one of the following methods:<\/p>\n

Option 1: Delete the Defender protection history folder<\/h3>\n

Delete the Windows Defender Protection History information by following these steps:<\/p>\n

    \n
  1. Start Windows in Safe mode<\/strong>. See How to Start Windows 10 or 11 in Safe Mode<\/a> for more information.<\/li>\n
  2. Right-click Start, and click Run.<\/li>\n
  3. Copy the following folder path and paste it into the Run box, and click OK.\n
    C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\DetectionHistory<\/pre>\n
    It’s better to paste the above path in Explorer’s address bar or the Run dialog to access the folder directly rather than navigating to it manually, in case it’s a hidden folder. Alternatively, you can open the folder by pasting the path in Explorer address bar and pressing Enter<\/strong>.<\/em>
    \n\"detectionhistory\n<\/li>\n
  4. Delete the entire contents of the DetectionHistory<\/strong> folder. Each subfolder contains details about a past threat.\n
    \"detectionhistory<\/p>\n
    Note:<\/strong> If you can’t delete the “DetectionHistory” folder due to the “Access denied” error, ensure you’ve booted into Safe mode<\/strong>. You should be able to delete the folder via Safe mode.<\/em>\n<\/li>\n
  5. Restart Windows.<\/li>\n<\/ol>\n
    The repeat notifications for the previously detected and remediated threats won\u2019t show up again.<\/p>\n
    Windows Defender’s Protection History page should now be empty.<\/p>\n
    \"windows<\/p>\n
    \n
    Option 2: Configure Defender to Automatically Clear the History<\/h3>\n
    To make Windows Defender automatically clear the Protection history on a daily basis, or after a certain number of days, use the following PowerShell command.<\/p>\n
      \n
    1. Open PowerShell as administrator.<\/li>\n
    2. Run the following command and press Enter<\/kbd>:\n
      Set-MpPreference -ScanPurgeItemsAfterDelay 1<\/pre>\n
      In the above example, 1<\/code> is the number of days after which the protection log and items in the log folder will be cleared automatically.<\/em><\/em><\/p>\n
      \n
      The ScanPurgeItemsAfterDelay<\/code> setting specifies the number of days to keep items in the scan history folder. After this time, Windows Defender removes the items. If you specify a value of zero, Windows Defender does not remove items. If you do not specify a value, Windows Defender removes items from the scan history folder after the default length of time, which is 30 days.<\/p>\n
      If Microsoft fixes the repeated detection issue later on, and you wish to revert the setting to the Windows Defender default setting, run:<\/p>\n
      Set-MpPreference -ScanPurgeItemsAfterDelay 15<\/pre>\n
      To view the current ScanPurgeItemsAfterDelay<\/code> setting, run the following command in PowerShell.<\/p>\n
      (Get-MpPreference).ScanPurgeItemsAfterDelay<\/pre>\n<\/div>\n<\/li>\n
    3. Close PowerShell.<\/li>\n<\/ol>\n
      \n
      Option 3: Add the Protection History folder to exclusions<\/h3>\n
      Another way to stop Windows Defender’s repeated alerts on the same threat is to add the Windows Defender’s protection history folder to the list of excluded folders.<\/p>\n
        \n
      1. Open Windows Defender Security settings.<\/li>\n
      2. Click Virus & Threat Protection<\/strong>.<\/li>\n
      3. Click Manage settings<\/strong>.<\/li>\n
      4. Scroll down to Exclusions<\/strong>.<\/li>\n
      5. Select Add or remove exclusions<\/strong><\/li>\n
      6. Select Add an exclusion<\/strong>. Choose Folder<\/strong>.<\/li>\n
      7. In the browse dialog box, enter the following folder:\n
        C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History<\/pre>\n<\/li>\n
      8. Click Select Folder<\/strong>.<\/li>\n<\/ol>\n
        Windows Defender should no longer scan the protection history folder and thereby would stop the repeat alerts.<\/p>\n","protected":false},"excerpt":{"rendered":"
        On some Windows 10 and 11 computers, Microsoft Defender Antivirus may repeatedly warn about the same threat, although you’ve taken the necessary action (remediated) on that threat. When you click “Start actions” after choosing “Remove”, nothing happens. Windows Defender would keep showing that non-existent threat.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,869],"tags":[396,661],"class_list":["post-17887","post","type-post","status-publish","format-standard","hentry","category-windows-10","category-windows-11","tag-powershell","tag-windows-defender"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":3689,"url":"https:\/\/www.winhelponline.com\/blog\/start-windows-defender-offline-scan\/","url_meta":{"origin":17887,"position":0},"title":"How to Start Microsoft Defender Offline Scan in Windows 10\/11","author":"Ramesh","date":"August 4, 2016","format":false,"excerpt":"Malware is more complex today than it was many years ago. It operates at the filter driver, service, or rootkit level, and eliminating it is tough. Sometimes, you need to boot to the Windows RE environment and then delete the core malware files and services added to your Windows installation.\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"Microsoft Defender Offline scan - Virus and threat protection - Windows Security","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":5125,"url":"https:\/\/www.winhelponline.com\/blog\/windows-defender-disabled-real-time-protection-virus\/","url_meta":{"origin":17887,"position":1},"title":"Microsoft Defender: “Managed by your administrator” or “Your IT administrator has limited access”","author":"Ramesh","date":"January 23, 2017","format":false,"excerpt":"In the aftermath of a malware attack, the Windows Defender Security settings page may show the message Some settings are managed by your organization\u00a0or This setting is managed by your administrator. The real-time protection and cloud-based protection options may remain disabled or grayed out. Here is what the Windows Defender\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"Microsoft Defender Antivirus group policy settings","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":6620,"url":"https:\/\/www.winhelponline.com\/blog\/set-up-onedrive-yellow-exclamation-defender-security-center\/","url_meta":{"origin":17887,"position":2},"title":"[Fix] Windows Defender Yellow Exclamation Icon and “Set up OneDrive” Warning","author":"Ramesh","date":"September 20, 2018","format":false,"excerpt":"The Windows 10 action center may show a prompt with a black exclamation inside a yellow triangle icon in the Notification area. When you click on that, it opens Windows Defender Security Center.\u00a0In the Windows Defender Security Center, underneath the \"Virus & threat protection\" icon the exclamation mark inside a\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"windows defender set up onedrive - yellow exclamation warning","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2018\/09\/defender-set-up-onedrive-yellow-exclamation.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2018\/09\/defender-set-up-onedrive-yellow-exclamation.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2018\/09\/defender-set-up-onedrive-yellow-exclamation.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2018\/09\/defender-set-up-onedrive-yellow-exclamation.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":5966,"url":"https:\/\/www.winhelponline.com\/blog\/windows-defender-disabled-by-malwarebytes-antivirus-protection\/","url_meta":{"origin":17887,"position":3},"title":"Fix: Malwarebytes Disables Defender or 3rd Party Anti-Virus","author":"Ramesh","date":"November 22, 2017","format":false,"excerpt":"After installing Malwarebytes Premium 14-day trial or licensed product, your anti-virus software (e.g., Microsoft Defender Antivirus) may get disabled automatically. In this scenario, when you attempt to start the Microsoft Defender Antivirus Service\u00a0(WinDefend) via the Services console, it shows the following error, and the service wouldn't start. The Windows Defender\u2026","rel":"","context":"In "Utilities"","block_context":{"text":"Utilities","link":"https:\/\/www.winhelponline.com\/blog\/category\/utilities\/"},"img":{"alt_text":"malwarebytes security center register","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/mbam-register-wsc-off.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/mbam-register-wsc-off.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/mbam-register-wsc-off.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/11\/mbam-register-wsc-off.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":29754,"url":"https:\/\/www.winhelponline.com\/blog\/defender-advanced-threat-protection-mssense-exe-crashes\/","url_meta":{"origin":17887,"position":4},"title":"MSSense.exe Crashes: Windows Defender Advanced Threat Protection Service Executable","author":"Ramesh","date":"November 11, 2022","format":false,"excerpt":"Many Windows 10\/11 Pro and Server 2012 R2 systems are encountering repeated mssense.exe crashes. It's the service executable for the Windows Defender Advanced Threat Protection Service (\"Sense\"), found on Pro and higher editions. When mssense.exe crashes, WerFaultSecure.exe creates a report and a crash dump every time. This can happen every\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"defender atp crash (sense - mssense.exe)","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/11\/defender-atp-sense-crashes-msinfo32.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/11\/defender-atp-sense-crashes-msinfo32.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/11\/defender-atp-sense-crashes-msinfo32.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/11\/defender-atp-sense-crashes-msinfo32.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":45734,"url":"https:\/\/www.winhelponline.com\/blog\/defender-accidentally-allowed-a-threat\/","url_meta":{"origin":17887,"position":5},"title":"Accidentally Allowed a Threat in Windows Defender. What to do now?","author":"Ramesh","date":"May 13, 2023","format":false,"excerpt":"When Microsoft Defender Antivirus finds a virus, it asks you what action to take on the threat. The options are \"Remove\", \"Quarantine\", and \"Allow on device\". You may wonder: What happens if you've accidentally clicked \"Allow\" instead of \"Remove\"? What happens to the \"allowed\" threat? Will Microsoft Defender Antivirus redetect\u2026","rel":"","context":"In "Windows 10"","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"Defender Allowed Threats reset","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2023\/05\/defender-allowed-threats-clear-1.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/17887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=17887"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/17887\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=17887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=17887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=17887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}