
MpCmdRun.exe running, but I use a different antivirus, why?


30 replies to this topic

#16 Aura (Malware Response Team)

Posted 05 October 2015 - 04:46 PM

It's legitimate. It's a periodic clean-up task from Windows Defender.

http://www.herdprotect.com/mpcmdrun.exe-cbb6623059cc31c6160b59a7a9955630721b4192.aspx

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.




#17 quietman7 (Global Moderator)

Posted 05 October 2015 - 05:47 PM

MpCmdRun.exe...Microsoft Malware Protection Command Line Utility
Run (and Automate) Windows Defender from the Command Line
Example command: MpCmdRun -Scan -ScanType 3

MpCmdRun has the following commands:
-Scan
-Trace
-GetFiles
-RemoveDefinitions
-SignatureUpdate
-Restore
-AddDynamicSignature
-ListAllDynamicSignature
-RemoveDynamicSignature
-EnableIntegrityService
-SubmitSample
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#18 rp88 (Topic Starter)

Posted 06 October 2015 - 12:22 PM

It's still running as of logging on today. I'm running a scan of my whole computer now with avast (the antivirus I run), then I'll do another with mbam, see if either of them detects anything wrong that might be causing this strange running of MpCmdRun.exe.

The thing I am finding so odd is that this MpCmdRun process is running despite me not using windows defender as my antivirus/antispyware, certainly if I try to go to windows defender in the control panel it doesn't open, giving me a message about how it is disabled because I have another antivirus.

P.S. quietman post #17, it might just be me but your link to a microsoft page about defender doesn't seem to work. The other links work fine. The command under which it is running on my machine is not one of those on your list, see my last post on page 1 of this thread.

Edited by rp88, 06 October 2015 - 12:23 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#19 Aura (Malware Response Team)

Posted 06 October 2015 - 12:28 PM

If you want to investigate more, you can give this thread a read.

https://answers.microsoft.com/en-us/windows/forum/windows_8-performance/can-one-prevent-antimalware-executable-to-start/14d43f26-c682-4b3d-80b6-59ae754b8649?auth=1



#20 rp88 (Topic Starter)

Posted 06 October 2015 - 12:40 PM

I think that thread is by someone who uses defender as their antivirus, not someone who is seeing it running despite their use of a different antivirus (like I am). Also it isn't "hogging" my cpu, it's not using much resources at all, it's just strange to see it. I've run that avast scan, avast says I'm fine. Mbam is about to finish scanning, I'll see what it says.

Edited by rp88, 06 October 2015 - 12:41 PM.


#21 Aura (Malware Response Team)

Posted 06 October 2015 - 12:47 PM

Take a look at this:

Task Scheduler Library => Microsoft => Microsoft Antimalware: 1 task:
Microsoft Antimalware Scheduled Scan
c:\Program Files\Microsoft Security Client\MpCmdRun.exe Scan -ScheduleJob -RestrictPrivileges

Task Scheduler Library => Microsoft => Windows => Windows Defender: 4 tasks:
Windows Defender Cache Maintenance
%ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance
Windows Defender Cleanup
%ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup
Windows Defender Scheduled Scan
%ProgramFiles%\Windows Defender\MpCmdRun.exe Scan -ScheduleJob
Windows Defender Verification
%ProgramFiles%\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification

Task Scheduler Library => Microsoft => Windows Defender: 2 tasks:
MP Scheduled Scan
c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob -WinTask -RestrictPrivilegesScan
MpIdleTask
c:\program files\windows defender\MpCmdRun.exe -IdleTask -TaskName MpIdleTask

See if you can find these tasks.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
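
The check suggested in post #21, as an added PowerShell example (not part of the thread and not Microsoft's own tooling): it lists every scheduled task that launches MpCmdRun.exe and any MpCmdRun.exe process currently running, and reports the binary's location and Authenticode status. The function name `Test-MpCmdRunBinary` is hypothetical, and treating only the two directories from the listing above as expected is an assumption of this example.

```powershell
# Added example, not from the thread. Run elevated on Windows 8 / Server 2012+.
# Assumption: the expected install directories are the two in post #21's listing.
$expectedDirs = @(
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:ProgramFiles 'Microsoft Security Client')
)

function Test-MpCmdRunBinary([string]$Path) {
    # Task actions may contain %ProgramFiles%-style variables and quotes.
    $full = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    $sig  = if ($full -and (Test-Path -LiteralPath $full)) {
        Get-AuthenticodeSignature -FilePath $full
    }
    [pscustomobject]@{
        Path        = $full
        ExpectedDir = [bool]$full -and ($expectedDirs -contains (Split-Path -Parent $full))
        SigStatus   = if ($sig) { "$($sig.Status)" } else { 'FileNotFound' }
    }
}

# Every scheduled task whose action launches MpCmdRun.exe.
$taskReport = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -notmatch 'MpCmdRun\.exe') { continue }
        $info = $task | Get-ScheduledTaskInfo
        $bin  = Test-MpCmdRunBinary $action.Execute
        [pscustomobject]@{
            Task        = $task.TaskPath + $task.TaskName
            Arguments   = $action.Arguments
            LastRun     = $info.LastRunTime
            LastResult  = '0x{0:X}' -f $info.LastTaskResult
            Path        = $bin.Path
            ExpectedDir = $bin.ExpectedDir
            SigStatus   = $bin.SigStatus
        }
    }
}

# Any MpCmdRun.exe running right now, with its command line and parent.
$procReport = Get-CimInstance Win32_Process -Filter "Name = 'MpCmdRun.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $bin    = Test-MpCmdRunBinary $_.ExecutablePath
    [pscustomobject]@{
        ProcessId = $_.ProcessId; CommandLine = $_.CommandLine; Parent = $parent.Name
        Path = $bin.Path; ExpectedDir = $bin.ExpectedDir; SigStatus = $bin.SigStatus
    }
}

$taskReport | Format-List
$procReport | Format-List
```

A row with ExpectedDir = False or a SigStatus other than Valid is a prompt for a closer look at that file, not proof of tampering.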


#22 rp88 (Topic Starter)

Posted 06 October 2015 - 12:53 PM

I can certainly find some of those in task scheduler. The funny thing is that all the ones in that middle list, those 4 tasks, claim they ran on the 4th of this month and that they were terminated by me before they could complete (perhaps I logged off at the time they wanted to run or something).

#23 rp88 (Topic Starter)

Posted 06 October 2015 - 12:56 PM

mbam has just finished, it finds no infections.

#24 rp88 (Topic Starter)

Posted 06 October 2015 - 01:20 PM

I've got to do a bit of online shopping soon so I would like to at least know this isn't a strange effect caused by a virus, I still find it odd that this should run despite the fact I don't use windows defender as my av.

#25 Aura (Malware Response Team)

Posted 06 October 2015 - 01:50 PM

If you can find them in the Task Scheduler, it means that they'll run. Like I said, I wouldn't worry about it. This doesn't look like an infection at all to me, what infection would launch a clean-up task by Windows Defender?



#26 quietman7 (Global Moderator)

Posted 06 October 2015 - 06:33 PM

rp88 said: "P.S. quietman post #17, it might just be me but your link to a microsoft page about defender doesn't seem to work."

The link has been fixed...it's just more info how that file works.

Since MpCmdRun.exe is a legit file as already noted by Aura, none of your scans should detect it as malicious. Your issue appears to be just a matter of pinpointing the reason for it running.

#27 rp88 (Topic Starter)

Posted 07 October 2015 - 10:25 AM

It isn't running today, I did a full restart late last night rather than merely switching off (we know how windows 8/8.1 doesn't always go ENTIRELY off when you simply shut down). I've logged on today and the process is no longer running. In task scheduler its entry now says that the most recent run of it was on the 6th at 21:02 (uk time) and that it finished successfully with a result of (0x2). I guess the issue must be something along the lines of when it was started by the startup task it just didn't want to stop, but after the restart it had stopped and seems to be back to normal.


Thanks for your help

Edited by rp88, 07 October 2015 - 10:25 AM.


#28 Aura (Malware Response Team)

Posted 07 October 2015 - 10:26 AM

rp88 said: "(we know how windows 8/8.1 doesn't always go ENTIRELY off when you simply shut down)"

Not aware of that. When you shut down your computer, it shuts down.

And no problem, you're welcome!



#29 RolandJS

Posted 07 October 2015 - 10:57 AM

If I understand LanWakeups, If a lan-card wakes up, it also wakes up Windows enough to do what it was scheduled to do, correct?


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#30 rp88 (Topic Starter)

Posted 07 October 2015 - 11:31 AM

Post #28, I meant fast startup and things like that. It is disabled on one of my machines but on the machine on which this occurred I don't remember whether it is enabled or not.

Edited by rp88, 07 October 2015 - 11:31 AM.




