
Microsoft Defender Enable for platform updates not needed? #21


g-k-m opened this issue Apr 17, 2025 · 6 comments

@g-k-m

g-k-m commented Apr 17, 2025

Image

Today I noticed this update when I checked for updates, and I've fully disabled Microsoft Defender using your bat: disabled tamper protection and real-time AV protection, ran it twice as admin, restarted, ran it twice as admin, restarted. And despite that I was able to get platform updates. I don't know how or why. So maybe you don't actually have to run the enable bat to get them? Also, on a side note, usosvc can be changed to manual since it starts itself anyway when you check for updates, and you probably don't want to automatically install updates as an advanced user; there's just no reason for it to run in the background.

g-k-m changed the title "Microsoft Defender Enable for platorm updates not needed?" to "Microsoft Defender Enable for platform updates not needed?" Apr 17, 2025
@TairikuOokami
Owner

TairikuOokami commented Apr 17, 2025

Windows Security Platform does not update Defender, but System Guard and Exploit Protection.
You can disable it via Services/drivers, but it can result in a BSOD, since it is a core feature.

@g-k-m
Author

g-k-m commented Apr 18, 2025

So does this mean we don't have to use the enable defender.bat once a month for security platform updates?

@TairikuOokami
Owner

TairikuOokami commented Apr 18, 2025

MS complicates everything. There are 2, but both are sort of interconnected:

Microsoft Defender Antivirus Platform and Windows Security Platform SecHealthUI

I got Security Platform update 1000.27777.0.1008, but my Defender Platform is still from March.

Image

I had to enable Defender to get it updated.

Image

@g-k-m
Author

g-k-m commented Apr 19, 2025

https://catalog.update.microsoft.com/Search.aspx?q=defender%20platform

Seems like you can just download the update from here, though it seems to be a bit behind.
The update on my PC is from the 25th of March and says 4.18.25010.11-0.
The catalog has the 9th of April, 4.18.25030.2.
Yours is the 18th of April, 4.18.25040.1-0.

It appears that each week a new definition update is released and the version is incremented by 10, so next week would be 25050 and so on. Somewhere around the 31st of March / 1st of April was most likely 25020.

IMO, a week behind isn't that bad at all. However, when I run updateplatform.amd64fre_fb6d4e5152d96c81a46effcc6eb063b438b67650.exe, which I assume is the 64-bit version (x86 the 32-bit version and arm64 the ARM version), it runs for about 2 seconds and closes. Clearly, something responsible has been disabled, as my platform folder is not modified at all. However, if all the definition update does is update the platform files, those could easily be uploaded by someone (maybe they already are) to download for people who have Defender disabled. I'd have to make a complete copy of my C:\ disk before and after the definition update and then compare it with something like WinMerge to see if any files other than the ones in the platform folder are changed, by comparing SHA-256 values. Although it's not guaranteed that platform folder files on two different PCs will be the same even if from the same definition update; who knows, maybe Microsoft applies different stuff for different systems.

Also, one could use some kind of program that checks what processes access a certain folder, to check which Windows process is actually using this platform folder (if any at all); this way we will know exactly what the platform files are used for. But I'm not sure which program can do that.
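The before/after comparison sketched in the comment above can be done without imaging the whole disk: hash every file under the platform folder, record the versions Defender reports alongside it, and diff two such snapshots. The following PowerShell is an added example written for this page; it is not code from the repository or from anyone in the thread. It assumes an elevated session, the built-in Defender module (Get-MpComputerStatus), and the default platform location under C:\ProgramData\Microsoft\Windows Defender\Platform; the function names are made up for the example.

```powershell
# Added example (not from the repository or the thread): snapshot the Defender
# platform folder's file hashes together with the versions Defender reports, so
# two snapshots (before/after an update) can be diffed without imaging the disk.
# Assumptions: elevated session; Get-MpComputerStatus is available (it is on any
# stock Windows 10/11 image); $PlatformRoot is the default install location.

function Get-DefenderSnapshot {
    param(
        [string]$PlatformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
    )
    # When Defender is fully disabled this cmdlet can fail; tolerate that and
    # record $null versions rather than aborting the snapshot.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue

    $files = Get-ChildItem -Path $PlatformRoot -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Length = $_.Length
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }

    [pscustomobject]@{
        Taken            = (Get-Date).ToString('o')
        PlatformVersion  = $status.AMProductVersion          # e.g. 4.18.25030.2
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        # Each platform update lands in its own versioned subfolder.
        PlatformFolders  = @(Get-ChildItem -Path $PlatformRoot -Directory -ErrorAction SilentlyContinue |
                             Select-Object -ExpandProperty Name)
        Files            = @($files)
    }
}

function Compare-DefenderSnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    $b = @{}; foreach ($f in $Before.Files) { $b[$f.Path] = $f.Sha256 }
    $a = @{}; foreach ($f in $After.Files)  { $a[$f.Path] = $f.Sha256 }

    $allPaths = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
    $changes = foreach ($p in $allPaths) {
        if (-not $b.ContainsKey($p))     { [pscustomobject]@{ Change = 'Added';    Path = $p } }
        elseif (-not $a.ContainsKey($p)) { [pscustomobject]@{ Change = 'Removed';  Path = $p } }
        elseif ($a[$p] -ne $b[$p])       { [pscustomobject]@{ Change = 'Modified'; Path = $p } }
    }

    [pscustomobject]@{
        PlatformVersion = "$($Before.PlatformVersion) -> $($After.PlatformVersion)"
        EngineVersion   = "$($Before.EngineVersion) -> $($After.EngineVersion)"
        NewFolders      = @($After.PlatformFolders | Where-Object { $_ -notin $Before.PlatformFolders })
        Changes         = @($changes)
    }
}

# Usage: take one snapshot, install the platform package (Windows Update or the
# catalog's updateplatform.exe), take a second one, and diff them. Snapshots
# survive a ConvertTo-Json/ConvertFrom-Json round trip, so they can be kept on disk.
# $before = Get-DefenderSnapshot; $before | ConvertTo-Json -Depth 4 | Set-Content before.json
# ... install the update ...
# $after = Get-DefenderSnapshot
# Compare-DefenderSnapshot -Before $before -After $after | Format-List
```

Because the snapshot covers only the platform folder, it answers the narrower question (does the installer touch anything there at all) rather than the whole-disk one; widen `-PlatformRoot` to the parent `Windows Defender` folder if you also want to see definition and engine files move. An empty `Changes` list after running the catalog package, combined with the versions not moving, is exactly the "runs for two seconds and exits" symptom described above.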

@g-k-m
Author

g-k-m commented Apr 19, 2025

OK, so I used procmon64 with boot-time logging, default filters plus an include filter on Path "C:\ProgramData\Microsoft\Windows Defender", which is where the platform folder is, plus the definition updates folder and other stuff. I then used boot logging (generate thread profiling events unchecked) to capture all processes that access that path even before Procmon is launched. The resulting .pml file was 3.7 million events, but only 12 match the filter, i.e. only 12 events of any process accessing the folder, all of which are my firewall.

Image

Which means no Windows process or any other process accessed this folder at all, suggesting it's useless. But ChatGPT told me that the Procmon application runs in user mode, so a kernel driver or kernel process could access the folder without Procmon noticing. However, then it told me its driver ProcmonXX.sys operates in kernel mode. It then said:

However, there are still some scenarios where access might not be logged:

Kernel Drivers Bypassing APIs: If a kernel driver accesses the folder in a way that doesn't involve the file system APIs (e.g., raw disk operations), it won't be logged by ProcMon.

Too Early in Boot Sequence: If the access occurred during an extremely early stage of boot—before ProcMon's boot logging feature fully initialized—it might not be captured.

Hidden or Protected Activity: Some malicious or advanced software may employ obfuscation techniques to hide their activity, potentially avoiding detection.

If you still suspect that activity might have occurred outside ProcMon's scope, you could consider enabling file system auditing through Windows, or using deeper tools like WinDbg or ETW, to monitor at a kernel level. Let me know if you'd like details on how to do that!

I won't have anywhere near enough free time in the next month or so to be debugging with such tools, but maybe in the future.

It then said:

Windows Security Platform Updates:

Updates for features like System Guard or Exploit Protection are often delivered through Windows Update as part of broader Windows Security Platform Updates. These updates are separate from Defender-specific updates and should still be applied even if Defender is disabled.

and then said:

That's correct—the Defender platform and definition updates are specifically focused on Microsoft Defender Antivirus functionality. They include updates for:

Malware detection rules (definition updates).

Improvements to the Defender engine itself (platform updates).

These updates do not apply to independent features like System Guard or Exploit Protection, which continue to work even if Defender is disabled. Features like these are part of Windows' broader security infrastructure and are typically updated through Windows Update in the form of cumulative updates or separate security patches.

So, you can safely disable Defender without worrying about losing updates for System Guard, Exploit Protection, or other security mechanisms that aren't tied directly to the antivirus functionality. As long as Windows Update is enabled, you'll still receive relevant updates for these features.

Let me know if you'd like further details about how these security features interact with Windows updates!

So it doesn't seem like Defender platform updates are actually needed; it seems like the Windows Security Platform updates are the important ones.
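The quoted reply suggests "enabling file system auditing through Windows" as a second, Procmon-independent way to find out which processes open the Defender data folder. The following PowerShell is an added example written for this page, not code from the repository or from anyone in the thread. It puts an audit entry (SACL) on the folder, turns on the Object Access > File System audit subcategory so that those entries actually generate Security log event 4663, and then summarises the resulting events per process. It assumes an elevated session (reading and writing a SACL needs SeSecurityPrivilege) and that tamper protection is already off, as it is in the setup described in the thread; the function names and the `$Target` variable are made up for the example.

```powershell
# Added example (not from the repository or the thread): use Windows' own
# object-access auditing to record which processes open files under the
# Defender data folder. Unlike a Procmon session, the records go to the
# Security event log and persist across reboots.
# Assumptions: elevated session; tamper protection off; $Target is the folder
# discussed in the thread.

$Target = 'C:\ProgramData\Microsoft\Windows Defender'

function Enable-FolderAccessAudit {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Enable the "File System" subcategory of Object Access auditing.
    #    Without this policy setting a SACL on the folder produces no events.
    #    On a non-English Windows the English name is not recognised; use the
    #    subcategory GUID instead: /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030}
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # 2. Add a SACL entry: audit successful read/write/execute opens by anyone,
    #    inherited by every file and subfolder below $Path.
    $acl = Get-Acl -Path $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
              [System.Security.AccessControl.FileSystemRights]::WriteData -bor
              [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccessReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 4663 = "An attempt was made to access an object" (success audits).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                           -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($d['ObjectName'] -like "$Path*") {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Process    = $d['ProcessName']
                ProcessId  = [int]$d['ProcessId']       # logged as hex, e.g. 0x1a4
                Subject    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object     = $d['ObjectName']
                AccessMask = $d['AccessMask']
            }
        }
    }

    # One line per process image: how many audited opens, on how many distinct paths.
    $rows | Group-Object Process | ForEach-Object {
        [pscustomobject]@{
            Process  = $_.Name
            Accesses = $_.Count
            Objects  = @($_.Group.Object | Sort-Object -Unique).Count
            Subjects = (@($_.Group.Subject | Sort-Object -Unique) -join ', ')
        }
    } | Sort-Object Accesses -Descending
}

# Usage:
# Enable-FolderAccessAudit -Path $Target      # then reboot so boot-time opens are recorded
# Get-FolderAccessReport -Path $Target | Format-Table -AutoSize
```

Auditing is applied at handle-open time in the security reference monitor, so, like Procmon's filter driver, it does not see I/O that bypasses the file system (raw volume reads), and it records opens rather than every read or write. It does have two properties Procmon lacks for this question: the events are kept in the Security log across reboots, and nothing user-mode has to be running for them to be generated. Remove the audit rule and disable the subcategory again afterwards; an inherited SACL on a busy folder fills the Security log quickly.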

@TairikuOokami
Owner

Needed, no; recommended, yes. For example, LSA seems to be affected by Defender updates.
https://www.bleepingcomputer.com/news/microsoft/microsoft-removes-lsa-protection-from-windows-settings-to-fix-bug/
