Windows Defender vuln detection when feature not installed

In more than one Windows Defender related VT, vulnerability reporting is (correctly) skipped when the "WinDefend" service is "Disabled".

However, when the feature is not installed and the service does not even exist, that check fails to exit early and proceeds to reporting. The engine version is stored in the registry (protected from modification) even if no Windows Defender executables are present, and since the registry engine version is the last check, this leads to unwanted reporting.
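To make the failure mode concrete, the following is an added Python model of the decision flow described above; it is not the VTs' own NASL code. The host probes are stubbed with constructed data, `windefend_state` being `None` for an absent service is a modelling assumption, and requiring the executables in the fixed variant is a suggested fix, not something the VTs currently do.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Host:
    """Constructed stand-in for the probes a VT runs against a Windows target."""
    windefend_state: Optional[str]          # "Running", "Disabled", ...; None = service absent
    registry_engine_version: Optional[str]  # survives in the registry even without binaries
    defender_executables_present: bool      # are the Windows Defender executables on disk?


def buggy_should_report(host: Host) -> bool:
    """Decision flow as reported: only an explicit 'Disabled' state exits early."""
    if host.windefend_state == "Disabled":
        return False
    # A missing service falls through to here. The protected registry value
    # is still present after feature removal, so the last check passes...
    if host.registry_engine_version is None:
        return False
    # ...and the VT reports although nothing is installed.
    return True


def fixed_should_report(host: Host) -> bool:
    """Suggested flow: treat an absent service like a disabled one and
    do not trust the registry engine version without the binaries."""
    if host.windefend_state in (None, "Disabled"):
        return False
    if not host.defender_executables_present:
        return False
    return host.registry_engine_version is not None


# Constructed sample hosts; the engine version string is made up for the demo.
SERVER_2019_FEATURE_REMOVED = Host(None, "1.1.0.0", False)
SERVER_WITH_DEFENDER = Host("Running", "1.1.0.0", True)
SERVER_DEFENDER_DISABLED = Host("Disabled", "1.1.0.0", True)
```

Only the fixed flow keeps quiet on the host with the feature removed, while both agree on the installed and disabled cases.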

Affected detections (feed version used: 2025-03-20T05:38:32Z):

  • OID:1.3.6.1.4.1.25623.1.0.818323
  • OID:1.3.6.1.4.1.25623.1.0.818164
  • OID:1.3.6.1.4.1.25623.1.0.826960
  • OID:1.3.6.1.4.1.25623.1.0.815620
  • OID:1.3.6.1.4.1.25623.1.0.832643
  • OID:1.3.6.1.4.1.25623.1.0.816864
  • OID:1.3.6.1.4.1.25623.1.0.817314

Reproduced at least on Windows Server 2019; possibly other OS variants and versions, too.