
Windows Defender: Does it delete files with no chance to recover them?


6 replies to this topic

#1 NotoriousEXE


Posted 25 April 2025 - 10:26 AM

Defender on Windows 10

 

I have never been clear about this and I am currently in freak out mode.

 

Yesterday I was going through some old drives and backing some things up.  I FORGOT to turn off Defender as I usually do when I am dealing with files that I don't want to lose.

 

The reason I turn it off is because I always thought that Defender sometimes simply DELETES files without even "quarantining" them and giving you a chance to recover them.

 

I have never been clear on this.  Is this correct?  It deletes files it identifies as a threat just like that without even giving you a chance to recover them?

 

What if it is a false positive?!

 

So yesterday when I was going through and backing up some files on old drives I wanted to back up because I was concerned I would lose them, all of a sudden Defender started popping up messages that it didn't like a file (maybe more than one). "Microsoft Defender found threats...Get Details"

 

I immediately shut off the real time protection.  When I clicked on the popup to get details all it did was bring up the "Virus and Threat Protection" page.  So I clicked on "Protection History" and NOTHING is listed!

 

I know that at least one file was deleted.  WTF!

 

Defender deletes files just like that with no way to recover them or even see what was deleted?!!!!! URRRR!!!  This is infuriating!

 

Hoping I can get some clarity on this... thanks.

 

==UPDATE #1==

Apology to Mods for having initially posted this in the wrong place (when your Bleeping computer gets you mad you can't think straight!).  Thanks for correcting it!

 

I am looking at the Defender logs in the Event Viewer and so far have not gotten to the bottom of things.  But I did see one file that it apparently deleted so far from one of the old drives I was going through which fortunately I am not concerned about.

 

What I AM concerned about is that it gave me NO CHANCE to recover the file!  I have always suspected Defender does this but how can that be justified!  It's insane!  What about false positives???!!!  What about letting the file owner decide???!!!

 

==UPDATE #2==

WOW!  Just discovered that the log claims that the action taken was that Defender quarantined the file!  Yet when I looked at the protection history, there was no record of that action.

 

BUT... looked in the hidden folder C:\ProgramData\Microsoft\Windows Defender\Quarantine and sure enough!  There is a file in there with the date and time I noticed a file was deleted while I was working with that old drive.

 

So apparently it did quarantine it, BUT it did not give me access to it through the Defender page.  Very disturbing!

 

As a matter of fact, I found about 4 or 5 files that are in quarantine going back a few years I never even knew about!


Edited by NotoriousEXE, 25 April 2025 - 12:10 PM.
Moved to anti-virus section.



 


#2 midimusicman79


Posted 25 April 2025 - 11:57 AM

There is an article on the 5 Methods: How to Recover Files Deleted by Windows Defender in Windows 10 / 11.

 

Disclaimer: The link above is for informational purposes only, so do NOT download any software from AOMEI MyRecover! :exclame:

 

Good luck! :)


Microsoft Windows 10 Professional 64-bit V. 22H2 (19045) Retail Desktop PC, EAMH Paid/EEK, MB 5 Prem., Unchecky, MDFW, FF with uBO/AG, Grammarly Free, MBBG, Acronis True Image Essentials, RuckZuck, PatchMyPC, UpdateHub, UniGetUI, UCheck, and Winget. I have 30 Years of PC Experience.

#3 NotoriousEXE


Posted 25 April 2025 - 12:17 PM

> There is an article on the 5 Methods: How to Recover Files Deleted by Windows Defender in Windows 10 / 11.
>
> Disclaimer: The link above is for informational purposes only, so do NOT download any software from AOMEI MyRecover! :exclame:
>
> Good luck! :)

Thank you for that.  Good article, but I don't think I will need it as I found the files in Quarantine.  Only problem was that it is not listing the quarantine action in the protection history.  And the quarantined files don't have their original file names.

 

Question about this post.... How can I respond under the quote so this response doesn't look like part of the quote?  When I quote someone I am unable to scroll below the line to the left of this to start this response.

 

Update... the files in Quarantine appear to be encrypted!  So I cannot recover them manually.  However, the one that was deleted that I was worried about appears to be in Quarantine because the encrypted file is almost exactly the same size.  So that must be the one that was deleted and I was not notified about.  Fortunately not worried about that file.


Edited by buddy215, 25 April 2025 - 01:33 PM.


#4 midimusicman79


Posted 25 April 2025 - 01:14 PM

You are welcome, NotoriousEXE! :)
 
With all due respect, when only two members of the Bleeping Computer forum (one helper and one being helped) are discussing, there is NO need to use the Quote and/or the MultiQuote button.
 
However, if you still need to quote something, you can use the Quote button (which looks like a speech bubble) on the toolbar to quote some of the text, such as a specific part of the previous reply.
 
If you do the above, you must highlight and copy the text you would like to quote and paste it into the quote box.
 
Good luck! :)

Edited by midimusicman79, 25 April 2025 - 06:31 PM.


#5 NotoriousEXE


Posted 25 April 2025 - 02:26 PM

Thank you BC Advisor.

 

Even though I came here originally quite a few years ago, I have not spent a lot of time on the site and I'm unfamiliar with the system here.

 

I appreciate your help!  :thumbup2:

 

Oh no!  Just looked and apparently I joined the site almost 20 years ago!  Time flies!  :o


Edited by NotoriousEXE, 25 April 2025 - 02:31 PM.


#6 quietman7


Posted 25 April 2025 - 04:13 PM

> ...What if it is a false positive?

Let me address this more specifically.
 
False positives occur when anti-virus and security programs incorrectly identify (detect) a legitimate file as malicious (a threat). All anti-virus/security software scanning tools are susceptible to false positives (erroneous detections) from time to time, especially if the scanner uses heuristic analysis technology. An anti-virus identifies malware using behavior-based analysis, signature-based scanning, heuristics and/or reputation analysis.
 
Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. This is the primary reason such detections are quarantined instead of removed. If the detected file turns out to be legitimate, then you can restore it and add the file to the exclusion or ignore list.
 
When an anti-virus or security program quarantines a file (item) and moves it into a virus vault (virus chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through proprietary security routines which may copy, rename (usually by adding a .vir extension), encrypt and password protect the file as part of the process. 
 
In simple terms, Quarantine is just an added safety measure which allows you to view and investigate the files while keeping them from harming your computer. One reason for doing this is to prevent the permanent deletion of a legitimate file that may have been incorrectly flagged (a "false positive") and placed in quarantine. This can occur if the scanner uses heuristic analysis technology which is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If the file is confirmed as legitimate, it can be safely restored from quarantine and added to the exclusion or ignore list. 
 
When the quarantined file is known to be malicious, you can permanently delete it at any time by launching the program which removed it, going to the Quarantine tab, and choosing the option to delete. In most cases, uninstalling the security program will also remove the quarantine and all other related folders.

You may want to read and keep this link...Microsoft Antivirus and antimalware software: FAQ


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

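
One way to check what Defender detected, what action it recorded, and what is currently held in quarantine when Protection History shows nothing, as discussed in this thread. This is an added example, not part of any post above; it assumes an elevated PowerShell prompt on Windows 10/11 with the built-in Defender module and MpCmdRun.exe at its default location, and the angle-bracket values in the commented restore line are placeholders.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$log = 'Microsoft-Windows-Windows Defender/Operational'

# Event 1116 = threat detected, 1117 = action taken on a detected threat.
# These are the same records shown in Event Viewer under
# Applications and Services Logs > Microsoft > Windows > Windows Defender.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1116, 1117 } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the named EventData fields into a lookup table.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Threat = $data['Threat Name']
        Action = $data['Action Name']   # e.g. Quarantine, Remove, Allow
        Path   = $data['Path']          # original location of the file
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap

# Defender's own detection history, with threat IDs resolved to names.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Select-Object InitialDetectionTime,
                  @{ n = 'Threat'; e = { $names[$_.ThreatID] } },
                  ActionSuccess,
                  Resources |
    Sort-Object InitialDetectionTime |
    Format-List

# List every item currently held in quarantine. The files under
# C:\ProgramData\Microsoft\Windows Defender\Quarantine are stored in
# Defender's own format, so this listing is how the original names are shown.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll

# To restore a confirmed false positive, uncomment and fill in the
# placeholders with a threat name and file path from the listing above:
# & $mpcmd -Restore -Name '<ThreatName>' -FilePath '<OriginalFilePath>'
```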


#7 midimusicman79


Posted 25 April 2025 - 06:36 PM

You are welcome, NotoriousEXE! :)



