Event ID 3006 — Real-Time Protection Spyware Removal

Applies To: Windows Server 2008 R2

Windows Defender uses Real-Time Protection to examine auto-start extensibility points (ASEPs). If a change to one of these ASEPs is detected, Windows Defender will alert you. By default, Windows Defender monitors the following ASEPs: applications that are configured to automatically start when the computer starts up, system configuration settings, Internet Explorer Add-ons, Internet Explorer configuration settings, installed services, installed drivers, application registration, and Windows Add-ons.

When Windows Defender raises an alert, it takes the action specified in the definition that detected the spyware or other potentially unwanted software. If Windows Defender incorrectly identified legitimate software, you can allow it to run on the computer. If Windows Defender detected spyware or other potentially unwanted software, you should remove it.

Event Details

Product: Windows Operating System
ID: 3006
Source: Microsoft-Windows-Windows Defender
Version: 6.1
Symbolic Name: MALWAREPROTECTION_RTP_MALWARE_ACTION_FAILED
Message: %1 Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.
For more information please see the following:
%15
%tScan ID:%b%3
%tUser:%b%8\%9
%tName:%b%11
%tID:%b%12
%tSeverity ID:%b%13
%tCategory ID:%b%14
%tPath:%b%16
%tAlert Type:%b%18
%tAction:%b%20
%tError Code:%b%21
%tError description:%b%22

Resolve

Fix issues with removing spyware or other potentially unwanted software

To determine how to fix this error condition, examine the error code reported in the event message text.

The event message can report the following error codes:

  • ERR_MP_BAD_INPUT_DATA (0x8050800C)
  • ERR_MP_FULL_SCAN_REQUIRED (0x80508024)
  • ERR_MP_MANUAL_STEPS_REQUIRED (0x80508025)
  • ERR_MP_NO_MEMORY (0x80508007)
  • ERR_MP_NOT_FOUND (0x80508019)
  • ERR_MP_REMOVE_LOW_MEDIUM_DISABLED (0x80508027)
  • ERR_MP_REMOVE_NOT_SUPPORTED (0x80508026)

ERR_MP_BAD_INPUT_DATA (0x8050800C)

This error code indicates that an internal error has occurred. You should restart your computer.

ERR_MP_FULL_SCAN_REQUIRED (0x80508024)

This error code indicates that a Windows Defender full scan is required.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To run a full scan by using Windows Defender:

  1. Click Start, point to All Programs, and then click Windows Defender.
  2. Click the down arrow next to Scan, and then click Full Scan.
  3. Ensure that the full scan completed successfully.

ERR_MP_MANUAL_STEPS_REQUIRED (0x80508025)

This error code indicates that additional steps are required to completely remove the spyware or other potentially unwanted software that was detected on your computer. For more information about additional steps, see the Microsoft Malware Protection Center (https://go.microsoft.com/fwlink/?LinkId=99353), and search the encyclopedia for the name of the spyware or other potentially unwanted software.

ERR_MP_NO_MEMORY (0x80508007)

This error code indicates that your computer is low on resources. You should free up some memory on your computer.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To free up memory on your computer:

  1. Right-click the taskbar, and then click Task Manager.
  2. Click the Applications tab and make sure that the status of all tasks is Running. If any tasks have the status Not responding, you can end the task by clicking End Task.
  3. Click the Processes tab.
  4. Click Memory and investigate processes that are using a lot of memory.
  5. If there are no tasks with the status of Not responding or processes that are using a lot of memory, you should restart the computer to free up memory.

ERR_MP_NOT_FOUND (0x80508019)

This error code indicates that a file or location included in the scan does not exist. This may happen if you try to quarantine spyware or other potentially unwanted software that no longer exists on the computer. You should run a full scan by using Windows Defender to ensure that you are using the latest scan results.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To run a full scan by using Windows Defender:

  1. Click Start, point to All Programs, and then click Windows Defender.
  2. Click the down arrow next to Scan, and then click Full Scan.
  3. Ensure that the full scan completed successfully.

ERR_MP_REMOVE_LOW_MEDIUM_DISABLED (0x80508027)

Windows Defender requires a genuine copy of Windows. Windows Defender will validate that your copy of Windows is genuine before installation. Furthermore, Windows Defender will remove only Severe threats for computers running copies of Windows that are not genuine. Low, Medium, and High threats will be detected but not removed unless your copy of Windows is genuine.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To ensure that your computer is genuine:

  1. Click Start, and then click Internet.
  2. Type https://go.microsoft.com/fwlink/?LinkId=99354 in the address bar, and then press ENTER.
  3. Click Validate Windows.

ERR_MP_REMOVE_NOT_SUPPORTED (0x80508026)

During a scan, Windows Defender detected spyware or other potentially unwanted software contained within a file archive, such as a .zip file. You should identify whether or not the file is spyware or other potentially unwanted software and remove it from the archive manually.
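
The following PowerShell is an added example, not part of the original Microsoft article: it extracts the labelled fields from a rendered Event ID 3006 message and returns the resolution step that the sections above give for the reported error code. The function name Get-Defender3006Triage and the sample message are hypothetical, and the script assumes the error code is rendered as a 0x-prefixed hexadecimal value on its own "Error Code:" line.

```powershell
# Added example, not Microsoft's code. Guidance strings summarize this page.
$Guidance = @{
    '0x8050800C' = 'ERR_MP_BAD_INPUT_DATA: internal error; restart the computer.'
    '0x80508024' = 'ERR_MP_FULL_SCAN_REQUIRED: run a Windows Defender full scan.'
    '0x80508025' = 'ERR_MP_MANUAL_STEPS_REQUIRED: look up the threat name for extra removal steps.'
    '0x80508007' = 'ERR_MP_NO_MEMORY: free up memory, or restart the computer.'
    '0x80508019' = 'ERR_MP_NOT_FOUND: item no longer exists; run a full scan to refresh results.'
    '0x80508027' = 'ERR_MP_REMOVE_LOW_MEDIUM_DISABLED: validate that the copy of Windows is genuine.'
    '0x80508026' = 'ERR_MP_REMOVE_NOT_SUPPORTED: item is inside an archive; remove it manually.'
}

# Hypothetical helper: parses one rendered 3006 message and returns a triage record.
function Get-Defender3006Triage {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Message)
    process {
        $field = @{}
        foreach ($label in 'Name', 'Path', 'Action', 'Error Code') {
            # Each field is rendered on its own line as "<label>: <value>".
            if ($Message -match "(?m)^\s*$([regex]::Escape($label)):\s*(.+?)\s*$") {
                $field[$label] = $Matches[1]
            }
        }
        $code = $field['Error Code']
        $next = 'Error code not listed on this page; review the event manually.'
        if ($code -and $Guidance.ContainsKey($code)) { $next = $Guidance[$code] }
        New-Object PSObject -Property @{
            Name = $field['Name']; Path = $field['Path']; Action = $field['Action']
            ErrorCode = $code; NextStep = $next
        }
    }
}

# Constructed sample message (threat name and path are made up for illustration).
$sample = @'
Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.
    Name: Example.Threat
    Path: file:C:\Temp\sample.zip
    Action: Remove
    Error Code: 0x80508026
    Error description: (constructed)
'@
$sample | Get-Defender3006Triage | Format-List Name, Path, Action, ErrorCode, NextStep

# Against live events (assumes the provider name given under Event Details):
# Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Windows Defender'; Id = 3006 } |
#     ForEach-Object { $_.Message } | Get-Defender3006Triage
```

Grouping the returned records by ErrorCode across many hosts shows whether the removal failures share one cause, such as detections inside archives, or need per-host follow-up.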

Verify

When Windows Defender takes an action on spyware or other potentially unwanted software, an entry is created in the Windows Defender History. To verify that the spyware or other potentially unwanted software was successfully removed from your computer, you should verify that an entry was created in the Windows Defender History and that the appropriate action was taken.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To verify that the spyware or other potentially unwanted software was successfully removed:

  1. Click Start, point to All Programs, and then click Windows Defender.
  2. Click History.
  3. Under Programs and Actions, verify that the Action Taken column says Remove.
  4. Verify that the Status column says Succeeded.
  5. Close Windows Defender.

Note: If you clicked Ignore or Always Allow for the action in the Windows Defender alert, the Action Taken column will display either Ignore or Always Allow.
