Event ID 1008 — Microsoft Antimalware Engine Spyware Removal

Applies To: Windows Server 2008 R2

During a Windows Defender scan, the Microsoft Antimalware Engine quarantines or removes any spyware or potentially unwanted software detected on the computer. When spyware or other potentially unwanted software is quarantined, it is moved to an isolated folder on the computer.

As new definitions are released, items in quarantine can be scanned again to see if the spyware or other potentially unwanted software can be cleaned and released from quarantine. When spyware or other potentially unwanted software is removed, it is deleted from the computer.

Event Details

Resolve

Fix issues with removing spyware or other potentially unwanted software

To determine how to fix this error condition, examine the error code reported in the event message text.

The event message can report the following error codes:

• ERR_MP_BAD_INPUT_DATA (0x8050800C)
• ERR_MP_FULL_SCAN_REQUIRED (0x80508024)
• ERR_MP_MANUAL_STEPS_REQUIRED (0x80508025)
• ERR_MP_NO_MEMORY (0x80508007)
• ERR_MP_NOT_FOUND (0x80508019)
• ERR_MP_REMOVE_LOW_MEDIUM_DISABLED (0x80508027)
• ERR_MP_REMOVE_NOT_SUPPORTED (0x80508026)

ERR_MP_BAD_INPUT_DATA (0x8050800C)

This error code indicates that an internal error has occurred. You should restart your computer.

ERR_MP_FULL_SCAN_REQUIRED (0x80508024)

This error code indicates that a Windows Defender full scan is required.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To run a full scan by using Windows Defender:

1. Click Start, point to All Programs, and then click Windows Defender.
2. Click the down arrow next to Scan, and then click Full Scan.
3. Check that the full scan completed successfully.

ERR_MP_MANUAL_STEPS_REQUIRED (0x80508025)

This error code indicates that additional steps are required to completely remove the spyware or other potentially unwanted software that was detected on your computer. The Windows Defender History will tell you the name of the spyware or other potentially unwanted software that was not fully removed. For more information about additional steps, see the Microsoft Malware Protection Center (https://go.microsoft.com/fwlink/?LinkId=99353), and search the encyclopedia for the name of the spyware or other potentially unwanted software.

ERR_MP_NO_MEMORY (0x80508007)

This error code indicates that your computer is low on resources. You should free up some memory on your computer.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To free up memory on your computer:

1. Right-click the taskbar, and then click Task Manager.
2. Click the Applications tab and make sure that the status of all tasks is Running. If any tasks have the status Not responding, you can end the task by clicking End Task.
3. Click the Processes tab.
4. Click Memory and investigate processes that are using a lot of memory.
5. If there are no tasks with a status of not responding or processes that are using a lot of memory, you should restart the computer to free up memory.

ERR_MP_NOT_FOUND (0x80508019)

This error code indicates that a file or location included in the scan does not exist. This can happen if you try to quarantine spyware or other potentially unwanted software that no longer exists on the computer. You should run a full scan by using Windows Defender to ensure that you are using the latest scan results.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To run a full scan by using Windows Defender:

1. Click Start, point to All Programs, and then click Windows Defender.
2. Click the down arrow next to Scan, and then click Full Scan.
3. Check that the full scan completed successfully.

ERR_MP_REMOVE_LOW_MEDIUM_DISABLED (0x80508027)

Windows Defender requires a genuine copy of Windows. Windows Defender will validate that your copy of Windows is genuine before installation. Furthermore, Windows Defender will remove only Severe threats for computers running copies of Windows that are not genuine. Low, Medium, and High threats will be detected but not removed unless your copy of Windows is genuine.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To ensure that your computer is genuine:

1. Click Start, and then click Internet.
2. Type https://go.microsoft.com/fwlink/?LinkId=99354 in the address bar, and then press ENTER.
3. Click Validate Windows.

ERR_MP_REMOVE_NOT_SUPPORTED (0x80508026)

During a scan, Windows Defender detected spyware or other potentially unwanted software contained within a file archive, such as a .zip file. You should identity whether or not the file is spyware or other potentially unwanted software and remove it from the archive manually.

Verify

When Windows Defender takes an action on spyware or other potentially unwanted software, an entry is created in the Windows Defender History. To verify that the spyware or other potentially unwanted software was successfully removed from your computer, you should verify that an entry was created in the Windows Defender History and that the appropriate action was taken.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To verify that the spyware or other potentially unwanted software was successfully removed:

1. Click Start, point to All Programs, and then click Windows Defender.
2. Click History.
3. Under Programs and Actions, verify that the Action Taken column says Remove.
4. Verify that the Status column says Succeeded.
5. Close Windows Defender.

Note: If you clicked Ignore or Always Allow for the action in the Windows Defender alert, the Action Taken column will display either Ignore or Always Allow.

Related Management Information

Microsoft Antimalware Engine Spyware Removal

Core Security