mpsigstub.exe alert keeps coming back

i have an alert everytime my pc starts because of this process wich is a windows defender process. i keep on saying “trusted application” or “windows process” but the alert comes back because the path in wich this prog is installated is changing at every defender update.

How can i solve my problem ? ???

no way to get rid of this… >:( can’t you help me ?

I presume you are not running Defence+ in Safe Mode

If not try this


Please change C:\ if this is not right drive letter for you.


Hi cvsa,

I have something you could try.

Go to Defence+/Advanced/Computer security policy and click on “Add” then either select from running processes or browse to C:\Windows\System32\mpsigstub.exe->and double click it so it is in the application path.
Now where the application path is delete Windows\System32 and replace it with a * so you end up with
C:*\mpsigstub.exe then APPLY
Now double click that entry in computer security policy and give it the pre-defined policy “Windows system application” then APPLY

I have not used this so am not sure if it works but it`s worth trying.


? is used for drive letter * should work as a wildcard.

ok, I’ll try this :wink:

I have the same problem as cvsa. With me D+ always pops in when MSE is updating. I’ve applied Dennis and Matty’s idea and I’ll see if it works.
One question though: why are the capital letters different (snapshots)? Is it exactly the same file?


[attachment deleted by admin]

I shouldn't think that the lack of capitilization should matter. That being said...
MpMSigStub.exe is the Microsoft Malware Protection Signature Update Stub, which is only 190KB. A stub exists basically to attach something to a program by creating a consistent place for the application modules to call.

In this case, it’s probably used to provide a set of hooks into code embedded within the definitions files that might change regularly.


The quotes are from MSE’s forum moderators; in case someone finds it helpful.



I’ve just tried an update with the new Defense+ setup (see Dennis and Matty’s posts) and it worked.


I am having this same problem, or annoyance. While the above may work (I mean using c:*\MpSigStub.exe) doesn’t that mean that if I accidently download malware called MpSigStub.exe to my c:\ drive, that defense+ will happily allow it to run? It seems to me something has to be worked out with Microsoft to either

  1. Run this from a fixed location
  2. Sign it from Microsoft (if that is already done, then why is it popping up, since MS is a trusted vendor).

Or am I missing something obvious here in my assessment of the risk? (Of course I just dismissed the window that defence+ popped up to see if there is something obvious :slight_smile: )

Yes, using the C:*\MPSigStub.exe will allow a virus with the same name to run. But if you limit the access to just what MPSigStub and MPMiniSigStub need, then all the virus could do is mess up Windows Defender.
No direct access to the keyboard, memory, the screen, or the disk and only run, message, or link to it’s own modules.

By the way, here is full info on how MPSigStub works: