Microsoft Security Intelligence Update KB2267602 Explained

If you have noticed “Security Intelligence Update for Microsoft Defender Antivirus – KB2267602” appearing repeatedly in Windows Update, you are not experiencing an error or update loop. KB2267602 is Microsoft’s rolling antivirus signature update mechanism: the KB number is permanent and fixed, while the internal version number (e.g., 1.445.476.0) changes every time Microsoft ships new malware definitions — which happens multiple times per day. This guide explains exactly what KB2267602 is, why it keeps appearing, and how to install, verify or roll back the update.

What Is Security Intelligence Update KB2267602?

KB2267602 is the Knowledge Base identifier assigned by Microsoft to the Security Intelligence Update (formerly called Definition Update) for Microsoft Defender Antivirus. Unlike standard Windows patches, which use a KB number to identify a specific, one-time fix, KB2267602 is a continuously updated package — the same KB number is used every time Microsoft publishes new threat signatures to keep Defender current against the latest malware, ransomware and other threats.

Why the same KB number appears repeatedly

Microsoft’s update infrastructure uses KB2267602 as a named update stream rather than a versioned patch. Each publication is a new set of malware signatures and detection logic, but all are published under the same KB identifier. The version number after the KB name — such as “Version 1.445.476.0” or “Version 1.447.102.0” — identifies the specific signature build. The version number increments in the format: [generation].[daily_build].[build_variant].[sub].

According to Microsoft’s official Defender update documentation, Defender periodically downloads dynamic security intelligence updates, and “security intelligence updates occur on a scheduled cadence which you can configure using a policy.” The update also uses cloud-delivered protection (MAPS — Microsoft Advanced Protection Service) which runs continuously in the background regardless of the KB update schedule.

What the version numbers mean

Each KB2267602 package carries a version number in the format 1.XXX.YYYY.Z. The most commonly seen range in 2025–2026 is between 1.390.x and 1.450.x. A higher number simply means a more recent signature build with newer malware detections. Engine updates are included with security intelligence updates and released on a monthly cadence — so a monthly update will increment both the signature and engine version numbers together.

System Center Endpoint Protection users receive functionally equivalent updates under KB2461484 rather than KB2267602 — both packages contain the same underlying signature data delivered through different update channels.

Is KB2267602 safe? Why does it keep coming back?

KB2267602 is completely safe and is a first-party Microsoft security update. Its repetitive appearance in Windows Update is by design: as Microsoft publishes new threat signatures (sometimes several times per 24 hours), Windows Update will surface the latest version for installation. If the update appears repeatedly with different version numbers, Defender is working correctly and receiving current threat intelligence. If the same version repeatedly fails to install, that indicates an installation error — see the troubleshooting section below.

KB2267602 versus KB4052623: understanding the difference

Users frequently confuse KB2267602 with KB4052623, Microsoft Defender’s monthly platform update. The distinction is important:

• KB2267602 (Security Intelligence Update): Contains virus and malware signature definitions. Released multiple times daily. Small file size (a few MB). Does not change the Defender engine or platform version. Installs silently without requiring a reboot in most cases.
• KB4052623 (Platform Update): Updates the Microsoft Defender Antivirus engine and platform binaries. Released monthly. Larger file. May require a reboot. Changes the platform version number (e.g., 4.18.x.x).

To check your current installed versions, open Windows PowerShell and run Get-MpComputerStatus. The output shows AntivirusSignatureVersion (your current KB2267602 version), AMEngineVersion (the engine version from KB4052623), and AMProductVersion (the platform version). Comparing AntivirusSignatureVersion against the latest version listed on Microsoft’s Security Intelligence update page confirms whether your Defender definitions are current.

Enterprise environments managing Defender through Microsoft Intune, Configuration Manager (SCCM) or Windows Server Update Services (WSUS) should configure separate approval policies for KB2267602 signature updates versus KB4052623 platform updates. Security intelligence updates should typically be auto-approved to all devices on the same day; platform updates benefit from a staged rollout (pilot group → broad deployment) to validate compatibility with endpoint configurations.

Installing and Troubleshooting KB2267602

In the vast majority of cases, KB2267602 installs automatically via Windows Update without any user action. However, there are scenarios where you may need to install it manually, verify the current installed version, or troubleshoot a failed installation.

How to manually update Defender signatures

To force Microsoft Defender Antivirus to download and install the latest signatures immediately, open an elevated Command Prompt (right-click → Run as administrator) and run:

MpCmdRun.exe -SignatureUpdate

If you want to pull directly from Microsoft’s Malware Protection Center rather than your configured update source:

MpCmdRun.exe -SignatureUpdate -MMPC

You can also trigger an update from the Windows Security app: open Windows Security → Virus & threat protection → Protection updates → Check for updates. The Microsoft Security Intelligence download page also provides direct download links for offline environments where Windows Update access is restricted.

Common installation errors and fixes

The most frequently reported installation error for KB2267602 is 0x80070643 — a generic Windows Update installation failure that most often means the Defender service cannot write to its definitions directory. Steps to resolve:

1. Open Services (Win + R → services.msc), locate Windows Defender Antivirus Service and ensure it is Running.
2. Run Windows Update Troubleshooter: Settings → Update & Security → Troubleshoot → Windows Update.
3. From an elevated command prompt, run sfc /scannow to check for corrupted system files, then retry the update.
4. Clear the Defender signature cache: MpCmdRun.exe -RemoveDefinitions -DynamicSignatures, then rerun the signature update command.

A less common but documented issue is KB2267602 apparently disabling Wi-Fi or network adapters after installation — this has been reported in Microsoft’s Q&A forum and is typically caused by a network driver conflict with the new Defender engine version, resolved by updating network adapter drivers and rebooting.

How to roll back a security intelligence update

If a specific KB2267602 version causes problems (application conflicts, performance degradation, false positive detections), you can roll back signatures using MpCmdRun.exe:

# Remove all signatures and revert to inbox version:
MpCmdRun.exe -RemoveDefinitions -All

# Remove only dynamically downloaded signatures (keeps base definitions):
MpCmdRun.exe -RemoveDefinitions -DynamicSignatures

# Roll back only the engine version:
MpCmdRun.exe -RemoveDefinitions -Engine

After rolling back, Windows Update will re-offer the latest version within the normal update cycle. If you need to stay on a specific signature version temporarily, configure your update policy to defer Security Intelligence updates via Group Policy: Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Security Intelligence Updates → Define the number of days before spyware definitions are considered out of date.