Recently a colleague of mine asked me what happens in the file system when a malicious file is "quarantined".
The answer varies widely and as this is the "secret sauce" for many antivirus vendors, most of the time it is not overly documented how they do the voodoo they do. Seems like something that might make for a good blog or two so I sat down and did a few tests.
This post is going to cover what happened on my Windows 8 VM when I turned Windows Defender against a vicious EICAR.TXT file!
I chose to beat up on Windows Defender mostly because it is free and has a huge market share. Nothing personal.
So first things first: I grabbed the EICAR file and saved it to C:\temp.
Then I grabbed a copy of the $MFT to take a look at this file's record. Looks like this:
There is a lot going on in there but I just wanted to focus on a few things. If you are lost, read this.
NEXT, I turned on Windows Defender real-time protection. It was recommended.
Then a whole bunch of stuff happened.
Let’s start with $MFT record number 27152. So I quickly dumped the $MFT again and here’s what I got:
So what changed? Pretty much everything except the $MFT record number.
The sequence number was incremented by 4, indicating that there were numerous changes to the file, specifically the rename and move to a new parent folder.
Let's take a closer look at the USNJrnl-$J to get an idea of what happened:
```
### When I created the EICAR file and added the EICAR string to it. ###
2015-11-03 03:03:23.186 ref_num = 27152-96 eicar.txt File_Create,Close
2015-11-03 03:03:23.231 ref_num = 27152-97 eicar.txt File_Create,Data_Extend,Close
2015-11-03 03:06:48.274 ref_num = 27152-97 eicar.txt Data_Extend,Data_Truncation,Close
### This is Windows Defender deleting the file. ###
2015-11-03 03:07:20.379 ref_num = 27152-97 eicar.txt Object_ID_Change,Close
2015-11-03 03:09:43.529 ref_num = 27152-97 eicar.txt Basic_Info_Change,Data_Overwrite,File_Delete,Close
### Since this record number is up for grabs, it is reused for a different file. ###
2015-11-03 03:09:43.534 ref_num = 27152-98 5A7D7B64F11FF203E09434276A974A97 File_Create,Data_Extend,Close
```
So in short, Windows Defender deleted the original file. The MFT record number was up for grabs, so it was picked up by a newly created file, C:\ProgramData\Microsoft\Windows Defender\Scans\History\RemCheck\5A7D7B64F11FF203E09434276A974A97.
So where did my EICAR file go? Windows Defender puts quarantined files in C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\. Mine was saved as C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\50\50761523FA79FDF68E04707959836D1F6DBA9969.
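As an added illustration (not part of the original post), here is a small Python parser over journal lines in the layout shown above that flags the record-number reuse the post describes: a File_Delete on one sequence number followed by a File_Create with the same MFT record number, a higher sequence number and a different name. The sample lines are copied from the listing above; the field layout and the Reuse record are assumptions of this example, not a Defender or NTFS structure.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample: the USN journal lines from the post, in the layout shown there
USN_LINES = """\
2015-11-03 03:03:23.186 ref_num = 27152-96 eicar.txt File_Create,Close
2015-11-03 03:03:23.231 ref_num = 27152-97 eicar.txt File_Create,Data_Extend,Close
2015-11-03 03:06:48.274 ref_num = 27152-97 eicar.txt Data_Extend,Data_Truncation,Close
2015-11-03 03:07:20.379 ref_num = 27152-97 eicar.txt Object_ID_Change,Close
2015-11-03 03:09:43.529 ref_num = 27152-97 eicar.txt Basic_Info_Change,Data_Overwrite,File_Delete,Close
2015-11-03 03:09:43.534 ref_num = 27152-98 5A7D7B64F11FF203E09434276A974A97 File_Create,Data_Extend,Close
"""

UsnEntry = namedtuple("UsnEntry", "when record seq name reasons")
Reuse = namedtuple("Reuse", "record old_seq new_seq deleted_name new_name gap_ms")

# timestamp, "ref_num = <record>-<sequence>", file name, comma-separated reason flags
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"ref_num = (?P<rec>\d+)-(?P<seq>\d+)\s+(?P<name>\S+)\s+(?P<reasons>\S+)$"
)


def parse_usn(text):
    """Parse journal lines in the post's layout into UsnEntry tuples (blank lines skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised journal line: %r" % line)
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        entries.append(UsnEntry(when, int(m.group("rec")), int(m.group("seq")),
                                m.group("name"), m.group("reasons").split(",")))
    return entries


def find_record_reuse(entries):
    """Flag MFT record numbers freed by File_Delete and then handed to a different file.

    A reuse is a File_Create on the same record number with a higher sequence
    number and a different name than the deleted entry; this is why the post's
    second $MFT dump showed a RemCheck file sitting in record 27152.
    """
    pending_delete = {}  # record number -> the entry that deleted it
    hits = []
    for e in sorted(entries, key=lambda x: x.when):
        if "File_Delete" in e.reasons:
            pending_delete[e.record] = e
        elif "File_Create" in e.reasons and e.record in pending_delete:
            d = pending_delete.pop(e.record)
            if e.seq > d.seq and e.name != d.name:
                delta = e.when - d.when
                gap_ms = (delta.days * 86400 + delta.seconds) * 1000 + delta.microseconds // 1000
                hits.append(Reuse(e.record, d.seq, e.seq, d.name, e.name, gap_ms))
    return hits


if __name__ == "__main__":
    for r in find_record_reuse(parse_usn(USN_LINES)):
        print("record %d: %s (seq %d) deleted, reused %d ms later by %s (seq %d)"
              % (r.record, r.deleted_name, r.old_seq, r.gap_ms, r.new_name, r.new_seq))
```

On the sample above it reports record 27152 being reused 5 ms after the delete, which is the same Defender action that wrote the RemCheck file.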
Let’s take a look at that:
For those that don’t know, Windows Defender and Microsoft Security Essentials Quarantine files have a magic number of 0B AD 00. Clever.
Looking at the histogram of the data, it is pretty obvious that it was stored using some kind of encryption.
After doing a bit more digging, it turns out that Windows Defender uses a hard coded RC4 key to encrypt quarantine files.
A colleague of mine pointed me at this cool script from Cuckoo.
Here is the relevant chunk of their code that I bastardized for this blog post:
```python
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import struct


def mse_ksa():
    # hardcoded key obtained from mpengine.dll (256 bytes, one per S-box slot)
    key = [0x1E, 0x87, 0x78, 0x1B, 0x8D, 0xBA, 0xA8, 0x44, 0xCE, 0x69,
           0x70, 0x2C, 0x0C, 0x78, 0xB7, 0x86, 0xA3, 0xF6, 0x23, 0xB7,
           0x38, 0xF5, 0xED, 0xF9, 0xAF, 0x83, 0x53, 0x0F, 0xB3, 0xFC,
           0x54, 0xFA, 0xA2, 0x1E, 0xB9, 0xCF, 0x13, 0x31, 0xFD, 0x0F,
           0x0D, 0xA9, 0x54, 0xF6, 0x87, 0xCB, 0x9E, 0x18, 0x27, 0x96,
           0x97, 0x90, 0x0E, 0x53, 0xFB, 0x31, 0x7C, 0x9C, 0xBC, 0xE4,
           0x8E, 0x23, 0xD0, 0x53, 0x71, 0xEC, 0xC1, 0x59, 0x51, 0xB8,
           0xF3, 0x64, 0x9D, 0x7C, 0xA3, 0x3E, 0xD6, 0x8D, 0xC9, 0x04,
           0x7E, 0x82, 0xC9, 0xBA, 0xAD, 0x97, 0x99, 0xD0, 0xD4, 0x58,
           0xCB, 0x84, 0x7C, 0xA9, 0xFF, 0xBE, 0x3C, 0x8A, 0x77, 0x52,
           0x33, 0x55, 0x7D, 0xDE, 0x13, 0xA8, 0xB1, 0x40, 0x87, 0xCC,
           0x1B, 0xC8, 0xF1, 0x0F, 0x6E, 0xCD, 0xD0, 0x83, 0xA9, 0x59,
           0xCF, 0xF8, 0x4A, 0x9D, 0x1D, 0x50, 0x75, 0x5E, 0x3E, 0x19,
           0x18, 0x18, 0xAF, 0x23, 0xE2, 0x29, 0x35, 0x58, 0x76, 0x6D,
           0x2C, 0x07, 0xE2, 0x57, 0x12, 0xB2, 0xCA, 0x0B, 0x53, 0x5E,
           0xD8, 0xF6, 0xC5, 0x6C, 0xE7, 0x3D, 0x24, 0xBD, 0xD0, 0x29,
           0x17, 0x71, 0x86, 0x1A, 0x54, 0xB4, 0xC2, 0x85, 0xA9, 0xA3,
           0xDB, 0x7A, 0xCA, 0x6D, 0x22, 0x4A, 0xEA, 0xCD, 0x62, 0x1D,
           0xB9, 0xF2, 0xA2, 0x2E, 0xD1, 0xE9, 0xE1, 0x1D, 0x75, 0xBE,
           0xD7, 0xDC, 0x0E, 0xCB, 0x0A, 0x8E, 0x68, 0xA2, 0xFF, 0x12,
           0x63, 0x40, 0x8D, 0xC8, 0x08, 0xDF, 0xFD, 0x16, 0x4B, 0x11,
           0x67, 0x74, 0xCD, 0x0B, 0x9B, 0x8D, 0x05, 0x41, 0x1E, 0xD6,
           0x26, 0x2E, 0x42, 0x9B, 0xA4, 0x95, 0x67, 0x6B, 0x83, 0x98,
           0xDB, 0x2F, 0x35, 0xD3, 0xC1, 0xB9, 0xCE, 0xD5, 0x26, 0x36,
           0xF2, 0x76, 0x5E, 0x1A, 0x95, 0xCB, 0x7C, 0xA4, 0xC3, 0xDD,
           0xAB, 0xDD, 0xBF, 0xF3, 0x82, 0x53
           ]
    # RC4 key-scheduling algorithm; list() so the swaps also work on Python 3
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key[i]) % 256
        tmp = sbox[i]
        sbox[i] = sbox[j]
        sbox[j] = tmp
    return sbox


def rc4_decrypt(sbox, data):
    # RC4 pseudo-random generation: XOR each byte with the next keystream byte
    out = bytearray(len(data))
    i = 0
    j = 0
    for k in range(len(data)):
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        tmp = sbox[i]
        sbox[i] = sbox[j]
        sbox[j] = tmp
        val = sbox[(sbox[i] + sbox[j]) % 256]
        out[k] = val ^ data[k]
    return out


def mse_unquarantine(f):
    with open(f, "rb") as quarfile:
        data = bytearray(quarfile.read())
    fsize = len(data)
    # quarantine files start with the 0B AD 00 magic
    if fsize < 12 or data[0] != 0x0B or data[1] != 0xad or data[2] != 0x00:
        return None
    sbox = mse_ksa()
    outdata = rc4_decrypt(sbox, data)
    # decrypted container, header included
    with open("unquar-with-meta.bin", "wb") as out:
        out.write(outdata)
    # MSE stores metadata like the original filename in a separate file,
    # so due to our existing interface, we can't restore the original name
    # from just the ResourceData file. Later we may allow uploading pairs
    # of files, match them up by name, and then associate that data here
    # for the final submission
    headerlen = 0x28 + struct.unpack("<I", outdata[8:12])[0]
    origlen = struct.unpack("<I", outdata[headerlen-12:headerlen-8])[0]
    # only write the payload out when the stated original length matches the file
    if origlen + headerlen == fsize:
        with open("unquar.bin", "wb") as out:
            out.write(outdata[headerlen:])
        return outdata[headerlen:]
    return None


mse_unquarantine("50761523FA79FDF68E04707959836D1F6DBA9969")
```
c:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
c:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpEngine.dll
c:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D45C13C3-59B3-4726-B82F-03461072F006}\mpengine.dll
c:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
c:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\MpEngine.dll
c:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D45C13C3-59B3-4726-B82F-03461072F006}\mpengine.dll
c:\Windows\WinSxS\amd64_windows-defender-am-engine_31bf3856ad364e35_6.3.9600.16384_none_efe9bba68a38095a\MpEngine.dll
Looks like this:
I might dig a little deeper on this but this is all for now. Hope this helps.
-
Hi,
Something changed today, my Simple Software Restriction Policy is blocking Windows Defender Updates.
I have already allowed files in "c:\ProgramData\Microsoft\Windows Defender" to run, and Windows Defender updates have been working previously.
I did a File Explorer search for 'modified:08/02/2017' but wasn't able to find anything, or maybe I missed something.
If I change the SSRP ini file to "includeDLLs=0" then it works, so it should be a DLL file that is the offender.
-
I have SSRP. I’ve never had an issue with WD updating.
-
Hi Norman
Do you have includeDLLs=1 ?
-
No.
About the only thing I did was whitelist executables to SRP that run from the Downloads or AppData folder; they're usually blocked by default.
-
Found the solution. One has to whitelist 'GapaEngine.DLL=1' and 'MPEngine.DLL=1' in the Custom Policies section. Windows Defender creates NEW folders within 'ProgramData\Microsoft\Windows Defender\Definition Updates' which may contain new copies of these DLLs. And it looks like SSRP is too slow to figure out that they are within the whitelisted folder 'ProgramData\Microsoft\Windows Defender\Definition Updates'. And since these are New Folders created During Windows Update with random looking folder names, we cannot create a whitelist item using the full path, so we can only specify the DLL file name.
Windows 10 Pro SRP does not have this problem. And all that needs to be done is whitelist ‘ProgramData\Microsoft\Windows Defender\Definition Updates’
-
I have the following rule in SRP in Local Security Policy (it may be a little risky because if the malware have the same name then it won’t be stopped at least by SRP but it will be intercepted by my other layers so it’s not a big deal for me):
%temp%\mpam*-*.exe => to unrestricted
I am using this topic to point this out because of the issue described here => https://social.technet.microsoft.co…ssues-with-windows-defender?forum=winserverGP
I tested many rules and the one above seems to work as it should.
The rule is working even if the following rule is applied to protect the subfolders as well to disallowed => %temp%\*\*.exe
Regards,
Georgi
-
Tarnak
No problem for me getting the updates on Windows Pro with Windows 10 Creators Update installed, just recently. I run as Admin, because I wouldn't have a clue as to how to set up a "Software Restriction Policy". It sounds too complicated, for me.
-
Download and install this if you want. Easy peasy.
https://iwrconsultancy.co.uk/softwarepolicy
-
Yup. AppLocker is way too complicated for me and I'm afraid if I use the default rules, I risk getting locked out of Windows.
No such problem with SSRP.
-
Hi DoesntMatter,
Does the mpam*-*.exe get downloaded when you use the Windows Update method to update Defender ? Or is it downloaded when you use Windows Defender itself to do updates? Because I am using the Windows Update method and I don’t see that file.
-
Hi lunarlander,
The rule is created to allow the user to update WD manually through the program. There are no problems to update WD through Windows Update without creating any rules if CryptoPrevent protection is enabled or if any rules in Local Security Policy (SRP) are applied to prevent *.exe files to run from the %temp% folders. But I can speak only for SRP and not for SSRP.
Regards,
Georgi
-
With SSRP any program you want to run from otherwise blacklisted locations can be added to the custom policy section of the software.ini that ships with SSRP. Remember to unlock it to install/uninstall/update software.
-
Hi Georgi,
I just tried to update Defender in Win 10 Home using Windows Defender. And I don’t see any mpam inside \AppData\Local\Temp or \Windows\Temp . Inside \Windows\Temp I only found a cryptic folder name ending in .Sigs .
Instead I saw a cryptic folder name within \ProgramData\Microsoft\Windows Defender\Definition Updates with the DLL I mentioned just like as if it were updated using Windows Update !
-
Hi lunarlander,
Same here. I just checked and it seems that mpam files are no longer created if WD is updated via MS Update or manually. Probably MS recently changed the way how WD updates are applied and the exclusion rule in SRP is no longer needed. (it was needed a few months ago but not anymore). I disabled it as well. And since the rule in SRP for Programdata restrict only executables to run from the main folder (and not the subfolders) => %programdata%\*.exe I don’t need to create an exception for WD anymore. I won’t include the subfolders to enhance the protection since a lot of legit files (including Battle.net agent) start from subfolders in the %programdata% but CIS will take care of them.
Regards,
Georgi
-
Tarnak
I might give it try…just hope it is reversible, if I don’t want to stay with it.
-
Confirmed — I also have such a path rule and haven’t run into problems since. DLLs are included.
-
Unlike Applocker, its basically set and forget. If you find something was blocked by policy, add the full path line to CustomPolicies in the software.ini file and activate the new policy. It should then run and you’re done. Easy-peasy.
-
Have someone of you tried Hard_Configurator by Andy Full? It’s a nice, simple and powerful tool.
Tweak and forget!