- Mar 29, 2018
> Been thinking of swapping over to CD from DefenderUI.

I don't see the point of the latter.
> I'm using CD over DefenderUI because it's one less program to install, even though they both pretty much do the same thing.

Thanks both.
> I keep getting this block now Andy, anything to worry about? I assume it's because I'm using the Interactive setting? Thanks.
>
> Event[0]:
> Time Created : 2024-10-25 7:46:09 AM
> ProviderName : Microsoft-Windows-Windows Defender
> Id : 1121
> Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
> For more information please contact your IT administrator.
> ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
> ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
> Detection time: 2024-10-25T12:46:09.878Z
> User: NT AUTHORITY\SYSTEM
> Path: C:\Windows\System32\taskhostw.exe
> Process Name: C:\Windows\System32\lsass.exe
> Target Commandline: taskhostw.exe -RegisterDevice -SettingChange
> Parent Commandline:
> Involved File:
> Inheritance Flags: 0x00000000
> Security intelligence Version: 1.419.704.0
> Engine Version: 1.1.24080.9
> Product Version: 4.18.24080.9

FWIW, I also use Interactive mode and I've started getting these warnings today (5x so far) for no apparent reason. I don't recall ever seeing this warning before. W10, fully patched. I'm guessing it could be a bug on MS's end.
In the HIGH Protection Level this ASR rule is disabled because the block is triggered for many benign applications that try to enumerate running processes and attempt to open them with exhaustive permissions. In your case, some DLL-based service tries to change settings.
> FWIW, I also use Interactive mode and I've started getting these warnings today (5x so far) for no apparent reason. I don't recall ever seeing this warning before. W10, fully patched. I'm guessing it could be a bug on MS's end.

Did you recently install any new applications or Windows updates?
> Did you recently install any new applications or Windows updates?

The only thing I had installed recently was a digitally signed font (Newsreader) with SHA-256 of 8a08d13f8a6c0d51be379a60af84f945f65369a67e509ee3c3bdcc421254d7c1 and 796668611f80b64d5adf182fde3b6f29ed83b4e7cbec7b96937e84ac01364792 (both OK on VirusTotal). I ran the offline Defender scan, which reported nothing. I uninstalled the font anyway but am still getting this message:

Event[0]:
Time Created : 10/26/2024 1:08:22 PM
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Detection time: 2024-10-26T20:08:22.542Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\svchost.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.419.722.0
Engine Version: 1.1.24080.9
Product Version: 4.18.24080.9

You have the same event (CmdLine: taskhostw.exe -RegisterDevice -SettingChange) as @Digmor Crusher, so either you shared the same malware or it is a false positive.
This one is different, but there is no need to worry. Such events are common. The practical solution is to ignore them.
> Event[0]:
> Time Created : 10/26/2024 1:08:22 PM
> ProviderName : Microsoft-Windows-Windows Defender
> Id : 1121
> Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
> For more information please contact your IT administrator.
> ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
> ConfigureDefender option: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
> Detection time: 2024-10-26T20:08:22.542Z
> User: NT AUTHORITY\SYSTEM
> Path: C:\Windows\System32\svchost.exe
> Process Name: C:\Windows\System32\lsass.exe
> Target Commandline:
> Parent Commandline:
> Involved File:
> Inheritance Flags: 0x00000000
> Security intelligence Version: 1.419.722.0
> Engine Version: 1.1.24080.9
> Product Version: 4.18.24080.9

A few months ago I don't think I had this message; only recently I noticed I also get this message whenever I turn on my PC and reach the desktop screen, at about the same time as the detection time. Is it also the same for you? @South Park
> A few months ago I don't think I had this message; only recently I noticed I also get this message whenever I turn on my PC and reach the desktop screen, at about the same time as the detection time,

Quite often these blocks will not impact app performance and can be ignored. OTOH, if the app isn't functioning then you may need to disable this rule, since exceptions are not allowed.
> Yes.

Thank you for clarifying that for me.
> Quite often these blocks will not impact app performance and can be ignored. OTOH, if the app isn't functioning then you may need to disable this rule, since exceptions are not allowed.

Noted.
> I know lots of services use svchost.exe, but is there a way to check which service using svchost.exe causes the blocks?

I'm not sure, because so many apps and services use svchost.exe, but you may want to check with Process Explorer or Process Hacker.
> I know lots of services use svchost.exe, but is there a way to check which service using svchost.exe causes the blocks?

Look for the command line flag.
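Two questions in the thread can be answered from an elevated PowerShell prompt: Andy Ful's point that this rule is disabled at the HIGH level because benign process enumeration trips it (so audit mode, not disabling, is the way to keep the telemetry), and the question of which svchost.exe-hosted service is behind a block. The script below is an added example written for this page; it is not code from the thread, from ConfigureDefender or from Microsoft. It assumes Windows 10/11 with Microsoft Defender active and an elevated session; the regex parsing assumes the 1121/1122 message text uses the "Label: value" lines shown in the events above; the function names (Get-AsrEvent, Get-LsassRuleSummary, Get-SvchostServiceMap, Get-AsrRuleMode, Set-LsassRuleAudit) are my own. Note that in these events "Path" is the process that tried to open lsass.exe and "Process Name" is lsass.exe itself, so the summary groups on Path.

```powershell
# Added example (not from the thread, ConfigureDefender or Microsoft): triage ASR rule
# events from the Defender Operational log, map svchost.exe hits back to services, and
# show/switch the LSASS rule mode. Assumes an elevated PowerShell on Windows 10/11 with
# Microsoft Defender active. Message parsing assumes the "Label: value" lines seen above.

$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Block credential stealing from LSASS

# Readable names for rule GUIDs; extend with the other ASR rule IDs as needed.
$RuleNames = @{
    $LsassRuleId = 'Block credential stealing from lsass.exe'
}

function Get-AsrEvent {
    param([int]$Days = 7)
    # 1121 = rule blocked the operation, 1122 = audit-only hit (same fields, nothing blocked)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        # Pull one "Label: value" line out of the message body (multi-line regex; assumption about format)
        $get = { param($label) if ($m -match "(?m)^$label\s*:\s*(.*)$") { $Matches[1].Trim() } else { '' } }
        $ruleId = & $get 'ID'
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $ruleId
            Rule    = $RuleNames[$ruleId]
            Actor   = & $get 'Path'               # process that attempted the operation (taskhostw.exe, svchost.exe)
            Target  = & $get 'Process Name'       # lsass.exe for this rule
            Cmdline = & $get 'Target Commandline'
            User    = & $get 'User'
        }
    }
}

# 1) Which actors and command lines trip the LSASS rule, and how often?
function Get-LsassRuleSummary {
    param([int]$Days = 7)
    Get-AsrEvent -Days $Days |
        Where-Object RuleId -eq $LsassRuleId |
        Group-Object Actor, Cmdline |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Actor';   e = { $_.Group[0].Actor } },
            @{ n = 'Cmdline'; e = { $_.Group[0].Cmdline } }
}

# 2) A bare svchost.exe actor is ambiguous (the event carries no PID). Each running svchost
#    instance's command line carries -k <Group> and, for isolated services, -s <ServiceName>;
#    that flag is what "look for the command line flag" refers to. Cross-check with Win32_Service.
function Get-SvchostServiceMap {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $p = $_.ProcessId
        [pscustomobject]@{
            ProcessId   = $p
            CommandLine = $_.CommandLine
            Services    = (Get-CimInstance Win32_Service -Filter "ProcessId = $p" |
                           Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

# 3) Current mode of every configured ASR rule. Action values: 0 Disabled, 1 Block,
#    2 AuditMode, 6 Warn. ConfigureDefender writes this same preference, so re-applying
#    a CD profile later overwrites whatever is set here.
function Get-AsrRuleMode {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Rule   = $RuleNames[$id]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Keep the rule's telemetry (event 1122) without blocking, instead of disabling it outright.
function Set-LsassRuleAudit {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

Get-LsassRuleSummary -Days 7 | Format-Table -AutoSize
Get-SvchostServiceMap        | Format-Table -AutoSize
Get-AsrRuleMode              | Format-Table -AutoSize
```

The summary table is the quickest way to tell a single recurring benign actor (the taskhostw.exe -RegisterDevice -SettingChange hits in this thread) from something new; a burst of different actors or an unsigned binary outside System32 in the Actor column is what would actually warrant attention. For a svchost.exe actor, match the detection time against the service list: a service whose svchost instance starts at logon and whose -s flag names it is the usual explanation for a block that lands right as the desktop appears. Set-LsassRuleAudit is a deliberate middle ground between the rule's Block mode and disabling it, which is what the HIGH profile does.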
> A few months ago I don't think I had this message; only recently I noticed I also get this message whenever I turn on my PC and reach the desktop screen, at about the same time as the detection time. Is it also the same for you? @South Park

I also was receiving at least one notification at computer start-up, and often one when starting Firefox. I ended up setting the rule to block rather than to warn and haven't noticed any problems, though almost all of my software is open-source portable apps or a few select portable freeware apps.
@Andy Ful, does this still fall under "such events are common and there is nothing to worry about; the practical solution is to ignore them"?
I did not install any new program.
As far as I know it only updates when Andy tweaks an existing version or makes a newer version , it does not update regularly like an AV does.
@Andy Ful Does Defender continue to receive updates solely through Windows Update, or can it now update on its own?