Andy Ful

Level 46
Verified
Trusted
Content Creator
Then I dont know what it could be, I have disabled all startup items(not windows ones of course) I have disabled windows defender, still the same powershell and install message..
You cannot disable WD. Please enable WD, reboot and check if real-time protection is enabled. Next, you should test the Administrator PowerShell with Get-MpPreference cmdlet.
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
Turned off and turned on windows defender, rebooted, launched powershell as admin, still the same message.
Then, your PowerShell is not fully functional (still restricted or corrupted). It cannot run the standard Windows built-in cmdlet.:(
What method have you used to disable WD?
Why do you think that using 3 days old system restore point can help you?
 
Last edited:

Andy Ful

Level 46
Verified
Trusted
Content Creator
I turned off the real time protection, and its worth trying to use the restore point.
Turning off WD real-time protection does not disable WD. Turning off WD real-time protection, via Windows Security Center, cannot spoil anything in WIndows. By the way, what is your Windows version? Is it ver 1903 like in your thread?
If so, then maybe you should look at your OSArmor, SysHardener and Voodooshield settings.

Well I have made a variant as in Chess, I have H_C installed, but instead of WD I use Emsisot. What do you think @Andy Ful.:giggle:
It is normal. @Sunshine-boy used such a setup without a problem. Just be certain that Emsisoft does not block H_C executables - it should not (I sent them H_C executables for whitelisting).
If you will have any problem, then PM me.:giggle:(y)
 
Last edited:
Turning off WD real-time protection does not disable WD. Turning off WD real-time protection, via Windows Security Center, cannot spoil anything in WIndows. By the way, what is your Windows version? Is it ver 1903 like in your thread?
If so, then maybe you should look at your OSArmor, SysHardener and Voodooshield settings.


It is normal. @Sunshine-boy used such a setup without a problem. Just be certain that Emsisoft does not block H_C executables - it should not (I sent them H_C executables for whitelisting).
If you will have any problem, then PM me.:giggle:(y)
I uninstalled all of them, didnt work, and im on 1903
 

Raiden

Level 13
Verified
Content Creator
SysHardener does not undo its settings when you uninstall it, maybe you have some tweaks left from SH, and they are still on your system?
You are correct.

Syshardener doesn't automatically reset everything if you uninstall it. You first have to click "restore selected" or whatever it's called. It will prompt you to reboot, then you can uninstall it after the reboot. If you don't click the restore option in Syshardener, it won't restore your settings back to default afaik.
 
Last edited:

Robbie

Level 28
Verified
Content Creator
I use ConfigureDefender AT HIGH SETTINGS. It blocks all links that I click on Outlook, which brings me trouble at work. How to whitelist this without disabling protection for all Office apps? Defender shows a rule which blocks the Opera Browser executable launched from Outlook.



 

Andy Ful

Level 46
Verified
Trusted
Content Creator
I use ConfigureDefender AT HIGH SETTINGS. It blocks all links that I click on Outlook, which brings me trouble at work.
Could you please post the entries from the ConfigureDefender Log (use <Defender Security Log> in ConfigureDefender)?

Edit.
I do not know Spanish but it seems that the rule "Block Office communication applications from creating child processes" has been triggered. This will block running applications from Outlook.
As @oldschool pointed out, you can make ASR exclusions for legitimate applications blocked by this rule (like Opera launcher).
 
Last edited:

Robbie

Level 28
Verified
Content Creator
Could you please post the entries from the ConfigureDefender Log (use <Defender Security Log> in ConfigureDefender)?

Edit.
I do not know Spanish but it seems that the rule "Block Office communication applications from creating child processes" has been triggered. This will block running applications from Outlook.
As @oldschool pointed out, you can make ASR exclusions for legitimate applications blocked by this rule (like Opera launcher).
Fantastic, thank you.

Yes, indeed this was the rule being triggered. I already had thought about ASR exclusions, but I was excluding outlook.exe, not opera launcher. I did so, and now I face no issues at all. Thank you and thanks everybody who commented on the matter.
 
Last edited:

Reldel1

Level 1
The new Edge Development version, Version 78.0.268.1 (Official build) dev (64-bit), failed the update re-start process because the Configure Defender exploit guard setting "Block executable files from running unless they meet a prevalence, age or trusted list criteria" prevented the update restart. For whatever reason the "ON" setting had to be disabled in Configure Defender in order to complete the update AND then to allow Version 78.0.268.1 desktop link to open Development Edge. I am now running with the "Block executable files" setting disabled and Edge updates and opens correctly.
 

oldschool

Level 34
Verified
@Reldel1 - Did you try adding MicrosoftEdgeUpdate.exe to ConfigureDefender ASR exlcusions? BTW: I'm also wondering if you have any custom Exploit Guard rule(s) in place in the WSC>App and browser control>Exploit protection>settings>Program settings?

@DeepWeb - I suppose you're referring to making general scan exclusions in WSC>Virus and threat protection settings">Exclusions>Add or remove exclusions. You may add these in any of the available ways, by file, folder, etc. These are for exclusions from any scanning, e.g. another security software. What you exclude is up to you.

Exclusions made via ConfigureDefender>Exploit Guard>ASR>Manage ASR exclusions are exclusions from ASR rules specifically, except for 3 rules. with *****. Add these type of exclusions usually with .exe files. Use caution when adding these.

@Reldel1 @DeepWeb I know UI is poorly designed for navigating WSC. And the problem is compounded with exploit guard settings in Virus and threat protection and in App and browser control. The latter I would say are a way to fine tune application of exploit rules, AFAIK.

In total, there are 3 types of exclusions: from file scanning, from application of ASR rules and finally excluding files to (really allowing apps access to) Controlled Folder Access.

Hope this helps. Sorry I can't help with M$'s poor GUI in WSC!
 

Reldel1

Level 1
@Reldel1 - Did you try adding MicrosoftEdgeUpdate.exe to ConfigureDefender ASR exlcusions? BTW: I'm also wondering if you have any custom Exploit Guard rule(s) in place in the WSC>App and browser control>Exploit protection>settings>Program settings?
I have added only a couple of rules to allow programs in Exploit Guard, usually not necessary though.

Edge Dev. has been updating without error for months with both Hard Config and Config Defender installed so I imagine Microsoft has changed something again within Edge Dev. Below is a log from Config Defender to show action that blocked update and opening of Edge.
Event[71]:
*****************************************
*****************************************
Date: 2019-09-10 Time: 16:25:19.850
Event ID: 1121
(Blocked by ASR rule)
*****************************************
*****************************************
User Name: NT AUTHORITY\SYSTEM
Computer: StudioXPS8700
Description:
Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 01443614-cd74-433a-b99e-2ecdc07bfc25
ConfigureDefender option: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Detection time: 2019-09-10T20:25:19.849Z
User: StudioXPS8700\Reldel
Path: C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe
Process Name: C:\Windows\explorer.exe
Security intelligence Version: 1.301.970.0
Engine Version: 1.1.16300.1
Product Version: 4.18.1908.5

Event[70]:
*****************************************
*****************************************
Date: 2019-09-10 Time: 16:25:26.335
Event ID: 1121
(Blocked by ASR rule)
*****************************************
*****************************************
User Name: NT AUTHORITY\SYSTEM
Computer: StudioXPS8700
Description:
Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 01443614-cd74-433a-b99e-2ecdc07bfc25
ConfigureDefender option: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Detection time: 2019-09-10T20:25:26.334Z
User: StudioXPS8700\Reldel
Path: C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe
Process Name: C:\Windows\System32\RuntimeBroker.exe
Security intelligence Version: 1.301.970.0
Engine Version: 1.1.16300.1
Product Version: 4.18.1908.5
 

Andy Ful

Level 46
Verified
Trusted
Content Creator
I have added only a couple of rules to allow programs in Exploit Guard, usually not necessary though.

Edge Dev. has been updating without error for months with both Hard Config and Config Defender installed so I imagine Microsoft has changed something again within Edge Dev. Below is a log from Config Defender to show action that blocked update and opening of Edge.
...
They probably forgot to whitelist the new Edge build and update the ASR module.
You can add an exclusion (file path) to ASR rules from ConfigureDefender. Although this exclusion will be applied for most ASR rules too, the blocked executable is in a not-writable folder, and excluding Edge should not lower ASR protection.
You can also disable this ASR rule temporarily, restart Windows, next update & run Edge Dev, and finally Enable ASR rule again.
Generally, this ASR rule can produce false positives during software updates. That is why it is disabled in ConfigureDefender HIGH Protection level.
 
Last edited: