Controlled folders Windows 10 with AppGuard running bug?

  • Thread starter: ForgottenSeer 69673
  • Status: Not open for further replies.

ForgottenSeer 69673 (thread author)
Today I noticed something strange on my PC. I went into Windows Defender Security Center and clicked on Ransomware Protection (controlled folders). I tried enabling it and it would enable for about a second, then switch back off. What I found is with Appguard set to lockdown, I could not enable it. I then put Appguard in Protected mode and had no problem enabling controlled folders. Also putting Appguard in install mode allows me to enable controlled folders.
Also if you have controlled folders enabled while in lockdown mode, you cannot disable it again.

Using version 4 lifetime.
 
No issue here with Appguard and Controlled folders (on 3 systems). However, I didn't try with v4, will do later.
 
Like @Umbra said, Controlled Folders is a poorly implemented feature. I have noticed that sometimes it will silently block things that it shouldn't. Maybe that is happening with Appguard.
Try adding Appguard processes to the exceptions, and see if that helps, like @illumination said.
 
@ticklemefeet
Are there any blocks from AppGuard related to Windows Defender? If so, can you post them here?

I get these blocks all the time.

05/08/18 14:31:31 Prevented process <mpcmdrun.exe | c:\windows\system32\svchost.exe> from launching from <c:\programdata\microsoft\windows defender\platform\4.14.17639.18041-0>.
 
Still having issues even after implementing exceptions for AppGuard in Controlled Folders?
 
Controlled Folders introduce too many conflicts, the tool is useless and badly implemented, you must whitelist almost all your apps and even Windows' system processes.
Anyway, you don't need it with Appguard, because AG has Protected Folders features.
For sure, and this is why I suggested what I did, I was hoping you would see this and reply seeing you're more familiar with AG than I am.
 
If this block is from the Appguard log, it indicates that you have not made the proper exceptions in Appguard for Windows Defender. You should exclude mpcmdrun.exe and all the other WD processes from User Space. Preferably, do it with a wildcard, to cover future updates. For this particular process, you could exclude the following path from User Space:
c:\programdata\microsoft\windows defender\platform\*\mpcmdrun.exe
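
The wildcard exclusion suggested above, checked against the log format quoted in the thread (an added example, not part of any post and not AppGuard's own code). The second and third log lines, the function names, and the rule that `*` matches exactly one path component are assumptions.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the block quoted in the thread; lines 2-3 are
# made-up entries in the same format (version 4.16.0.0-0 is a placeholder).
SAMPLE_LOG = r"""
05/08/18 14:31:31 Prevented process <mpcmdrun.exe | c:\windows\system32\svchost.exe> from launching from <c:\programdata\microsoft\windows defender\platform\4.14.17639.18041-0>.
05/09/18 09:02:10 Prevented process <mpcmdrun.exe | c:\windows\system32\svchost.exe> from launching from <c:\programdata\microsoft\windows defender\platform\4.16.0.0-0>.
05/09/18 09:05:44 Prevented process <setup.exe | c:\windows\explorer.exe> from launching from <c:\users\example\downloads>.
"""

BLOCK_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Prevented process <(?P<proc>[^|>]+?) \| (?P<parent>[^>]+)> "
    r"from launching from <(?P<folder>[^>]+)>\.$"
)
# Defender's versioned platform folder: ...\platform\<version>
WD_PLATFORM_RE = re.compile(
    r"^(?P<base>c:\\programdata\\microsoft\\windows defender\\platform)\\[^\\]+$",
    re.IGNORECASE,
)

def parse_blocks(log_text):
    """Return (process, parent, folder) for every 'Prevented process' line."""
    blocks = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            blocks.append((m["proc"].lower(), m["parent"].lower(), m["folder"].lower()))
    return blocks

def suggest_exclusions(blocks):
    """Map each wildcard exclusion path to the number of blocks it covers."""
    counts = Counter()
    for proc, _parent, folder in blocks:
        m = WD_PLATFORM_RE.match(folder)
        if m:  # only the Defender platform folder is generalised, nothing else
            counts[m["base"] + "\\*\\" + proc] += 1
    return dict(counts)

def wildcard_covers(pattern, path):
    """Assumption: '*' stands for exactly one path component (the version)."""
    rx = "[^\\\\]+".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, path, re.IGNORECASE) is not None

if __name__ == "__main__":
    for path, n in suggest_exclusions(parse_blocks(SAMPLE_LOG)).items():
        print(n, path)
```

The block from the Downloads folder is deliberately left out of the suggestions: only the versioned Defender platform folder is turned into a wildcard, and only for the binary that was actually blocked.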
 
@ticklemefeet, don't forget -- after adding your exclusions -- to make sure that they are set to "No".
Please double-check that it is set to userspace: No.
 
because MS(tupid) decided that WD processes look cool in user-space...

I know right? Why they do this baffles me. Funny thing is I've been using appguard for a long time and never saw these until a few weeks ago, along with filecoauth.exe although it does not show in activity report.
 
I will guess that you started seeing these when you switched to locked down mode.

As long as you are in regular mode, all those processes will run, because they are signed by MS.
However, Windows Defender's ability to protect you will still be crippled, unless you either make the necessary exceptions, or turn off memory protection for MS.
 
It is hard telling not having hands on V4 and also not knowing the program to the depths that @Lockdown does.

I utilize Lock Down Mode as an on demand mostly on this system, when I'm not researching in unknown territory, it is placed in Protected Mode for usability on this shared system. I do have all the main vulnerable processes blocked/disabled, as well as a few others, and the couple applications I do have on the system, are in guarded apps. The trusted publisher list is narrowed down, and this coupled with SEPC for times I need to lower protection and covering the network, works for me. It works hand in hand quite well.

I probably did not see any issues as I set up the system in protected mode, then only used Lock Down Mode occasionally, although during those times, I had no issues, other than needing to place AG in Controlled Folder Access. I did not keep Controlled folders enabled, I had just done so out of curiosity.
 