Controlled folders Windows 10 with AppGuard running bug?

  • Thread starter ForgottenSeer 69673
  • Start date
Status
Not open for further replies.

509322

Thread author
Today I noticed something strange on my pc. I went into Windows Defender Security Center and clicked on Ransomware Protection (controlled folders). I tried enabling it and it would enable for about a second, then switch back off. What I found is with Appguard set to lockdown, I could not enable it. I then put Appguard in Protected mode and had no problem enabling controlled folders. Also putting Appguard in install mode allows me to enable controlled folders.
Also if you have controlled folders enabled while in lockdown mode, you cannot disable it again.

Using version 4 lifetime.

Because of a special case, Locked Down mode is running the Windows Security processes as Guarded and in Privacy Mode. The Guarding of those processes is the reason you cannot modify settings, update signatures manually, install new modules via Windows Update, etc. Normally, Locked Down mode will not even allow Microsoft signed processes to launch from User Space, but as I said, there is a special case.

Protected mode allows Microsoft processes to launch from User Space (e.g. ProgramData) - but the Trusted Publisher List settings for Microsoft are applied. That means the Windows Security process will run Memory Guarded.

Version 4 does not support, and will not be updated by AppGuard LLC to support, Microsoft's movement of Windows 10 security services from Program Files to ProgramData. Essentially, Microsoft moved all security processes from System Space to User Space on Windows 10 back in Oct 2017. Furthermore, starting with Windows 10 1803, Microsoft deleted a security process running from ProgramData. So everyone will have to keep an eye on Microsoft's unilateral changes because they are not going to notify anyone about such changes.

https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform

The user hotfixes in versions 4.X and 5.2.X are easy enough... they are just simple policy exceptions:

For Locked Down mode:

For Windows 10 1803, make the following exceptions in User Space (except for the mpengine.exe - which was removed from ProgramData on 1803):

(Attached screenshot: Cap3.PNG)

For Protected mode:

Set MEMORY to OFF in the Trusted Publisher List for Microsoft.
 

shmu26

But I have always run Appguard in locked down mode. Oh well....
I will venture another guess why you didn't have problems before: maybe you were using a 3rd party AV before?
The blocks from Windows Defender will show up only if you are using Windows Defender as your active AV, AFAIK.
 

ForgottenSeer 69673

Thread author
I will venture another guess why you didn't have problems before: maybe you were using a 3rd party AV before?
The blocks from Windows Defender will show up only if you are using Windows Defender as your active AV, AFAIK.

Are you still using Appguard?
 

ForgottenSeer 69673

Thread author
Thank you Lockdown for this info. Still baffles me as to why they made the move. Guessing they were thinking it is a safer move.
 

ForgottenSeer 69673

Thread author
I have two folders in the Platform folder with different dates, and also my Platform folders both still contain mpengine.exe.

(Attached screenshots: ScreenHunter_100 May. 11 12.02.jpg, ScreenHunter_101 May. 11 12.02.jpg)
 

ForgottenSeer 69673

Thread author
I also have the same files in the Programs folder. Now I am really confused.

(Attached screenshot: ScreenHunter_104 May. 11 12.10.jpg)
 

509322

Thread author
What is MsMpengine used for then?

There is mpengine.exe and MsMpEngine.exe. mpengine.exe was used to perform scans and cleanup. MsMpEngine.exe = Windows Defender.

Look more carefully at the file names and what is installed on your system...

Look carefully at what is running on the system using Task Manager > Details tab or Process Explorer\Process Hacker\etc.
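The two checks this thread keeps coming back to, where the Windows Defender platform binaries actually live (Program Files vs. ProgramData\...\Platform) and what state Controlled Folder Access is in after toggling it, can be read directly from PowerShell instead of from Task Manager screenshots. The script below is an added example for this thread, not something posted by Lockdown or shipped by AppGuard or Microsoft. It uses only standard Windows 10 cmdlets (Get-MpPreference, Get-CimInstance) and the executable names as installed by Windows 10 (MsMpEng.exe is the Antimalware Service Executable); the specific Platform folder names and dates on your box will of course differ from anyone else's.

```powershell
# Added example: inventory where Windows Defender runs from and what state
# Controlled Folder Access (CFA) is in. Run from an elevated PowerShell prompt
# on Windows 10 with Windows Defender as the active AV.

# 1. CFA state as Windows reports it. Property values: 0 = Disabled,
#    1 = Enabled, 2 = AuditMode. Re-run this after flipping the switch in
#    Windows Defender Security Center to see whether the change actually stuck.
$cfaNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$pref = Get-MpPreference
"Controlled Folder Access : $($cfaNames[[int]$pref.EnableControlledFolderAccess])"

# 2. The service binary path for WinDefend. On current Windows 10 builds this
#    points under ProgramData\Microsoft\Windows Defender\Platform\<version>\,
#    i.e. what AppGuard calls User Space, rather than Program Files.
$svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
"WinDefend binary path    : $($svc.PathName)"
"WinDefend service state  : $($svc.State)"

# 3. Enumerate every Platform folder (there can be more than one after an
#    antimalware platform update) and report which engine files each holds.
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
if (Test-Path $platformRoot) {
    Get-ChildItem $platformRoot -Directory |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            $files = Get-ChildItem $_.FullName -File -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Platform       = $_.Name
                LastWrite      = $_.LastWriteTime
                HasMsMpEngExe  = [bool]($files | Where-Object Name -eq 'MsMpEng.exe')
                HasMpEngineExe = [bool]($files | Where-Object Name -eq 'mpengine.exe')
                HasMpEngineDll = [bool]($files | Where-Object Name -eq 'mpengine.dll')
            }
        } | Format-Table -AutoSize
} else {
    "No Platform folder under ProgramData; Defender is still running from Program Files."
}

# 4. Which Defender processes are live right now. ExecutablePath can be blank
#    for protected processes when not elevated; the service path above is the
#    reliable answer in that case.
Get-CimInstance Win32_Process -Filter "Name='MsMpEng.exe' OR Name='NisSrv.exe' OR Name='MpCmdRun.exe'" |
    Select-Object Name, ProcessId, ExecutablePath |
    Format-Table -AutoSize
```

Comparing the output of step 2 against the AppGuard policy (Locked Down vs. Protected, and whether the Microsoft entry in the Trusted Publisher List has MEMORY set to ON) explains the behaviour described at the top of the thread: if the WinDefend binary is under ProgramData, it is launching from User Space and AppGuard's guarding of that process is what blocks the settings change, so the CFA value read in step 1 snaps back to its previous state.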
 