Advice Request Why are we even messing with anything other than WD these days?


Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
http://download.comodo.com/cis/download/installs/2000/partners/cmd_fw_installer.exe taken directly from here, steps to reproduce the problem: When I ran the installer for the first time, WD sent a notification that a PUA was detected, I ignored it because when I tell WD to remove the threat, the installer breaks, as in it will get to a black box with "Please wait" and then the installer just seemingly terminates itself. After installing CF and playing around with it, I went back to WD and told it to remove the threat, and it goes in the loop that I told you in my original comment, I uninstall CF, same thing, and basically from here I did everything I did in my original comment and still haven't found a solution besides adding it as an allowed threat. Maybe I'm doing something wrong...
The installer was first blocked by SmartScreen in Edge. I have chosen to keep it, WD has scanned it without alert. I have run the installer without adjusting the options. So, some bloatware was installed (Comodo Dragon). Everything is OK no alerts from WD. I will try to install it once again with enabled WD PUA protection (via ConfigureDefender).
 
May 14, 2020
62
The installer was first blocked by SmartScreen in Edge. I have chosen to keep it, WD has scanned it without alert. I have run the installer without adjusting the options. So, some bloatware was installed (Comodo Dragon). Everything is OK no alerts from WD. I will try to install it once again with enabled WD PUA protection (via ConfigureDefender).
That's strange, I downloaded the installer from Edge as well and SmartScreen didn't block it, and I had PUA detection enabled as well for SmartScreen in Edge. Also I only installed the firewall and unchecked the boxes for the Yahoo home page and COMODO Secure DNS thing. I also installed it in Windows 10 Pro with the May 2020 update. So I toggled PUA protection from Windows Security instead of ConfigureDefender or gpedit.
 

Andy Ful

That's strange, I downloaded the installer from Edge as well and SmartScreen didn't block it, and I had PUA detection enabled as well for SmartScreen in Edge. Also I only installed the firewall and unchecked the boxes for the Yahoo home page and COMODO Secure DNS thing. I also installed it in Windows 10 Pro with the May 2020 update. So I toggled PUA protection from Windows Security instead of ConfigureDefender or gpedit.
Repeated the test with disabled SmartScreen in Edge (it disables PUA protection in Edge too), but enabled PUA in WD (Used ConfigureDefender with HIGH Protection Level). I restarted Windows to apply ConfigureDefender settings. After this, I used Edge to download the CF installer. The installer was downloaded without any alerts. Next I used the PUA test (Feature Settings Check - Potentially Unwanted Applications | AMTSO) to be sure if the PUA protection works. It worked as it can be seen from the Edge screenshot:
EdgenoPUA.png

Next, I have run the CF installer and it worked without issues. So it seems that:
  1. WD was somewhat spoiled in your system and works strangely.
  2. WD reacts correctly to some background process not related to the CF installer.
Edit.
If you need help then you can PM me and send the Defender Security Log from ConfigureDefender.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,633
The two DLLs detected by WD were a part of the CF installer, if CF detects a PUA in its own installer and tries to sandbox, well that would be counterintuitive... And even after uninstalling and deleting the installer and reboot and a repair upgrade with the Media Creation Tool, WD still detects the DLL files, the funny thing is that when I run a custom scan, and choose anywhere besides my AppData\Local\Temp folder, it still detects the two nonexistent threats, the only way I got rid of the issue was just putting the detection as an allowed threat.
This is a very common, annoying bug of Windows Security. I've faced it countless times. I thought Microsoft fixed it but it still appears now and then. Just cause one user faced it installing a certain program doesn't mean another user will face it also for that particular scenario. That's why Andy can't reproduce it on his end. It's so random.
Often rebooting solves this problem. If it doesn't then turn off Tamper protection from Windows Security then remove all the files located in this folder, "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" then turn on Tamper protection.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
I am running Microsoft Defender + Malwarebytes Premium 4 (just web protection ON) and I have to say that it is running like a dream in my Ryzen machine, no slowdown whatsoever and browsing speed is the best that I have ever seen.

It has been a no false positives, no stupid pop-ups (looking at you Bitdefender auto-pilot), no javascript injection, no MITM experience for now.

I will probably stay as a Kaspersky user, but it is getting harder and harder to justify the acquisition of a security solution considering what Microsoft is offering for free and by default.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,763
I am running Microsoft Defender + Malwarebytes Premium 4 (just web protection ON) and I have to say that it is running like a dream in my Ryzen machine, no slowdown whatsoever and browsing speed is the best that I have ever seen.

It has been a no false positives, no stupid pop-ups (looking at you Bitdefender auto-pilot), no javascript injection, no MITM experience for now.
I do wish more AVs would web filter like Malwarebytes. I did get office to finally reproduce the pop ups, they aren’t as frequent on my machine for whatever reason. But, supposedly they are working on a fix. Seems like marketing got their hands on the programmers’ time.
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,100
This is a very common, annoying bug of Windows Security. I've faced it countless times.
Like WSC protection history crashing intermittently, or when log is very full. It works better since setting it to clear after 7 days instead of 30. Unfortunately, no way to clear or limit CFA protection history.
 

SeriousHoax

Like WSC protection history crashing intermittently, or when log is very full. It works better since setting it to clear after 7 days instead of 30. Unfortunately, no way to clear or limit CFA protection history.
I haven't faced this protection history crashing bug in a while. It's probably fixed now. Have you faced it lately?
 
May 14, 2020
62
This is a very common, annoying bug of Windows Security. I've faced it countless times. I thought Microsoft fixed it but it still appears now and then. Just cause one user faced it installing a certain program doesn't mean another user will face it also for that particular scenario. That's why Andy can't reproduce it on his end. It's so random.
Often rebooting solves this problem. If it doesn't then turn off Tamper protection from Windows Security then remove all the files located in this folder, "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" then turn on Tamper protection.
Thanks, normally I don't like messing around in program directories but it seems like the only way.
 

Protomartyr

Level 7
Sep 23, 2019
314
I haven't faced this protection history crashing bug in a while. It's probably fixed now. Have you faced it lately?

I faced this bug a week ago while I was re-evaluating my system before making my monthly system image backup. MacriumService.exe (Macrium Reflect Free) would constantly populate in the protection history causing it to crash. Had to add it to the ASR exclusion list.

I'm still on 1909 though so it might be fixed in 2004.
 
May 14, 2020
62
This is a very common, annoying bug of Windows Security. I've faced it countless times. I thought Microsoft fixed it but it still appears now and then. Just cause one user faced it installing a certain program doesn't mean another user will face it also for that particular scenario. That's why Andy can't reproduce it on his end. It's so random.
Often rebooting solves this problem. If it doesn't then turn off Tamper protection from Windows Security then remove all the files located in this folder, "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" then turn on Tamper protection.
THANK YOU SO MUCH! It fixed the bug! Although I'm still not sure if it's a bug or like @Andy Ful said something related to a background process repeatedly trying to inject the DLLs in the Temp folder, maybe WD was trying to do its job but kept failing to remove or quarantine the DLL files. In any case, I don't think an installer for a firewall/antivirus program should be using DLL files that are also present in PUA installers...

UPDATE: If anybody is curious the two files detected by WD in the CF installer were named fusion.dll and fusion.dll.tmp, here's the VT results: VirusTotal
(Note the two DLLs had the same detection and the SHA256 hash, so I only posted one link because the two VT results are essentially the same.)
UPDATE 2: As I understand it the fusion.dll is used by many PUA/bundler installers.
 

Andy Ful

THANK YOU SO MUCH! It fixed the bug! Although I'm still not sure if it's a bug or like @Andy Ful said something related to a background process repeatedly trying to inject the DLLs in the Temp folder,...
If clearing the WD history helped to solve your problem, then we probably talked about two different things. From your posts, I understood that WD is detecting these DLLs even after refreshing the Windows. If so, then you should see the WD alert about detection without looking at WD Security Center. But it seems that WD did not detect these DLLs any more (no WD detection alert), but simply there was a problem with WD history.(y)
 
May 14, 2020
62
If clearing the WD history helped to solve your problem, then we probably talked about two different things. From your posts, I understood that WD is detecting these DLLs even after refreshing the Windows. If so, then you should see the WD alert about detection without looking at WD Security Center. But it seems that WD did not detect these DLLs any more (no WD detection alert), but simply there was a problem with WD history.(y)
Oh yeah, another thing I forgot to mention, when the DLLs were still being detected and WD advised me to run a quick scan, the quick scan notification stated that "No new threats were found." But after the quick scan the DLLs were still detected, so does that mean that the detection was somehow a UI bug because the WD shield in the system tray still had a green checkmark, or were the two DLLs considered "old threats" and the scan was only looking for "new threats"?
 
May 14, 2020
62
What was exactly the WD reaction? How did you recognize that the DLLs were detected? Did you see any WD alert when using the computer?
The first time I ran the installer, WD immediately pushed a notification from App & browser control that said it detected a potentially unwanted app and to go to Windows Security for options.

UPDATE: I decided to try it again for experimental purposes, downloaded the installer from Edge Chromium wasn't blocked by SmartScreen, I run the installer, WD says PUA was detected, this time I tell WD to take proper actions to remove fusion.dll while the CF installer is installing the software, WD pushes another notification that says "Actions needed in Windows Defender. Microsoft Defender Antivirus has detected PUA:Win32/FusionCore in Fusion.dll, please restart your device." After successfully installing CF, I reboot, upon reboot, everything works fine, WD reports that the file has been removed and CF works just fine, I'll report back when anything else happens.

Also Microsoft seems to be going through an identity crisis when it comes to their built-in antivirus, the notification I received said "Actions needed in Windows Defender." But it also mentions Microsoft Defender Antivirus in the same notification, worse yet when you look at the security providers in Windows Security, you'll see Windows Firewall, but clicking the link to open the app for the firewall leads you to the Firewall & network protection page in Windows Security, where it mentions the firewall as Microsoft Defender Firewall, and to confuse things even more, they still label it as Windows Defender Firewall in the legacy control panel...
 

Andy Ful

...
Also Microsoft seems to be going through an identity crisis when it comes to their built in antivirus, the notification I received said "Actions needed in Windows Defender."
We differently understood the term detected by WD. When you see the notification "Actions needed in Windows Defender" it does not mean that WD actually detected something during the current Windows session. It only means that there are some not remediated events, and you can see this notification for a long time without detecting any new malware.:)

In your case, the problem occurred because you tried to remediate the event after it was already deleted from the temporary location by the installer. The non-existent file could not be removed or quarantined by WD, but only allowed. It is a kind of WD history bug related to non-existent files that were properly detected but not remediated by WD.(y)

The interesting thing is that this installer can drop different DLLs on different computers.:unsure:
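
The situation described in the post above (a detection that stays in the history after the installer has already deleted the file from its temporary location) can be checked from PowerShell. The script below is an added example, not something posted in this thread; it uses the built-in Defender cmdlets and assumes that file resources are reported in the form `file:_C:\path\name.dll`.

```powershell
# Added example: list Defender detections and flag those whose file is gone.
# Uses the built-in Defender module (Get-MpComputerStatus, Get-MpThreat,
# Get-MpThreatDetection). Run from an elevated PowerShell prompt.

$status = Get-MpComputerStatus
"Tamper protection enabled: {0}" -f $status.IsTamperProtected

# Map ThreatID -> ThreatName so the report shows names such as PUA:Win32/FusionCore.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

$report = foreach ($d in Get-MpThreatDetection) {
    foreach ($res in $d.Resources) {
        # Assumption: file resources look like "file:_C:\path\name.dll".
        # Other resource kinds (registry keys, processes) are skipped.
        if ($res -notmatch '^file:_(?<path>.+)$') { continue }
        $path = $Matches['path']
        [pscustomobject]@{
            Detected   = $d.InitialDetectionTime
            Threat     = $names[$d.ThreatID]
            Path       = $path
            # False means the history entry points at a file that no longer exists.
            FileExists = Test-Path -LiteralPath $path
            ActionOk   = $d.ActionSuccess
        }
    }
}

$report | Sort-Object Detected | Format-Table -AutoSize -Wrap

$stale = @($report | Where-Object { -not $_.FileExists })
"{0} of {1} file detections point at files that are no longer on disk." -f `
    $stale.Count, @($report).Count
```

Entries with `FileExists` set to False are history records only; a new scan has nothing left to find at that path.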
 

truefacts

Level 1
Jun 9, 2020
12
If no one in your family have ever used 'default deny' how do you know it causes too many problems?

I didn't say they didn't try it. They did. It created lots of problems and uninstalled it.


As for 'third party software causes too many problems' - Again in your opinion, KIS, ESET, F-Secure, Emsisoft etc has rarely if ever caused me any problems on multiple systems/people

Not opinion. Based upon real world experience. A fact.

Just search through forums like this one and the internet to find literally hundreds of posts by people reporting problems. This fact substantiates what I've posted and therefore makes what I posted a fact, not opinion. The fact is that 3rd party programs cause many more problems than do Microsoft native programs.

As for me I use very few built in MS modules regarding, search, ripping, disc maintainable, all audio-visual & Office for starters - My reason, most third party programs are far less complex, faster, and generally less hassle & in the case of Office vastly easier to maintain - WD comes in to the category above - I have 26 years experience in Windows to come to these conclusions - But still my opinion only.

That is your experience. However, like I said, just search the internet.

My reason, most third party programs are far less complex, faster, and generally less hassle & in the case of Office vastly easier to maintain

Search the internet.


WD comes in to the category above

Countless people here establish that this is indeed not the case. The simplicity and problem-free nature of WD is the reason of its immense popularity here. That fact also accounts for the immense popularity of Hard_Configurator, which proves that people do not need to use 3rd party security programs. No, Hard_Configurator is not a 3rd party security program. It is just a front-end for Windows security. It is all native Windows security.

Even leading industry experts agree that 3rd party security are very problematic for Windows.
 