Advice Request Windows Security persistent block

Please provide comments and solutions that are helpful to the author of this topic.
Templarware

Templarware

Level 11
Thread author
Verified
Top Poster
Well-known
Mar 13, 2021
501
1
1,626
969
When updating Armoury Crate, Windows security started blocking Asio3_64.sys, ("The administrator has blocked access to this file"). There's a button on the notification to click "unblock", I click it but it doesn't make anything, the notification comes back a few seconds later, time and time again. Armoury Crate doesn't work because of that.
I'm using DefenderUI with Recommended settings, I thought that was the problem, but I switched to the Default settings and it didn't help. I tried adding the folder to the exclusions list and I even tried disabling everything in Windows Defender, still blocked. It's very weird...
Any ideias what can still be active and blocking the file?
 
  • Wow
Reactions: piquiteco
This could be due to a false positive by Windows Defender. You can try adding the file to the Exclusions list in Windows Security. Go to Settings > Update & Security > Windows Security > Virus & threat protection. Under Virus & threat protection settings, select Manage settings, and then under Exclusions, select Add or remove exclusions. Here, add the file that's being blocked. If this doesn't work, it might be a good idea to contact Microsoft Support or Asus (as Armoury Crate is their software) for further assistance.
 
Templarware said:
When updating Armoury Crate, Windows security started blocking Asio3_64.sys, ("The administrator has blocked access to this file"). There's a button on the notification to click "unblock", I click it but it doesn't make anything, the notification comes back a few seconds later, time and time again. Armoury Crate doesn't work because of that.
I'm using DefenderUI with Recommended settings, I thought that was the problem, but I switched to the Default settings and it didn't help. I tried adding the folder to the exclusions list and I even tried disabling everything in Windows Defender, still blocked. It's very weird...
Any ideias what can still be active and blocking the file?
Click to expand...

The driver is probably blocked by Defender ASR rule and independently by Windows Core Isolation setting (Microsoft Vulnerable Driver Blocklist).
A similar issue is reported here:
www.elevenforum.com

Enable or Disable Microsoft Vulnerable Driver Blocklist in Windows 11

This tutorial will show you how to turn on or off the Microsoft Vulnerable Driver Blocklist for all users in Windows 10 and Windows 11. Starting with Windows 10 (KB5018482) and Windows 11 (KB5018483 and KB5018496), the Microsoft Vulnerable Driver Blocklist is enabled by default. The vulnerable...
www.elevenforum.com www.elevenforum.com

But I do not recommend disabling those settings without seriously checking why the driver was blocked. I installed Armoury Crate from Softpedia on a freshly updated Windows 11 Pro without any blocks (Defender on MAX settings and Core Isolation settings enabled).
 
Last edited:
  • Like
  • +Reputation
Reactions: piquiteco, Zero Knowledge, simmerskool and 4 others
Andy Ful said:
The driver is probably blocked by Defender ASR rule and independently by Windows Core Isolation setting (Microsoft Vulnerable Driver Blocklist).
A similar issue is reported here:
www.elevenforum.com

Enable or Disable Microsoft Vulnerable Driver Blocklist in Windows 11

This tutorial will show you how to turn on or off the Microsoft Vulnerable Driver Blocklist for all users in Windows 10 and Windows 11. Starting with Windows 10 (KB5018482) and Windows 11 (KB5018483 and KB5018496), the Microsoft Vulnerable Driver Blocklist is enabled by default. The vulnerable...
www.elevenforum.com www.elevenforum.com

But I do not recommend disabling those settings without seriously checking why the driver was blocked. I installed Armoury Crate from Softpedia on a freshly updated Windows 11 Pro without any blocks (Defender on MAX settings and Core Isolation settings enabled).
Click to expand...
Core isolation is disabled, because I've disabled SVM in the Bios for better performance.
I tried disabling vulnerable driver blocklist but kept getting the notification, maybe it was bugged...
My first installation was also without any blocks, the blocks started with the last Armoury Carte update.
 
  • Like
Reactions: piquiteco, Zero Knowledge, simmerskool and 1 other person
What is the SHA-256 file hash in VirusTotal?
Can you post the screenshot with the block alert?
Can you post the block event info from Event Viewer or DefenderUI?
 
Last edited:
  • Like
Reactions: piquiteco and simmerskool
Andy Ful said:
What is the SHA-256 file hash in VirusTotal?
Can you post the screenshot with the block alert?
Can you post the block event info from Event Viewer or DefenderUI?
Click to expand...
I've completely uninstalled Armoury Crrate using Revo Uninstaller and the official uninstall tool.

Sem título2.png
 
  • Like
Reactions: piquiteco, Andy Ful and simmerskool
Templarware said:
I've completely uninstalled Armoury Crrate using Revo Uninstaller and the official uninstall tool.

View attachment 288697
Click to expand...

This block can be bypassed in two ways:
  1. Adding the filepath to ASR exclusions (folderpath may not work).
  2. Disabling the ASR rule / Restart Windows / Install the app and driver / Enabling the ASR rule.
But I do not recommend using a vulnerable driver.
 
  • Like
  • +Reputation
Reactions: piquiteco, Parkinsond, simmerskool and 1 other person
Andy Ful said:
This block can be bypassed in two ways:
  1. Adding the filepath to ASR exclusions (folderpath may not work).
  2. Disabling the ASR rule / Restart Windows / Install the app and driver / Enabling the ASR rule.
But I do not recommend using a vulnerable driver.
Click to expand...
If I install other antivirus, will it disable vulnerable driver blocks?
 
Templarware said:
If I install other antivirus, will it disable vulnerable driver blocks?
Click to expand...
The vulnerable driver blocks related to the Microsoft Defender ASR rule will not work anymore. The blocks related to the Core Isolation setting will work with other AVs.
 
  • Like
  • +Reputation
  • Thanks
Reactions: simmerskool, piquiteco, Templarware and 2 others
n8chavez said:
You use Opera? Well, I can't help you then. Opera Presto, yes. Chinese Opera based on Chromium, no thanks.
Click to expand...
Yes, Opera GX is great. And besides that, all my hardware is from ASUS, so it would be a shame to use other generic third party RGB software.
 
Last edited:
Andy Ful said:
The vulnerable driver blocks related to the Microsoft Defender ASR rule will not work anymore. The blocks related to the Core Isolation setting will work with other AVs.
Click to expand...
Are they the same? Is there any way to know which one is blocking the files here?
 
Andy Ful said:
No.


It is clear from the alert (the name of the Defender ASR rule is visible):

View attachment 288745
Click to expand...
Ok. But I remember changing that rule to "Deficient" in DefenderUI and it still getting blocked. I don't remember if I restarted the PC though.
This rule is Off by default, maybe that's why nobody else is having this problem except me.
 
n8chavez said:
So is mine. But I'm not keeping a 3gb utility just for lights. Uninstall AC, then install OpenRGB.
Click to expand...
It's also the only way for you to configure your keyboard and mouse settings, as updating their drivers/firmware. Update the RGB firmware of the motherboard and all devices, etc.
3GB disk doesn't bother me at all if the CPU and Ram usage are low.
 

You may also like...