Windows Defender Virus Test Failure


  1. Posts : 7,905
    Windows 11 Pro 64 bit
       #1

    Windows Defender Virus Test Failure


    I saw this post on the forum to this web site to test whether Defender is correctly configured https://demo.wd.microsoft.com/

    My laptop appears to be correctly configured but doesn't block the test downloads for Cloud Delivered Protection and Block at First Sight. My desktop PC does block these files.

    Is there a way of resetting Defender short of doing a clean install to ensure that the virus protection is correctly configured?

    Do you find that Defender doesn't block the above test files?


  2. Posts : 31,666
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #2

    Steve C said:
    ...My laptop appears to be correctly configured but doesn't block the test downloads for Cloud Delivered Protection and Block at First Sight... ...Do you find that Defender doesn't block the above test files?
    What I see depends on which browser I use, only IE or Edge show the SmartScreen message...



    ...for a browser like Firefox that doesn't use SmartScreen then I get an action centre notification of detection. Either way, validatecloud.exe is detected and blocked.



  3. Posts : 7,905
    Windows 11 Pro 64 bit
    Thread Starter
       #3

    I found Edge blocks validatecloud.exe but both Edge and Chrome allow download of the Block at First test file wdtestfile.exe


  4. Posts : 812
    Win10
       #4

    For Block at First Sight to work you need to have it set in Group Policy.


  5. NMI
    Posts : 1,095
    Windows 11 Pro, Version 22H2
       #5

    win10freak said:
    For Block at First Sight to work you need to have it set in Group Policy.
    It works for me, and I don't have it set in Group Policy.

    You just need Real-time protection, Cloud-delivered protection and Automatic sample submission to be turned on at Settings, Update & Security, Windows Security, Virus & threat protection, Manage settings.

    All three of those are on by default: To Turn On Block at First Sight Cloud Protection in Windows Defender


  6. Posts : 7,905
    Windows 11 Pro 64 bit
    Thread Starter
       #6

    NMI said:
    It works for me, and I don't have it set in Group Policy.

    You just need Real-time protection, Cloud-delivered protection and Automatic sample submission to be turned on at Settings, Update & Security, Windows Security, Virus & threat protection, Manage settings.

    All three of those are on by default: To Turn On Block at First Sight Cloud Protection in Windows Defender
    I have those set as default but the feature doesn't work against the test file I posted.

    These files are allowed to be downloaded but are stopped by SmartScreen if you try to run them. Running a Defender check on the files does not trigger a virus alert. Defender does quarantine the standard EICAR test virus.

    wdtestfile.exe

    Are the MS test files in post 1 valid or is there something strange in my PC installation?
    Last edited by Steve C; 30 Apr 2019 at 16:45.


  7. NMI
    Posts : 1,095
    Windows 11 Pro, Version 22H2
       #7

    Steve C said:
    I found Edge blocks validatecloud.exe but both Edge and Chrome allow download of the Block at First test file wdtestfile.exe
    Steve C said:
    I have those set as default but the feature doesn't work against the test file I posted.
    These files are allowed to be downloaded but are stopped by SmartScreen if you try to run them. Running a Defender check on the files does not trigger a virus alert.
    I agree with your findings.

    Sorry if I misled by saying, "It works for me ...".

    But I don't believe any Group Policy settings are required for "block at first sight" to work:

    Confirm block at first sight is enabled with the Windows Security app

    You can confirm that block at first sight is enabled in Windows Settings.
    Block at first sight is automatically enabled as long as Cloud-based protection and Automatic sample submission are both turned on.

    Enable Block at first sight
    Last edited by NMI; 01 May 2019 at 00:00.
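
The settings check discussed in the posts above, as an added example that is not part of any poster's message: a read-only PowerShell snapshot of the Defender preferences Block at First Sight depends on, plus any Group Policy values, so the reports from two PCs can be compared. The report field names are illustrative, and download scanning is checked as an extra prerequisite beyond the three settings named in the thread.

```powershell
# Added example: read-only snapshot of the Defender settings behind Block at First Sight.
# Run in an elevated PowerShell session on each PC and compare the two reports.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Values written by Group Policy are stored here; empty fields mean no policy is set.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
$policy    = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }

$mapsLevel   = @{ 0 = 'Off'; 1 = 'Basic'; 2 = 'Advanced' }
$sampleLevel = @{ 0 = 'Always prompt'; 1 = 'Send safe samples'; 2 = 'Never send'; 3 = 'Send all samples' }

$maps    = [int]$pref.MAPSReporting
$samples = [int]$pref.SubmitSamplesConsent

$report = [ordered]@{
    ComputerName          = $env:COMPUTERNAME
    PlatformVersion       = $status.AMProductVersion
    SignatureVersion      = $status.AntivirusSignatureVersion
    RealTimeProtection    = $status.RealTimeProtectionEnabled
    DownloadScanning      = $status.IoavProtectionEnabled
    CloudProtection       = $mapsLevel[$maps]
    SampleSubmission      = $sampleLevel[$samples]
    BlockAtFirstSeenOff   = $pref.DisableBlockAtFirstSeen
    CloudBlockLevel       = $pref.CloudBlockLevel
    PolicySpynetReporting = $policy.SpynetReporting
    PolicySubmitSamples   = $policy.SubmitSamplesConsent
    PolicyDisableBafs     = $policy.DisableBlockAtFirstSeen
}

# Block at First Sight needs all of these; automatic submission means level 1 or 3.
# Download scanning (IOAV) is an added check beyond the three settings in the thread.
$report.BafsPrerequisitesMet = $status.RealTimeProtectionEnabled -and
    $status.IoavProtectionEnabled -and ($maps -ne 0) -and
    ($samples -in 1, 3) -and (-not $pref.DisableBlockAtFirstSeen)

[pscustomobject]$report | Format-List

# Cloud connectivity check quoted in the thread; the path is the one given there.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (Test-Path $mpCmdRun) { & $mpCmdRun -ValidateMapsConnection }
```

A difference between the two reports in the platform or signature version, or a non-empty policy field on only one PC, is the first place to look when identical Settings pages produce different blocking behaviour.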


  8. Posts : 7,905
    Windows 11 Pro 64 bit
    Thread Starter
       #8

    NMI said:
    I agree with your findings.

    Sorry if I misled by saying, "It works for me ...".

    But I don't believe any Group Policy settings are required for "block at first sight" to work:

    Confirm block at first sight is enabled with the Windows Security app

    You can confirm that block at first sight is enabled in Windows Settings.
    Block at first sight is automatically enabled as long as Cloud-based protection and Automatic sample submission are both turned on.

    Enable Block at first sight
    I followed the test link and validatecloud.exe is downloaded without being quarantined. It is blocked if I try to run it. Defender is correctly configured in Settings. I made the settings in Group Policy as stated in the link but the same behaviour persists after a restart.
    Last edited by Steve C; 01 May 2019 at 02:32.


  9. NMI
    Posts : 1,095
    Windows 11 Pro, Version 22H2
       #9

    Steve C said:
    I followed the test link and validatecloud.exe is downloaded without being quarantined. It is blocked if I try to run it. Defender is correctly configured in Settings. I made the settings in Group Policy as stated in the link but the same behaviour persists after a restart.
    I thought you had said in post #3 that validatecloud.exe was correctly blocked. You don't mean wdtestfile.exe is still not blocked?

    I presume you found the necessary path for "C:\Program Files\Windows Defender\MpCmdRun" -ValidateMapsConnection ?

    And just to confirm how you started this thread; everything works as expected on your desktop PC but not on your laptop?


  10. Posts : 7,905
    Windows 11 Pro 64 bit
    Thread Starter
       #10

    NMI said:
    I thought you had said in post #3 that validatecloud.exe was correctly blocked. You don't mean wdtestfile.exe is still not blocked?

    I presume you found the necessary path for "C:\Program Files\Windows Defender\MpCmdRun" -ValidateMapsConnection ?

    And just to confirm how you started this thread; everything works as expected on your desktop PC but not on your laptop?
    Yes, I eventually found the correct path for the MpCmdRun command.

    The behaviour is different in Chrome & Edge on my laptop. Chrome allows download of validatecloud.exe but the file is blocked by Smartscreen if you try to open it. Edge blocks the download using Smartscreen. My desktop PC quarantines the file on download using Chrome. I don't understand the different behaviour despite both PCs running the latest version of 1809 and having Defender configured the same way.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
