Can I configure Windows Defender to never quarantine files


  1. Posts : 3
    w7/10
       #1

    Can I configure Windows Defender to never quarantine files


    Hello,


    I am using w10 1903 x64. I was wondering if there is a way, without setting up exclusions, to configure Windows Defender to never quarantine any file and only block access and just prompt the user how to proceed?

    I am all for active scanning but not automatic quarantine actions.



    Also just wanted to share this nugget of info if you want to see the list of files that have been quarantined via cli run:



    Code:
    "C:\Program Files\Windows Defender\mpcmdrun.exe"  -restore -listall



    Thanks.


  2. Posts : 8,622
    Mac OS Catalina
       #2

    It would still allow an infection to continue and spread if malware. The whole idea of quarantine is to not allow a mass infection. It would be like allowing someone with a disease like smallpox, measles or diphtheria to be around others and infect them if they are susceptible to becoming infected.


  3. Posts : 24,545
    10 Home x64 (21H2) (10 Pro on 2nd pc)
       #3

    Welcome to TenForums @fester13579

    Thanks for that 'nugget', running it told me that a couple of PUPs from some recent testing I did were still in quarantine, despite the Windows Security app assuring me there was nothing held in quarantine. I restored them then permanently deleted them. BTW, you need to use a Command prompt (Admin) in order to run that command.


    Do you have Pro? If so, there is a Group Policy that can do that. Open gpedit and look in Administrative Templates > Windows Components > Windows Defender Antivirus. When enabled, the 'Turn off routine remediation' policy will make Defender prompt the user with a choice of actions.

    https://docs.microsoft.com/en-us/win...nder-antivirus

    It's not clear what registry settings this policy changes (or whether they would work in Home); perhaps @Brink knows.


  4. Posts : 3
    w7/10
    Thread Starter
       #4

    I found that setting this registry key may do the trick for me. It is what is set via the 'Turn off routine remediation' Group Policy you mentioned. I will try this for a while and verify that it keeps working.

    Thanks.



    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    "DisableRoutinelyTakingAction"=dword:00000001


  5. Posts : 24,545
    10 Home x64 (21H2) (10 Pro on 2nd pc)
       #5

    Yes, that's the one. I've been looking at how it changes Defender in W10 Pro. There's little difference to see, apart from Defender not automatically quarantining a file shortly after detection. It still blocks all access to it though.
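    An added example (not from the thread) that checks from PowerShell whether the policy value discussed in posts #4 and #5 is present and reports Defender's current protection status alongside it, so an administrator can see at a glance whether automatic remediation has been turned off on a machine. It assumes an elevated prompt; the registry path and value name are the ones from post #4, and the Get-MpComputerStatus cmdlet and its property names are taken from the built-in Defender module, not from the thread.

    ```powershell
    # Added example: audit the 'Turn off routine remediation' policy value and
    # report it next to the live Defender status. Run from an elevated prompt.
    function Get-DefenderRemediationPosture {
        # Registry location and value name as given in post #4 of the thread.
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
        $valueName = 'DisableRoutinelyTakingAction'

        # A missing key or value means the default: automatic remediation is ON.
        $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
        $raw  = $null
        if ($null -ne $item) { $raw = [int]$item.$valueName }

        if ($raw -eq 1) {
            $remediation = 'Disabled by policy (user is prompted for an action)'
        } else {
            $remediation = 'Enabled (default: detected files are quarantined automatically)'
        }

        # Built-in Defender module cmdlet (assumed available on Windows 10 1903+).
        $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
        $rtp    = 'unknown'
        $tamper = 'unknown'
        if ($null -ne $status) {
            $rtp    = $status.RealTimeProtectionEnabled
            $tamper = $status.IsTamperProtected
        }

        [pscustomobject]@{
            PolicyValuePresent           = ($null -ne $raw)
            DisableRoutinelyTakingAction = $raw
            AutomaticRemediation         = $remediation
            RealTimeProtectionEnabled    = $rtp
            TamperProtected              = $tamper
        }
    }

    $posture = Get-DefenderRemediationPosture
    $posture | Format-List

    # A fleet-wide check would treat a disabled-remediation value as a finding,
    # since a detected file is then left in place (access-blocked) until someone acts on it.
    if ($posture.DisableRoutinelyTakingAction -eq 1) {
        Write-Warning 'Routine remediation is disabled on this host; detections require a manual decision.'
    }
    ```

    The script only reads the policy key and the status object; it makes no changes, so it is safe to run as a periodic configuration check.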


  6. Posts : 3
    w7/10
    Thread Starter
       #6

    I have a follow-up question…

    Without the registry setting we discussed, so using the normal default behavior: DisableRoutinelyTakingAction = 0, or just delete the key.


    If I create a test EICAR that gets quarantined and then I restore it using the command line:

    Code:
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -restore -filepath "C:\Users\dev\Music\AV_Test_Virus.txt"

    It gets restored as expected, but I have no exclusions set, so when I reboot and rescan that folder I get a message stating 'items skipped during scan'.

    [screenshot attached: the 'items skipped during scan' message]

    Does the MpCmdRun restore action create some type of exclusion list (white list) of its own that is not part of the user's exclusions in the Defender GUI, of which I have none? And if it does, is this a temporary cache of exclusions or permanent?

    I've rebooted multiple times and tried to rescan the path and/or the file, and each time it gets skipped from the quarantine action.


  7. Posts : 24,545
    10 Home x64 (21H2) (10 Pro on 2nd pc)
       #7

    fester13579 said:
    Does the MpCmdRun restore action create some type of exclusion list (white list) of its own that is not part of the user's exclusions in the Defender GUI, of which I have none? And if it does, is this a temporary cache of exclusions or permanent?
    The answer to the first part of your question is 'Yes'. I repeated your steps, with the same results. Then I used this command with the following result:

    Code:
    C:\WINDOWS\system32>"C:\Program Files\Windows Defender\MpCmdRun.exe" -checkexclusion -path C:\TEMP\eicartest.txt
    C:\TEMP\eicartest.txt [\Device\HarddiskVolume2\TEMP\eicartest.txt] is excluded. Exit code is 0.
    
    C:\WINDOWS\system32>


    I'm still working on an answer to the second part of your question, starting here...

    https://docs.microsoft.com/en-us/win...nder-antivirus



    Edit: the exclusions are stored here, but permissions are such that you cannot modify or delete them.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths


    ...still working on it...


    Edit2:
    Success

    It is not just permissions that deny you access, it is also the new 'Tamper protection' feature in Defender for 1903.

    Turn off 'Tamper protection' in Defender's 'Virus & threat protection' settings. Take ownership of the TemporaryPaths key and grant Administrators full access. Delete the registry value for the excluded eicar test file. Set the owner back to SYSTEM. Turn 'Tamper protection' back on.

    Now a scan won't skip the file and I get this on checking exclusions:

    Code:
    C:\WINDOWS\system32>"C:\Program Files\Windows Defender\MpCmdRun.exe" -checkexclusion -path C:\TEMP\eicartest.txt
    C:\TEMP\eicartest.txt [\Device\HarddiskVolume2\TEMP\eicartest.txt] is not excluded. Exit code is 1.

    (still haven't found out if that exclusion was permanent though; from the registry key name, possibly not)
    Last edited by Bree; 02 Oct 2019 at 19:54.
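    An added example (not from the thread) that turns the two checks Bree describes in post #7 into a repeatable audit: it lists whatever Defender has recorded under the TemporaryPaths key and then confirms each entry with MpCmdRun -CheckExclusion, using the exit codes shown in the thread's output (0 = excluded, 1 = not excluded). It assumes an elevated prompt, that Administrators can at least read the key even though the thread reports that modifying it is blocked, and that the value names under TemporaryPaths are the excluded paths themselves (the thread says to "delete the registry value for the excluded eicar test file", but does not show the key's layout). The MpCmdRun path is the one used throughout the thread.

    ```powershell
    # Added example: audit temporary exclusions left behind by a quarantine restore.
    # Run from an elevated prompt; nothing here modifies the registry.
    $MpCmdRun = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
    $TempKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths'

    function Get-DefenderTemporaryExclusions {
        # Assumption: each registry value name under TemporaryPaths is an excluded path.
        if (-not (Test-Path -LiteralPath $TempKey)) { return @() }
        $props = Get-ItemProperty -LiteralPath $TempKey -ErrorAction SilentlyContinue
        if ($null -eq $props) { return @() }
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; drop them.
        @($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Path = $_.Name; Data = $_.Value } })
    }

    function Test-DefenderExclusion {
        param([Parameter(Mandatory)][string]$Path)
        # Exit code 0 means "is excluded", 1 means "is not excluded" (post #7 output).
        $out = & $MpCmdRun -CheckExclusion -path $Path 2>&1
        [pscustomobject]@{
            Path     = $Path
            Excluded = ($LASTEXITCODE -eq 0)
            Output   = (($out | ForEach-Object { "$_" }) -join ' ').Trim()
        }
    }

    $temp = Get-DefenderTemporaryExclusions
    if ($temp.Count -eq 0) {
        Write-Host 'No temporary exclusions recorded under TemporaryPaths.'
    } else {
        Write-Host "Temporary exclusions recorded: $($temp.Count)"
        # Cross-check each recorded path against what the engine actually reports.
        $temp | ForEach-Object { Test-DefenderExclusion -Path $_.Path } | Format-Table -AutoSize
    }

    # Any extra paths you want to verify explicitly (constructed sample value).
    Test-DefenderExclusion -Path 'C:\TEMP\eicartest.txt' | Format-List
    ```

    Because a restored file stays excluded until the entry disappears, a path that shows Excluded = True here is one a routine scan will skip; the cross-check against -CheckExclusion catches the case where the registry key and the engine's view disagree.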


  8. Posts : 36
    Windows 10 Pro, 20H2, 19042.867
       #8

    Hello @Bree o/

    Sorry for reviving a year old thread (シ_ _)シ
    Bree said:
    Thanks for that 'nugget', running it told me that a couple of PUPs from some recent testing I did were still in quarantine, despite the Windows Security app assuring me there was nothing held in quarantine. I restored them then permanently deleted them. BTW, you need to use a Command prompt (Admin) in order to run that command.
    How did you restore them permanently? I got some trojans taking shelter in quarantine; when I restored them to a single folder and deleted them, the original copies are still present in quarantine. It did not delete the files in Windows quarantine ;-;.

    Bree said:
    The answer to the first part of you question is 'Yes'. I repeated your steps, with the same results. Then I used this command with the following result:

    Code:
    C:\WINDOWS\system32>"C:\Program Files\Windows Defender\MpCmdRun.exe" -checkexclusion -path C:\TEMP\eicartest.txt
    C:\TEMP\eicartest.txt [\Device\HarddiskVolume2\TEMP\eicartest.txt] is excluded. Exit code is 0.

    This problem still exists in 2004, 19041.508 build (#`Д)

    Bree said:

    Edit2:
    Success :party:

    It is not just permissions that deny you access, it is also the new 'Tamper protection' feature in Defender for 1903.

    Turn off 'Tamper protection' in Defender's 'Virus & threat protection' settings. Take ownership of the TemporaryPaths key and grant Administrators full access. Delete the registry value for the excluded eicar test file. Set the owner back to SYSTEM. Turn 'Tamper protection' back on.
    I did all the steps above (turned off tamper protection, took ownership of the TemporaryPaths key and granted full access to both Administrators and my account, to which I gave ownership), but I was still not able to delete the value(s). I keep getting the error "unable to delete all specified values." even though I'm deleting a single value.

    Also tried THIS by specifying the days to purge as 0 and 1 day, but the trojans are still not deleted ;~;.

    I'm planning to move to Kaspersky Security Cloud after deleting the files in quarantine. Any help would be much appreciated :D

    - - - Updated - - -

    Technewbie said:
    I did all the steps above (turned off tamper protection, took ownership of the TemporaryPaths key and granted full access to both Administrators and my account, to which I gave ownership), but I was still not able to delete the value(s)
    Lol, I don't know why or how, but after a clean boot (to check whether I could delete them then, which also failed btw) and booting back into normal startup, all the registry values of the exclusions are gone. My uneducated guess is that since the folder name is TemporaryPaths, the values should have been deleted after a set number of reboots, or it has something to do with the clean boot or turning Tamper protection on and off :).
    Code:
    C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0>MpCmdRun.exe -CheckExclusion -path f:\experiments\spsetup132.exe
    f:\experiments\spsetup132.exe [\Device\HarddiskVolume3\Experiments\spsetup132.exe] is not excluded. Exit code is 1.

    This only leaves the 11.39GB of trojan files :P that need to be removed from quarantine before another security flaw like AVGater pops up ^^;

    [screenshots attached: the "unable to delete all specified values" error, the Full Control permission that made no difference, and the exclusion values gone after the clean boot]


  9. Posts : 13,933
    Windows 10 Pro X64 21H1 19043.1503
       #9

    Following up on the "nugget" from post #1. This is all the things mpcmdrun can do:

    Code:
    "C:\Program Files\Windows Defender\mpcmdrun.exe"  -restore -listall
    No quarantined items.
    
    C:\Users\ztruk>"C:\Program Files\Windows Defender\mpcmdrun.exe" /?
    Microsoft Antimalware Service Command Line Utility (c) 2006-2018 Microsoft Corp
    Use this tool to automate and troubleshoot Microsoft Antimalware Service
    
    Usage:
    MpCmdRun.exe [command] [-options]
    
    Command Description
       -? / -h                                    Displays all available options
                                                  for this tool
       -Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]]
             [-Timeout <days>]
             [-Cancel]
                                                  Scans for malicious software
       -Trace [-Grouping #] [-Level #]            Starts diagnostic tracing
       -GetFiles                                  Collects support information
       -GetFilesDiagTrack                         Same as Getfiles but outputs to
                                                  temporary DiagTrack folder
       -RemoveDefinitions [-All]                  Restores the installed
                                                  signature definitions
                                                  to a previous backup copy or to
                                                  the original default set of
                                                  signatures
                          [-Engine]               Restore the installed engine to
                                                  the previous version saved
                          [-DynamicSignatures]    Removes only the dynamically
                                                  downloaded signatures
       -SignatureUpdate [-UNC | -MMPC]            Checks for new definition updates
       -Restore  [-ListAll | [[-Name <name>] [-All] | [-FilePath <filePath>]] [-Path <path>]]  Restore or list
                                                                   quarantined item(s)
       -AddDynamicSignature [-Path]               Loads a dynamic signature
       -ListAllDynamicSignatures                  List the loaded dynamic signatures
       -RemoveDynamicSignature [-SignatureSetID]  Removes a dynamic signature
       -CheckExclusion -path <path>               Checks whether path is excluded
    
    Additional Information:
    
    Support information will be in the following directory:
    C:\ProgramData\Microsoft\Windows Defender\Support
    
       -Scan [-ScanType value]
            0  Default, according to your configuration
            1  Quick scan
            2  Full system scan
            3  File and directory custom scan
    
               [-File <path>]
                    Indicates the file or directory  to be scanned, only valid for custom scan.
    
               [-DisableRemediation]
                    This option is valid only for custom scan.
                    When specified:
                      - File exclusions are ignored.
                      - Archive files are scanned.
                      - Actions are not applied after detection.
                      - Event log entries are not written after detection.
                      - Detections from the custom scan are not displayed in the user interface.
                      - The console output will show the list of detections from the custom scan.
    
               [-BootSectorScan]
                    Enables boot sector scanning; only valid for custom scan.
    
               [-Timeout <days>]
                    Timeout in days; maximum value is 30.
                    If this parameter is not specified, default value is 7 days for full scan and 1 day for all other scans.
    
               [-Cancel]
                    Try to cancel any ongoing quick or full scan.
    
          Return code is
          0    if no malware is found or malware is successfully remediated and no additional user action is required
          2    if malware is found and not remediated or additional user action is required to complete remediation or there is error in scanning.  Please check History for more information.
    
       -Trace [-Grouping value] [-Level value]
            Begins tracing Microsoft Antimalware Service's actions.
            You can specify the components for which tracing is enabled and
            how much information is recorded.
            If no component is specified, all the components will be logged.
            If no level is specified, the Error, Warning and Informational levels
            will be logged. The data will be stored in the support directory
            as a file having the current timestamp in its name and bearing
            the extension BIN.
    
            [-Grouping]
            0x1    Service
            0x2    Malware Protection Engine
            0x4    User Interface
            0x8    Real-Time Protection
            0x10   Scheduled actions
            0x20   WMI
            0x40   NIS/GAPA
            0x80   Windows Security Center
    
            [-Level]
            0x1    Errors
            0x2    Warnings
            0x4    Informational messages
            0x8    Function calls
            0x10   Verbose
            0x20   Performance
    
       -CaptureNetworkTrace -path <path>
           Captures all the network input into the Network Protection service and
           saves it to a file at <path>. Supply an empty path to stop tracing
           Note: The specified path must be writable by LocalService
           ex: C:\Users\Public\Downloads
    
       -GetFiles
            Gathers the following log files and packages them together in a
            compressed file in the support directory
    
            - Any trace files from Microsoft Antimalware Service
            - The Windows Update history log
            - All Microsoft Antimalware Service events from the System event log
            - All relevant Microsoft Antimalware Service registry locations
            - The log file of this tool
            - The log file of the signature update helper tool
    
       -GetFilesDiagTrack
            Same as GetFiles, but outputs the CAB file to the temp DiagTrack
            directory
    
       -RemoveDefinitions
            Restores the last set of signature definitions
    
            [-Engine]
            Restores the last saved engine
            Use this option to restore the previous engine.
    
            [-All]
            Removes any installed signature and engine files. Use this
            option if you have difficulties trying to update signatures.
    
            [-DynamicSignatures]
            Removes all Dynamic Signatures.
    
       -SignatureUpdate
            Checks for new definition updates
    
            [-UNC [-Path <path>]]
            Performs update directly from UNC file share specified in <path>
            If -Path is not specified, update will be performed directly from the
                 preconfigured UNC location
    
            [-MMPC]
            Performs update directly from Microsoft Malware Protection Center
    
       -Restore
            [-ListAll]
            List all items that were quarantined
    
            [-Name <name>]
            Restores the most recently quarantined item based on threat name
            One Threat can map to more than one file
    
            [-All]
            Restores all the quarantined items based on name
    
            [-FilePath <filePath>]
            Restores quarantined item based on file path
    
            [-Path]
            Specify the path where the quarantined items will be restored.
            If not specified, the item will be restored to the original path.
       -AddDynamicSignature -Path <path>
            Adds a Dynamic Signature specified by <path>
    
       -ListAllDynamicSignatures
            Lists SignatureSet ID's of all Dynamic Signatures added to the client
            via MAPS and MPCMDRUN -AddDynamicSignature
    
       -RemoveDynamicSignature -SignatureSetID <SignatureSetID>
            Removes a Dynamic Signature specified by <SignatureSetID>
    
       -CheckExclusion -path <path>
            Checks whether <path> is excluded. It can be either a path, or a file.
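    An added example (not from the thread) that wraps the -Scan options documented in the help output above into a report-only check: a custom scan (ScanType 3) of one path with -DisableRemediation, which per that help text ignores file exclusions, takes no action on detections and prints them to the console, and an interpretation of the documented return codes (0 and 2). This is the scan to use when you suspect a path is being skipped because of an exclusion, as in posts #6 and #7. It assumes an elevated prompt and the MpCmdRun path used throughout the thread; the function name and parameter names are my own.

    ```powershell
    # Added example: report-only custom scan of a path, exclusions ignored.
    # Run from an elevated prompt. Nothing is quarantined or deleted.
    $MpCmdRun = 'C:\Program Files\Windows Defender\MpCmdRun.exe'

    function Invoke-DefenderReportOnlyScan {
        param(
            [Parameter(Mandatory)][string]$Path,
            [int]$TimeoutDays = 1          # -Timeout <days>; help text caps it at 30
        )
        if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }

        # -ScanType 3 = file and directory custom scan; -DisableRemediation is only
        # valid for custom scans and makes the scan ignore exclusions, apply no
        # action, write no event log entry and list detections on the console.
        $output = & $MpCmdRun -Scan -ScanType 3 -File $Path -DisableRemediation -Timeout $TimeoutDays 2>&1
        $code = $LASTEXITCODE

        # Return codes as documented in the help text above.
        switch ($code) {
            0       { $verdict = 'No malware found (or remediated with no further action needed)' }
            2       { $verdict = 'Malware found and not remediated, further action required, or scan error' }
            default { $verdict = "Undocumented return code $code" }
        }

        [pscustomobject]@{
            Path          = $Path
            ReturnCode    = $code
            Verdict       = $verdict
            ConsoleOutput = (($output | ForEach-Object { "$_" }) -join "`n")
        }
    }

    # Constructed sample invocation: scan the folder used for the EICAR test in the thread.
    $result = Invoke-DefenderReportOnlyScan -Path 'C:\TEMP'
    $result | Format-List

    # A return code of 2 on a path that a normal scan reports as clean or 'skipped'
    # is the signal that an exclusion (temporary or otherwise) is hiding a detection.
    ```

    Because -DisableRemediation suppresses the event log entry and the UI notification, the console output captured in ConsoleOutput is the only record of what the scan found; keep it if you need evidence of the detection.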


  10. Posts : 36
    Windows 10 Pro, 20H2, 19042.867
       #10

    Thanks for the info @Ztruker :D, but I don't see any command for deleting the quarantined files. Restoring them to a specific folder also just copies them but doesn't move them out of quarantine. Did I miss a command for removing them, or is there a way to get rid of them?

