Inconsistent Controlled file access behaviour 1809 LTSC


  1. Posts : 228
    Win 10 1809 LTSC
       #1

    Inconsistent Controlled file access behaviour 1809 LTSC


    Don't want to pollute the tutorial thread with this problem; it seems to be one of many apparent bugs I have come across.

    But here is the description of the problem.

    So today I started looking into this feature. I had noticed it was already turned on for a while on the default settings, didn't need to toggle the widget, but since I had Defender off for several weeks, in practice it has only been on for maybe a week.

    So I wasn't sure if it was working at all, so I enabled it for my user profile folder, knowing that many apps constantly write to that location, and sure enough it didn't take long to start seeing notifications.

    However I have noticed two clear problems. Both are apparent in audit mode.

    Audit mode can only be accessed via group policy, the security applet toggle is just a basic on and off.

    So looking at the documentation on Microsoft's website and the description inside group policy, the way this feature should work is there is a predefined list of whitelisted applications, I expect for user convenience: they don't want users being hassled having to whitelist explorer, notepad etc. But this whitelist is not limited to Microsoft binaries like UAC; it does include 3rd party applications as well.

    After I had added my user profile folder to the protection list, I very quickly received prompts from the dumeter service, the Vivaldi web browser and PowerShell.

    From the logs, PowerShell was for updating its command history. Vivaldi was for updating the recent files location, but it would also be for the browser profile if I hadn't moved it off my user profile folder.

    So there are a few problems I have noticed.

    When I enabled audit mode, after I realised that is a more sensible approach to seeing what applications would be affected, two things were happening.

    1 - After a period of time, the logs were reporting blocked access instead of "would be blocked", and I got the blocked notifications as well. I checked in group policy, still on audit, and the security applet was still forced in the off position saying settings managed by organisation. So this problem is kind of like the anti-tamper weirdness that 1809 currently has.
    2 - Once this starts happening Vivaldi suddenly is not whitelisted anymore; I start getting notifications and log entries for it. If I push it back to block mode, sure enough it's still in the whitelist.

    I do have a working theory as to what is going on. Basically Defender is still actively updated on 1809 LTSC, but the security applet is not being updated along with it, possibly along with other OS support files, and I feel it may have got to the point where the two are not fully compatible with each other anymore (remember all the anti-tamper weirdness posted in the tutorial thread for LTSC). I am now finding myself questioning the LTSC decision, as in theory it should be a more stable build of Windows, but I expect Microsoft are treating it as an afterthought compared to the latest consumer versions. Most bugs I have found are Defender/security related. I found one last week where the Defender log is not honouring timezone settings, so it was showing a time one hour in the future on its log. Yes I did screenshot it lol. (Attached at bottom; check the definition update time and compare to the clock at bottom right.)

    Not sure what I am going to do at this point on the Windows build, as I don't like the idea of feature updating Windows on an annual basis. Maybe 21H2 LTSC will be much better (at least for a couple of years before Defender gets too detached again), so we'll see.

    Log snippets below.

    At 22:15:49 I had switched from audit to blocked and back to audit again, which made it audit again. After that the setting was not changed, and you can see on the next occurrence, when back at the PC just after midnight, it started blocking even though it's still in audit mode. Also Vivaldi remains in the whitelist whilst this is occurring.

    Code:
    PS C:\Windows\system32> Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object {$_.ID -eq "1123" -or $_.ID -eq "1124" -or $_.ID -eq "1127"}

       ProviderName: Microsoft-Windows-Windows Defender

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    30/04/2021 00:04:03           1123 Warning          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...
    30/04/2021 00:03:47           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 22:15:49           1124 Information      C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...
    29/04/2021 22:15:19           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 22:08:36           1124 Information      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe would ...
    29/04/2021 21:52:33           1123 Warning          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...
    29/04/2021 21:52:10           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 21:14:09           1123 Warning          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...
    29/04/2021 21:02:36           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 21:02:36           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 21:00:13           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 21:00:13           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 20:38:59           1124 Information      C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...
    29/04/2021 20:38:59           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 20:27:18           1124 Information      C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...

    [Attached screenshot: Inconsistent Controlled file access behaviour 1809 LTSC-backtothefitirewindowsdefender.png]

    - - - Updated - - -

    An update: I discovered if I turn this off in the security applet, then enable audit mode, the mode sticks, so I expect it's another anti-tamper protection. So it does behave in audit mode providing it was already turned off before enabling it.

    - - - Updated - - -

    Another update: it actually still is all over the place. After some sleep and using the PC again, I noticed I got another "is blocked" notification (still in audit mode), so I checked the logs.

    Here are the latest entries.

    Code:
    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    30/04/2021 13:49:41           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    30/04/2021 13:17:20           1124 Information      C:\Program Files (x86)\MPC-HC Repack\mpc-hc64.exe would have bee...
    30/04/2021 11:30:25           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    30/04/2021 10:38:29           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    30/04/2021 05:25:23           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    30/04/2021 03:09:09           1124 Information      C:\Program Files\KeePass Password Safe\KeePass.exe would have be...
    30/04/2021 02:58:13           1124 Information      C:\Program Files (x86)\BrokenURL\BrokenUrl.exe would have been b...
    30/04/2021 02:54:39           1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...

    I noticed a pattern: it was ignoring audit for vivaldi.exe, but running the rest of the applications in audit mode. Audit/Block/Off is a global setting, not per application. I then restarted Vivaldi and PowerShell; I think the issue is that the applications only apply the new settings on a new launch.
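    An added example (not code from this thread) that automates the check the post above does by hand: it reads the Controlled Folder Access mode and allow list from Get-MpPreference, pulls the 1123/1124/1127 events from the Defender Operational log, and flags 1123 "has been blocked" events that appear while the configured mode is Audit, plus allow-listed applications that still generate events. It assumes the Defender PowerShell module is available, an elevated prompt with read access to the log, and the constructed $Since cut-off.

```powershell
# Added example (not code from the thread): correlate Controlled Folder Access (CFA)
# events with the mode Defender reports as configured, so that 1123 "blocked"
# events logged while the policy says audit stand out, as described in the post.
# Assumes the Defender PowerShell module (Get-MpPreference) and read access to the
# Defender Operational log; $Since is a constructed cut-off, adjust as needed.
param([datetime]$Since = (Get-Date).AddDays(-1))

$log = 'Microsoft-Windows-Windows Defender/Operational'
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
$modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
$pref    = Get-MpPreference
$mode    = [int]$pref.EnableControlledFolderAccess
$allowed = @($pref.ControlledFolderAccessAllowedApplications)
"Configured CFA mode : {0} ({1})" -f $modeNames[$mode], $mode
"Allowed applications: {0}" -f $(if ($allowed) { $allowed -join '; ' } else { '(none beyond the built-in list)' })

# 1123 = blocked, 1124 = would have been blocked (audit), 1127 = blocked disk sector write
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124, 1127; StartTime = $Since } `
              -ErrorAction SilentlyContinue)

# In the snippets above the Message starts with the process path followed by
# "has been blocked" / "would have been blocked"; fall back to the first .exe path.
$rows = foreach ($e in $events) {
    $proc = if ($e.Message -match '^(?<p>.+?) (has been blocked|would have been blocked)') { $Matches.p }
            elseif ($e.Message -match '(?<p>[A-Za-z]:\\[^\r\n]*?\.exe)') { $Matches.p }
            else { '(unparsed)' }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Process = $proc }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# Mismatch 1: real blocks (1123) while the configured mode is Audit. The thread's
# finding is that a process keeps the mode it started under until it is relaunched.
if ($mode -eq 2) {
    $stray = @($rows | Where-Object { $_.Id -eq 1123 })
    if ($stray.Count) {
        "`n{0} event(s) with Id 1123 although mode is Audit; processes involved:" -f $stray.Count
        $stray | Group-Object Process | ForEach-Object { "  {0,4}x {1}" -f $_.Count, $_.Name }
    }
}
# Mismatch 2: explicitly allowed applications that still produced CFA events.
$rows | Where-Object { $allowed -contains $_.Process } | Group-Object Process |
    ForEach-Object { "Allowed application still generating events: {0} ({1})" -f $_.Name, $_.Count }
```

    If a process shows up under mismatch 1, restarting it (as the post found) and re-running the script is the quickest way to confirm the stale-mode explanation rather than a genuine policy failure.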


  2. Posts : 228
    Win 10 1809 LTSC
    Thread Starter
       #2

    What may be the final update before marking as resolved: since restarting the programs in question, audit is now sticking. The only issue left is that the whitelist for block mode doesn't work in audit mode, but that's not really an issue.


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
Windows 10 Forums