When I click the remove button it just goes back. All of the items in the screenshot are the items I want to remove.
In that case it very well could be malware. It would be best to create a new thread for this in our AntiVirus, Firewalls and System Security forum area for more specialized help.
@Brink
An answer to why you might exclude something from Defender scans:
a) Legitimately: sometimes there are train crashes when Defender examines itself.
Therefore, you might temporarily add exceptions to [folders]:
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
and there may be some other special cases, if you know what you are doing and the risks involved.
b) You are a cunning malware writer, and you want to stop your victims from scanning your evil concoctions.
Even if you employ (a) as a matter of course, it is advisable to check exclusions periodically (in particular after any malware has managed to get through).
I suppose it's possible that even the Defender files could be compromised, so from time to time re-enable scanning of Defender itself and scan them, just to be on the safe side.
{ Hint: You can set your favourite keys as 'favorites' in regedit, and use them just when you do a full scan }
As for (b), malware often seeks to hide from Defender by registering itself as an exclusion. Naughty malware!
Often, but not always, malware has rather silly codified names, but sometimes it hides in plain sight as reasonable-looking things like "MySafetyScan" (please don't sue me!).
Third-party scanners, trustworthy online scanners, are less easily fooled. But do be careful to avoid fake scanners that just bring more malware! { I currently use the freeware ESET Online, Emsisoft, Malwarebytes etc. - your mileage may vary. And use adware scanners. }
There are two distinct ways in which Defender exclusions (files or folders) are registered:
1) as direct Defender exclusions
2) as 'Policy' exclusions (security, management)
Both can be solved with regedit, the Registry Editor (be careful!! - it's a good plan to back up the registry before proceeding!!).
{You will already know to [winkey], enter "regedit", etc., and to install regedit if you don't have it}
The former (1) are likely to be found in this registry key { burrow down carefully, checking for accuracy as you go! }:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
You will see the Defender settings exclusions there (the ones you see by going to Defender settings, Exclusions).
If they look like/are malware, you can delete the entries, all except '(default)'. Be careful, double check!!
{Tip: you can use the standard ctrl-click to select one, and shift-click to select a range. Be careful, double check!!}
The latter (2) are more puzzling, since the Defender settings will not let you remove them.
You will see a message in RED: Some settings are managed by your organization
Musfiquer Rhman at https://answers.microsoft.com/en-us/...f-d6b1b7e1c256 solved this by:
That's this key: In Regedit > HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows Defender > Exclusions > Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
I have deleted all files except (default) and it solved my problem.
A little deeper, I see that some policy keys use "policy objects" (long dll codes in curly brackets), and it may be advisable to drill down into these to make sure they are legitimate. I haven't done so yet.
These keys (the list may not be complete):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{object}\Software\Policies\Microsoft\Windows Defender\Exclusions
HKEY_USERS\<S-1-5- etc. user code>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{object}\Software\Policies\Microsoft\Windows Defender\Exclusions
HKEY_USERS\<S-1-5- etc. user code>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{object}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions
When you're done, close regedit and reboot, then double-check everything again. And, of course, get Defender updates and run a scan.
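The periodic check the post above recommends can be scripted. The following is an added example, not code from the thread or from any poster: it walks the same registry keys the post lists (direct Defender exclusions, Policy exclusions and the per-user cached Group Policy Objects), adds what Defender itself reports through Get-MpPreference, and flags exclusions that point at user-writable locations, whole drives or executable extensions. The flagging patterns are an assumed heuristic, not a verdict. It is read-only; run it from an elevated PowerShell prompt, since on current builds the non-policy Exclusions key may not be readable by a standard user.

```powershell
# Added example: inventory Windows Defender exclusions from the registry keys named
# in the post above and from Defender's own cmdlet, flagging entries worth a look.
# Read-only. Run from an elevated PowerShell prompt (Run as administrator).
$ErrorActionPreference = 'SilentlyContinue'

# Assumed heuristics, not proof: locations any user can write to, whole-drive roots
# and executable extensions are the kind of exclusion malware registers for itself.
$suspectPatterns = @(
    '^[A-Za-z]:\\?$',                                   # whole drive root
    '\\Users\\[^\\]+\\AppData\\',                       # per-user AppData
    '\\Users\\Public\\',
    '\\Users\\[^\\]+\\(Downloads|Desktop|Documents)\\',
    '\\ProgramData\\',
    '\\Temp\\',
    '^\.?(exe|dll|scr|ps1|vbs|js|bat|cmd|hta)$'         # executable extension
)

function Test-SuspectExclusion {
    param([string]$Value)
    # Try the value as given and with a trailing backslash so folder patterns
    # also match an exclusion written without one (e.g. C:\Users\bob\AppData).
    foreach ($candidate in @($Value, ($Value.TrimEnd('\') + '\'))) {
        foreach ($p in $suspectPatterns) { if ($candidate -match $p) { return $true } }
    }
    return $false
}

function Get-ExclusionsFromKey {
    # Under Paths / Extensions / Processes each value NAME is one exclusion (the
    # data is normally 0). The key's '(default)' value is not an exclusion.
    param([string]$Key, [string]$Kind, [string]$Source)
    $item = Get-Item -LiteralPath $Key
    if (-not $item) { return }          # key absent or not readable
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }  # '(default)'
        [pscustomobject]@{
            Source  = $Source
            Kind    = $Kind
            Value   = $name
            Suspect = Test-SuspectExclusion $name
        }
    }
}

function Get-DefenderExclusionInventory {
    $kinds = 'Paths', 'Extensions', 'Processes'
    foreach ($k in $kinds) {
        # (1) direct Defender exclusions and (2) Policy exclusions ("managed by your organization")
        Get-ExclusionsFromKey "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\$k" $k 'Defender'
        Get-ExclusionsFromKey "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\$k" $k 'Policy'
    }
    # Cached Group Policy Objects for the current user: {GUID}User and {GUID}Machine keys
    $gpoRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects'
    foreach ($gpo in Get-ChildItem -LiteralPath $gpoRoot) {
        foreach ($k in $kinds) {
            Get-ExclusionsFromKey "$($gpo.PSPath)\Software\Policies\Microsoft\Windows Defender\Exclusions\$k" $k "GPO $($gpo.PSChildName)"
        }
    }
    # What Defender itself currently honours, merged from both sources
    $pref = Get-MpPreference
    foreach ($v in $pref.ExclusionPath)      { [pscustomobject]@{ Source = 'Get-MpPreference'; Kind = 'Paths';      Value = $v; Suspect = (Test-SuspectExclusion $v) } }
    foreach ($v in $pref.ExclusionExtension) { [pscustomobject]@{ Source = 'Get-MpPreference'; Kind = 'Extensions'; Value = $v; Suspect = (Test-SuspectExclusion $v) } }
    foreach ($v in $pref.ExclusionProcess)   { [pscustomobject]@{ Source = 'Get-MpPreference'; Kind = 'Processes';  Value = $v; Suspect = (Test-SuspectExclusion $v) } }
}

$inventory = @(Get-DefenderExclusionInventory)
$inventory | Sort-Object Suspect -Descending | Format-Table -AutoSize
if ($inventory | Where-Object Suspect) {
    Write-Warning 'Exclusions in user-writable locations found; review them before trusting a scan.'
}
```

An entry that shows up under Source "Policy" or a "GPO ..." key but that you never set through Group Policy or Intune is the case the post describes; remove it with regedit as above, or with Remove-MpPreference for the direct kind, then re-run the inventory after the reboot to confirm nothing re-created it.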
Is there a way to exclude a registry entry through the exclusions mechanism?
I have disabled MsMpEng.exe from making outbound network requests via a firewall rule (don't worry, I disable the rule once in a while to allow Defender to update itself; I just don't want it consuming my bandwidth every single day!)
However, in every scan, Defender complains about the firewall rule, flagging it as a trojan:
Code:
Trojan:Win32/BlockMsav.A!reg
Alert level: Severe
Status: Quarantined
Recommended action: Remove threat now.
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.
regkeyvalue: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{---ID removed---}
I'd prefer to tell Defender not to mess with my firewall rule, which apparently boils down to a registry entry in the end; so if there's a mechanism to exclude a registry entry itself from the claws of Defender, that would be my saviour :)
It may be out of scope, but any other alternatives for disabling MsMpEng.exe from arbitrarily accessing the network would also be highly appreciated :)
Hello fishytuna, and welcome to Ten Forums. :)
Does setting you network connection to be metered stop Windows Defender from automatically downloading and installing its definition updates for you?
Set Wireless Network as Metered or Non-Metered in Windows 10 Windows 10 Tutorials
Set Ethernet Connection as Metered or Unmetered in Windows 10 Windows 10 Tutorials
Thanks @Brink for the suggestion! Unfortunately I'm using a USB-tethered internet connection (which is hence treated as a wired connection by Windows); AFAIK Windows doesn't allow wired connections to be marked as metered (I have tried it on my own as well, with no luck; the "set as metered" switch automatically turns off as soon as I leave the connection settings page).
Even using option 2 below? You might also see if the USB-tethered connection shows as something different than "Ethernet" in the registry with this option. You might also see if setting "Default" as metered helps.
Set Ethernet Connection as Metered or Unmetered in Windows 10 Windows 10 Tutorials
Sorry! Missed the link for the Ethernet guide from your previous post :)
Already tried the first option, which did not work.
Will try the second option also (as soon as I get a chance to restart my computer).
Thanks!
However, I'd still prefer to go by the firewall approach if possible, because that would ensure that I would never encounter an unexpected Defender data fetch, even when I have connected to a completely new (not-yet-marked-as-metered) wireless/wired network :)
FWIW, I recently got a nasty virus that took quite a bit of elbow grease to finally remove completely. During the cleaning process I inadvertently stumbled on Defender's exclude paths in the registry, only to discover that the virus had made its own entries into the registry paths, which caused Defender to ignore the virus when I ran Defender scans. Needless to say, I was shocked to discover this; I didn't know it was possible for a virus to do this, especially without admin permissions. So I would recommend checking these paths from time to time, just to be safe!
I often install Windows 10 on my test machines and need to add exclusions to Windows Defender for some programs, so I made a .reg file that should add that to the registry, but I get a warning that I don't have sufficient privileges.
Are there other ways to add exceptions to Defender, or fast solutions to this without affecting the whole system? It takes me a lot of time to do it all.
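Writing the Exclusions keys directly is what the .reg import attempts, and the keys are protected. The supported way to script this on a fresh test machine is Defender's own cmdlets. The following is an added example, not code from any poster: it takes a list of folders and executables, skips any that do not exist yet (an exclusion for a path that does not exist is a free hiding place for whatever is later written there), adds the rest with Add-MpPreference, and verifies the result through Get-MpPreference rather than the registry. The paths in $exclusions are assumed placeholders; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: add Defender exclusions on a test machine through Defender's own
# cmdlets instead of a .reg file. The paths below are assumed placeholders.

$exclusions = @{
    Paths     = @('C:\Tools\MyTestApp', 'D:\Builds')          # folders (assumed)
    Processes = @('C:\Tools\MyTestApp\mytestapp.exe')         # executables (assumed)
}

function Add-TestMachineExclusions {
    param([hashtable]$Spec)

    # Only exclude things that actually exist on this machine.
    $paths = @($Spec.Paths     | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    $procs = @($Spec.Processes | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    $skipped = @(@($Spec.Paths) + @($Spec.Processes) |
                 Where-Object { $_ -and -not (Test-Path -LiteralPath $_) })

    # Add-MpPreference appends; it does not replace existing exclusions.
    if ($paths) { Add-MpPreference -ExclusionPath $paths }
    if ($procs) { Add-MpPreference -ExclusionProcess $procs }

    # Verify against what Defender reports, which merges local and Policy exclusions.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths     = @($pref.ExclusionPath)
        Processes = @($pref.ExclusionProcess)
        Skipped   = $skipped   # requested but absent from disk, so not excluded
    }
}

Add-TestMachineExclusions $exclusions | Format-List
```

To undo on the same machine, Remove-MpPreference -ExclusionPath and -ExclusionProcess take the same arguments. If the machine is domain- or Intune-managed and the "managed by your organization" banner is showing, the Policy exclusions still win and these cmdlets will not remove them; that is the case the earlier post in this thread covers.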