Hi, something changed today: my Simple Software Restriction Policy (SSRP) is blocking Windows Defender updates. I have already allowed files in "c:\ProgramData\Microsoft\Windows Defender" to run, and Windows Defender updates have been working previously. I did a File Explorer search for "modified:08/02/2017" but wasn't able to find anything, or maybe I missed something. If I change the SSRP ini file to "includeDLLs=0" then it works, so it should be a DLL file that is the offender.
No. About the only thing I did was whitelist executables to SRP that run from the Downloads or AppData folder; they're usually blocked by default.
Found the solution. One has to whitelist "GapaEngine.DLL=1" and "MPEngine.DLL=1" in the Custom Policies section. Windows Defender creates NEW folders within "ProgramData\Microsoft\Windows Defender\Definition Updates" which may contain new copies of these DLLs, and it looks like SSRP is too slow to figure out that they are within the whitelisted folder "ProgramData\Microsoft\Windows Defender\Definition Updates". And since these are new folders created during Windows Update with random-looking folder names, we cannot create a whitelist item using the full path, so we can only specify the DLL file name. Windows 10 Pro SRP does not have this problem, and all that needs to be done there is whitelist "ProgramData\Microsoft\Windows Defender\Definition Updates".
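The check a practitioner would want before whitelisting by bare file name, as an added example that is not part of the thread or of SSRP itself: list the DLLs Defender has just dropped into a new Definition Updates subfolder, confirm who signed them, and emit the "Name=1" lines in the form the post above uses. It assumes the default Defender path under %ProgramData% and a one-day look-back window; both are assumptions you may need to adjust.

```powershell
# Added example (not from the thread): find the engine DLLs Windows Defender
# dropped into a new Definition Updates subfolder and check who signed them,
# before whitelisting them by bare file name in SSRP's Custom Policies.
# Assumptions: default Defender path under %ProgramData%; 1-day look-back.

$root  = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
$since = (Get-Date).AddDays(-1)   # look-back window, adjust as needed

function Get-NewDefenderDll {
    param([string]$Path = $root, [datetime]$Since = $since)
    Get-ChildItem -Path $Path -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            # Authenticode check: Status should be 'Valid' and the signer Microsoft,
            # since a name-only whitelist entry would also admit a look-alike DLL.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Folder  = $_.DirectoryName
                Name    = $_.Name
                Created = $_.CreationTime
                Status  = $sig.Status
                Signer  = $sig.SignerCertificate.Subject
            }
        }
}

# Show the candidates, then the lines to add to the Custom Policies section of
# software.ini (file name only, because the containing folder name is random).
$dlls = Get-NewDefenderDll
$dlls | Format-Table Folder, Name, Created, Status, Signer -AutoSize
$dlls |
    Where-Object { $_.Status -eq 'Valid' -and $_.Signer -like 'CN=Microsoft*' } |
    Select-Object -ExpandProperty Name -Unique |
    ForEach-Object { "$_=1" }
```

Run it from an elevated prompt, since the Definition Updates tree is not readable by every account; anything that is unsigned or signed by someone other than Microsoft is printed in the table but deliberately left out of the generated whitelist lines.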
I have the following rule in SRP in Local Security Policy (it may be a little risky, because if malware has the same name then it won't be stopped by SRP at least, but it will be intercepted by my other layers, so it's not a big deal for me): %temp%\mpam*-*.exe => set to Unrestricted. I am using this topic to point this out because of the issue described here => https://social.technet.microsoft.co...ssues-with-windows-defender?forum=winserverGP I tested many rules and the one above seems to work as it should. The rule works even if the following rule is applied to set the subfolders to Disallowed as well => %temp%\*\*.exe Regards, Georgi
No problem for me getting the updates on Windows Pro with the Windows 10 Creators Update installed just recently. I run as Admin, because I wouldn't have a clue how to set up a "Software Restriction Policy". It sounds too complicated for me.
Yup. AppLocker is way too complicated for me and I'm afraid if I use the default rules, I risk getting locked out of Windows. No such problem with SSRP.
Hi DoesntMatter, does the mpam*-*.exe get downloaded when you use the Windows Update method to update Defender? Or is it downloaded when you use Windows Defender itself to do updates? Because I am using the Windows Update method and I don't see that file.
Hi lunarlander, the rule is created to allow the user to update WD manually through the program. There are no problems updating WD through Windows Update without creating any rules if CryptoPrevent protection is enabled or if any rules in Local Security Policy (SRP) are applied to prevent *.exe files from running from the %temp% folders. But I can speak only for SRP and not for SSRP. Regards, Georgi
With SSRP any program you want to run from otherwise blacklisted locations can be added to custom policy section of the software.ini that ships with SSRP. Remember to unlock it to install/uninstall/update software.
Hi Georgi, I just tried to update Defender in Win 10 Home using Windows Defender, and I don't see any mpam inside \AppData\Local\Temp or \Windows\Temp. Inside \Windows\Temp I only found a cryptic folder name ending in .Sigs. Instead I saw a cryptic folder name within \ProgramData\Microsoft\Windows Defender\Definition Updates with the DLL I mentioned, just as if it were updated using Windows Update!
Hi lunarlander, same here. I just checked and it seems that mpam files are no longer created if WD is updated via MS Update or manually. Probably MS recently changed the way WD updates are applied and the exclusion rule in SRP is no longer needed (it was needed a few months ago but not anymore). I disabled it as well. And since the rule in SRP for ProgramData restricts only executables running from the main folder (and not the subfolders) => %programdata%\*.exe I don't need to create an exception for WD anymore. I won't include the subfolders to enhance the protection, since a lot of legit files (including the Battle.net agent) start from subfolders in %programdata%, but CIS will take care of them. Regards, Georgi
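For the SRP side of the thread (the %temp%\mpam*-*.exe and %temp%\*\*.exe rules above, the %programdata%\*.exe rule in this post, and the question of whether a DLL in a new Definition Updates subfolder is covered by a folder rule), here is an added audit script that is not part of the thread: it reads the path rules from the local Software Restriction Policy, reports whether DLLs are being checked (the SRP counterpart of SSRP's includeDLLs setting), and shows which rules would match a given file. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer and an elevated prompt; it models path rules only, ignores hash and certificate rules (which take precedence over path rules), and approximates SRP's "most specific rule wins" by preferring the longest matching pattern. The sample path %temp%\mpam-fe.exe is a hypothetical input chosen to fit the mpam*-*.exe rule.

```powershell
# Added example (not from the thread): audit the path rules of the local
# Software Restriction Policy and test which of them match a given file.
# Assumptions: standard SRP registry layout; run elevated. Path rules only;
# hash/certificate rules and exact SRP precedence are not modelled.

$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpEnforcement {
    $p = Get-ItemProperty -Path $base -ErrorAction Stop
    [pscustomobject]@{
        DefaultLevel = $levels[[int]$p.DefaultLevel]
        # TransparentEnabled: 1 = executables only, 2 = executables and DLLs
        DllsChecked  = ([int]$p.TransparentEnabled -eq 2)
    }
}

function Get-SrpPathRule {
    foreach ($lvl in $levels.Keys) {
        $key = Join-Path $base "$lvl\Paths"
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            [pscustomobject]@{
                Level   = $levels[$lvl]
                Raw     = $p.ItemData
                Pattern = [Environment]::ExpandEnvironmentVariables($p.ItemData)
            }
        }
    }
}

function Test-SrpPathMatch {
    param([Parameter(Mandatory)][string]$FilePath)
    $file = [Environment]::ExpandEnvironmentVariables($FilePath)
    Get-SrpPathRule | ForEach-Object {
        $pat = $_.Pattern
        # A rule that names a folder (no wildcard, no extension) covers the
        # folder and everything below it, so treat it as folder\*.
        if ($pat -notmatch '[*?]' -and -not [IO.Path]::HasExtension($pat)) {
            $pat = $pat.TrimEnd('\') + '\*'
        }
        if ($file -like $pat) { $_ }   # -like is case-insensitive, * spans '\'
    } | Sort-Object { $_.Pattern.Length } -Descending
}

Get-SrpEnforcement
Get-SrpPathRule | Format-Table Level, Raw -AutoSize
# Longest (most specific) matching rule first: the one SRP would most likely apply.
Test-SrpPathMatch -FilePath '%temp%\mpam-fe.exe' | Format-Table Level, Raw, Pattern -AutoSize
```

Feed Test-SrpPathMatch the full path of a DLL inside one of the randomly named Definition Updates subfolders to see whether an Unrestricted folder rule for Definition Updates outranks a Disallowed rule such as %programdata%\*\*.exe on your machine; if DllsChecked comes back False, DLLs are never evaluated by SRP at all, which is the same effect the original poster got from includeDLLs=0 in SSRP.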
Unlike AppLocker, it's basically set and forget. If you find something was blocked by policy, add the full path line to CustomPolicies in the software.ini file and activate the new policy. It should then run and you're done. Easy-peasy.
Has anyone here tried Hard_Configurator by Andy Full? It's a nice, simple and powerful tool. Tweak and forget!