Win 10 Windows Defender updates and SRP

Discussion in 'other anti-malware software' started by lunarlander, Aug 2, 2017.

  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    158
    Hi,

    Something changed today, my Simple Software Restriction Policy is blocking Windows Defender Updates.

    I have already allowed files in "c:\ProgramData\Microsoft\Windows Defender" to run, and Windows Defender updates have been working previously.

    I did a File Explorer search for 'modified:08/02/2017' but wasn't able to find anything, or maybe I missed something.

    If I change the SSRP ini file to "includeDLLs=0" then it works, so it should be a DLL file that is the offender.
     
    Last edited: Aug 2, 2017
  2. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    I have SSRP. I've never had an issue with WD updating.
     
  3. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    158
    Hi Norman

    Do you have includeDLLs=1 ?
     
  4. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    No.

    About the only thing I did was whitelist executables to SRP that run from the Downloads or AppData folder; they're usually blocked by default.
     
  5. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    158
    Found the solution. One has to whitelist 'GapaEngine.DLL=1' and 'MPEngine.DLL=1' in the Custom Policies section. Windows Defender creates NEW folders within 'ProgramData\Microsoft\Windows Defender\Definition Updates' which may contain new copies of these DLLs. And it looks like SSRP is too slow to figure out that they are within the whitelisted folder 'ProgramData\Microsoft\Windows Defender\Definition Updates'. And since these are new folders created during Windows Update with random-looking folder names, we cannot create a whitelist item using the full path, so we can only specify the DLL file name.

    Windows 10 Pro SRP does not have this problem. And all that needs to be done is whitelist 'ProgramData\Microsoft\Windows Defender\Definition Updates'.
     
    Last edited: Aug 3, 2017
  6. doesntmatter

    doesntmatter Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    37
    Location:
    Bulgaria
    I have the following rule in SRP in Local Security Policy (it may be a little risky because if the malware has the same name then it won't be stopped, at least by SRP, but it will be intercepted by my other layers so it's not a big deal for me):

    %temp%\mpam*-*.exe => to unrestricted

    I am using this topic to point this out because of the issue described here => https://social.technet.microsoft.co...ssues-with-windows-defender?forum=winserverGP

    I tested many rules and the one above seems to work as it should. :)

    The rule is working even if the following rule is applied to protect the subfolders as well to disallowed => %temp%\*\*.exe

    Regards,
    Georgi
     
    Last edited: Aug 5, 2017
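    The posts above make two claims that are easy to check on your own machine: Windows Defender drops fresh copies of MpEngine.dll and GapaEngine.dll into randomly named subfolders of "Definition Updates", and an SRP path rule with wildcards (such as `%temp%\mpam*-*.exe`) matches per path segment, so `%programdata%\*.exe` does not reach into subfolders. The PowerShell script below is an added audit helper written for this thread; it is not code from any post, from SSRP, or from Microsoft. It assumes the standard SRP registry layout (path rules under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<guid>` with the pattern in `ItemData`, where level 0 is Disallowed, 131072 is Basic User and 262144 is Unrestricted, and `TransparentEnabled = 2` means DLLs are checked too), and it approximates SRP's "most specific rule wins" by "longest expanded pattern wins". Run it in an elevated PowerShell after a definition update to see which rule decides each DLL copy.

```powershell
# Added audit helper for this thread (not code from any post, from SSRP or from SRP itself).
# Lists the engine DLL copies Windows Defender drops into randomly named subfolders of
# "Definition Updates" and shows which Software Restriction Policy path rule would decide each.
#
# Assumptions (verify on your own build):
#   - SRP path rules live under HKLM:\...\Safer\CodeIdentifiers\<level>\Paths\<guid>, pattern in ItemData;
#     level 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted.
#   - TransparentEnabled = 2 under CodeIdentifiers means SRP also checks DLLs (1 = EXEs only).
#   - "Most specific rule wins" is approximated by "longest expanded pattern wins".

$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$defRoot    = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
$engineDlls = 'MpEngine.dll', 'GapaEngine.dll'   # DLL names taken from the thread

# Translate an SRP path pattern into a regex: * and ? match within one path segment only.
function ConvertTo-SrpRegex([string]$expandedPattern) {
    $escaped = [regex]::Escape($expandedPattern) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]'
    return "^$escaped$"
}

# Does a file path fall under an SRP path rule?
# A rule without wildcards is a folder (or file) prefix; a rule with wildcards is matched per segment.
function Test-SrpPathMatch([string]$filePath, [string]$expandedPattern) {
    if ($expandedPattern -match '[*?]') {
        return $filePath -imatch (ConvertTo-SrpRegex $expandedPattern)
    }
    $prefix = $expandedPattern.TrimEnd('\') + '\'
    return ($filePath -ieq $expandedPattern) -or
           $filePath.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
}

# Read every path rule SRP currently holds, with %VAR% expanded the way SRP expands it.
function Get-SrpPathRules {
    foreach ($levelKey in Get-ChildItem -Path $saferRoot -ErrorAction SilentlyContinue) {
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
        $pathsKey = "$($levelKey.PSPath)\Paths"
        foreach ($rule in Get-ChildItem -Path $pathsKey -ErrorAction SilentlyContinue) {
            $pattern = (Get-ItemProperty -Path $rule.PSPath).ItemData
            if (-not $pattern) { continue }
            $name = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "level $level" }
            [pscustomobject]@{
                Level    = $name
                Pattern  = $pattern
                Expanded = [System.Environment]::ExpandEnvironmentVariables($pattern)
            }
        }
    }
}

# Is DLL checking switched on at all? Without it, a DLL-only rule changes nothing.
$transparent = (Get-ItemProperty -Path $saferRoot -ErrorAction SilentlyContinue).TransparentEnabled
$dllState = if ($transparent -eq 2) { 'on (DLLs are enforced)' } else { 'off (only EXEs are enforced)' }
Write-Host "SRP DLL checking: $dllState"

$rules = @(Get-SrpPathRules)
$dlls  = @(Get-ChildItem -Path $defRoot -Recurse -File -Include $engineDlls -ErrorAction SilentlyContinue)

$report = foreach ($dll in $dlls) {
    # Among matching rules, the longest pattern approximates SRP's "most specific rule wins".
    $decider = $rules |
        Where-Object { Test-SrpPathMatch $dll.FullName $_.Expanded } |
        Sort-Object { $_.Expanded.Length } -Descending |
        Select-Object -First 1
    $verdict = if ($decider) { $decider.Level } else { 'default level (no path rule matches)' }
    $ruleText = if ($decider) { $decider.Pattern } else { '' }
    [pscustomobject]@{
        Dll       = $dll.Name
        Subfolder = $dll.Directory.Name   # the random-looking folder created by the update
        Verdict   = $verdict
        Rule      = $ruleText
    }
}
$report | Format-Table -AutoSize
```

    If the report shows a DLL copy landing on "default level" while the Definition Updates folder is whitelisted, the folder rule is not being applied to the new subfolder the way you expect; if it shows Disallowed because a broader `%programdata%\*\*.dll`-style rule outranks your whitelist, the wildcard rule is the one to narrow.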
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,436
    No problem for me getting the updates on Windows Pro with Windows 10 Creators Update installed, just recently. I run as Admin, because I wouldn't have a clue as to how to set up a "Software Restriction Policy". It sounds too complicated for me. :)
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,712
    Download and install this if you want. Easy peasy.

    https://iwrconsultancy.co.uk/softwarepolicy
     
  9. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    Yup. AppLocker is way too complicated for me and I'm afraid if I use the default rules, I risk getting locked out of Windows.
    No such problem with SSRP.
     
  10. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    158
    Hi DoesntMatter,

    Does the mpam*-*.exe get downloaded when you use the Windows Update method to update Defender? Or is it downloaded when you use Windows Defender itself to do updates? Because I am using the Windows Update method and I don't see that file.
     
  11. doesntmatter

    doesntmatter Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    37
    Location:
    Bulgaria
    Hi lunarlander,

    The rule is created to allow the user to update WD manually through the program. There are no problems updating WD through Windows Update without creating any rules if CryptoPrevent protection is enabled or if any rules in Local Security Policy (SRP) are applied to prevent *.exe files from running from the %temp% folders. But I can speak only for SRP and not for SSRP.

    Regards,
    Georgi
     
  12. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    With SSRP any program you want to run from otherwise blacklisted locations can be added to the custom policy section of the software.ini that ships with SSRP.

    Remember to unlock it to install/uninstall/update software.
     
  13. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    158
    Hi Georgi,

    I just tried to update Defender in Win 10 Home using Windows Defender. And I don't see any mpam inside \AppData\Local\Temp or \Windows\Temp. Inside \Windows\Temp I only found a cryptic folder name ending in .Sigs.

    Instead I saw a cryptic folder name within \ProgramData\Microsoft\Windows Defender\Definition Updates with the DLL I mentioned, just as if it were updated using Windows Update!
     
  14. doesntmatter

    doesntmatter Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    37
    Location:
    Bulgaria
    Hi lunarlander,

    Same here. I just checked and it seems that mpam files are no longer created if WD is updated via MS Update or manually. Probably MS recently changed the way WD updates are applied and the exclusion rule in SRP is no longer needed (it was needed a few months ago but not anymore). I disabled it as well. And since the rule in SRP for ProgramData restricts only executables from running from the main folder (and not the subfolders) => %programdata%\*.exe I don't need to create an exception for WD anymore. :) I won't include the subfolders to enhance the protection since a lot of legit files (including Battle.net agent) start from subfolders in the %programdata% but CIS will take care of them. :)

    Regards,
    Georgi
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,436
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,159
    Confirmed - I also have such a path rule and haven't run into problems since. DLLs are included.
     
  17. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296

    Unlike AppLocker, it's basically set and forget. If you find something was blocked by policy, add the full path line to CustomPolicies in the software.ini file and activate the new policy. It should then run and you're done. Easy-peasy.
     
  18. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    58
    Location:
    somewhere
    Has any of you tried Hard_Configurator by Andy Full? It's a nice, simple and powerful tool.
    Tweak and forget!
     