Regular prompts from Defender Firewall about OneDriveFile Co-authoring

Iron Contributor

I receive regular prompts from Defender Firewall about OneDrive File Co-authoring. (FileCoAuth.exe)
appdata\local\microsoft\onedrive\21.020.0128.0002\filecoauth.exe

The file is identified (by defender) as being from Microsoft although the location (in my appdata) makes me suspicious that it could be malware [surely this is bad practice] and the fact that defender keeps blocking it (you'd think the OneDrive teams would have a working relationship with the Windows & defender team) doesn't add to my confidence.
So questions:
1) Can anyone else confirm if this is really where MS keep this file? (what's wrong with program files etc.?)
2) Anyone know why defender keeps blocking it (My guess is that it's related to version updates and defender seeing a "new" app connection but why doesn't any update "deal" with issue? Especially as the defender dialgos often come up behind other open apps and go unnoticed for a while!
3) If other people aren't getting this, why am I?
[I have a lot of trouble with sync in Onedrive - which I have thus far put down to having 5 Microsoft 365 tenants and personal drive active at the same time and editing across licences]

 
7 Replies
Hi,

It really depends if you have a user or machine wide onedrive installation. In all tenants I have got a test vm , the FileCoAuth.exe is inside the program files folder instead of the local appdata.
I am not receiving any firewall prompt about it.

Did you specify additional firewall rules or other settings connected to it?
No - never did anything - not sure why it came up - or why the installation of onedrive didn;t set them.
MS resolved it. It turns out that the rule was no active in the public profile and occasionally I was losing Lam connectivity and switching temporarily to WiFI. had I ever left the building in the last 6 months I suppose I would have worked it out - but as the LAN came back on pretty quickly the issue would go away -on its own and hence the very intermittent nature (and the lack of anyone else with the same issue).

@Ian Cunningham 

 

so what does this mean on my laptop? Brand new laptop and do NOT want to do ANYTHING to harm it

 

GrammyZee_0-1626196580282.png

 

@Ian Cunningham, so it means I can grant access when defender blocks it?

@_GCA_ 

 

I have the same issue. Why does the default from MS suggest to checkmark the box to I allow use in public networks then say not recommended at the same time?