Windows Defender copy protection interferes with our product

%3CLINGO-SUB%20id%3D%22lingo-sub-3191864%22%20slang%3D%22en-US%22%3EWindows%20Defender%20copy%20protection%20interferes%20with%20our%20product%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3191864%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20I'm%20Maarten%20Tops%20from%20Utomik.%20Utomik%20is%20a%20gaming%20platform%20that%20downloads%20small%20parts%20of%20a%20game%20and%20runs%20out%20while%20downloading%20the%20rest%20of%20the%20game%20in%20the%20background.%20This%20is%20achieved%20through%20hooking%20the%20Windows%20API%20file%20system%20functions%20to%20create%20a%20virtual%20file%20system.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20context%20for%20this%20question%20is%20the%20%5BCopyFile%5D%5B1%5D%20function.%20Normally%20when%20a%20game%20calls%20this%20function%20our%20hook%20simply%20translates%20the%20paths%20provided%20and%20calls%20the%20actual%20Windows%20API%20with%20those.%3CBR%20%2F%3ELately%20a%20particular%20Windows%20Defender%20behavior%20is%20breaking%20this.%20When%20CopyFile%20is%20called%20multiple%20times%20by%20a%20game%20(between%205-7%20times%20in%20our%20experience)%20the%20game%20suddenly%20loads%20MpDetoursCopyAccelerator.dll%20and%20another%20process%20(I'm%20guessing%20the%20Defender%20process)%20takes%20care%20of%20the%20actual%20copy.%20Because%20this%20other%20process%20is%20not%20operating%20in%20our%20virtual%20file%20system%20context%20the%20copy%20operation%20fails.%20This%20in%20turn%20can%20cause%20the%20game%20to%20produce%20an%20error%20message.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20investigating%20this%20issue%20we%20found%20we%20could%20prevent%20this%20behavior%20by%20blocking%20the%20loading%20of%20the%20MpDetoursCopyAccelerator.dll%20file.%20The%20game%20will%20in%20that%20case%20simply%20use%20CopyFile%20again%20and%20everything%20works%20as%20intended.%20However%20we%20feel%20that%20working%20against%20specific%20security%20software%20in%20this%20way%20is%20not%20our%20preferred%20solution.%20Is%20there%20another%20way%20we%20can%20approach%20this%20issue%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20time%2C%3CBR%20%2F%3EMaarten%20Tops%3CBR%20%2F%3ESenior%20Software%20Developer%3CBR%20%2F%3EUtomik%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%5B1%5D%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fapi%2Fwinbase%2Fnf-winbase-copyfile%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fapi%2Fwinbase%2Fnf-winbase-copyfile%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3191864%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWindows%20Defender%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3193900%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20copy%20protection%20interferes%20with%20our%20product%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3193900%22%20slang%3D%22en-US%22%3EDoes%20it%20happen%20in%20case%20you%20disable%20the%20Microsoft%20Defender%3F%3CBR%20%2F%3EHow%20you%20developing%20your%20program%20%2C%20are%20you%20using%20C%2FC%2B%2B%3F%3CBR%20%2F%3EAre%20you%20Microsoft%20.NET%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3193924%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Defender%20copy%20protection%20interferes%20with%20our%20product%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3193924%22%20slang%3D%22en-US%22%3EThe%20problem%20does%20not%20happen%20when%20the%20Defender%20is%20disabled.%3CBR%20%2F%3EThe%20product%20(the%20virtual%20file%20system%20part)%20is%20C%2B%2B.%3C%2FLINGO-BODY%3E
New Contributor

Hello, I'm Maarten Tops from Utomik. Utomik is a gaming platform that downloads small parts of a game and runs out while downloading the rest of the game in the background. This is achieved through hooking the Windows API file system functions to create a virtual file system.

 

The context for this question is the [CopyFile][1] function. Normally when a game calls this function our hook simply translates the paths provided and calls the actual Windows API with those.
Lately a particular Windows Defender behavior is breaking this. When CopyFile is called multiple times by a game (between 5-7 times in our experience) the game suddenly loads MpDetoursCopyAccelerator.dll and another process (I'm guessing the Defender process) takes care of the actual copy. Because this other process is not operating in our virtual file system context the copy operation fails. This in turn can cause the game to produce an error message.

 

After investigating this issue we found we could prevent this behavior by blocking the loading of the MpDetoursCopyAccelerator.dll file. The game will in that case simply use CopyFile again and everything works as intended. However we feel that working against specific security software in this way is not our preferred solution. Is there another way we can approach this issue?

 

Thanks for your time,
Maarten Tops
Senior Software Developer
Utomik


[1]: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfile

3 Replies
Does it happen in case you disable the Microsoft Defender?
How you developing your program , are you using C/C++?
Are you Microsoft .NET?
The problem does not happen when the Defender is disabled.
The product (the virtual file system part) is C++.
I advise you to ask your question on:
https://docs.microsoft.com/en-us/answers/products/
They would be able to guide you on this issue.