windows defender
High CPU usage by Antimalware Service Executable (Windows Defender) on every login
Hello, I am experiencing a persistent issue with Windows Defender. The background process Antimalware Service Executable (MsMpEng.exe) consumes extremely high CPU every time I log in, making the system nearly unusable. The only temporary workaround I have found is disabling real-time protection, which immediately stops the high CPU usage. However, I do not want to permanently disable protection, for security reasons.

Here is what I have already tried and what did not help:

- Reducing Windows Defender CPU usage from 20 percent to 5 percent did not help; the process still uses most of the CPU.
- Excluding my drives from scanning did not help. I excluded both drives I use, but Defender still appears to be scanning something in the background.
- Removing Windows Defender entirely seems like the only effective solution, but I understand this is not recommended since it is a built-in system component and could cause system issues.

For several months now, my routine has been logging in and manually turning off real-time protection just to be able to use my system, which is not a sustainable or secure solution. Is there any way to resolve this issue while keeping Windows Defender enabled? Any guidance or recommended troubleshooting steps would be greatly appreciated.

A false detection of Windows 10 Defender for my exe file suddenly occurred again
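For the high-CPU question above (the MsMpEng.exe post, not the false-detection post whose heading precedes this), here is an added example that is not part of the original thread. It records what Defender's real-time engine actually scans in the minutes after logon and lists the heaviest scans, files, extensions and processes, using the Defender performance analyzer cmdlets New-MpPerformanceRecording and Get-MpPerformanceReport. The trace path is an assumption. One caveat the post runs into: ScanAvgCPULoadFactor only throttles scheduled scans, so lowering it from 20 to 5 percent cannot affect real-time protection.

```powershell
# Added example: find what Defender scans right after logon.
# Requires the Defender performance analyzer cmdlets (Defender platform on
# Windows 10/11 and Server 2019+) and an elevated session.
#Requires -RunAsAdministrator
function Get-DefenderLogonScanHotspots {
    param(
        [int]$Seconds = 120,                                  # recording window after logon
        [string]$Trace = "$env:TEMP\defender-logon.etl"       # assumed trace location
    )

    # ScanAvgCPULoadFactor applies to scheduled scans only; real-time protection
    # (the MsMpEng.exe activity seen at logon) ignores it. Report it together with
    # the exclusions currently in force so the starting point is documented.
    $pref = Get-MpPreference
    [pscustomobject]@{
        ScanAvgCPULoadFactor = $pref.ScanAvgCPULoadFactor
        RealTimeProtection   = -not $pref.DisableRealtimeMonitoring
        ExclusionPath        = ($pref.ExclusionPath -join '; ')
    }

    # Capture an ETW trace of the antivirus engine for $Seconds seconds.
    New-MpPerformanceRecording -RecordTo $Trace -Seconds $Seconds

    # Each -Top* switch adds a table to the report. TopScans lists the scanned
    # path, the process that caused the scan and the scan duration, which is the
    # evidence needed for a narrow path or process exclusion (not a whole drive).
    Get-MpPerformanceReport -Path $Trace -TopScans 10 -TopFiles 10 -TopExtensions 10 -TopProcesses 10
}

Get-DefenderLogonScanHotspots -Seconds 120
```

Run it from an elevated prompt immediately after logging in (or from a logon-triggered scheduled task running with highest privileges). Exclude only the specific path or process the TopScans table points at; drive-wide exclusions remove coverage and, as the post found, do not necessarily stop the activity.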
I have an .exe file that I created myself. I submitted it to the Microsoft Security Intelligence webpage and it was approved as a false detection a few months ago. Today, that false detection suddenly happened and caused a lot of inconvenience to my users who use this file. So, what's the reason? Why did this detection happen again? And how can I report it and get it done forever?

New-AntiPhishPolicy Parameters Don't seem to work properly
I'm making a script to automate setting up EOP for our customers. Everything works fine, except the part with the anti-phishing policy. When running the command New-AntiPhishPolicy with a variety of parameters (see Original command) I get the error "-ParameterX is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again" (for the full error see Error Example). When the parameters that cause the error are removed from the script I end up with only eight working parameters (see Working parameters). When I create the policy in the GUI, all the parameters I use below are available. I also tried different accounts: I first tried via delegated access, then I ran the same command as the global admin, but no luck either.

Security license used in the tenant: Defender for O365 (subscription 1)

Original command:

    New-AntiPhishPolicy -Name $AntiPhishPolicyName -ImpersonationProtectionState automatic `
    -EnableTargetedUserProtection $true `
    -EnableMailboxIntelligenceProtection $true `
    -EnableTargetedDomainsProtection $true `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableFirstContactSafetyTips $true
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -TargetedUserProtectionAction Quarantine `
    -TargetedUserQuarantineTag $quarantinepolicy `
    -MailboxIntelligenceProtectionAction Quarantine `
    -MailboxIntelligenceQuarantineTag $quarantinepolicy `
    -TargetedDomainProtectionAction Quarantine `
    -TargetedDomainQuarantineTag $quarantinepolicy `
    -AuthenticationFailAction Quarantine `
    -SpoofQuarantineTag $quarantinepolicy `
    -EnableSpoofIntelligence $true `
    -EnableViaTag $true `
    -EnableUnauthenticatedSender $true `
    -EnableSuspiciousSafetyTip $true `
    -PhishThresholdLevel 2 `
    -MakeDefault `
    -TargetedDomainsToProtect $Customerdomains

Working Parameters:

    New-AntiPhishPolicy -Name $AntiPhishPolicyName `
    -ImpersonationProtectionState automatic `
    -EnableTargetedUserProtection $true `
    -EnableMailboxIntelligenceProtection $true `
    -EnableTargetedDomainsProtection $true `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableFirstContactSafetyTips $true

Error Example:

    -EnableSimilarUsersSafetyTips : The term '-EnableSimilarUsersSafetyTips' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:9 char:2
    + -EnableSimilarUsersSafetyTips $true `
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (-EnableSimilarUsersSafetyTips:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    -EnableSpoofIntelligence : The term '-EnableSpoofIntelligence' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:20 char:2
    + -EnableSpoofIntelligence $true `
    + ~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (-EnableSpoofIntelligence:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

Start-MpScan -ScanType FullScan ignores ExclusionExtension preference
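For the New-AntiPhishPolicy question above (not the Start-MpScan post whose heading precedes this), an added example that is not part of the original thread. The error text shows PowerShell treating "-EnableSimilarUsersSafetyTips" as a command name, which is what happens when the preceding line does not continue the statement: either there is no trailing backtick, or the backtick is followed by a space or tab. The block below does two things: a check that flags both conditions in a script file, and the same policy built as a hashtable and splatted, which needs no line continuation at all. Parameter names are the ones the post uses; $AntiPhishPolicyName, $quarantinepolicy and $Customerdomains are the post's own variables and are assumed to be set after Connect-ExchangeOnline; the script path is an assumption.

```powershell
# Added example: detect broken backtick continuations, then create the policy with splatting.

function Test-LineContinuation {
    # Flags (a) lines whose backtick is followed by trailing whitespace and
    # (b) lines with no trailing backtick although the next line starts with a
    # parameter such as "-Name". (b) is a heuristic aimed at multi-line commands.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $hasNext = ($i + 1) -lt $lines.Count
        if ($lines[$i] -match '`[ \t]+$') {
            [pscustomobject]@{ Line = $i + 1; Problem = 'backtick followed by trailing whitespace'; Text = $lines[$i].TrimEnd() }
        }
        elseif ($hasNext -and $lines[$i] -notmatch '`\s*$' -and $lines[$i + 1] -match '^\s*-[A-Za-z]') {
            [pscustomobject]@{ Line = $i + 1; Problem = 'no backtick before a line that starts with a parameter'; Text = $lines[$i].TrimEnd() }
        }
    }
}

# Splatting: one hashtable, no backticks. Switch parameters (MakeDefault) take $true.
$antiPhish = @{
    Name                                = $AntiPhishPolicyName
    ImpersonationProtectionState        = 'Automatic'
    EnableTargetedUserProtection        = $true
    EnableMailboxIntelligenceProtection = $true
    EnableTargetedDomainsProtection     = $true
    EnableOrganizationDomainsProtection = $true
    EnableMailboxIntelligence           = $true
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedUserQuarantineTag           = $quarantinepolicy
    MailboxIntelligenceProtectionAction = 'Quarantine'
    MailboxIntelligenceQuarantineTag    = $quarantinepolicy
    TargetedDomainProtectionAction      = 'Quarantine'
    TargetedDomainQuarantineTag         = $quarantinepolicy
    AuthenticationFailAction            = 'Quarantine'
    SpoofQuarantineTag                  = $quarantinepolicy
    EnableSpoofIntelligence             = $true
    EnableViaTag                        = $true
    EnableUnauthenticatedSender         = $true
    EnableSuspiciousSafetyTip           = $true
    PhishThresholdLevel                 = 2
    MakeDefault                         = $true
    TargetedDomainsToProtect            = $Customerdomains
}

# Check the existing script first (path assumed), then create the policy.
Test-LineContinuation -Path .\New-EopBaseline.ps1 | Format-Table -AutoSize
New-AntiPhishPolicy @antiPhish
```

In the post's Original command the line "-EnableFirstContactSafetyTips $true" has no trailing backtick, which matches the first reported error at line 9; the second error at line 20 is consistent with whitespace after the backtick on the preceding line, which the check above reports explicitly because it is invisible in an editor.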
A potential workaround would be to allow the -ScanPath parameter to accept a String[] of drive letters when performing a CustomScan.

    #EXAMPLE - Custom Windows Defender Scan on Multiple Drives with Exclusions
    #Requires -RunAsAdministrator
    Import-Module Defender
    # ExclusionExtension is a string array; a single comma-joined string would be stored as one extension
    Set-MpPreference -ExclusionExtension "iso","mp3","wav"
    # Proposed syntax: -ScanPath currently accepts a single path
    Start-MpScan -ScanType CustomScan -ScanPath "C:,D:"

Get-MpPreference
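For the Start-MpScan post above (not the Get-MpPreference post whose heading precedes this), an added example that is not part of the original thread: a working equivalent of the proposed multi-drive CustomScan. -ScanPath takes a single path, so the function loops over the drives. The extension exclusions are passed as a string array and then read back from Get-MpPreference to confirm they actually took effect before anything is scanned, which is the check to make before concluding that a scan "ignores" an exclusion. Drive letters and extensions in the call at the bottom are sample values.

```powershell
# Added example: custom scan over several drives with verified extension exclusions.
#Requires -RunAsAdministrator
function Invoke-DefenderDriveScan {
    param(
        [Parameter(Mandatory)][string[]]$Drive,      # e.g. 'C:\','D:\'
        [string[]]$ExcludeExtension = @()            # e.g. 'iso','mp3','wav'
    )

    if ($ExcludeExtension.Count -gt 0) {
        # Add-MpPreference appends to the existing list; Set-MpPreference would replace it.
        Add-MpPreference -ExclusionExtension $ExcludeExtension

        # Read the effective list back and compare without a leading dot on either side.
        $applied = @(@((Get-MpPreference).ExclusionExtension) | Where-Object { $_ } | ForEach-Object { $_.TrimStart('.') })
        $missing = @($ExcludeExtension | ForEach-Object { $_.TrimStart('.') } | Where-Object { $applied -notcontains $_ })
        if ($missing.Count -gt 0) {
            # Typical causes: tamper protection, or exclusions managed by Group Policy / MDM.
            throw "Exclusion(s) not applied: $($missing -join ', ')"
        }
    }

    foreach ($d in $Drive) {
        if (-not (Test-Path -LiteralPath $d)) { Write-Warning "Skipping $d (not found)"; continue }
        $start = Get-Date
        Start-MpScan -ScanType CustomScan -ScanPath $d     # runs synchronously unless -AsJob is used
        [pscustomobject]@{
            Path       = $d
            Started    = $start
            Finished   = Get-Date
            # Detections first seen during this scan window
            Detections = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $start }).Count
        }
    }
}

Invoke-DefenderDriveScan -Drive 'C:\', 'D:\' -ExcludeExtension 'iso', 'mp3', 'wav'
```

If the function throws on the exclusion check, the scan result would have been misleading regardless of -ScanType, so fix the preference management (policy or tamper protection) first.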
I tried the attached commands in PowerShell and get no output:

    Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
    Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

For example, this seems to be OK:

    PS C:\WINDOWS\system32> (Get-Service windefend).Status
    Running

PowerShell script is triggering the AD alert when executing on any local server, as user or computer
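For the Get-MpPreference post above (not the AD-alert post whose heading precedes this), an added example that is not part of the original thread. Get-MpPreference exposes attack surface reduction rules as two parallel arrays (rule GUIDs in AttackSurfaceReductionRules_Ids, numeric actions in AttackSurfaceReductionRules_Actions). The function pairs them into one object per rule, decodes the action with the values Set-MpPreference accepts for -AttackSurfaceReductionRules_Actions, and says so explicitly when both arrays are empty: a running WinDefend service does not imply that any ASR rule is configured. Because ASR rules are only enforced when Defender Antivirus is the active AV with real-time protection on, the running mode is reported as well.

```powershell
# Added example: pair ASR rule ids with their actions and explain empty output.
function Get-AsrRuleState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    $ids     = @(@($pref.AttackSurfaceReductionRules_Ids)     | Where-Object { $_ })
    $actions = @(@($pref.AttackSurfaceReductionRules_Actions) | Where-Object { $null -ne $_ })

    $context = [pscustomobject]@{
        AMRunningMode      = $status.AMRunningMode             # 'Normal' = Defender is the active AV
        RealTimeProtection = $status.RealTimeProtectionEnabled
        ConfiguredRules    = $ids.Count
    }
    Write-Verbose ($context | Format-List | Out-String)

    if ($ids.Count -eq 0) {
        # This is the situation in the post: the two one-liners print nothing because
        # no rule is present in the preference object on this host.
        Write-Warning 'No ASR rules are reported by MpPreference on this host.'
        return $context
    }

    # Action codes as used by Set-MpPreference -AttackSurfaceReductionRules_Actions
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = if ($i -lt $actions.Count) { [int]$actions[$i] } else { $null }
        [pscustomobject]@{
            RuleId     = $ids[$i]
            ActionCode = $code
            Action     = if ($null -ne $code -and $actionName.ContainsKey($code)) { $actionName[$code] } else { 'Unknown' }
        }
    }
}

Get-AsrRuleState -Verbose | Format-Table -AutoSize
```

A mismatch in array lengths (more ids than actions) shows up as ActionCode $null / Action 'Unknown' rather than silently shifting every rule's action by one, which is what a naive zip would do.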
Hello All,

I have a PowerShell script which generates data from each local server. The script is tested and working fine, but the challenge is that it triggers an alert on the AD server, "user or computer logged on to this computer from the network", even though the script is executed on the individual servers, not on AD. I am not able to find out why this is happening. Is there AD-level security configuration or hardening that is creating this problem? Where do I find the exact cause of this? Can anyone help me, please? I am attaching the script here for reference.

    ############################Script#####################
    $Computer  = $env:ComputerName
    $OutputDir = "c:\temp\"
    $Name = ($OutputDir + $Computer + "_LocalUser.csv")
    Out-File -FilePath $Name
    $OutputFile = $Name
    Add-Content -Path $OutPutFile -Value "ComputerName;OS;IP;UserID;FullName;SID;UserType;PasswordLastSet;Enabled;UserMayChangePassword;PasswordNeverExpires;InteractiveLogon;AccessDetails;LastLogOn;TimeZone"

    # Local accounts and groups only (the LocalAccount=True filter keeps WMI from enumerating the domain)
    $LocalUsers  = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | Select-Object -ExpandProperty Name
    $localgroups = Get-WmiObject Win32_Group -Filter "LocalAccount=True" | Select-Object -ExpandProperty Name
    $groupsOutput = $null
    $IP = $(((ipconfig | findstr [0-9].\.)[0]).Split()[-1])

    if ($PSVersionTable.PSVersion.Major -gt 4) {
        # PowerShell 5 and later: LocalAccounts module
        foreach ($localuser in $LocalUsers) {
            $Name = $localuser
            $FullName = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty FullName
            $SID = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty SID
            $UserType = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty PrincipalSource
            $PasswordLastSet = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty PasswordLastSet
            $Enabled = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty Enabled
            $UserMayChangePassword = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty UserMayChangePassword
            $PasswordNeverExpires = (Get-LocalUser -Name $localuser | Select-Object -ExpandProperty PasswordExpires) -eq $null
            [Int]$i = 0
            $groupsOutput = ""
            # Group membership: enumerates the members of every local group, which includes domain principals
            $groups = (Get-LocalGroup | Where-Object { (Get-LocalGroupMember $_).Name -eq "$Computer\$Name" }).Name
            foreach ($group in $groups) {
                $i++
                if ($i -le 1) { $groupsOutput = -join ("$groupsOutput", "$group") }
                else          { $groupsOutput = -join ("$groupsOutput", " / ", "$group") }
            }
            $LastLogOn = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty LastLogOn
            $TimeZone = [regex]::Matches([System.TimeZoneInfo]::Local.DisplayName, '(?<=\()(.*)(?=\))').Value
            Add-Content -Path $OutPutFile -Value "$Computer;Windows;$IP;$Name;$FullName;$SID;$UserType;$PasswordLastSet;$Enabled;$UserMayChangePassword;$PasswordNeverExpires;;$groupsOutput;$LastLogOn;$TimeZone"
        }
    }
    else {
        # PowerShell 4 and older: WMI plus "net user"
        foreach ($localuser in $LocalUsers) {
            $user = Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE LocalAccount = 'True' and Name = ""$localuser"""
            $Name = $localuser
            $FullName = $user.FullName
            $SID = $user.SID
            $UserType = "Local"
            $PasswordLastSet = $(net user $Name | findstr /B /C:"Password last set")
            $PasswordLastSet = $PasswordLastSet.Substring(29)
            $Enabled = -not $user.Disabled
            $UserMayChangePassword = -not $user.PasswordChangeable
            $PasswordNeverExpires = -not $user.PasswordExpires
            # Note: no LocalAccount=True filter here, so WMI also enumerates domain accounts to match the name
            $groupList = Get-CimInstance -ClassName Win32_UserAccount -Filter "Name='$name'" | Get-CimAssociatedInstance -Association Win32_GroupUser | Select-Object Name
            $groups = ""
            foreach ($group in $groupList.Name) { $groups += $group + "," }
            $groups = $groups.Substring(0, $groups.Length - 1)
            $LastLogOn = $(net user $Name | findstr /B /C:"Last logon")
            $LastLogOn = $LastLogOn.Substring(29)
            $TimeZone = [regex]::Matches([System.TimeZoneInfo]::Local.DisplayName, '(?<=\()(.*)(?=\))').Value
            $passwordNeverExpires = -not $user.passwordExpires
            Add-Content -Path $OutPutFile -Value "$Computer;Windows;$IP;$Name;$FullName;$SID;$UserType;$PasswordLastSet;$Enabled;$UserMayChangePassword;$PasswordNeverExpires;;$groups;$LastLogOn;$TimeZone"
        }
    }

Windows Defender copy protection interferes with our product
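For the AD-alert question above (the local-user inventory script, not the Utomik post whose heading precedes this), an added example that is not part of the original thread. The alert text corresponds to a Security event 4624 with LogonType 3 (network) on the domain controller. Rather than guessing, the function runs each candidate call from the script in turn with timestamps, pulls the DC's 4624 events for that window, keeps those coming from this host, and attributes each one to the step that was running. Likely candidates, stated here as an assumption to be confirmed by the output: Get-LocalGroupMember and the Win32_GroupUser association resolve the SIDs of domain principals that are members of local groups (for example Domain Admins in Administrators), and SID-to-name resolution of domain SIDs is answered by the DC; the else-branch Win32_UserAccount query with no LocalAccount filter also queries the domain. $DomainController is an assumed name; reading the DC's Security log needs Event Log Readers (or equivalent) rights and the remote event log firewall rule, and the two clocks are assumed to be in sync.

```powershell
# Added example: attribute 4624/LogonType 3 events on the DC to the script step that caused them.
function Find-NetworkLogonSource {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Steps,   # ordered: label -> scriptblock
        [int]$SkewSeconds = 2                                          # tolerance for clock drift
    )

    # Run every step and remember its time window. Errors (e.g. Get-LocalGroupMember on
    # an orphaned SID) are reported but do not stop the measurement.
    $windows = foreach ($label in $Steps.Keys) {
        $start = Get-Date
        try { & $Steps[$label] | Out-Null } catch { Write-Warning "$label failed: $_" }
        [pscustomobject]@{ Step = $label; Start = $start; End = Get-Date }
    }

    # Addresses this host can appear under in the DC's events (IpAddress or WorkstationName).
    $localIps = @((Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress)

    $first  = ($windows | Measure-Object -Property Start -Minimum).Minimum
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $first.AddSeconds(-$SkewSeconds)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten EventData into a name -> value table.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['LogonType'] -ne '3') { continue }                       # network logons only
        $fromHere = ($data['IpAddress'] -in $localIps) -or ($data['WorkstationName'] -ieq $env:COMPUTERNAME)
        if (-not $fromHere) { continue }

        $step = ($windows | Where-Object {
            $e.TimeCreated -ge $_.Start.AddSeconds(-$SkewSeconds) -and $e.TimeCreated -le $_.End.AddSeconds($SkewSeconds)
        }).Step
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Step        = ($step -join ', ')
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"   # user, or COMPUTER$ when run as SYSTEM
            AuthPackage = $data['AuthenticationPackageName']
            SourceIp    = $data['IpAddress']
        }
    }
}

# The calls the inventory script makes, isolated so each one gets its own window.
$steps = [ordered]@{
    'Win32_UserAccount (LocalAccount filter)' = { Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' }
    'Win32_Group (LocalAccount filter)'       = { Get-WmiObject -Class Win32_Group -Filter 'LocalAccount=True' }
    'Get-LocalUser'                           = { Get-LocalUser }
    'Get-LocalGroupMember (all groups)'       = { Get-LocalGroup | ForEach-Object { Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue } }
    'Win32_GroupUser association'             = { Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' | Get-CimAssociatedInstance -Association Win32_GroupUser }
    'Win32_UserAccount (no LocalAccount filter)' = { Get-CimInstance Win32_UserAccount -Filter "Name='$env:USERNAME'" }
}

Find-NetworkLogonSource -DomainController 'dc01.corp.example' -Steps $steps | Format-Table -AutoSize
```

Whatever step the table points at is the one to replace with a local-only query; the alert itself is expected behaviour on the DC (the server authenticated to it over the network), not a hardening setting that can be turned off.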
Hello, I'm Maarten Tops from Utomik. Utomik is a gaming platform that downloads small parts of a game and runs it while downloading the rest of the game in the background. This is achieved by hooking the Windows API file system functions to create a virtual file system. The context for this question is the [CopyFile][1] function. Normally when a game calls this function our hook simply translates the paths provided and calls the actual Windows API with those.

Lately a particular Windows Defender behavior is breaking this. When CopyFile is called multiple times by a game (between 5 and 7 times in our experience), the game suddenly loads MpDetoursCopyAccelerator.dll and another process (I'm guessing the Defender process) takes care of the actual copy. Because this other process is not operating in our virtual file system context, the copy operation fails. This in turn can cause the game to produce an error message.

After investigating this issue we found we could prevent this behavior by blocking the loading of the MpDetoursCopyAccelerator.dll file. The game will in that case simply use CopyFile again and everything works as intended. However, we feel that working against specific security software in this way is not our preferred solution. Is there another way we can approach this issue?

Thanks for your time,
Maarten Tops
Senior Software Developer
Utomik

[1]: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfile

new content after last match of a Pattern in XML file
Hi, I am trying to use PowerShell to add content to an XML file after the last match of a pattern. I need to add the content from the $OutTemp txt file:

    <!-- steve.cox - test3 -02/02/2022 11:01:36 -->
    <InstancePathId>USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\5B8207000061&0</InstancePathId>
    <!-- steve.cox - test4 - -02/02/2022 11:01:36 -->
    <InstancePathId>USBSTOR\DISK&VEN_TOSHIBA&PROD_SILICON-POWER&REV_PMAP\MSFTNAKTM1070837BA061C1622&0</InstancePathId>

below the last </InstancePathId> line of the USB-Groups.XML file:

    <Groups>
      <Group Id="{9b28fae8-72f7-4267-a1a5-685f747a7146}">
        <!-- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData -->
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList>
          <PrimaryId>RemovableMediaDevices</PrimaryId>
          <PrimaryId>CdRomDevices</PrimaryId>
          <PrimaryId>WpdDevices</PrimaryId>
        </DescriptorIdList>
      </Group>
      <Group Id="{65fa649a-a111-4912-9294-fb6337a25038}">
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList>
          <InstancePathId>USBSTOR\DISK&VEN_TOSHIBA&PROD_SILICON-POWER&REV_PMAP\MSFTNAKTM10708466023196668&0</InstancePathId>
          <InstancePathId>USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_0000\408D5C1EF726102179650693&0</InstancePathId>
          <InstancePathId>USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\60A44C42651BB2A04626FC36&0</InstancePathId>
          <InstancePathId>USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_EDGE&REV_1.26\20043514001B91029E82&0</InstancePathId>
        </DescriptorIdList>
      </Group>
    </Groups>

If I use

    Function WritetoXML {
        $NewLines = Get-Content -Path $OutTemp | ?{ $_.Trim() -ne "" }
        $New = Get-Content -Path $XMLPath | ForEach-Object {
            $_
            If ($_ -match '</InstancePathId>') { $NewLines }
        }
        $New | Out-File -FilePath $XMLPath -Force
        Remove-Item $OutTemp
    }

it writes after each instance of '</InstancePathId>', but I cannot work out how to get this to write only after the last instance.
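An added example for the question above, not part of the original post: instead of matching text lines, load the policy as XML and insert the new comment and <InstancePathId> nodes after the last existing <InstancePathId> through the DOM. Two things matter for a Defender device control policy file. First, '&' inside an instance path must be stored as '&amp;' in the file; the DOM escapes it when InnerText is set, and it refuses to load a file that contains a bare '&' (the forum rendering above has dropped the escaping). Second, the temp file is read as plain text, so its bare '&' is fine. The sample input is constructed for the example and mirrors the post's layout; $XmlPath and $OutTemp are assumed paths.

```powershell
# Added example: append new InstancePathId entries after the LAST existing one, XML-aware.

$XmlPath = "$env:TEMP\USB-Groups.xml"
$OutTemp = "$env:TEMP\new-ids.txt"

# Constructed sample policy (note the &amp; escaping a well-formed file must have).
@'
<Groups>
  <Group Id="{65fa649a-a111-4912-9294-fb6337a25038}">
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <InstancePathId>USBSTOR\DISK&amp;VEN_TOSHIBA&amp;PROD_SILICON-POWER&amp;REV_PMAP\MSFTNAKTM10708466023196668&amp;0</InstancePathId>
      <InstancePathId>USBSTOR\DISK&amp;VEN_SANDISK&amp;PROD_CRUZER_EDGE&amp;REV_1.26\20043514001B91029E82&amp;0</InstancePathId>
    </DescriptorIdList>
  </Group>
</Groups>
'@ | Set-Content -LiteralPath $XmlPath -Encoding UTF8

# Constructed sample of the $OutTemp content: a comment line, then the id line it belongs to.
@'
<!-- steve.cox - test3 -02/02/2022 11:01:36 -->
<InstancePathId>USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\5B8207000061&0</InstancePathId>
<!-- steve.cox - test4 - -02/02/2022 11:01:36 -->
<InstancePathId>USBSTOR\DISK&VEN_TOSHIBA&PROD_SILICON-POWER&REV_PMAP\MSFTNAKTM1070837BA061C1622&0</InstancePathId>
'@ | Set-Content -LiteralPath $OutTemp -Encoding UTF8

function Add-InstancePathIds {
    param(
        [Parameter(Mandatory)][string]$XmlPath,
        [Parameter(Mandatory)][string]$TempPath
    )
    # Read the temp file as text (bare '&' is fine here) and pair each comment with the id after it.
    $entries = @(); $pendingComment = $null
    foreach ($line in Get-Content -LiteralPath $TempPath) {
        if ($line -match '<!--\s*(.*?)\s*-->') { $pendingComment = $Matches[1]; continue }
        if ($line -match '<InstancePathId>(.*?)</InstancePathId>') {
            $entries += [pscustomobject]@{ Comment = $pendingComment; Id = $Matches[1] }
            $pendingComment = $null
        }
    }
    if ($entries.Count -eq 0) { throw "No <InstancePathId> lines found in $TempPath" }

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true       # keep the file's indentation and line breaks
    $doc.Load($XmlPath)                    # throws here if the file contains an unescaped '&'

    $last = @($doc.SelectNodes('//InstancePathId'))[-1]
    if (-not $last) { throw 'No existing <InstancePathId> to insert after' }
    $parent = $last.ParentNode
    $indent = $last.PreviousSibling        # whitespace node before the last id, reused for layout
    $ref    = $last

    foreach ($e in $entries) {
        if ($e.Comment) {
            if ($indent -is [System.Xml.XmlWhitespace]) { $ref = $parent.InsertAfter($indent.CloneNode($true), $ref) }
            $ref = $parent.InsertAfter($doc.CreateComment(" $($e.Comment) "), $ref)
        }
        if ($indent -is [System.Xml.XmlWhitespace]) { $ref = $parent.InsertAfter($indent.CloneNode($true), $ref) }
        $node = $doc.CreateElement('InstancePathId')
        $node.InnerText = $e.Id            # '&' is written as '&amp;' on save
        $ref = $parent.InsertAfter($node, $ref)
    }
    $doc.Save($XmlPath)
    return $entries.Count                  # number of ids added
}

Add-InstancePathIds -XmlPath $XmlPath -TempPath $OutTemp
Get-Content -LiteralPath $XmlPath
```

The DOM route also protects the policy against half-written entries: a temp file that is missing a closing tag simply produces no match instead of corrupting the policy, and the file is only rewritten once every node has been inserted.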