Behavior:Win32/WDBlockFirewallRule.P

Had this exact warning appear for me as well. I have Ask to Connect enabled. Today, once I plugged in my Ethernet cable after an update earlier, the first-connect dialog popped up and then Defender appeared.

While troubleshooting I was able to see that MsMpEng had a 'first connection' dialog at the exact same time Windows Defender started screaming. To troubleshoot, I copied an active block registry key at the location of the warning, put in the full path to the msmpeng.exe file, and immediately Windows Defender popped up with the exact same issue. Is it possible that GlassWire is adding it as a block while waiting for confirmation, and Windows Defender deletes the regkey immediately?

+1. Same detection here. GlassWire version 2.2.291. My firewall has never been set to “block all”.

I see that I’m not alone here. Same thing just popped up. I was running GlassWire 2.2.2xx (2.2.241 maybe?). I’m updating to the latest version right now. I run ask-to-connect mode, and Windows updated earlier today.

@Ken_GlassWire Does GlassWire have some hidden backdoor, and now it flipped out? Who are you selling us out to? The CIA?

I had this same issue a few years back. Now it is here again. :grimacing:


@Ken_GlassWire are there any updates from the devs on this problem?

I also received today the alert garycurtain posted. Yesterday I installed the Western Digital drive utility, and I figured it was this trying to phone home. I guess now, from the quantity of people reporting in a short time span, this is not the case…?

Same issue appeared here:
Status: the latest Patch Tuesday worked fine. The popup from Defender just appeared after the latest update today, 12:07 CET. Running GlassWire version 2.2.268 (I thought I had already updated to 2.2.291 and seen some of the pertaining interface changes, but maybe Defender already ripped something out? The process or key listed by Defender are gone (after a reboot requested by Defender)).
My ransomware protection is on. Recently, regular things flagged by the ransomware protection have increased after Windows updates, i.e., they were running fine before.
Also running, not recently updated, the WD Drive Utilities for a Passport backup disk.

Hope this info helps the developers.
Cheers and happy hunting!

I just recreated the issue on my own PC. Our team is now actively working on this. Thanks for your reports.

Everyone that has this issue, please email me with a link to this thread. Click the contact link below. We may send you a testing version to see if the issue is solved if you want to help us.
https://www.glasswire.com/contact/

That way we can confirm the issue is fixed before releasing the update.

Also, just to be clear, this is a false positive of some type due to our firewall rules, so we need to adjust how they work a bit. This has happened before if the “Antimalware Executable” is blocked by GlassWire, which is why we whitelist that specific app to avoid this. But it seems Microsoft made some other changes with this latest update, so we need to adjust something again so you guys won’t get this notice.
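An added example, not GlassWire's code and not from any poster in this thread, that does the read-only version of the check being discussed in PowerShell: it parses every rule string stored under the FirewallRules registry key, reports any active Block rule whose App is a Defender binary, and pulls the Defender events (IDs 1116/1117/1119) that mention WDBlockFirewallRule so the {GUID} in the event's Path field can be matched against a rule value name. The registry path, the "v2.xx|Key=Value|...|" rule string format and the three Defender executable names are assumptions stated in the comments; the event IDs and the regkeyvalue format are the ones that appear in the event dumps posters quote in this thread.

```powershell
# Added example, not GlassWire's code: a read-only audit of the two things the
# Behavior:Win32/WDBlockFirewallRule detection keys on, an active Block rule in the
# Windows Firewall rule store that targets a Defender binary, and the Defender
# events that record the detection. Run from an elevated PowerShell prompt.
# Assumptions: the rule store is the registry key below (CurrentControlSet is the
# live alias of the ControlSet001 path Defender prints), rules are stored as
# "v2.xx|Key=Value|...|" strings, and these three executables are the Defender
# components a firewall rule could block.

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$DefenderBinaries = @(
    'MsMpEng.exe'    # Antimalware Service Executable
    'NisSrv.exe'     # Network Realtime Inspection Service
    'MpCmdRun.exe'   # Defender command-line scanner
)

function ConvertFrom-FirewallRuleString {
    # Turns "v2.31|Action=Block|Active=TRUE|Dir=Out|App=C:\x\y.exe|Name=foo|" into an object.
    param([string]$RuleString = '')
    $fields = @{}
    foreach ($token in $RuleString.Split('|')) {
        if ($token -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$fields
}

function Get-DefenderBlockingRules {
    # Emits every active Block rule whose App resolves to one of $DefenderBinaries.
    if (-not (Test-Path -Path $RulesKey)) { return }
    $key = Get-Item -Path $RulesKey
    foreach ($valueName in $key.GetValueNames()) {
        $rule = ConvertFrom-FirewallRuleString -RuleString ([string]$key.GetValue($valueName))
        $app  = [string]$rule.App
        if (-not $app) { continue }   # port/protocol-only rules carry no App field
        $leaf = Split-Path -Leaf ([Environment]::ExpandEnvironmentVariables($app))
        if ($rule.Action -eq 'Block' -and $rule.Active -eq 'TRUE' -and $DefenderBinaries -contains $leaf) {
            [pscustomobject]@{
                ValueName = $valueName    # the {GUID} Defender shows in its regkeyvalue path
                RuleName  = $rule.Name
                Direction = $rule.Dir
                App       = $app
            }
        }
    }
}

function Get-WDBlockFirewallRuleEvents {
    # 1116 = detected, 1117 = action taken, 1119 = error taking action (IDs quoted in this thread).
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 1119
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDBlockFirewallRule' } |
        ForEach-Object {
            # The Path field names the pid and the FirewallRules value that tripped the detection.
            $path = ''
            if ($_.Message -match '(?m)^\s*Path:\s*(.+)$') { $path = $Matches[1].Trim() }
            $ruleValue = ''
            if ($path -match '(\{[0-9A-Fa-f-]+\})') { $ruleValue = $Matches[1] }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                RuleValue = $ruleValue   # compare with ValueName from Get-DefenderBlockingRules
                Path      = $path
            }
        }
}

$hits = @(Get-DefenderBlockingRules)
if ($hits.Count -eq 0) { Write-Host 'No active Block rule currently targets a Defender binary.' } else { $hits | Format-Table -AutoSize }
Get-WDBlockFirewallRuleEvents | Format-Table -AutoSize
```

Because the rule that trips the detection may only exist for the few seconds an "ask to connect" prompt is pending, the registry audit can come back empty on a machine that still shows the alert; the event log keeps the {GUID} of the offending value, so that is the durable record to compare against. The script only reads the rule store and the event log, it does not create or delete any rule.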

Very useful, thank you for taking the time to post this.

As mentioned previously, if anyone wants to test our fix immediately when it’s available please email us with this forum link as the subject. Our email link is below.

I have sent out a testing version to around 10 people who emailed us to test.

Thanks for sending this report so we could put out a quick fix. The issue is caused by a change to Windows Defender and how it behaves if we temporarily block Windows Defender when in “ask to connect” mode. We have made a change that should remove this false positive with Defender.

If you also want to try the fix, please email me with a link to this thread as your subject.
https://www.glasswire.com/contact/

@Geri123

This is very helpful, thank you for testing. For some reason my PC does not have this real-time inspection service. Our team is investigating.

@Geri123

Very useful, thank you.

Same notification here from Windows Defender; the pid redirects to my VPN client.

Event[0]:

Date: 2021-02-12 Time: 23:17:55.127
Event ID: 1119
(Error when taking action on malware or PUA)

User Name: NT AUTHORITY\SYSTEM
Computer:
Description:
Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:

Name: Behavior:Win32/WDBlockFirewallRule.P
ID: 2147773266
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_pid:4116:1937012556366723; process:_pid:4116,ProcessStart:132572801352940558; regkeyvalue:_HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9F8A3DDC-E5AE-40E6-B67D-ADE097DAD325}
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: C:\Windows\System32\svchost.exe
Action: Remove
Action Status: To finish removing malware and other potentially unwanted software, restart the device.
Error Code: 0x8007054f
Error description: An internal error occurred.
Security intelligence Version: AV: 1.331.599.0, AS: 1.331.599.0, NIS: 1.331.599.0
Engine Version: AM: 1.1.17800.5, NIS: 1.1.17800.5

Event[1]:

Date: 2021-02-12 Time: 23:17:49.020
Event ID: 1116
(Detected malware or PUA)

User Name: NT AUTHORITY\SYSTEM
Computer:
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:

Name: Behavior:Win32/WDBlockFirewallRule.P
ID: 2147773266
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_pid:4116:1937012556366723; process:_pid:4116,ProcessStart:132572801352940558; regkeyvalue:_HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9F8A3DDC-E5AE-40E6-B67D-ADE097DAD325}
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: C:\Windows\System32\svchost.exe
Security intelligence Version: AV: 1.331.599.0, AS: 1.331.599.0, NIS: 1.331.599.0
Engine Version: AM: 1.1.17800.5, NIS: 1.1.17800.5

@Niorun May I ask your VPN client type?

Please email us if you want the testing version that solves this.
https://www.glasswire.com/contact/

I am using NordVPN with the NordLynx protocol.

@Niorun

In your case the false positive may be related to Nord. I have had customers tell us they do make changes to the Windows Firewall.

Today I received it again, now without NordVPN, and the pid tells me it's also svchost.exe.

Event[0]:

Date: 2021-02-14 Time: 09:09:28.235
Event ID: 1116
(Detected malware or PUA)

User Name: NT AUTHORITY\SYSTEM
Computer:
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:

ID: 2147773266
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_pid:4108:1937012556366723; process:_pid:4108,ProcessStart:132577056014013524; regkeyvalue:_HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{885A9B0A-148D-409F-8292-642C452CAA55}
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: C:\Windows\System32\svchost.exe
Security intelligence Version: AV: 1.331.968.0, AS: 1.331.968.0, NIS: 1.331.968.0
Engine Version: AM: 1.1.17800.5, NIS: 1.1.17800.5

I will contact you for the fix.