Had this exact warning appear as well for myself. I have ask to connect enabled. Today, once I plugged in my Ethernet cable after an update earlier, the first connect popped up and then Defender appeared.
For troubleshooting I was able to see that MsMpEng had a 'first connection' dialog at the exact same time Windows Defender started screaming. To troubleshoot I copied an active block registry key at the location of the warning and placed the full path to the msmpeng.exe file, and immediately Windows Defender popped up with the exact same issue found. Is it possible that GlassWire is adding it as a block while waiting for confirmation and Windows Defender deletes the regkey immediately?
I see that I’m not alone here. Same thing just popped up. I was running GlassWire 2.2.2xx. (2.2.241 maybe?) I’m updating to the latest version right now. I run ask-to-connect mode and Windows updated earlier today.
I also received today the alert garycurtain posted. Yesterday I installed the Western Digital drive util, and I figured it was this trying to phone home. I guess now, from the quantity of people reporting in a short time span, this is not the case…?
Same issue appeared here:
Status: Latest Patch Tuesday worked fine. The popup from Defender just appeared after the latest update today, 12:07 CET. Running GlassWire version 2.2.268 (thought I had already updated to 2.2.291 and seen some of the pertaining interface changes, but maybe Defender already ripped something out?). The process or key listed by Defender are gone (after a reboot requested by Defender).
My Ransomware protection is on. Recently regular things flagged by the Ransomware protection increased after Windows Updates, i.e., they were running fine before.
Also running, not lately updated, the WD Drive Utilities for a Passport backup disk.
Hope this info helps the developers.
Cheers and happy hunting!
Everyone that has this issue, please email me with a link to this thread. Click the contact link below. We may send you a testing version to see if the issue is solved if you want to help us. https://www.glasswire.com/contact/
That way we can confirm the issue is fixed before releasing the update.
Also, just to be clear this is a false positive of some type due to our firewall rules so we need to adjust how they work a bit. This has happened before in the past if the “Antimalware Executable” is blocked by GlassWire, so that’s why we white list that specific app to avoid this. But it seems Microsoft made some other changes with this latest update, so we need to adjust something again so you guys won’t get this notice.
Very useful, thank you for taking the time to post this.
As mentioned previously, if anyone wants to test our fix immediately when it’s available please email us with this forum link as the subject. Our email link is below.
I have sent out a testing version to around 10 people who emailed us to test.
Thanks for sending this report so we could put out a quick fix. The issue is caused by a change to Windows Defender and how it behaves if we temporarily block Windows Defender when in “ask to connect” mode. We have made a change that should remove this false positive with Defender.
Same notification here from Windows Defender; the PID redirects to my VPN client.
Event[0]:
Date: 2021-02-12 Time: 23:17:55.127
Event ID: 1119
(Error when taking action on malware or PUA)
User Name: NT AUTHORITY\SYSTEM
Computer:
Description:
Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
Name: Behavior:Win32/WDBlockFirewallRule.P
ID: 2147773266
Severity: Severe
Category: Suspicious Behavior
Path: behavior:_pid:4116:1937012556366723; process:_pid:4116,ProcessStart:132572801352940558; regkeyvalue:_HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9F8A3DDC-E5AE-40E6-B67D-ADE097DAD325}
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
User: NT AUTHORITY\SYSTEM
Process Name: C:\Windows\System32\svchost.exe
Action: Remove
Action Status: To finish removing malware and other potentially unwanted software, restart the device.
Error Code: 0x8007054f
Error description: An internal error occurred.
Security intelligence Version: AV: 1.331.599.0, AS: 1.331.599.0, NIS: 1.331.599.0
Engine Version: AM: 1.1.17800.5, NIS: 1.1.17800.5
User Name: NT AUTHORITY\SYSTEM
Computer:
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
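Added example, not part of any post in this thread and not GlassWire's code: a small triage helper that pulls the PID and firewall rule GUID out of the `Path` field of the Event ID 1119 record above, then decodes a rule string in the pipe-delimited form Windows Firewall stores under `FirewallRules` to check whether it is an active block on MsMpEng.exe. The rule data is a constructed sample (the thread never shows the real value), and the function names are hypothetical.

```python
import re

# Path field copied from the Event ID 1119 record posted in this thread.
EVENT_PATH = (r"behavior:_pid:4116:1937012556366723; "
              r"process:_pid:4116,ProcessStart:132572801352940558; "
              r"regkeyvalue:_HKLM\SYSTEM\ControlSet001\Services\SharedAccess"
              r"\Parameters\FirewallPolicy\FirewallRules"
              r"\\{9F8A3DDC-E5AE-40E6-B67D-ADE097DAD325}")

# Constructed sample of the data stored under that value name. The version
# token, App path and Name are assumptions, not values taken from the thread.
SAMPLE_RULE = (r"v2.30|Action=Block|Active=TRUE|Dir=Out|"
               r"App=C:\ProgramData\Microsoft\Windows Defender\Platform"
               r"\<version>\MsMpEng.exe|Name=constructed-example|")


def parse_event_path(path):
    """Split Defender's Path field into pid, registry key and rule value name."""
    pid = re.search(r"process:_pid:(\d+)", path)
    reg = re.search(r"regkeyvalue:_(.+?)\\+(\{[0-9A-Fa-f-]{36}\})", path)
    return {
        "pid": int(pid.group(1)) if pid else None,
        "key": reg.group(1) if reg else None,
        "rule_id": reg.group(2) if reg else None,
    }


def parse_rule(data):
    """Decode 'v2.x|Key=Value|...' rule data; a repeated key keeps its last value."""
    fields = {}
    for part in data.strip("|").split("|")[1:]:  # [1:] skips the version token
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def blocks_defender(fields):
    """True for an active Block rule whose App is Defender's MsMpEng.exe."""
    return (fields.get("Action", "").lower() == "block"
            and fields.get("Active", "").upper() == "TRUE"
            and fields.get("App", "").lower().endswith("\\msmpeng.exe"))


if __name__ == "__main__":
    print(parse_event_path(EVENT_PATH))
    print("blocks MsMpEng.exe:", blocks_defender(parse_rule(SAMPLE_RULE)))
```

On an affected machine, the data to feed `parse_rule` is the string stored under the GUID value name in the `FirewallRules` key named by the event, if Defender has not already removed it.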