Defender BlockMsav.A!reg msmpeng.exe Revisited

dallas7 · January 30, 2021, 9:36pm

Windows 10 Pro 1909
GW 2.2.291 Elite

As this topic has been tagged (solved)

Glasswire is triggering off Windows 10 Defender (solved)

I’ll open this new one here…

Yesterday I dealt with Win32/BlockMsav.A!reg which was quarantined by Defender. During the mayhem, I did notice that GW changed its state to Block All.

Things are OK and my research turned up all sorts of discussions going back to 2017.

I did notice there was a related GW fix in v2.1.158, June 2019, with this thread in the forum:

Trojan:Win32/BlockMsav.A!reg threat detected

That piqued my curiosity and that got me to find these two rules in Defender Firewall (there are no other rules for msmpeng.exe):

{GlassWire.out.app_-1617379985.profile_1.mode_2},GlassWire,All,Yes,Allow,No,c:\programdata\microsoft\windows defender\platform\4.18.1911.3-0\msmpeng.exe,Any,Any,Any,Any,Any,Any,Any,Any,Any,

{GlassWire.in.app_-1617379985.profile_1.mode_2},GlassWire,All,Yes,Allow,No,c:\programdata\microsoft\windows defender\platform\4.18.1911.3-0\msmpeng.exe,Any,Any,Any,Any,Any,Any,Any,Any,Any,Any,

However, the current platform is
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2011.6-0

As well, that app_-1617379985 “Antimalware Service Executable” rule is under Inactive Apps. Per Alerts (1), from Feb 7, 2020. Which is about the time I built and configured this system.

So I wonder if maybe the issue fixed in v2.1.158 might have reborn itself or if it’s just another Microsoft whoopsie as it’s been reported over the years (and all sorts of other speculation).

One way or the other, I’m perplexed by GW’s way of handling msmpeng.exe.

What’s up with all that? Can that path be fixed?? Thanks!

Ken_GlassWire · January 31, 2021, 12:37pm

@dallas7

I will share with our team so they can analyze what’s going on. Thanks for posting these details so we can improve GlassWire and sorry for the problem.

dallas7 · January 31, 2021, 9:07pm

Thanks. Note that I’m not pointing to GW solely as the cause.

Ultimately, looking forward to finding out how GW handles msmpeng.exe. And what might be done about the platform path.

These might help. Let me know if additional info is needed.
DefenderCaptureForGW01 DefenderCaptureForGW02 DefenderCaptureForGW03

Ken_GlassWire · February 1, 2021, 4:54pm

@dallas7

Both of the rules you mentioned that are added by GlassWire are “allow” rules. This is rule is to avoid a malware notice by Windows Defender.

Is that your question, or did our team misunderstand?

Ken_GlassWire · February 2, 2021, 3:48pm

@Geri123

Are you using a secondary firewall with GlassWire, or just ours?

Could you click my name and privately message me your firewall block list in GlassWire? It will help me understand.

Ken_GlassWire · February 2, 2021, 4:27pm

@Geri123

Yes, I wanted a picture of it if you feel comfortable (click on my name here to message it to me privately). You can also email it if you prefer.
https://www.glasswire.com/contact/

I read about this other app you linked to above. It does mention Windows Firewall, so I think it might be responsible for this message you are receiving. We white list Windows Defender just to avoid this message, so unless Microsoft recently changed something then you should not get this message.

Also I just ran all Windows Updates and I cannot recreate this myself on Windows 10. Everything is correctly white listed for me so far.

Ken_GlassWire · February 2, 2021, 4:46pm

@Geri123

I responded to your message.

If you want to reset your firewall you should remove the other firewall app you have first, then go to add/remove programs and uninstall GlassWire.

Reboot

Go to the Windows Firewall control panel and choose “restore defaults”.

Install our latest version of GlassWire and check the “reset firewall” box.

The issue should disappear.

Ken_GlassWire · February 3, 2021, 6:34pm

I did not fully understand you guys previously, but I used our “Block all” mode today and I could recreate something similar to this. Our team is now investigating.

Ken_GlassWire · February 4, 2021, 1:24pm

Our team has been discussing this.

If “block all” mode causes you to have a severe alert from Windows Defender, then that’s a terrible user experience. Windows Defender even asks you to “reboot” to remove the rule and for me this notice would not go away until I actually rebooted.

However, if “block all” mode really does not block all, then what is it good for? What if I had some type of serious issue and I wanted to actually “block all” but then Windows Defender is white listed. Is that still really a “block all” mode?

I’m kind of leaning towards thinking that we should just white list Defender… but then it’s not really “block all” mode, if something is not blocked is it?

What is your opinion @dallas7 and @Geri123?

Ken_GlassWire · February 4, 2021, 4:37pm

That is how we feel also, but this big Windows Defender Trojan warning also is very annoying.

dallas7 · February 5, 2021, 2:54am

I understand that. What I I’m pointing out is the path is to a folder that no longer exists. It may or may not be contributing to this issue.

Now that I’m thinking about it more, when I run Thunderbird in a VeraCrypt container, I have to change from Ask To Connect to Click To Block. I’ve been having to do that for years.

Thunderbird in VeraCrypt & Rule Funk

I just got done closing out of TBird/VCrypt and I am now considering that when I was wanting to return to Ask To Connect, it is quite possible I overshot when moving from Click to Block and hit Block All by accident.

Well, fix that. IMHO, you can get rid of Block All altogether. Or maybe your Block All could be a function to disable the connection, as one can do in the Network and Internet\Network Connections Control Panel.

One way or the other, make the Block All button separate and distanced from the Ask To Connect/Click To Block selector.

dallas7 · February 14, 2021, 1:50am

Windows 10 Pro 20H2 (I updated from 1909 on the 9th.)
GW 2.2.291 Elite

Well, the jury is in.

I decided, for the first time since using GW on any system, to fish through the Inactive Apps and delete any app having a grayed out Open File Location.

I sorted alphabetically and the first I tried was for Antimalware Service Executable. I hit the x and bingo. Bocked: Win32/WDBlockFirewallRule.P Quarantined: Win32/BlockMsav.A!reg

After I restarted, and hit the x of first of the four of Microsoft Malware Protection Command Line Utility. Bingo. And ditto.

I restarted and I removed two “regular” apps, DukieTV and WinUtilities, without issue.

Sorry I can’t report better news.

Ken_GlassWire · February 14, 2021, 12:28pm

@dallas7

We have a test version 2.2.297 I’m sending out to people to test a fix for this issue. Please email us with a link to this thread if you’d like to try it.
https://www.glasswire.com/contact/

dallas7 · February 20, 2021, 9:11pm

Sorry for the delay. I verified the issue exists on my WIn10 test system.

I just emailed a request for 2.2.297 if it’s not too late.

Ken_GlassWire · February 20, 2021, 10:42pm

@dallas7

You were sent an even newer version, please check it.