Glasswire is triggering off Windows 10 Defender (solved)

@Ken_GlassWire I’m on a Windows 10 machine. Firewall is set to “Ask to connect”.

When doing a clean install, I indeed restored the firewall defaults (I checked all the possible options in the installer).


@Ken_GlassWire I’m sorry but this is really getting out of hand, I have Windows Defender triggering multiple times a day now:

Do you have any information?

Thanks.
Regards

I can assure everyone that this new version does not trigger Defender. It’s been several days now with no issues. I had a new install of Windows Pro 10 and one install of the newest GlassWire.

If people are having issues even when installing they click the check box “clean install” and “reset firewall” then there must be something lingering behind from an old installment. Possibly registry issue.


@JHefile

I’m glad to hear it’s fixed!

Ok. I did an install with the option “clean install” and “reset firewall”, but I could still see some Glasswire rules in the Windows firewall listing. So I did remove any specific rule by doing “Restore default policy”.

All seems to have been reset in Glasswire. So it’s really a clean start.

I’ll see if the issue arises again :)


Still fixed here.
I think part of their attempt to fix this was to not let you block ‘Microsoft Malware protection’ and ‘Antimalware Service Executable’ via firewall.

I am hesitant to say this is the total reason it is fixed. I recall other versions causing a false positive even when not blocking anything.

Either way it’s fixed now and I cannot block those two listings. I don’t want to block them so I am good to go.


Just to confirm that it is fixed indeed. No more alerts in more than 10 days.

Thanks for your support!


Hi,

The same issue is happening again with the latest versions of Windows and Glasswire. Please let me know if there is a way to export the firewall rules, otherwise, I cannot simply uninstall the Glasswire because of many rules that I’ve created in it.
Microsoft Windows [Version 10.0.18362.145]
GlassWire 2.1.152

Our QA always tests for any Windows Defender issues before launching new versions. Also, our entire team uses Windows Defender and we haven’t been able to recreate this. GlassWire did have an issue with this in 2018, but we made changes so it shouldn’t happen again.

We’ll check and see if we can recreate the issue. If anyone else is having this issue please reply to this thread with details of your Windows version also, thanks.

I have shared this with our team and they may have more questions.

I also see you are not using our latest GlassWire version. Our latest version is 2.1.157.

Thanks for your quick reply. I’m upgrading to the latest version. I’ll keep you posted if I face the issue again.


I always have at least one PC using the Windows 10 default AV with GlassWire and I have never had any of the false-positive problems reported in this forum. I wonder why: can you tell from the rule if it is created by GlassWire or the user?

I was once able to recreate this with a very old version of GlassWire before we made some changes to make sure this would not happen again. So far I haven’t seen any other reports about this with our latest software so I’m hoping this was just an anomaly…

Our QA is currently investigating the issue carefully with different Windows versions to try to recreate the issue.

One way this issue could re-appear is if the user used the older version we had (that did have this issue). In this case the old firewall rules could theoretically still exist and they could cause this issue to re-occur even with our latest software. If that’s the case, the solution would be to uninstall GlassWire in add/remove programs, then go to the “Windows Firewall” window and choose “restore defaults”. Then reboot the PC - an important step.

Now reinstall our latest software using the “clean install” and “reset firewall” options where they are both checked. The issue should not be able to re-occur once you take these steps. @Adel

I was able to recreate this false positive from Windows Defender. We are working on implementing some new changes, then we’ll release an update.

It seems Microsoft changed something lately so we now have to make some more changes ourselves too.

If you are in “Ask to connect” mode, or if you block the “Antimalware Service Executable” then do a Windows Defender scan, you will see this false positive. You can then “Allow” it, and you should have no problems while we work on releasing an update with a change to solve this.

Everyone, please upgrade to our latest GlassWire software. This issue is now solved.
https://www.glasswire.com/download/

Version 2.1.158 - (June 13, 2019)

Hash # 560465EED8F83CE983A9C4E5261E6B5C54BA4C824E44B0E46032FE24E480FA50

  • Fixed a bug that could cause a Windows Defender false positive Trojan:Win32/BlockMsav.A!reg. If you are experiencing this issue please be sure you’re using our latest software.
  • Fixed some incorrect French language translations.

If you continue to have this issue uninstall GlassWire in add/remove programs, then go to your Windows Firewall control panel and choose “restore defaults”. Now reboot - IMPORTANT!

Next reinstall our software with the “clean install” and “reset firewall” options checked. The issue should not happen again.


Just a small thing to add in a future version to further prevent this happening: GlassWire will still try to block MS Defender if it is in “Inactive Apps” and you clear them which results in the “Threat Detected” message.

Adding a system to the clearing inactive apps function to check for and skip “Antimalware Service Executable” should prevent this from happening.

@Thinking

Nobody has ever reported or noticed this before. I will share with the team and we’ll try to reproduce and fix it.

Nice catch!

@Thinking

So the Antimalware Service Executable goes to “inactive” then you deleted it from there by clicking the small “x” next to it. Then it re-appears in “Ask to connect” and you can block it?

Or how exactly does this work? I thought I understood you previously, but now I am not 100% sure I understand how to reproduce this issue.

“Antimalware Service Executable” has been “inactive” for me for a while now. Just now I updated to the new version of GlassWire (2.2.201 -> 2.2.210) (I selected reset Firewall if it matters) then after a minute or so of it running (Checking if a certain bug had been fixed, which it was) I decided to clear out my Inactive Apps and maybe a couple seconds after that I got a Windows Defender notification with the warning about the firewall rules trying to block Defender.

I actually just now tried to once again clear the inactive apps (it is still in there) and didn’t get the notification, when it first happened I selected the option to “remove” the threat and it told me it failed to do so (maybe GlassWire already changed it back?) and it could be possible that it simply refuses to detect a threat twice? I have already seen weird behavior like this with certain applications that are detected as malware like some Nirsoft tools.

> So the Antimalware Service Executable goes to “inactive” then you deleted it from there by clicking the small “x” next to it.

There is no small X next to it as intended (It also shows the shield and checkmark icon where the firewall flame would normally be), I only clicked the X next to “Inactive Apps” which clears all of them.

> Then it re-appears in “Ask to connect” and you can block it?

Nope, it remained there in Inactive Apps and didn’t ask to connect, although based on the fact that it doesn’t seem to connect, at least visible to GlassWire, it might just not have been detected trying to do so and it’s a visual bug.


Update: I actually haven’t been able to recreate it myself anymore.

  • I removed the Firewall Rules relating to msmpeng.exe and switching blocking modes (recreates firewall rules if missing) hasn’t produced an msmpeng.exe rule that is blocking

  • I also reinstalled GlassWire 2.2.210 with Firewall reset selected and it still won’t happen.

I am unsure if it is because of something Windows Defender did (it certainly didn’t remove the original blocking rules, I had to do it myself) or if the issue was just something related to the rules transitioning from 2.2.201 version to 2.2.210.

I checked the firewall entries that were detected by Windows Defender and they were all related to msmpeng.exe. Before I cleaned them up there were both rules that allowed and blocked internet access to the various versions of msmpeng.exe.

Edit: Just to clarify: Those rules that were blocking msmpeng.exe came from Glasswire.

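The check described in the posts above (finding leftover Windows Firewall rules that point at msmpeng.exe and seeing whether they allow or block), as an added example that is not part of any post and is not GlassWire's own tooling. It assumes an elevated PowerShell session on Windows 10 with the built-in NetSecurity module; the backup file path is a placeholder.

```powershell
# Added example: audit Windows Firewall rules that target Defender's
# MsMpEng.exe ("Antimalware Service Executable") and report their action.

# Back up the current Windows Firewall policy before changing anything.
# The output path is a placeholder; pick any writable location.
$backup = Join-Path $env:USERPROFILE 'firewall-backup.wfw'
netsh advfirewall export "$backup" | Out-Null

# Defender ships versioned copies of the engine, so match on the file name
# rather than on one fixed path. -like is case-insensitive.
$pattern = '*\MsMpEng.exe'

$rules = Get-NetFirewallApplicationFilter -All |
    Where-Object { $_.Program -like $pattern } |
    ForEach-Object {
        $filter = $_
        $rule   = $filter | Get-NetFirewallRule   # rule that owns this filter
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Name        = $rule.Name               # unique id, used for removal
            Group       = $rule.DisplayGroup       # helps tell who created the rule
            Direction   = $rule.Direction
            Action      = $rule.Action
            Enabled     = $rule.Enabled
            Program     = $filter.Program
        }
    }

$rules | Sort-Object Action, Program | Format-Table -AutoSize -Wrap

# Enabled Block rules are the ones the thread ties to the Defender alert.
$blocking = @($rules | Where-Object { $_.Action -eq 'Block' -and $_.Enabled -eq 'True' })
if ($blocking.Count -gt 0) {
    Write-Warning ("{0} enabled Block rule(s) target MsMpEng.exe" -f $blocking.Count)
    # Review the list first, then remove by unique rule name if appropriate:
    # $blocking | ForEach-Object { Remove-NetFirewallRule -Name $_.Name }
} else {
    Write-Output 'No enabled Block rule targets MsMpEng.exe.'
}
```

The exported `.wfw` file holds the Windows Firewall policy only and can be restored with `netsh advfirewall import`.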