Windows Defender Threat

Every so often I get a hit in Windows Defender that detects Trojan:Win32/BlockMsav.A!reg.

In the affected item, I followed the reg value HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B05DB137-5B46-488A-A02F-FFD65D77E257} which apparently is v2.30|Action=Block|Active=TRUE|Dir=Out|App=c:\program files\windows defender\mpcmdrun.exe|Name={Glasswire.app.out_58}|Desc=GlassWire|EmbedCtxt=GlassWire|

Maybe someone can interpret this for me as Windows Defender is not blocked in GlassWire.
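The registry value quoted in the post above is a pipe-delimited firewall rule string. As an added example (not part of the original thread, and not GlassWire's or Microsoft's code), this Python parses such values and flags active block rules whose `App` is one of the Defender binaries named in the thread. The function names and the second sample rule are constructed for illustration; on a live system the strings would come from the values under the `FirewallRules` key.

```python
import ntpath

# Defender binary names mentioned in the thread.
DEFENDER_BINARIES = {"mpcmdrun.exe", "msmpeng.exe"}

# First value is the one quoted in the post; the second is constructed.
SAMPLE_RULES = {
    "{B05DB137-5B46-488A-A02F-FFD65D77E257}": (
        r"v2.30|Action=Block|Active=TRUE|Dir=Out|"
        r"App=c:\program files\windows defender\mpcmdrun.exe|"
        r"Name={Glasswire.app.out_58}|Desc=GlassWire|EmbedCtxt=GlassWire|"
    ),
    "{CONSTRUCTED-ALLOW-RULE}": (
        r"v2.30|Action=Allow|Active=TRUE|Dir=Out|App=c:\example\app.exe|Name=Example|"
    ),
}

def parse_rule(value):
    """Split 'v2.30|Key=Val|...|' into (version, {key: val})."""
    parts = [p for p in value.split("|") if p]
    version = parts[0] if parts else ""
    fields = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:  # fragments without '=' are skipped; repeated keys keep the last value
            fields[key] = val
    return version, fields

def blocks_defender(fields):
    """True for an active Block rule whose App path ends in a Defender binary."""
    app = ntpath.basename(fields.get("App", "")).lower()
    is_block = fields.get("Action", "").lower() == "block"
    is_active = fields.get("Active", "").lower() == "true"
    return is_block and is_active and app in DEFENDER_BINARIES

def find_defender_blocks(rules):
    """rules maps value name -> rule string; returns (name, Dir, EmbedCtxt) per hit."""
    parsed = ((name, parse_rule(value)[1]) for name, value in rules.items())
    return [(n, f.get("Dir"), f.get("EmbedCtxt")) for n, f in parsed if blocks_defender(f)]

if __name__ == "__main__":
    for name, direction, context in find_defender_blocks(SAMPLE_RULES):
        print(f"{name}: blocks a Defender binary, Dir={direction}, EmbedCtxt={context}")
```

For the quoted value this reports an active outbound block on mpcmdrun.exe carrying the GlassWire `EmbedCtxt` label, which identifies the rule to look for even when the application list shows nothing blocked.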

@garycurtin

If you go to our top left GlassWire menu and choose “About”, what version does it say you have?

Sorry, should have included that. GlassWire Elite 2.1.167 running on Windows 10 Home 1903 18362.535

Firewall is ON, with Ask to Connect.

I have been through the blocked applications, clicking on each one, but none of them are the exe that is mentioned in the registry value. There has been no pop-up asking to allow the exe either.


Gary- anything from VirusTotal on that executable? I ran a search there, just on mpcmdrun.exe and there were no results.

Have you by chance used the command line to manage Windows Defender? It may not be related, just a hunch.

This is an old problem that keeps returning - there are six existing topics.

It often occurs because GlassWire users block a Windows Defender program. That happens in this topic:

However, in my original post I said that Windows Defender was NOT blocked.

No, bulk standard Windows setup, no changes made to Defender with command line or otherwise. mpcmdrun.exe is apparently part of the malware feature in Windows Defender. But that is not blocked.


Sorry, I wasn’t saying that was your problem so I should have prefixed it with a “FYI”.

I now get this same threat in Windows Defender every week.

Threat detected: Trojan:Win32/BlockMsav.A!reg
Alert level: Severe

It varies; sometimes the affected item is msmpeng.exe, sometimes it is mpcmdrun.exe.

To repeat what I wrote previously: Defender is NOT blocked by GlassWire. There are no Windows components blocked except for Speech Runtime Executable.

@garycurtin

I think this could be a leftover problem with a previous version of GlassWire we had. I’d recommend doing this:

1. Uninstall GlassWire in add/remove programs.
2. Go to the Windows Firewall control panel and choose “restore defaults”.
3. REBOOT - IMPORTANT
4. Install our latest software from www.glasswire.com and choose the “restore defaults” and “reset firewall” options.

Now use GlassWire regularly and the issue should be gone. Even if you tried this previously I recommend giving it another shot and I think it will solve your issue.

If the problem comes back please see if you have any other firewall apps installed. Perhaps they are making that rule that is causing the false positive.

OK, I have done that exactly and look forward to seeing what happens after a few weeks.

It is just so inconvenient every time when doing a reinstall and resetting everything. Not only all the applications that I had allowed/blocked need to be redone, but all my usage statistics are lost. ;-(

If it wasn’t such a useful application, I would probably be looking for something else. ;-)
