Windows Defender Threat

Every so often I get a hit in Windows Defender that detects Trojan:Win32/BlockMsav.A!reg

In the affected item, I followed the reg value HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B05DB137-5B46-488A-A02F-FFD65D77E257} which apparently is v2.30|Action=Block|Active=TRUE|Dir=Out|App=c:\program files\windows defender\mpcmdrun.exe|Name={Glasswire.app.out_58}|Desc=GlassWire|EmbedCtxt=GlassWire|

Maybe someone can interpret this for me as Windows Defender is not blocked in GlassWire.
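The registry value quoted in the post above is a pipe-delimited firewall rule string. The following is an added example, not part of the original post and not GlassWire or Microsoft code, that decodes it and reports whether it is an active block rule on a Windows Defender binary. The directory list and the function names are assumptions made for illustration.

```python
# Added example: decode a Windows Firewall rule string as stored under
# ...\FirewallPolicy\FirewallRules and flag active block rules on Defender binaries.

# Rule value copied from the post above.
RULE = (r"v2.30|Action=Block|Active=TRUE|Dir=Out|"
        r"App=c:\program files\windows defender\mpcmdrun.exe|"
        r"Name={Glasswire.app.out_58}|Desc=GlassWire|EmbedCtxt=GlassWire|")

# Assumption: Defender binaries live under these directories (lower-cased).
DEFENDER_DIRS = (
    r"c:\program files\windows defender" + "\\",
    r"c:\programdata\microsoft\windows defender" + "\\",
)
# Environment variables that may appear in App=, with assumed default values.
ENV = {"%programfiles%": r"c:\program files", "%programdata%": r"c:\programdata"}


def parse_rule(value):
    """Split 'version|Key=Value|...' into (version, {key: [values]})."""
    parts = [p for p in value.split("|") if p]
    version, fields = parts[0], {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:  # keys such as ports or addresses may repeat, so keep a list
            fields.setdefault(key, []).append(val)
    return version, fields


def blocks_defender(value):
    """Return a finding dict for an active block rule on a Defender binary, else None."""
    _, fields = parse_rule(value)
    first = lambda key: fields.get(key, [""])[0]
    app = first("App").lower()
    for var, path in ENV.items():
        app = app.replace(var, path)
    if first("Action").lower() != "block" or first("Active").lower() != "true":
        return None
    if not app.startswith(DEFENDER_DIRS):
        return None
    # EmbedCtxt is the group label attached to the rule; fall back to Desc.
    return {"app": app, "direction": first("Dir"), "rule_name": first("Name"),
            "group": first("EmbedCtxt") or first("Desc")}


if __name__ == "__main__":
    print(blocks_defender(RULE))
```

For the value in the post, the result is an active outbound block rule on mpcmdrun.exe carrying the GlassWire group label, even though the GlassWire interface shows nothing blocked.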

@garycurtin

If you go to our top left GlassWire menu and choose “About”, what version does it say you have?

Sorry, should have included that. GlassWire Elite 2.1.167 running on Windows 10 Home 1903 18362.535

Firewall is ON, with Ask to Connect.

I have been through the blocked applications, clicking on each one, but none of them are the exe that is mentioned in the registry value. There has been no pop-up asking to allow the exe either.

Gary- anything from VirusTotal on that executable? I ran a search there, just on mpcmdrun.exe and there were no results.

Have you by chance used the command line to manage Windows Defender? It may not be related, just a hunch.

This is an old problem that keeps returning - there are six existing topics.

It often occurs because GlassWire users block a Windows Defender program. That happens in this topic:

However, in my original post I said that Windows Defender was NOT blocked.

No, bog standard Windows setup, no changes made to Defender with command line or otherwise. mpcmdrun.exe is apparently part of the malware feature in Windows Defender. But that is not blocked.

Sorry, I wasn’t saying that was your problem, so I should have prefixed it with an “FYI”.