Windows 10: a strange severe threat executing commands from an attack found suddenly in allowed list,...

Discussion in 'Windows 10 Gaming' started by Name Anothername, Nov 29, 2024.

  1. a strange severe threat executing commands from an attack found suddenly in allowed list,...


    Found this threat labeled as severe in my allowed list, which I never allowed. I removed it from the allowed list immediately and didn't find it in my protection history after. After some digging I found the ID of the threat in regedit logs and when it was first enabled, REPEATEDLY, like 30 times between 7/21 and 7/22. Here's how it looks repeatedly during those 2 days in the logs: Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may

    Name Anothername, Nov 29, 2024
    #1
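
Added example, not part of the original post: a PowerShell check for the pattern described above, where "Configuration has changed" events repeatedly set a per-threat default action to Allow. It assumes these events are ID 5007 in the Defender operational log and that the message carries a `New value:` line naming the `Threats\ThreatIDDefaultAction\<ThreatID>` registry value; the sample events and the threat ID `1234567890` are constructed placeholders.

```powershell
# Flag Defender configuration-change events that set a threat's default action to Allow.
# Assumption: action value 6 means Allow, and the event message has the form
#   "New value: HKLM\...\Threats\ThreatIDDefaultAction\<ThreatID> = 0x<action>"
$AllowAction = 6
$Pattern = 'New value:\s*.*\\Threats\\ThreatIDDefaultAction\\(?<id>\d+)\s*=\s*0x(?<val>[0-9A-Fa-f]+)'

function Get-ThreatActionChange {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        if ($e.Message -match $Pattern) {
            $action = [Convert]::ToInt32($Matches.val, 16)
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                ThreatID    = $Matches.id
                Action      = $action
                IsAllow     = ($action -eq $AllowAction)
            }
        }
    }
}

# Constructed sample events (placeholder threat ID, made-up timestamps).
$prefix = "Microsoft Defender Antivirus Configuration has changed.`n`tOld value:`n`tNew value: "
$key    = 'HKLM\SOFTWARE\Microsoft\Windows Defender'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-07-21T10:02:11'; Message = "$prefix$key\Threats\ThreatIDDefaultAction\1234567890 = 0x6" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-07-21T10:07:40'; Message = "$prefix$key\Threats\ThreatIDDefaultAction\1234567890 = 0x6" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-07-22T08:15:03'; Message = "$prefix$key\Threats\ThreatIDDefaultAction\1234567890 = 0x6" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-07-22T09:00:00'; Message = "$prefix$key\Features\TamperProtection = 0x5" }
)

# On a live system, feed the real log instead of $sample:
#   $live = Get-WinEvent -FilterHashtable @{
#       LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
# and compare against the current overrides in
#   (Get-MpPreference).ThreatIDDefaultAction_Ids / .ThreatIDDefaultAction_Actions

# Summarise: one row per threat ID that was set to Allow, with count and time span.
Get-ThreatActionChange -Events $sample |
    Where-Object IsAllow |
    Group-Object ThreatID |
    ForEach-Object {
        $times = $_.Group.TimeCreated | Sort-Object
        [pscustomobject]@{
            ThreatID = $_.Name
            Count    = $_.Count
            First    = $times | Select-Object -First 1
            Last     = $times | Select-Object -Last 1
        }
    }
```

A threat ID that shows many Allow changes in a short window, with no matching user action in Protection history, is the case worth investigating; `Get-MpThreatCatalog -ThreatID <id>` resolves the ID to a detection name.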

  2. Windows defender: recurring message: threat severe, remediation incomplete

    Facts

    For several weeks, Windows Defender Virus and Threat Protection has shown a message about a severe security breach.

    • Message: Remediation incomplete.
    • Detected: Trojan:Script/Phonzy.A!ml
    • Details: This program is dangerous and executes commands from an attacker.
    • Affected Items: file: \Device\HarddiskVolumeShadowCopy18\Windows\SysWOW64\CDN4055\data.dll
    Example of message frequency:

    • 8/4/23 2 times 20.42 8.23
    • 8/3/23 3 times 20.04 13.48 1.33
    • 8/2/23 3 times 22.06 19.07 6.35
    • 8/1/23 1 time 18.16


    Remediation steps taken:

    • Windows Defender: Full scan: Results: NO issues.
    • Windows Defender: Off-line full scan: Results: NO issues.
    • Kaspersky Rescue CD: Results: NO issues.
    Then

    Microsoft Safety Scanner 1.393.2062.0

    Full scan

    Scan Results:

    The scan completed successfully and no viruses, spyware, and other potentially unwanted software were detected.

    If you continue to experience issues, please ask the community, or submit a support case.
     
    Jan Spriet, Nov 29, 2024
    #2
  3. Try3 Win User
    Windows defender false positive - forced to allow threat

    Windows defender has started to identify C:\Windows\System32\mshta.exe as a threat [normally reported as a Trojan Powessere.G]. I use mshta.exe to run an hta custom MsgBox - I have been hoping to keep using my current CustomMsgBox tool [batch file calling a vbs-hta file] until later this year when I hope to have had enough time to replace it with a PowerShell alternative.

    Windows defender's notification lets me "allow the threat" but that seems to me to be a bigger security hole than is necessary - it will now ignore a potentially real intrusion when all I want to run is a genuine Windows component. My immediate problem is fixed but I would prefer to fix the false positive using the exclusions list.

    I cleared the 'Allowed threats history' so I could use the exclusions list instead. I added C:\Windows\System32\mshta.exe to the file exclusions list and I checked that it had taken properly by checking the exclusions list both in the UI & in the Registry. But the exclusion made no difference, it continued to detect and block the exe.

    I have repeated the attempt several times [by clearing the allowed threats list & exclusions list beforehand] and the results are the same every time
    - allowing the threat works,
    - using the exclusions list has no effect.

    I studied the relevant tutorial but have not spotted an error in what I have been doing - Add or Remove Windows Defender Exclusions

    Does anybody with experience of using the exclusions list to counter false positives have any suggestions for me?

    Denis
     
  4. Naki Win User

    GPU-Z what command line parameter ?

    Suggestion: /? (-?) and /help (-help) command-line arguments to show a list of all possible arguments in a small window.
     