Windows 10: Microsoft Defender Ransomware Protection Block Powershell.exe

windows Defender block this App Protecd Folder: %system%\CatRoot

-Chome.exe
-MRT.exe
-powershell.exe
-takeown.exe

********** And ***********
-mscorsvw.exe (windows Defender block this App Protecd Folder:%system%\config\systemprofile)
-attrib.exe (windows Defender block this App Protecd Folder:%system%\inetsrv\config\schema)
-icacls.exe (windows Defender block this App Protecd Folder:%system%\inetsrv)



ProcessorAMD Ryzen 5 4600H with Radeon Graphics 3.00 GHz
Installed RAM16.0 GB (15.4 GB usable)
System type64-bit operating system, x64-based processor


EditionWindows 10 Home Single Language
Version20H2
Installed on‎2/‎5/‎2021
OS build19042.789
ExperienceWindows Feature Experience Pack 120.2212.551.0

:)

 

Allow rundll32.exe in Windows 10 ransomware protection settings?

When trying to import photos from my phone, Windows' ransomware protection (controlled folder access) blocked rundll32.exe from writing to my Pictures photo.

Would it be OK to put rundll32.exe on the list of allowed apps, or is there (can there be) malware/ransomware that uses rundll32.exe to do its thing?

I don't know enough about what rundll32.exe can or can't do in order to sensibly judge the risks I'm taking by allowing it to write to the Users folders...

 

Malware and ransomware protection

You might also want to have a look at:

• https://www.microsoft.com/en-us/wdsi/help
• Top 10 Ways PUPs Sneak Onto Your Computer. And How To Avoid Them.
  
• Ransomware FAQ - Windows Defender Security Intelligence
• Ransomware Avoidance
  
• How to remove ransomware the right way: A step-by-step guide
  

 

Which programs have tried to access protected folders blocked by Windows ransomware defender?

In short: Is it possible to list programs that Windows has denied access to a protected folder?

I recently enabled the Ransomware protection functionality in Windows Defender, adding a series of folders to the Controlled Folder Access list. Some of these folders are under Git version control (via Github Desktop), or synchronised using Syncthing (via SyncTrayzor). I've added the canonical versions of git.exe and syncthing.exe within C:/Program Files to the Allowed App list, but I now receive messages telling me that windows has blocked attempts to access files in protected folders by C:/Users/.../git.exe and C:/Users/.../syncthing.exe.

Annoyingly, the ellipsis hides most of the path to the executable file. A windows search of my user directory eventually turns up a number of copies of git.exe, and it's not immediately clear which of these was trying to edit the files. Ransomware protection's limited user interface means it takes ages to add each file individually, and this seems like a poor security choice: a smart attacker might entitle their malware git.exe to trick me into allowing access.

How can I see the full path of the blocked file (particularly after the notification prompt has disappeared from my screen)?

I can't see anything relevant in the Windows event log.