Windows 10: Sudden Defender CFA "blocked" notification. Nothing blocked.

Discussion in 'AntiVirus, Firewalls and System Security' started by mjohnsonn2, Dec 24, 2020.

  1. Sudden Defender CFA "blocked" notification. Nothing blocked.


    Why would I get a "Protected folder access blocked" notification from Defender when I open an xls under the conditions listed below?

    The app is EXCEL.EXE, the folder is D:\Documents\Stuff.

    1. I've accessed the same xls in that same folder many many times in the past and gotten no "blocked" notification so apparently it has not been necessary to add EXCEL.EXE to the CFA "allowed app" list in the past.

    2. D:\Documents has always been on the CFA protected folders list.

    3. Even though the message said access was blocked, the xls opened fine.

    I have made no changes since this happened. I did not add Excel.exe to the allowed list, but I can now open the xls without any Defender notifications coming up.

    Sure I can ignore the incident, but any ideas about what happened?

    Windows 10 Pro 19042.685
    Office 2019

    :)
     
    mjohnsonn2, Dec 24, 2020
    #1

  2. Windows Defender Blocking

    CFA is a new Windows Defender anti-ransomware feature, and if you feel that you don’t need ransomware protection, then you can just follow the steps in this article to turn off CFA:

    Allow a blocked app in Windows Security

    However, that Microsoft article is purporting to tell us how to:

    “Add an app to the list of safe or allowed apps to prevent them from being blocked.”

    When in fact it's really only telling us how to turn off CFA – which will allow your friendly apps access to protected folders to be sure; but right along with unfriendly apps, malware, ransomware, and data wipers – so it’s important to understand how logically distorted this particular article is.
    Turning off CFA is not allowing an app through CFA; and it’s not allowing an app through the WDSC; it’s just turning off CFA – which means that nothing will be blocked. If nothing is blocked, then nothing can be “allowed”.

    The Microsoft article that actually describes how to allow a blocked app through CFA is right here:

    Virus & threat protection in Windows Security

    When you see one of these Unauthorized Changes Blocked notifications, follow these simple steps to allow the program through Controlled Folder Access:

    1. Click on the notifications icon at the far right in the taskbar.

    2. Write down the file path provided in the notification.

    3. Click on the notification, and then on the Add button (+).

    4. Navigate to the file identified in the notification, and then select and “open” it.

    The file path in the Unauthorized Changes Blocked notification tends to be truncated – although there’s usually enough of it there to locate the app without any trouble if you just assume that it’s in the Program Files or Program Files (x86) directory. If the file path is truncated to the point where you can’t locate the blocked app in the file-picker dialog, then open Event Viewer, navigate to the Windows Defender Operational log, and locate the blocking event (Event ID 1123):

    1. Right-click on the Start button and select Event Viewer.

    2. Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational

    3. Filter for (or just look for): Event ID 1123

    Generally speaking, CFA should be turned off whenever you’re installing any new application, and then turned back on again once the installation is complete.

    Additional information can be found here:

    Windows Defender is blocking too much saying it viruses

    If CFA starts blocking apps when you haven’t enabled it, this might be the effect of a compatibility bug that seems to be activating CFA in the presence of some third-party AV apps. In this case, the first thing to try would be disabling the third-party AV to see if this activates Windows Defender. If so, then toggle CFA on, and then back off again – and then enable the third-party AV in order to turn Defender back off. If that doesn’t work, then you’ll probably have to uninstall, and then reinstall the third-party AV app.

    Additionally, some third-party AV apps that are capable of running in tandem with Defender (in its real-time mode) might cause problems with CFA. For example, we’re not sure if the anti-exploit protection packaged with Malwarebytes Premium is fully compatible with Windows Defender’s CFA.

    If CFA is acting erratically in the absence of a third-party AV app, then follow these troubleshooting steps:

    1. Remove any undetected malware by scanning with several third-party malware-removal apps, starting with Malwarebytes Free:

    https://answers.microsoft.com/en-us...al-tools/d824b9af-ebd8-4c47-94e2-8ee6c544c100

    2. Remove any antimalware remnants by running the cleanup utilities for any preinstalled or previously installed AV apps:

    https://answers.microsoft.com/en-us...al-tools/2bcb53f7-7ab4-4ef9-ab3a-6aebfa322f75

    3. Run the standard Windows 10 system integrity checks:

    https://answers.microsoft.com/en-us...em-files/bc609315-da1f-4775-812c-695b60477a93
     
    GreginMich, Dec 24, 2020
    #2
  3. Defender Blocking An APPLEIEDAV File Repeatedly

    You should be able to verify the file’s signature by right-clicking on it and selecting Properties.

    Controlled Folder Access is a new Windows Defender anti-ransomware feature, and if you don’t want ransomware protection, then you can dismiss these Unauthorized Changes Blocked notifications just by turning off CFA:

    Windows Defender Security Center > Virus & threat protection > Virus & threat protection settings > Controlled folder access

    You can also continue to get notifications about unauthorized access events, but without having the access blocked, by setting CFA to Audit Mode.

    Right-click on the Start button and launch PowerShell (Admin), and then copy, paste, and enter this command:

    Set-MpPreference -EnableControlledFolderAccess AuditMode

    https://docs.microsoft.com/en-us/wi...guard/enable-controlled-folders-exploit-guard

    To allow the program through Controlled Folder Access when you see the Unauthorized Changes Blocked notification, follow these simple steps:

    1. Click on the notifications icon at the far right in the taskbar.

    2. Write down the program’s file path as provided in the notification.

    3. Click on the notification, and then on the Add button (+).

    4. Navigate to the file identified in the notification, and then select and Open it.

    The file path in the Unauthorized Changes Blocked notification tends to be truncated – although there’s usually enough of it there to locate the app without any trouble if you just assume that it’s in the Program Files or Program Files (x86) directory. If the file path is truncated to the point where you can’t locate the blocked app in the file-picker dialog, then open Event Viewer, navigate to the Windows Defender Operational log, and locate the blocking event (Event ID 1123):

    1. Right-click on the Start button and select Event Viewer.

    2. Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational

    3. Filter for (or just look for): Event ID 1123

    Generally speaking, CFA should be turned off whenever you’re installing any new application, and then turned back on again once the installation is complete.

    Additional information can be found here:

    Windows Defender is blocking too much saying it viruses

    Troubleshooting Steps:

    If CFA starts blocking apps when you haven’t enabled it, this might be the effect of a compatibility bug that seems to be activating CFA in the presence of some third-party AV apps. In this case, the first thing to try would be disabling the third-party AV to see if this activates Windows Defender. If so, then toggle CFA on, and then back off again – and then enable the third-party AV in order to turn Defender back off. If that doesn’t work, then you’ll probably have to uninstall, and then reinstall, the third-party AV app.

    Additionally, some third-party AV apps that are capable of running in tandem with Defender (in its real-time mode) might cause problems with CFA. For example, Malwarebytes Premium might need to have its compatibility settings changed – and we’re not sure if the anti-exploit protection packaged with Malwarebytes Premium is fully compatible with Windows Defender’s CFA.

    If CFA is acting erratically in the absence of a third-party AV app, then follow these troubleshooting steps:

    1. Remove any undetected malware by scanning with several third-party malware-removal apps, starting with Malwarebytes Free:

    List of Malware Removal Tools

    2. Remove any antimalware remnants by running the cleanup utilities for any preinstalled or previously installed AV apps:

    List of anti-malware product removal tools

    3. Run the standard Windows 10 system integrity checks:

    System file check (SFC) Scan and Repair System Files & DISM to fix things SFC cannot
     
    GreginMich, Dec 24, 2020
    #3
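
The Event Viewer lookup and the Audit Mode setting described in replies #2 and #3 can also be checked from an elevated PowerShell prompt, which returns the full, untruncated process path. This is an added example, not part of the original thread; it assumes Event ID 1124 is the audit-mode counterpart of 1123, that the event data fields are named `Process Name` and `Path`, and it uses a placeholder path for the allow-list line.

```powershell
# Added example (not from the thread). Run in PowerShell (Admin).
$log = 'Microsoft-Windows-Windows Defender/Operational'

# 1123 = CFA blocked an app (ID given in the thread)
# 1124 = same event when CFA is in Audit Mode (assumption, not stated in the thread)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Flatten the event's <EventData> into name/value pairs
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Process = $data['Process Name']   # assumed field name: full path of the blocked app
        Target  = $data['Path']           # assumed field name: protected location it touched
        Message = $e.Message              # full rendered text if the fields above are empty
    }
}
$report | Sort-Object Time -Descending | Format-List Time, Id, Process, Target

# Current CFA state, so a "blocked" toast can be compared with the real setting
$pref  = Get-MpPreference
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
[pscustomobject]@{
    Mode             = $modes[[int]$pref.EnableControlledFolderAccess]
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
} | Format-List

# Allow one specific app instead of turning CFA off.
# The path is a placeholder; copy the real one from the Process field above.
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\App.exe'
```

An empty event list together with `Mode = Enabled` means no block was logged in the last 50 matching events, which is worth comparing against the time of the notification.
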
  4. NikSilver Win User

    Why does Controlled Folder Access block known Microsoft executables?

    Hello all

    I use Controlled Folder Access (CFA), and every so often I get a notification telling me that a Microsoft program has been blocked from making changes to memory. I am very happy with CFA, and I'm very able to add and remove programs from the "allowed" list. That is not my question.

    My question is: why are known Microsoft executables (which are part of Windows 10) being blocked? Surely CFA should know about Windows 10's own executables.

    My usual response to this is just ignore it; everything carries on fine when I ignore it. In the screenshot below WmiPrvSE.exe is being blocked, and that's part of Windows 10 itself. This has happened a few times a day for the last week or so. I'm ignoring the notifications and I expect them to go away eventually. And I expect to get notifications later about some other Windows 10 executable being blocked.

    Another obvious question is: Can I do anything to "refresh" CFA's knowledge about which executables are legitimate Windows 10 programs? I don't want to add all these programs to the "allowed" list. I just think CFA ought to know which executables are part of Windows 10 and are allowed, and that maybe I ought to be able to "remind" it.

    So in summary:

    • Why are Windows 10's own executables being blocked by CFA?
    • Can I do anything to "remind" CFA about what it should know already?

    Many thanks.


    [Screenshot attachment]
     
    NikSilver, Dec 24, 2020
    #4