Windows 10: Issues with Defender/Ransomware protection

[German]In Windows 10 there is the Defender, which has an option to protect against ransomware. German blog readers Dekre and Markus contacted me the last days by email to point out inconsistencies.


Advertising

Defender ransomware protection blocks Outlook

Blog reader Dekre contacted me by email because he made an unusual observation. He wrote:

I have moved to Win10 for using my office software. I use MS Defender and wanted to activate the so-called ransomware protection. This is not a good idea. Activating this will cause defender to block Outlook.exe from Office 2013 and then there I can’t get e-mails. That has happened right after activation.

I have now switched it off (the ransomware protection) and it works again (Outlook).

Dekre asks: Can this be understood?

Problem: Defender signatures after domain join

And there is a second observation by blog reader Markus K. which I received by email a few days ago. It’s about the Defender signature updates for Windows clients that are members of a domain. Markus writes about it:

I noticed that updating the signatures of the Defender after a domain join does not always work well.

The only thing that catches your eye is the yellow triangle with call sign at the security center icon in the tray. Or if you do the whole thing in a try-catch block and then see that it doesn’t always work :).

If you look, the “tamper protection” is not active.

In the appendix are the things I asked for via PowerShell.
Worth mentioning:

Get-MPComputerStatus
– AntispywareSignatureLastUpdated
– AntivirusSignatureLastUpdated
– NISSignatureLastUpdated
Get-ComputerInfo
– WindowsInstallDateFromRegistry
– OsLocalDateTime
– OsLastBootUpTime

I have removed domains, user names etc. (hope I haven’t forgotten anything).

Funny also that with 1909 “usoclient startscan” doesn’t seem to do anything anymore. Also checked with Sysinternals strings… the switches still exist.

Something is rotten in the area of updates (Defender + WindowsUpdate), because normally the computers get both and the Defender signatures several times a day.

Here are the data that Markus sent along:

Get-MPComputerStatus
AMEngineVersion                 : 1.1.16600.7
AMProductVersion                : 4.18.1911.3
AMServiceEnabled                : True
AMServiceVersion                : 4.18.1911.3
AntispywareEnabled              : True
AntispywareSignatureAge         : 7
AntispywareSignatureLastUpdated : 14.01.2020 16:29:44
AntispywareSignatureVersion     : 1.307.2344.0
AntivirusEnabled                : True
AntivirusSignatureAge           : 7
AntivirusSignatureLastUpdated   : 14.01.2020 16:29:45
AntivirusSignatureVersion       : 1.307.2344.0
BehaviorMonitorEnabled          : True
ComputerID                      : C6D530CA-1F25-40C8-B961-D3BC9E11D735
ComputerState                   : 0
FullScanAge                     : 4294967295
FullScanEndTime                 :
FullScanStartTime               :
IoavProtectionEnabled           : True
IsTamperProtected               : False
IsVirtualMachine                : False
LastFullScanSource              : 0
LastQuickScanSource             : 2
NISEnabled                      : True
NISEngineVersion                : 1.1.16600.7
NISSignatureAge                 : 7
NISSignatureLastUpdated         : 14.01.2020 16:29:45
NISSignatureVersion             : 1.307.2344.0
OnAccessProtectionEnabled       : True
QuickScanAge                    : 0
QuickScanEndTime                : 21.01.2020 15:39:54
QuickScanStartTime              : 21.01.2020 15:26:50
RealTimeProtectionEnabled       : True
RealTimeScanDirection           : 0
PSComputerName                  :


Advertising


Get-Date
Mittwoch, 22. Januar 2020 11:31:18

Get-ComputerInfo

WindowsBuildLabEx                                       : 18362.1.amd64fre.19h1_release.190318-1202
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : Enterprise
WindowsInstallationType                                 : Client
WindowsInstallDateFromRegistry                          : 15.01.2020 10:30:19
WindowsProductId                                        : 00329-10181-55688-####
WindowsProductName                                      : Windows 10 Enterprise
WindowsRegisteredOrganization                           :
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1909
BiosCharacteristics                                     : {7, 11, 12, 15…}
BiosBIOSVersion                                         : {LENOVO – 12C0, M1AKT2CA, American Megatrends – 5000C}
BiosBuildNumber                                         :
BiosCaption                                             : M1AKT2CA
BiosCodeSet                                             :
BiosCurrentLanguage                                     : en|US|iso8859-1
BiosDescription                                         : M1AKT2CA
BiosEmbeddedControllerMajorVersion                      : 1
BiosEmbeddedControllerMinorVersion                      : 9
BiosFirmwareType                                        : Uefi
BiosIdentificationCode                                  :
BiosInstallableLanguages                                : 3
BiosInstallDate                                         :
BiosLanguageEdition                                     :
BiosListOfLanguages                                     : {en|US|iso8859-1, fr|FR|iso8859-1, zh|CN|unicode}
BiosManufacturer                                        : LENOVO
BiosName                                                : M1AKT2CA
BiosOtherTargetOS                                       :
BiosPrimaryBIOS                                         : True
BiosReleaseDate                                         : 22.11.2017 01:00:00
BiosSeralNumber                                         : S4DZ8393
BiosSMBIOSBIOSVersion                                   : M1AKT2CA
BiosSMBIOSMajorVersion                                  : 3
BiosSMBIOSMinorVersion                                  : 0
BiosSMBIOSPresent                                       : True
BiosSoftwareElementState                                : Running
BiosStatus                                              : OK
BiosSystemBiosMajorVersion                              : 1
BiosSystemBiosMinorVersion                              : 32
BiosTargetOperatingSystem                               : 0
BiosVersion                                             : LENOVO – 12C0
CsAdminPasswordStatus                                   : Disabled
CsAutomaticManagedPagefile                              : True
CsAutomaticResetBootOption                              : True
CsAutomaticResetCapability                              : True
CsBootOptionOnLimit                                     :
CsBootOptionOnWatchDog                                  :
CsBootROMSupported                                      : True
CsBootStatus                                            : {0, 0, 0, 0…}
CsBootupState                                           : Normal boot
CsChassisBootupState                                    : Safe
CsChassisSKUNumber                                      : Default string
CsCurrentTimeZone                                       : 60
CsDaylightInEffect                                      : False
CsDescription                                           : AT/AT COMPATIBLE
CsDomainRole                                            : MemberWorkstation
CsEnableDaylightSavingsTime                             : True
CsFrontPanelResetStatus                                 : NotImplemented
CsHypervisorPresent                                     : False
CsInfraredSupported                                     : False
CsInitialLoadInfo                                       :
CsInstallDate                                           :
CsKeyboardPasswordStatus                                : Enabled
CsLastLoadInfo                                          :
CsManufacturer                                          : LENOVO
CsModel                                                 : 10MUS3KM00
CsNetworkAdapters                                       : {Ethernet, VirtualBox Host-Only Network}
CsNetworkServerModeEnabled                              : True
CsNumberOfLogicalProcessors                             : 4
CsNumberOfProcessors                                    : 1
CsProcessors                                            : {Intel(R) Core(TM) i5-7500T CPU @ 2.70GHz}
CsOEMStringArray                                        : {LENOVO ThinkCentre Embedded Controller -[M1ACT09A-1.09]-,
                                                          LENOVO ThinkCentre BIOS Boot Block Revision 1.2C, Lenovo
                                                          Service Engine Not Supported, INVALID…}
CsPartOfDomain                                          : True
CsPauseAfterReset                                       : -1
CsPCSystemType                                          : Desktop
CsPCSystemTypeEx                                        : Desktop
CsPowerManagementCapabilities                           :
CsPowerManagementSupported                              :
CsPowerOnPasswordStatus                                 : Disabled
CsPowerState                                            : Unknown
CsPowerSupplyState                                      : Safe
CsPrimaryOwnerContact                                   :
CsResetCapability                                       : Other
CsResetCount                                            : -1
CsResetLimit                                            : -1
CsRoles                                                 : {LM_Workstation, LM_Server, NT, Potential_Browser…}
CsStatus                                                : OK
CsSupportContactDescription                             :
CsSystemFamily                                          : ThinkCentre M910q
CsSystemSKUNumber                                       : LENOVO_MT_10MU_BU_LENOVO_FM_ThinkCentre M910q
CsSystemType                                            : x64-based PC
CsThermalState                                          : Safe
CsTotalPhysicalMemory                                   : 17062850560
CsPhyicallyInstalledMemory                              : 16777216
CsWakeUpType                                            : PowerSwitch
CsWorkgroup                                             :
OsName                                                  : Microsoft Windows 10 Enterprise
OsType                                                  : WINNT
OsOperatingSystemSKU                                    : EnterpriseEdition
OsVersion                                               : 10.0.18363
OsCSDVersion                                            :
OsBuildNumber                                           : 18363
OsHotFixes                                              : {KB4532938, KB4513661, KB4516115, KB4517245…}
OsBootDevice                                            : \Device\HarddiskVolume2
OsSystemDevice                                          : \Device\HarddiskVolume4
OsSystemDirectory                                       : C:\Windows\system32
OsSystemDrive                                           : C:
OsWindowsDirectory                                      : C:\Windows
OsCountryCode                                           : 49
OsCurrentTimeZone                                       : 60
OsLocaleID                                              : 0407
OsLocale                                                : de-DE
OsLocalDateTime                                         : 22.01.2020 11:34:56
OsLastBootUpTime                                        : 21.01.2020 13:26:38
OsUptime                                                : 22:08:18.3972062
OsBuildType                                             : Multiprocessor Free
OsCodeSet                                               : 1252
OsDataExecutionPreventionAvailable                      : True
OsDataExecutionPrevention32BitApplications              : True
OsDataExecutionPreventionDrivers                        : True
OsDataExecutionPreventionSupportPolicy                  : OptIn
OsDebug                                                 : False
OsDistributed                                           : False
OsEncryptionLevel                                       : 256
OsForegroundApplicationBoost                            : Maximum
OsTotalVisibleMemorySize                                : 16662940
OsFreePhysicalMemory                                    : 12305504
OsTotalVirtualMemorySize                                : 19153308
OsFreeVirtualMemory                                     : 15262712
OsInUseVirtualMemory                                    : 3890596
OsTotalSwapSpaceSize                                    :
OsSizeStoredInPagingFiles                               : 2490368
OsFreeSpaceInPagingFiles                                : 2490368
OsPagingFiles                                           : {C:\pagefile.sys}
OsHardwareAbstractionLayer                              : 10.0.18362.387
OsInstallDate                                           : 15.01.2020 11:30:19
OsManufacturer                                          : Microsoft Corporation
OsMaxNumberOfProcesses                                  : 4294967295
OsMaxProcessMemorySize                                  : 137438953344
OsMuiLanguages                                          : {de-DE}
OsNumberOfLicensedUsers                                 : 0
OsNumberOfProcesses                                     : 152
OsNumberOfUsers                                         : 7
OsOrganization                                          :
OsArchitecture                                          : 64-Bit
OsLanguage                                              : de-DE
OsProductSuites                                         : {TerminalServicesSingleSession}
OsOtherTypeDescription                                  :
OsPAEEnabled                                            :
OsPortableOperatingSystem                               : False
OsPrimary                                               : True
OsProductType                                           : WorkStation
OsSerialNumber                                          : 00329-10181-55688-AA019
OsServicePackMajorVersion                               : 0
OsServicePackMinorVersion                               : 0
OsStatus                                                : OK
OsSuites                                                : {TerminalServices, TerminalServicesSingleSession}
OsServerLevel                                           :
KeyboardLayout                                          : de-DE
TimeZone                                                : (UTC+01:00) Amsterdam, Berlin, Bern, Rom, Stockholm, Wien
LogonServer                                             : \\AD2T
PowerPlatformRole                                       : Desktop
HyperVisorPresent                                       : False
HyperVRequirementDataExecutionPreventionAvailable       : True
HyperVRequirementSecondLevelAddressTranslation          : True
HyperVRequirementVirtualizationFirmwareEnabled          : False
HyperVRequirementVMMonitorModeExtensions                : True
DeviceGuardSmartStatus                                  : Off
DeviceGuardRequiredSecurityProperties                   :
DeviceGuardAvailableSecurityProperties                  :
DeviceGuardSecurityServicesConfigured                   :
DeviceGuardSecurityServicesRunning                      :
DeviceGuardCodeIntegrityPolicyEnforcementStatus         :
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus :


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *