Windows Defender, something is wrong
Problem reported by Sabatino - 9/14/2021 at 2:45 AM
I have been checking the antivirus activity on SM for months now.

Something about Windows Defender does not sit right with me.


Before, it gave me so many problems that support advised me to install a new Windows Server with English localization (it was already planned, so I did it).
But the problems are not over; even after migrating to a new server the problems are not over ... false positives ...

However, here are some problems that I invite you to check on your installations

1) The installer (in my case version 7906) does not create the right exceptions for Windows Defender.
In particular, it is not at all consistent with what this article (recently updated) prescribes:

https://portal.smartertools.com/kb/a3249/windows-defender-and-virus-scanner-exceptions.aspx

and in particular this article (even before its update) calls for excluding the entire folder:
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\SmarterTools\SmarterMail"

while the installer only excludes: Add-MpPreference -ExclusionPath "C:\Program Files (x86)\SmarterTools\SmarterMail\service\settings"

Okay, never mind so far, the exclusions are updated by hand.

The thing that worries me the most right now is the presence in the Windows event log (Microsoft-Windows-Windows Defender/Operational) of events like this:

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Script/Sabsik.TE.A!ml&threatid=2147780197&enterprise=0
 Name: Trojan:Script/Sabsik.TE.A!ml
 ID: 2147780197
 Severity: Severe
 Category: Trojan
 Path: file:_C:\Windows\Temp\cteng61405C9C8010.tmp
 Detection Origin: Local machine
 Detection Type: Concrete
 Detection Source: Real-Time Protection
 User: NT AUTHORITY\SYSTEM
 Process Name: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren\bin\ctasd.exe
 Security intelligence Version: AV: 1.349.682.0, AS: 1.349.682.0, NIS: 1.349.682.0
 Engine Version: AM: 1.1.18500.10, NIS: 1.1.18500.10


According to support, it happens when Cyren detects the virus while moving it to quarantine.

Too bad I have nothing quarantined at that time.
So? Was the message deleted without going into quarantine, or worse, is it gone?


From the SM log I can't connect the two events. The lack of an antivirus log bothers me a lot.

Please check your Windows log (Microsoft-Windows-Windows Defender/Operational) and see if you also have the same situation.

Meanwhile, I opened yet another ticket hoping to finally understand something more.

Support is basically washing its hands of Windows Defender, which is also fine by me, as long as it does not limit the functionality of Cyren and ClamAV.

Thanks




8 Replies

Sébastien Riccio Replied
Personally I had nothing but trouble leaving the Windows Defender service running on our servers (I mean the real-time scan system-wide).

Even with exceptions, it still sometimes quarantined things it shouldn't. This can lead to corruption as it moves files to quarantine.

Our best (and only?) solution was to remove Windows Defender completely from the system.


Sébastien Riccio
System & Network Admin

Kyle Kerst Replied
Employee Post
I just followed up with Sabatino via the ticket, but wanted to post here as well. What I'm finding through my investigations is that Defender almost appears to be ignoring folder exclusions, and so I'm having to add individual exclusions for a significant number of our processes and files. I'm going to do some deeper testing on this and will report back as I find out more. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Kyle Kerst Replied
Employee Post
I was able to do some testing locally on a fresh VM and had similar results in that Windows Defender scanned the subfolders and files/executables contained within folders I had excluded. After doing some digging on this I found some feedback from a Microsoft employee indicating subfolders and files are excluded when excluding a directory, but this does not apply to Real Time Protection. There was some back and forth on this thread but it was ultimately an interesting read:

https://superuser.com/questions/1121942/does-an-excluded-directory-in-windows-10-defender-also-include-the-sub-directori

As such, I'm working on determining which additions need to be included in our KB article on this and you should see this updated in the next week or two. Thanks for your patience on this while I got to the bottom of it. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Sabatino Replied
Well Kyle,
I was starting to question my sanity.
In the last few months I have opened various tickets but they have all fallen on deaf ears. Yet I was convinced that there was something that was not going well.

Maybe I was the only fool who thoroughly studied what Windows Defender was doing, checking all the logs and manually checking the quarantined .eml files one by one for false positives.

Allow me to add some notes:

Only this folder is excluded:
Add-MpPreference -ExclusionPath "C:\SmarterMail\Domains"
and since the .eml extension is not excluded,
the folder c:\SmarterMail\Spool could in my opinion have problems.
The same goes for the c:\smartermail\archive folder and related custom archive folders;
I also see .eml files appearing in the c:\smartermail\temp folder.

This morning I found in the logs both this


Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Script/Conteban.A!ml&threatid=2147735508&enterprise=0
 Name: Trojan:Script/Conteban.A!ml
 ID: 2147735508
 Severity: Severe
 Category: Trojan
 Path: file:_C:\Windows\Temp\cteng6141A17659CE.tmp
 Detection Origin: Local machine
 Detection Type: Concrete
 Detection Source: Real-Time Protection
 User: NT AUTHORITY\SYSTEM
 Process Name: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren\bin\ctasd.exe
 Security intelligence Version: AV: 1.349.741.0, AS: 1.349.741.0, NIS: 1.349.741.0
 Engine Version: AM: 1.1.18500.10, NIS: 1.1.18500.10


and this

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/AgentTesla.JPI!MTB&threatid=2147793742&enterprise=0
 Name: Trojan:MSIL/AgentTesla.JPI!MTB
 ID: 2147793742
 Severity: Severe
 Category: Trojan
 Path: amsi:_C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
 Detection Origin: Unknown
 Detection Type: Concrete
 Detection Source: AMSI
 User: NT AUTHORITY\SYSTEM
 Process Name: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
 Security intelligence Version: AV: 1.349.741.0, AS: 1.349.741.0, NIS: 1.349.741.0
 Engine Version: AM: 1.1.18500.10, NIS: 1.1.18500.10

But in your opinion, wouldn't it be better to exclude the processes?


Process Name: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe

C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren\bin\ctasd.exe

In the log, the process name is given as the complete path ... I don't know if that is needed.

ctasd.exe creates a .tmp file in Windows\Temp;
it is the .tmp that is intercepted.
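A way to check, on your own server, which of the detections discussed in this thread fall on files or processes that the configured exclusions do not actually cover. This is an added example written for this thread, not code from SmarterTools or the KB article; it assumes Defender records detections as event ID 1116 in the Operational log and parses the Name, Path and Process Name fields quoted above out of the event message.

```powershell
# Added example, not from the thread: list Defender detections that involve SmarterMail
# files or processes and check whether the exclusions currently configured would cover them.
# Assumes event ID 1116 ("detected malware or other potentially unwanted software") in the
# Microsoft-Windows-Windows Defender/Operational log; run from an elevated PowerShell.
$pref              = Get-MpPreference
$pathExclusions    = @($pref.ExclusionPath)      | Where-Object { $_ }
$processExclusions = @($pref.ExclusionProcess)   | Where-Object { $_ }
$extExclusions     = @($pref.ExclusionExtension) | Where-Object { $_ }

function Test-Excluded {
    param([string]$FilePath, [string]$ProcessPath)
    # Folder exclusions match by path prefix; process exclusions by full image path or
    # file name; extension exclusions by the detected file's extension.
    $byPath = $pathExclusions | Where-Object { $FilePath -like ($_.TrimEnd('\') + '*') }
    $byProc = if ($ProcessPath) {
        $leaf = Split-Path $ProcessPath -Leaf
        $processExclusions | Where-Object { $_ -eq $ProcessPath -or (Split-Path $_ -Leaf) -eq $leaf }
    }
    $ext   = [System.IO.Path]::GetExtension($FilePath).TrimStart('.')
    $byExt = if ($ext) { $extExclusions | Where-Object { $_.TrimStart('.') -eq $ext } }
    return [bool]($byPath -or $byProc -or $byExt)
}

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116
}

$report = foreach ($e in $events) {
    $m = [string]$e.Message
    # The message body carries the same fields quoted in the thread (Name, Path, Process Name);
    # the "file:_" / "amsi:_" prefix on Path is stripped so the path can be matched.
    $name = [regex]::Match($m, '(?m)^\s*Name:\s*(.+)$').Groups[1].Value.Trim()
    $path = [regex]::Match($m, '(?m)^\s*Path:\s*(?:\w+:_)?(.+)$').Groups[1].Value.Trim()
    $proc = [regex]::Match($m, '(?m)^\s*Process Name:\s*(.+)$').Groups[1].Value.Trim()
    if ($path -notmatch 'SmarterMail' -and $proc -notmatch 'SmarterMail') { continue }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Threat   = $name
        Path     = $path
        Process  = $proc
        Excluded = Test-Excluded -FilePath $path -ProcessPath $proc
    }
}
$report | Sort-Object Time | Format-Table -AutoSize
```

A detection with Excluded = False on a C:\Windows\Temp\*.tmp path raised by ctasd.exe shows the case described above: a folder exclusion on the SmarterMail directory cannot cover it, only a process or path exclusion for the scanner's temp files can.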
Kyle Kerst Replied
Employee Post
Good morning Sabatino. First, please allow me to clarify that none of your tickets have fallen on deaf ears. We take each support ticket very seriously, and look forward to getting you a resolution.

Next, I recommend we further this on the support ticket as having updates in two locations is not very efficient. Finally, these errors look to be different than the exceptions you were seeing previously, and so the original exceptions (relating to exclusions) look to have cleared up. Exceptions and behaviors need to be investigated on their own, and not grouped in under a larger complaint.

As you'll remember I'm still working on narrowing down the required exceptions now that Defender is handling them differently, so I should have feedback for you on this and the previous issues in the near future. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Sabatino Replied
hi Kyle
I have ticketed the details.

I opened a thread here too because so far it seemed that the problem was only mine, so much so that I was advised to do a clean installation of Windows and, previously, to uninstall and reinstall Windows Defender.

I am happy that we have finally managed to identify that in fact there is something wrong with windows defender

So I look forward confidently to you finishing your tests. For the moment I have disabled Windows Defender in SM because it is giving me false positives.
Ron Raley Replied
We are subscribed and want to also hear back from our Jedi SmarterTools Tech, Kyle.
Kyle Kerst Replied
Employee Post
Thanks Ron, I appreciate the compliment. I will definitely follow up here once we have concrete findings.

Thus far though, it looks like Defender might have changed how they handle exclusions as these changes haven't been required up until recently. I have seen some non-English (US) default environments that require additional exclusions due to the language and location differences, but this seems to be affecting all of the Windows environments I've tested on so far. I'll get to the bottom of it and hope to have a full update for you both soon.
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
