6
Windows Defender, something is wrong
Problem reported by Sabatino - 9/14/2021 at 2:45 AM
Submitted
I have been checking the activity of the antivirus on SM for months now.

Windows Defender has something that does not sit right with me.


Previously it gave me so many problems that support advised me to install a new Windows Server with English localization (it was already planned, so I did it).
But the problems are not over; even after migrating to a new server the problems continue ... false positives ...

However, here are some problems that I invite you to check on your installations.

1) The installer (in my case version 7906) does not create the right exceptions for Windows Defender.
In particular, it is not at all consistent with the provisions of this article (recently updated):

https://portal.smartertools.com/kb/a3249/windows-defender-and-virus-scanner-exceptions.aspx

In particular, this article (even before its update) calls for excluding the entire folder:
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\SmarterTools\SmarterMail"

while the installer only excludes:
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Settings"

Okay, never mind so far, the exclusions are updated by hand.

The thing that worries me the most right now is the presence in the Windows event log (Microsoft-Windows-Windows Defender/Operational)
of events like this:

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Script/Sabsik.TE.A!ml&threatid=2147780197&enterprise=0
 Name: Trojan:Script/Sabsik.TE.A!ml
 ID: 2147780197
 Severity: Severe
 Category: Trojan
 Path: file:_C:\Windows\Temp\cteng61405C9C8010.tmp
 Detection Origin: Local machine
 Detection Type: Concrete
 Detection Source: Real-Time Protection
 User: NT AUTHORITY\SYSTEM
 Process Name: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren\bin\ctasd.exe
 Security intelligence Version: AV: 1.349.682.0, AS: 1.349.682.0, NIS: 1.349.682.0
 Engine Version: AM: 1.1.18500.10, NIS: 1.1.18500.10


According to support, it happens when Cyren detects the virus while moving it to quarantine.

Too bad I have nothing quarantined at that time.
So what happened? Was the message deleted without going into quarantine, or, worse, is it gone?


From the SM log I can't connect the two events. The lack of an antivirus log bothers me a lot.

Please check your Windows log (Microsoft-Windows-Windows Defender/Operational) and see if you also have the same situation.

Meanwhile, I opened yet another ticket hoping to finally understand something more.

Support seems to wash its hands of Windows Defender, which is also fine by me, as long as it does not limit the functionality of Cyren and ClamAV.

Thanks




Sabatino Traini
Chief Information Officer
Genial s.r.l.
Martinsicuro - Italy
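The original post asks whether a Defender detection raised in the context of ctasd.exe was ever followed by a quarantine action. The script below is an added example, not code from the thread or from SmarterTools: it reads the Microsoft-Windows-Windows Defender/Operational log, pairs each detection event (ID 1116) with the matching action event (ID 1117) for the same path, and then lists what Defender reports as held in quarantine. The field parsing follows the "Key: value" message layout quoted above; the process filter, time window, and the assumption that 1117 messages carry "Action" and "Action Status" lines are mine.

```powershell
# Added example (not from the thread or SmarterTools). Run in an elevated
# PowerShell session on the mail server. Event IDs 1116 (malware detected) and
# 1117 (action taken) are Defender's documented IDs for this log.
param(
    [string]$ProcessFilter = 'ctasd.exe',   # assumption: the Cyren scanner named in the thread
    [int]$Hours = 24                        # assumption: look-back window
)

$log   = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).AddHours(-$Hours)

# Pull one "Key: value" line out of a Defender event message.
function Get-DefenderField {
    param([string]$Message, [string]$Key)
    $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Key)):\s*(.+?)\s*$")
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1116, 1117; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$detections = @()
$actions    = @()
foreach ($e in $events) {
    $rec = [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Name    = Get-DefenderField $e.Message 'Name'
        Path    = Get-DefenderField $e.Message 'Path'
        Process = Get-DefenderField $e.Message 'Process Name'
        Action  = Get-DefenderField $e.Message 'Action'         # assumption: present on 1117 only
        Status  = Get-DefenderField $e.Message 'Action Status'  # assumption: present on 1117 only
    }
    if ($e.Id -eq 1116) { $detections += $rec } else { $actions += $rec }
}

# For each detection attributed to the filtered process, find the first action
# event for the same Path. "NO ACTION LOGGED" is exactly the situation the
# thread describes: a detection with nothing in quarantine afterwards.
$report = foreach ($d in ($detections | Where-Object { $_.Process -like "*\$ProcessFilter" })) {
    $a = $actions | Where-Object { $_.Path -eq $d.Path } | Sort-Object Time | Select-Object -First 1
    [pscustomobject]@{
        Detected = $d.Time
        Threat   = $d.Name
        Path     = $d.Path
        Action   = if ($a) { "$($a.Action) ($($a.Status))" } else { 'NO ACTION LOGGED' }
    }
}

$report | Sort-Object Detected | Format-Table -AutoSize

# Cross-check against what Defender itself reports for the same window.
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources, ActionSuccess |
    Format-Table -AutoSize
```

Matching on the Path field is what makes the correlation meaningful: the .tmp name in the 1116 event is the only identifier that both Defender and the scanner's own temp file share, so a detection whose path never appears in a 1117 event, and is absent from Get-MpThreatDetection, is the case to raise with support.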

20 Replies

0
Sébastien Riccio Replied
Personally, I had nothing but trouble leaving the Windows Defender service running on our servers (I mean the real-time scan system-wide).

Even with exceptions, it still sometimes quarantined things it shouldn't. This can lead to corruption as it moves files to quarantine.

Our best (and only?) solution was to remove Windows Defender completely from the system.


Sébastien Riccio System & Network Admin https://swisscenter.com
1
Kyle Kerst Replied
Employee Post
I just followed up with Sabatino via the ticket, but wanted to post here as well. What I'm finding through my investigations is that Defender almost appears to be ignoring folder exclusions, and so I'm having to add individual exclusions for a significant number of our processes and files. I'm going to do some deeper testing on this and will report back as I find out more. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
Kyle Kerst Replied
Employee Post
I was able to do some testing locally on a fresh VM and had similar results in that Windows Defender scanned the subfolders and files/executables contained within folders I had excluded. After doing some digging on this I found some feedback from a Microsoft employee indicating subfolders and files are excluded when excluding a directory, but this does not apply to Real Time Protection. There was some back and forth on this thread but it was ultimately an interesting read:

https://superuser.com/questions/1121942/does-an-excluded-directory-in-windows-10-defender-also-include-the-sub-directori

As such, I'm working on determining which additions need to be included in our KB article on this and you should see this updated in the next week or two. Thanks for your patience on this while I got to the bottom of it. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
Sabatino Replied
Well Kyle
I was starting to question my sanity.
In the last few months I have opened various tickets but they have all fallen on deaf ears. Yet I was convinced that there was something that was not going well.

Maybe I was the only fool who thoroughly studied what Windows Defender was doing, checking all the logs and manually checking the quarantined .eml files one by one for false positives.

Allow me to add some notes:

Given the exclusion of the folder only
Add-MpPreference -ExclusionPath "C:\SmarterMail\Domains"
and since the .eml extension is not excluded,
the folder c:\SmarterMail\Spool in my opinion could have problems.
Same thing for the c:\smartermail\archive folder and related custom archive folders;
also in the c:\smartermail\temp folder I see .eml files appearing.

This morning I found in the logs both this


Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Script/Conteban.A!ml&threatid=2147735508&enterprise=0
 Name: Trojan:Script/Conteban.A!ml
 ID: 2147735508
 Severity: Severe
 Category: Trojan
 Path: file: _C:\Windows\Temp\cteng6141A17659CE.tmp
 Detection Origin: Local machine
 Detection Type: Concrete
 Detection Source: Real-Time Protection
 User: NT AUTHORITY\SYSTEM
 Process Name: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren\bin\ctasd.exe
 Security intelligence Version: AV: 1.349.741.0, AS: 1.349.741.0, NIS: 1.349.741.0
 Engine Version: AM: 1.1.18500.10, NIS: 1.1.18500.10


and this

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/AgentTesla.JPI!MTB&threatid=2147793742&enterprise=0
 Name: Trojan:MSIL/AgentTesla.JPI!MTB
 ID: 2147793742
 Severity: Severe
 Category: Trojan
 Path: amsi: _C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
 Detection Origin: Unknown
 Detection Type: Concrete
 Detection Source: AMSI
 User: NT AUTHORITY\SYSTEM
 Process Name: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
 Security intelligence Version: AV: 1.349.741.0, AS: 1.349.741.0, NIS: 1.349.741.0
 Engine Version: AM: 1.1.18500.10, NIS: 1.1.18500.10

But in your opinion, would it not be better to exclude the processes?


Process Name: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe

C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren\bin\ctasd.exe

In the log, the process name is given as the complete path ... I don't know if that is needed.

ctasd.exe creates a .tmp file in Windows\Temp;
it is the .tmp that is intercepted.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
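Sabatino's post lists the folders that hold .eml files and suggests excluding the two scanner processes instead of chasing their temp files. The script below is an added example, not code from the thread or from SmarterTools: it applies folder and process exclusions with Add-MpPreference and then reads them back with Get-MpPreference, because Add-MpPreference succeeds silently and the thread shows that an exclusion which was never recorded is easy to miss. The folder and process paths are the ones quoted in the thread; the optional extension exclusion and the status check at the end are my additions.

```powershell
# Added example (not from the thread or SmarterTools). Run in an elevated
# PowerShell session; adjust the paths to your own install and data locations.
$folders = @(
    'C:\Program Files (x86)\SmarterTools\SmarterMail',   # KB article: whole install folder
    'C:\SmarterMail\Domains',
    'C:\SmarterMail\Spool',
    'C:\SmarterMail\Archive',
    'C:\SmarterMail\Temp'
)
$processes = @(
    'C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe',
    'C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren\bin\ctasd.exe'
)

# A process exclusion covers files *opened by* that process (e.g. the .tmp files
# ctasd.exe writes to C:\Windows\Temp), so the shared Temp folder itself can
# stay under real-time protection.
Add-MpPreference -ExclusionPath $folders
Add-MpPreference -ExclusionProcess $processes

# An extension exclusion applies everywhere on the disk, not just under the
# folders above, so only enable it if those folders do not already cover
# every place .eml files are written.
# Add-MpPreference -ExclusionExtension 'eml'

# Verify: read the effective configuration back and flag anything missing.
$pref    = Get-MpPreference
$missing = @()
foreach ($f in $folders)   { if ($pref.ExclusionPath    -notcontains $f) { $missing += "path: $f" } }
foreach ($p in $processes) { if ($pref.ExclusionProcess -notcontains $p) { $missing += "process: $p" } }

if ($missing) {
    Write-Warning ("Exclusions not recorded:`n" + ($missing -join "`n"))
} else {
    Write-Host "All $($folders.Count) path and $($processes.Count) process exclusions are in place."
}

# Real-time protection and tamper protection both affect whether the
# exclusions above change Defender's behaviour; record their state alongside
# the engine and signature versions seen in the event log.
Get-MpComputerStatus |
    Select-Object RealTimeProtectionEnabled, IsTamperProtected, AMEngineVersion, AntivirusSignatureVersion
```

Keeping the verification step separate from the change is deliberate: if tamper protection or a management policy is in force, Add-MpPreference may return without error while the local list stays unchanged, and the read-back is the only way to see that before the next false positive appears in the log.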
0
Kyle Kerst Replied
Employee Post
Good morning Sabatino. First, please allow me to clarify that none of your tickets have fallen on deaf ears. We take each support ticket very seriously, and look forward to getting you a resolution.

Next, I recommend we further this on the support ticket as having updates in two locations is not very efficient. Finally, these errors look to be different than the exceptions you were seeing previously, and so the original exceptions (relating to exclusions) look to have cleared up. Exceptions and behaviors need to be investigated on their own, and not grouped in under a larger complaint.

As you'll remember I'm still working on narrowing down the required exceptions now that Defender is handling them differently, so I should have feedback for you on this and the previous issues in the near future. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
Sabatino Replied
hi Kyle
I have ticketed the details.

I opened a thread here too because so far it seemed that the problem was only for me, so much so that I was advised to do a clean installation of Windows and, previously, to uninstall and reinstall Windows Defender.

I am happy that we have finally managed to identify that in fact there is something wrong with windows defender

So I look forward confidently to you finishing your tests. For the moment I have disabled Windows Defender in SM because it is giving me false positives.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Kyle Kerst Replied
Employee Post
Thanks Ron, I appreciate the compliment. I will definitely follow up here once we have concrete findings.

Thus far though, it looks like Defender might have changed how they handle exclusions as these changes haven't been required up until recently. I have seen some non-English(US) default environments that require additional exclusions due to the language and location differences, but this seems to be affecting all of the Windows environments I've tested on so far. I'll get to the bottom of it and hope to have a full update for you both soon.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
JerseyConnect Team Replied
Kyle any update on the Defender exclusions?
2
Kyle Kerst Replied
Employee Post
Not at the moment, unfortunately. When I left off testing I was not able to get the exclusions working the way they should be in my test environment. I still have an open development task to look at these behaviors and implement some debug logging, and so I hope this will point us in the right direction. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
5
echoDreamz Replied
I'm going to throw in my compliments too... Kyle is top-notch with support, always good to hear from him :)
2
Kyle Kerst Replied
Employee Post
Thanks guys, it's a pleasure working with each of you as well! :-)
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
Kyle Kerst Replied
Employee Post
Good morning everyone! Just a quick update for you on this today. I'm still currently awaiting the addition of debug logging on this front, but am in the process of spinning up a brand new test server so I can look at these Defender issues in a control environment. My hope is that I will discover the root cause behind those exclusions not being honored and may avoid the need for the debug logging in the first place. Please stand by and I'll update here again as I find out more. Have a great rest of your week guys!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
Kyle Kerst Replied
Employee Post
I think I may have figured out what's going on here! After doing some deeper research on this, I found directory exclusions do include subdirectories and all files recursively. However, so long as Realtime Protection is enabled, all executables and their support files (DLLs and the like) are subject to scanning. So, it doesn't look like there is a good way to prevent Defender from engaging with other services while they're scanning potentially malicious content. Additionally, I wanted to comment that I am going to put in a request to have the exclusions implemented as part of the install, but feel this might be difficult due to the different directory pathing decisions that are made in different environments. Just wanted to give you all an update and invite some discussion. Have a good one!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
echoDreamz Replied
0
Kyle Kerst Replied
Employee Post
Thanks! That is really unfortunate, because I can definitely see the benefit in real-time scanning. When malware infections hit you want to catch them as fast as you possibly can, and realtime scanning is a really good way to do that. That said, if you have realtime scanning turned off, but have Defender, ClamAV, and maybe even Cyren or your favorite third-party AV implemented at the SmarterMail level I think you should be 100% at that point. That will scan the spool and uploaded files, two of the only real ingress points for malicious content in most cases. As long as you're not opening attachments ON the server, or installing cracked software and the like, your main entry points should be covered at that point. Isolating SmarterMail to its own server to avoid cross-infections can be a big help too. Any other ideas on how to minimize the risk as much as possible?
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
echoDreamz Replied
One item we haven't explored... Running SmarterMail as a user other than SYSTEM.
0
Sabatino Replied
I am sorry. But even with the installation of 8664 and reactivating Windows Defender, false positives occur. I opened numerous tickets and numerous threads on the topic, and in the end the developers had confirmed that there was a problem that caused Defender to generate false positives in some circumstances and that it would be appropriate to implement a double scan in the event of a positive result from Defender. At present Windows Defender cannot be used. Manual control of the quarantine is not practicable.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Sabatino Replied
In the past we checked all the exceptions for Windows Defender via tickets. We got to the point that I even configured a new VM and migrated the SM server. But to no avail.
Maybe I'm the only crazy person who went and manually checked quarantined messages via virustotal.com
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Gabriele Maoret - SERSIS Replied
This is strange... My server has Windows Defender active, but it has never caught a message; only ClamAV does.
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Sabatino Replied
Hi Gabriele. I do not know what to tell you.
For me, Windows Defender intervenes. But out of every 10 messages, 1 is a false positive.

I also have Cyren active. I wonder if they interfere with each other?
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
