Litetouch.vbs caught as a virus

  • Question

  • Hello, recently I have been having an issue where Windows Defender is catching Litetouch.vbs as a virus with suspicious activity. My question is why is this happening out of nowhere and how can I avoid it so that I can continue to have successful deployments?

    Dudefoxlive

    Monday, July 15, 2019 4:55 PM

All replies

  • +1 same issue here.
    Tuesday, July 16, 2019 7:31 PM
  • The order number depends on where you put this in your Unattend.xml
    but try this:

                    <RunSynchronousCommand wcm:action="add">
                        <Description>Exclusion for Cisco AMP</Description>
                        <Order>7</Order>
                        <Path>reg add &quot;HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths&quot; /v &quot;C:\MININT&quot; /t REG_DWORD /d 0 /f</Path>
                    </RunSynchronousCommand>

    That will at least create an exclusion for newly deployed computers.


    Daniel Vega

    Tuesday, July 16, 2019 8:26 PM
  • The order number depends on where you put this in your Unattend.xml
    but try this:

                    <RunSynchronousCommand wcm:action="add">
                        <Description>Exclusion for Cisco AMP</Description>
                        <Order>7</Order>
                        <Path>reg add &quot;HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths&quot; /v &quot;C:\MININT&quot; /t REG_DWORD /d 0 /f</Path>
                    </RunSynchronousCommand>

    That will at least create an exclusion for newly deployed computers.


    Daniel Vega

    So to add this I simply use something like Notepad++ and edit the Unattend.xml and add that code below to the section that has similar looking things? Also does this add the MININT folder to Windows Defender exclusion?

    Dudefoxlive

    Tuesday, July 16, 2019 11:24 PM
  • Hello,

    In which step is your Task Sequence failing?

    Recently I encountered the same issue while deploying Windows 10 Version 1903. The deployment got stuck once the Install Operating System step completed. It would not allow the deployment to proceed. After checking the notification panel we got a message from the Windows Defender app that it had detected the LiteTouch.lnk shortcut as a threat.

    As a resolution we tried turning off Windows Defender in the Post Install phase and then turning it back on at the end of deployment.

    Turn Off Windows Defender Antivirus 

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    "DisableAntiSpyware"=dword:00000001
    "DisableRoutinelyTakingAction"=dword:00000001

    Turn On Windows Defender Antivirus

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    "DisableAntiSpyware"=-
    "DisableRoutinelyTakingAction"=-  

    I'm still trying to find the exact cause of the issue.

    Wednesday, July 17, 2019 5:50 AM
  • Now that you mention it, yes, it is only happening in 1903. I never had this issue on 1809 or any prior version of Windows 10. I wonder what's changed that is making it consider it a virus.

    Dudefoxlive

    Wednesday, July 17, 2019 12:12 PM
  • So to add this I simply use something like Notepad++ and edit the Unattend.xml and add that code below to the section that has similar looking things? Also does this add the MININT folder to Windows Defender exclusion?


    Dudefoxlive

    Correct. Yes this will add the MININT folder as an exclusion. By doing this in unattend, no extra registry edits are needed and the exception will be there before the OS boots.

    Daniel Vega


    • Edited by Dan_Vega Wednesday, July 17, 2019 2:07 PM
    Wednesday, July 17, 2019 2:05 PM
  • In my case Windows Defender is detecting LiteTouch.lnk from ProgramData.

    That's why I recently tried injecting the registry settings to turn off Windows Defender by mounting the WIM file and modifying the registry...

    Later I turned Windows Defender back on at the end of the Task Sequence.

    It executed perfectly for me.

    I needed to forcibly inject the registry settings inside the WIM because the deployment wasn't proceeding once the Install OS phase completed. I tried to apply the registry settings through the Task Sequence during PostInstall just before the State Restore phase, but unfortunately was not getting the expected results.

    Wednesday, July 17, 2019 3:02 PM
  • We need to get in touch with Microsoft Support. Hopefully they release some updates to fix this issue, as many of us are in trouble. Meanwhile we have to figure it out.
    Wednesday, July 17, 2019 3:06 PM
  • If you make those registry additions using unattend, they will be set before the OS runs, which will prevent registry changes during PostInstall from failing.

    It's probably a detection issue that will be corrected through a definition update.


    Daniel Vega

    Wednesday, July 17, 2019 3:08 PM
  • This is correct. I added it to my test deployment task and it worked as expected. I will run some more tests and verify that the issue is solved. Defender would only catch it maybe 1 out of 10 deployments, but it's still annoying.

    What JiteshKumar said is true, though. It simply creates a shortcut to the file and puts it in the startup folder, so should we add a second exclusion for that file specifically to temporarily fix this issue until Microsoft releases a proper fix for this?


    Dudefoxlive

    Wednesday, July 17, 2019 4:21 PM
  • It shouldn't kill the shortcut since the actual script is in the excluded folder. You could add it as an exclusion but if I were you I'd rather not exclude the startup folder in case something bad got put in there. But that's up to you. 


    Daniel Vega

    • Marked as answer by Dudefoxlive Wednesday, July 17, 2019 6:10 PM
    • Unmarked as answer by Dudefoxlive Wednesday, July 17, 2019 6:10 PM
    Wednesday, July 17, 2019 5:13 PM
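
The workarounds in this thread leave a Defender path exclusion and, in one variant, two "disable" policy values on the deployed machine. The following is an added example, not part of any post above: a cleanup and verification step, assumed to run elevated as the last task sequence step, that removes both so the relaxations do not outlive the deployment. The registry key, value names and the C:\MININT path are the ones quoted in the thread; the step placement and exit-code convention are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: undo the temporary Defender changes discussed in this thread.

$tempExclusion = 'C:\MININT'   # path excluded through Unattend.xml in the thread
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policyValues  = 'DisableAntiSpyware', 'DisableRoutinelyTakingAction'

# 1. Remove the policy values that switched Defender off, if they were set.
foreach ($name in $policyValues) {
    $present = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($present) {
        Remove-ItemProperty -Path $policyKey -Name $name
        Write-Output "Removed policy value: $name"
    }
}

# 2. Remove the deployment-time path exclusion through the Defender cmdlets
#    rather than by editing the Exclusions key directly.
if (@((Get-MpPreference).ExclusionPath) -contains $tempExclusion) {
    Remove-MpPreference -ExclusionPath $tempExclusion
    Write-Output "Removed path exclusion: $tempExclusion"
}

# 3. Verify: re-read the configuration instead of trusting the calls above.
$problems = @()
foreach ($name in $policyValues) {
    if (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue) {
        $problems += "Policy value still present: $name"
    }
}
$remaining = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ }
if ($remaining -contains $tempExclusion) {
    $problems += "Exclusion still present: $tempExclusion"
}

# Report any other exclusions so they can be reviewed against the image baseline.
$remaining | Where-Object { $_ -ne $tempExclusion } |
    ForEach-Object { Write-Output "Other path exclusion present: $_" }

# Show the protection state Defender reports at the time the script runs.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit so the task sequence step is flagged as failed
}
```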