WD Security Center/V&t protection: how to find the full location/name of the error item?

  • Question

  • Currently on 1803, 17134.165 - current. Though this has been true since I started a half year ago or so (1709, etc.).

    I believe it is a known prob, but I never heard the solution.

    Lenovo T530 Laptop : Lenovo software is trying to update its stuff.

    I get a very shortened message from which it is impossible to discern the dir or file name info.

    Thus I can't add the exception.

    How can I do this?

    -------- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, Dual boot (BIOS/MBR): Win10 Pro x64 1803 / Win7 Pro x64 . 8GB(15GB/s), Sammy 250GB SSD. Fast! -------

    • Edited by KrisM44 Saturday, August 11, 2018 4:24 AM
    Saturday, August 11, 2018 4:12 AM

Answers

  • So you did not activate controlled folder access yourself?
    If this is done by the software called "WDSC/ V&t prot settings/ Ransomware": contact their support.

    Thanks for saying the right words.

    I googled for "controlled folder access for lenovo" and got a pointer to a forum post that said to add these 3, which I did, and it fixed the prob. Thanks all.

    NOTE, THIS STILL DOES NOT GIVE ME THE DSN/FILE.

    • Marked as answer by KrisM44 Monday, August 13, 2018 6:58 PM
    • Edited by KrisM44 Monday, August 13, 2018 7:00 PM
    Monday, August 13, 2018 6:58 PM
  • While the above allowed me to bypass the error, the actual file causing the error is also in CFA, but is an EVENT 1127

    Event Viewer is started by typing "event" in Start and choosing Event Viewer.

    So as suggested above, go to

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-all-windows-defender-exploit-guard-events

    Grab the "Exploit Guard Evaluation Package"

    Grab cfa-events.xml from it, copy it, and modify that copy to add other EVENTS. I used:

    <QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
      <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=1123 or EventID=1124 or EventID=1127 or EventID=1128 or EventID=5007)]]</Select>
      <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=1123 or EventID=1124 or EventID=1127 or EventID=1128 or EventID=5007)]]</Select>
    </Query></QueryList>

    Kind of a shotgun approach, since I didn't know which Event I was looking for!

    The event then shows up as 1127:

    Controlled Folder Access blocked C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe from making changes to memory.
     	Detection time: 2018-08-13T18:25:56.954Z
     	User: NT AUTHORITY\SYSTEM
     	Path: \Device\Harddisk0\DR0
     	Process Name: C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe
     	Signature Version: 1.273.1328.0
     	Engine Version: 1.1.15100.1
     	Product Version: 4.18.1807.18075

    and gives the full directory and file name.

    Why is this so hard to find???

    https://social.technet.microsoft.com/Forums/en-US/5b7fad72-2eb2-49f8-840a-a02538dcee2f/windows-defender-virus-and-threat-protection-find-full-directory-and-file-name-for-attempted?forum=win10itprosecurity

    • Marked as answer by KrisM44 Tuesday, August 14, 2018 6:44 PM
    • Edited by KrisM44 Tuesday, August 14, 2018 6:59 PM doc for this
    Tuesday, August 14, 2018 6:44 PM
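The two answers above amount to one procedure: read the Controlled Folder Access (CFA) events out of the Microsoft-Windows-Windows Defender/Operational log to recover the full path of the blocked process, then allow that one binary instead of turning real-time protection or CFA off. The following PowerShell script is an added example for this page, not code from the thread or from Microsoft; it queries the same event IDs the poster used (1123/1124 for blocked/audited folder writes, 1127/1128 for the blocked/audited sector writes that the message above reports as "changes to memory"; 1121/1122 and 5007 are ASR and settings-change events and are left out), and pulls "Process Name:" and "Path:" out of the rendered message text in the layout shown in the 1127 event above. The helper that adds an allowed application checks the binary's Authenticode signature first, which is the check a practitioner would want before whitelisting something that writes to \Device\Harddisk0\DR0. Run it from an elevated PowerShell prompt; the function names, the 72-hour window and the message-line regex are this example's own assumptions.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# session on Windows 10 with Microsoft Defender and the Defender cmdlets present.

# CFA event IDs in the Defender Operational log:
#   1123 blocked folder write, 1124 audited folder write,
#   1127 blocked sector ("memory") write, 1128 audited sector write.
$CfaEventIds = @(1123, 1124, 1127, 1128)

function Get-CfaBlockedProcess {
    param(
        [int]$Hours = 24,
        [int[]]$Id = $CfaEventIds
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The rendered message carries one "Key: value" per line (assumption based on
        # the 1127 event text quoted in the thread); keep the fields that identify the block.
        $fields = @{}
        foreach ($line in ($_.Message -split "`r?`n")) {
            if ($line -match '^\s*(Detection time|User|Path|Process Name):\s*(.+?)\s*$') {
                $fields[$Matches[1]] = $Matches[2]
            }
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Mode        = if ($_.Id -in 1124, 1128) { 'Audit' } else { 'Block' }
            User        = $fields['User']
            ProcessName = $fields['Process Name']   # full path of the binary CFA stopped
            Target      = $fields['Path']           # protected folder/file, or a raw device such as \Device\Harddisk0\DR0
        }
    }
}

# Review what CFA has blocked or audited over the last three days.
Get-CfaBlockedProcess -Hours 72 | Sort-Object Time -Descending | Format-Table -AutoSize

function Add-CfaAllowedApp {
    # Allow one specific binary, but only if it exists and carries a valid Authenticode signature;
    # an unsigned updater writing raw disk sectors is exactly what CFA is there to stop.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to allow a binary with signature status '$($sig.Status)': $Path"
    }
    Write-Host "Allowing $Path (signer: $($sig.SignerCertificate.Subject))"
    Add-MpPreference -ControlledFolderAccessAllowedApplications $Path
}

# Example call using the path reported in the 1127 event above; substitute whatever
# your own events show before running it.
# Add-CfaAllowedApp -Path 'C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe'

# Confirm the current allow-list.
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```

Switching CFA to audit mode (`Set-MpPreference -EnableControlledFolderAccess AuditMode`) while the vendor updater runs produces 1124/1128 events with the same fields, which is a safer way to collect the paths than disabling real-time protection as the thread did.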

All replies

  • This page describes how to find the event log entries from controlled folder access ( Review Controlled folder access events in Windows Event Viewer): Protect important folders with Controlled folder access
    Saturday, August 11, 2018 5:06 AM
  • Thanks for your time and jogging the old brain.

    If I go to WD Sec Ctr / Virus and threat protection settings and shut real-time protection off, I can then tell Lenovo update to do its thing (of course the subsequent reboot turns real-time protection back on, which is correct).

    If I grab the Controlled folder access XML and put that in Event Viewer, I see 7 hits, but the Lenovo hits don't show up there.

    So I still don't have a way to find out the dir/file name that it is objecting to. I have always used AgentRansack to find those things in the past but it can't find this one.

    I can do WDSC/ V&t prot settings/ Ransomware and turn CFA "off", but that seems way too harsh.

    • Edited by KrisM44 Saturday, August 11, 2018 9:02 PM
    Saturday, August 11, 2018 6:02 PM
  • Anyone? I need a log with the full directory and file name for things that get kicked out and generate a notification.

    Monday, August 13, 2018 5:58 PM
  • So you did not activate controlled folder access yourself?
    If this is done by the software called "WDSC/ V&t prot settings/ Ransomware": contact their support.
    Monday, August 13, 2018 6:18 PM