Adding Windows Defender UWF Registry Exclusion WdFilter disables real-time protection

  • Question

  • I am building an LTSC 2019 IoTE image.  We use UWF and want to add Windows Defender.

    The UWF protected volume is C:.  E: is a USB flash drive.  I followed the instructions found in https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-antimalware-support, but after applying the exclusions Windows Defender no longer detects the EICAR virus on file open.  When removed, it works correctly again.

    Why does adding the WdFilter registry exclusion break Windows Defender?
    What are the consequences of running without the WdFilter exclusion?


    E:\>uwfmgr file get-exclusions
    Unified Write Filter Configuration Utility version 10.0.17763
    Copyright (C) Microsoft Corporation. All rights reserved.

    Current Session Settings
    Current Session Exclusions for Volume c0165703-e433-42f8-aec0-5075ae1b0831 [C:]
        C:\Program Files\Windows Defender
        C:\ProgramData\Microsoft\Windows Defender
        C:\Windows\WindowsUpdate.log
        C:\Windows\Temp\MpCmdRun.log

    E:\>uwfmgr registry get-exclusions
    Unified Write Filter Configuration Utility version 10.0.17763
    Copyright (C) Microsoft Corporation. All rights reserved.

    Current Session Registry Exclusions
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend

    E:\>copy eicar.com eicar1.com
    Operation did not complete successfully because the file contains a virus or potentially unwanted software.
            0 file(s) copied.

    E:\>uwfmgr registry add-exclusion HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter
    Unified Write Filter Configuration Utility version 10.0.17763
    Copyright (C) Microsoft Corporation. All rights reserved.

    The registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" will be excluded after system restart.

    # After system restart

    E:\>copy eicar.com eicar1.com
            1 file(s) copied.
    Monday, July 1, 2019 3:46 PM
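A PowerShell check that puts the two halves of the post's observation side by side: which UWF registry exclusions are active for the current and next session, and whether Defender's real-time protection and the WdFilter minifilter are actually up. This is an added example, not code from the original post or from Microsoft; the EICAR sample path is an assumption and the `Test-OnAccessDetection` function simply repeats the post's copy test.

```powershell
# Added example, not from the original post: report UWF exclusion state alongside
# Windows Defender's real-time protection state after an exclusion change.
# Assumes UWF is installed and an EICAR test file exists at $EicarPath (assumed path).
param([string]$EicarPath = 'E:\eicar.com')

function Get-UwfRegistryExclusionReport {
    # UWF exposes one UWF_RegistryFilter instance for the current session and one for the
    # next session; an exclusion added with uwfmgr only shows as Current after a restart.
    $ns = 'root\standardcimv2\embedded'
    foreach ($rf in Get-CimInstance -Namespace $ns -ClassName UWF_RegistryFilter) {
        $keys = @((Invoke-CimMethod -InputObject $rf -MethodName GetExclusions).ExcludedKeys |
                  ForEach-Object { $_.RegistryKey })
        [pscustomobject]@{
            Session          = if ($rf.CurrentSession) { 'Current' } else { 'Next' }
            WdFilterExcluded = [bool]($keys -match 'Services\\WdFilter$')
            Exclusions       = $keys
        }
    }
}

function Get-DefenderStateReport {
    $mp  = Get-MpComputerStatus
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdFilter'"
    # Event 5001 in the Defender operational log records real-time protection being turned off.
    $off = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001
        StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        AMServiceEnabled   = $mp.AMServiceEnabled
        WdFilterState      = $drv.State      # 'Running' when the minifilter is loaded
        RtpDisabledEvents  = @($off).Count
    }
}

function Test-OnAccessDetection {
    # Mirrors the post's check: copying EICAR must fail with "file contains a virus".
    param([string]$Sample)
    if (-not (Test-Path $Sample)) { throw "Test sample not found: $Sample" }
    $copy = Join-Path (Split-Path $Sample) 'eicar_copy.com'
    try {
        Copy-Item -Path $Sample -Destination $copy -ErrorAction Stop
        Remove-Item $copy -ErrorAction SilentlyContinue
        return $false   # copy succeeded: real-time protection did not intervene
    } catch {
        return $true    # copy blocked: on-access scanning is working
    }
}
Get-UwfRegistryExclusionReport | Format-List
Get-DefenderStateReport        | Format-List
"EICAR blocked on copy: $(Test-OnAccessDetection -Sample $EicarPath)"
```

Run it from an elevated prompt before and after the restart that applies the exclusion; the UWF WMI classes require administrator rights, and comparing `WdFilterState` and `RealTimeProtection` across the two runs shows whether the break is in the minifilter or in the service.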

All replies