Windows Defender blocking custom installer for organizations software

Anonymous
2018-01-10T15:51:40+00:00

Windows Defender has started blocking a custom installer we used to move files from a network share to the local computer. It's a sort of "on-demand" installer for a portable testing browser.

For some reason, Windows Defender is now blocking the program (developed in Visual Studio 2015/VB) saying it is potentially harmful and contains a virus. I know this is not the case. What is also very strange about the situation is that there are actually two custom installers, which both have almost identical code. The only exception is that they move files from different folders on the same server. Only one of the two installers is blocked by Windows Defender.

I've attempted to "exclude" the server IP and path using Group Policy, however this appears to have made zero difference. Any ideas as to what is going on here? We need a solution to allow us to develop and run organization software without everything coming to a standstill because of Windows Defender.


Answer accepted by question author

quietman7 MVP Alumni 19,740 Reputation points Volunteer Moderator
2018-01-10T16:22:59+00:00

If you suspect a file was falsely detected (a false positive) or appears suspicious, then you should submit a sample to the Windows Defender Security Intelligence (WDSI) Center research team so they can investigate and take corrective action if confirmed.

Quote

"Microsoft security researchers analyze suspicious files to determine if they are threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware."

Once a file is received, a researcher can examine it in more detail and provide a report letting you know the results. You should also contact and advise the program vendor that one of their files is being detected as a threat. In many cases they will work with the anti-virus techs in an attempt to resolve the detection.

3 people found this answer helpful.

4 additional answers

  1. Anonymous
    2018-01-10T17:18:15+00:00

    I went ahead and submitted the file... which the "Rescan submission" report that pops up after submissions shows: cloud - no malware detected, and client - no malware detected, with Final Determination - Pending

    I am the developer of the executable, so there is not a 3rd party provider or program vendor to contact. I don't know if that is good or bad at this point - but I hope this doesn't take away in-house development of tools because of Windows Defender "false positives" over issues with reliability.

    I don't envy those who have to determine or make decisions on what is good or bad in this digital world. At the same time, it's hard to justify developing or using tools which may "break" at critical moments because of a false positive and with no quick or easy way to resolve. :(

    2 people found this answer helpful.
  2. quietman7 MVP Alumni 19,740 Reputation points Volunteer Moderator
    2018-01-11T00:48:30+00:00

    You're welcome.

  3. Anonymous
    2018-01-10T21:32:51+00:00

    Well... took maybe an hour or two - can't really remember, but the issue appears to have been resolved. 

    Response back gave a final determination of "not malware" and sure enough, I was able to confirm that it had been cleared on the user devices. After getting the response back from MSFT, I gave it another try to see what would happen, Windows Defender popped up (same as before). I then updated the Windows Defender definitions and repeated previous actions without any pop-up from Windows Defender.

    So - Thank you so much for your help and passing along that link to submit the file.

    Yes - I was able to confirm that disabling Windows Defender via Group Policy did provide a workaround, though not one that would work for our use case. I plan on playing a bit more with the Windows Defender policies to see if there is a way to quickly mitigate this issue in the future without entirely shutting Windows Defender off... though now I don't have a test app that's being blocked! ;)

    Thanks again!

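The question's failed Group Policy exclusion and this reply's wish for a mitigation narrower than switching Defender off both come down to the same triage steps on the affected client. The script below is an added example, not code from the thread or from Microsoft; the installer path and share root are placeholder assumptions, and it assumes the flagged item is the installer executable itself, as the question describes.

```powershell
# Added example (not from the thread): triage a Windows Defender detection on an
# in-house tool without turning Defender off. Run in an elevated PowerShell.
# Assumed placeholders (not values from the thread):
#   $InstallerPath - local copy of the flagged installer executable
#   $ShareRoot     - the UNC share the installer copies files from
param(
    [string]$InstallerPath = 'C:\Tools\PortableBrowserInstaller.exe',
    [string]$ShareRoot     = '\\fileserver\tools\portable-browser'
)

# 1. Record the engine/signature state so before and after can be compared.
$status = Get-MpComputerStatus
"Signatures {0} (updated {1}); real-time protection: {2}" -f `
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $status.RealTimeProtectionEnabled

# 2. Find what was actually flagged. Resources holds the file that triggered the
#    detection; ThreatName is what you quote when submitting the sample to WDSI.
$leaf = Split-Path $InstallerPath -Leaf
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -like "*$leaf*" } |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive | Format-Table -AutoSize

# 3. Pull the latest definitions; in the thread the fix only took effect after this.
Update-MpSignature
"Signatures now {0}" -f (Get-MpComputerStatus).AntivirusSignatureVersion

# 4. Re-scan only the installer to confirm the updated definitions clear it.
Start-MpScan -ScanType CustomScan -ScanPath $InstallerPath

# 5. If it is still flagged while the WDSI submission is pending, exclude the
#    narrowest scope: the installer file itself, at the path it runs from. An
#    exclusion on $ShareRoot only covers the files it copies, which is why a
#    server path exclusion alone leaves the executable's detection in place.
Add-MpPreference -ExclusionPath $InstallerPath
(Get-MpPreference).ExclusionPath   # verify the exclusion landed

# 6. Remove the exclusion once the false positive is fixed upstream:
# Remove-MpPreference -ExclusionPath $InstallerPath
```

Keep the step 2 output (ThreatName and the detection time) with the WDSI submission; it is the quickest way for the researcher to match the sample to the signature that produced the detection.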
  4. quietman7 MVP Alumni 19,740 Reputation points Volunteer Moderator
    2018-01-10T20:48:30+00:00

    Unfortunately, all security tools are subject to false detections from time to time and there is not much we can do about it. Since you are the developer and you know the program is legit, you could try temporarily disabling Windows Defender while using it.
