Leave them alone and don't worry about them unless something else specifically indicates there's a problem relating with that service or device.
In fact, I don't even try to guess whether to allow an item that CFA displays, since if I don't know the only possibility is that I'll make things worse, so I leave that up to CFA itself to decide.
The reason isn't that CFA is new (it's not, it's about 2 or so years old) or even that it does anything wrong, it's that it's not truly "protection" like Defender's AV. It's simply a blocker of suspicious filing system or service activity that may
relate to a potential malware attack, but just as likely may not.
For example, for the very first time in well over a year, I just received my first warnings from CFA this Wednesday evening and very early on Thursday morning. However, they were both for Windows services including the taskhostw.exe one of yours indicated,
as well as both involving protected memory related to the CdRom0 and HarddiskVolume3 devices. The other clue was that at least the early morning one occurred when I was certainly not using the system, which is during the time that this PC happens to be awake
performing automated system maintenance tasks.
The major clue though, is that both of these transient warnings occurred within a day of the Wednesday installation of the most recent Cumulative Windows 10 update that just released on this month's Black Tuesday, May 12th. This is a time of typical operating
system changes which can easily false trigger these warnings, since many seemingly random and strange events can occur that the consumer is usually unaware of.
The problem with CFA isn't that it's "new" or even undependable, it's that it's function isn't consumer friendly, since it's purposefully designed to block these suspicious actions that in some cases have been known to also be used by ransomware in order
to infect or encrypt (modify) files within these particular folders or devices. That's the reason CFA exists and since it's operation is highly technical, the warnings it provides often appear to be as well.
However, like many things that attempt to provide protection today, CFA is simply a workaround and has nothing directly to do with malware at all. It's actually designed to detect these particular types of filing system activity in order to warn the PC
user of what is today considered abnormal activity, just in case that user was recently doing anything like browsing a questionable website or opening a suspect email attachment that may have actually caused the suspicious event.
So don't try to understand the specific event details completely, even I'd have to do extensive research in many cases in order to make that determination. Instead, if they occur while you're working, stop, think and only then make the decision whether
to allow the item being displayed to perform the operation or not. In other words, think about whether what you just did is trustworthy and might have a valid reason for accessing the folder or device the warning message is indicating and only if that answer
is yes should you allow it.
There's absolutely no rush to make this decision, since it's automatically blocked by CFA, the only decision is whether to allow it in the future. That's why in cases like those affecting Windows update it's not critical to even be there, since if the action
needs to occur, Microsoft will realize the issue when literally hundreds or thousands of individual PCs return telemetry (auto-uploaded log) entries indicating this same specific issue has occurred for a specific device type or folder. Eventually they'll
send out an updated version of that Windows patch to fix the transient failure, assuming it truly caused the update to fail and wasn't simply a non-critical event due to some unnecessary query or action the update performed.
The final point I'll make is that though it's included in Windows Defender, CFA really has nothing to do with Defender itself, they've just collected everything that even hints of PC or user protection under the single visual interface of Windows Security
(at one time titled Windows Defender Security Center). That's due to the fact that most consumers perceive their protection as a single "product" or app, while in truth all major security suites today are the combination of often dozens of discrete, independent
modules performing their functions separately or in overlapping unison.
I know the above seems complex and beneath the coding it's massively so, but in truth the interface for most of Windows Security functions are some of the simplest and easiest to use out there, which is actually where Microsoft's developers have spent the
most time since the original Microsoft Security Essentials (WinXP to Win7) and more recently Defender starting with Windows 8.
The reason you're confused is that you're new to using Defender and you're digging into the bowels of its various modules where few consumers ever tread. That's not generally a bad thing, but like anything new, it's likely to bring up lots of questions.
Typically most consumers won't even bother looking and truly don't need to, since the only reason is to deal with exceptions actually causing problems.
In your case I've really heard nothing yet that's a significant problem, just visual anomalies that are causing confusion since you're trying to understand them fully, which in many cases there's no need.
For example, in my case there's no indication that any action is necessary when I go into the Windows Security interface from the quick access icon in the notification menu, since that's green. However, if I choose to drill down into the Ransomware protection,
Controlled Folder Access menu under Virus & malware protection either there or via a CFA notification, I'll find a similar list of (currently 2) history items. The point here is that though the last CFA blocked notification was displayed in Windows 10 notifications
pane, nothing was indicating my attention is critical.
Rob
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 69%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)