Work computer did an automated Windows update last night. Now Macro Scheduler executables fail with a message that states "You do not have permission to access 'FilePath\FileName.exe'. Contact your network administrator to request access."
This message is incorrect. To begin with, the network is not necessarily involved. Files on my hard drive fail.
Also can no longer compile from Macro Scheduler. The compile process looks good at first. You can make choices about what and how you want to compile. When you pick "OK" the first time, Windows Defender pops up a message stating:
Action Blocked:
Your administrator caused Windows security to block this action.
Subsequent requests to compile simply fail with no message.
Even this message is incorrect. As a part of the administration team, I've checked to see if anyone made any changes recently and they have not. The only change was last night's Windows update.
Any thoughts? Can't turn off Defender. Not finding a way to set exclusions. Running the executables as administrator fails. Logging into the computer as administrator has no effect either.
Windows Defender Hates My Executables
- Grovkillen
- Automation Wizard
- Posts: 1132
- Joined: Fri Aug 10, 2012 2:38 pm
- Location: Bräcke, Sweden
- Contact:
Re: Windows Defender Hates My Executables
We had to make an exception in Intune for each and every compiled exe.
- Grovkillen
Re: Windows Defender Hates My Executables
We recently had a huge problem with our approach. The excluded files were captured and removed by Windows Defender. However, we did find a way to manually sign the exe files and add this signature file to Intune. It's free of charge but is only recommended for development purposes. I feel it's not very much hassle to have to add the signature file to the company service, but others might not want this approach. I can give step-by-step instructions on how we do it if anyone needs them.
Re: Windows Defender Hates My Executables
Thank you for your concern. I'm sure it could change in the blink of an eye but not currently having serious issues. There are some new rules I've discovered. For example, I used to have two scripts for each program. The work script and the "setup" script. I had everyone run the "setup" script. The setup script would copy the work script to the local computer and run it from there. This greatly assisted with script updates. In any case this process is prohibited by Defender. It sees an executable copying another executable and loses its digital mind. Also running a Macro Scheduler executable sometimes (not always) fails if the executable is located on a network drive rather than a local drive.
Also got the corporate security guru to set a folder at C: root that is now universally excluded. Any file I put in that folder will run. This helps immensely.
Also got them to allow my (and a few others') admin accounts to set Defender exclusions on a PC. That came in handy this morning. Setting up a new PC, and Defender would not allow the install of a 10-year-old legacy program. Opened Defender and selected "allow" and solved the problem in a minute. Would have taken weeks to get this resolved a year ago.
I appreciate your comments just from the standpoint of hearing that I'm not the only IT person having issues.
- Grovkillen
Re: Windows Defender Hates My Executables
For my own and others' knowledge, here's how I create certificates using PowerShell:
This .cert file is the file you upload to your organisation's 365 portal or add to the Windows Defender application in some other way(?). This is not an official signature, as in you can send your signed files to anyone and it will not be captured by Windows Defender. BUT it's a great way to have your own script files not being captured by WD.
Code:
Let>NAME_OF_CERTIFICATE=test
Let>EXPIRE_OF_CERTIFICATE_IN_YEARS=99
Let>EXPORT_CERTIFICATE_TO=%SCRIPT_DIR%\%NAME_OF_CERTIFICATE%.cert
Let>RP_CAPTURESTDOUT=1
Let>POWERSHELL_COMMAND=New-SelfSignedCertificate -DnsName %NAME_OF_CERTIFICATE% -NotAfter (Get-Date).AddYears(%EXPIRE_OF_CERTIFICATE_IN_YEARS%) -Type CodeSigning -CertStoreLocation cert:\CurrentUser\My | ConvertTo-Json
RunProgram>cmd /c chcp 65001 > nul & cmd /c PowerShell -Command " & {%POWERSHELL_COMMAND%}"
Trim>RP_STDOUT,TEMP_string
JSONParse>TEMP_string,$.Thumbprint,TEMP_array
Let>CERTIFICATE_thumbprint=TEMP_array_1
JSONParse>TEMP_string,$.SubjectName.Name,TEMP_array
Let>CERTIFICATE_subject_name=TEMP_array_1
Let>POWERSHELL_COMMAND=Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My | Where-Object -Property Subject -eq '%CERTIFICATE_subject_name%') -FilePath '%EXPORT_CERTIFICATE_TO%' | ConvertTo-Json
RunProgram>cmd /c chcp 65001 > nul & cmd /c PowerShell -Command " & {%POWERSHELL_COMMAND%}"
Trim>RP_STDOUT,TEMP_string
JSONParse>TEMP_string,$.Exists,TEMP_array
Let>CERTIFICATE_cert_file_exported=TEMP_array_1
**BREAKPOINT**
/*
certmgr.msc in Win+R (Run) to view created certificates (under personal), here you can delete them too....
to install the certificate you can either click on them and choose install or run these PowerShell commands:
Import-Certificate -FilePath "%EXPORT_CERTIFICATE_TO%" -Cert Cert:\CurrentUser\TrustedPublisher
Import-Certificate -FilePath "%EXPORT_CERTIFICATE_TO%" -Cert Cert:\CurrentUser\Root
to sign your script files you just use this PowerShell command:
Set-AuthenticodeSignature "%PATH_TO_FILE_TO_SIGN%" -Certificate (Get-ChildItem Cert:\CurrentUser\My | Where-Object -Property Subject -eq "%CERTIFICATE_subject_name%")
*/
From now on I just sign every exe file I create using the "Set-AuthenticodeSignature" command.
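The signing step described in the post above, extended with a verification pass, as an added example that is not part of the original post. The function name `Invoke-SignAndVerify` and the sample path are hypothetical; the thumbprint is the value the script above stores in `CERTIFICATE_thumbprint`.

```powershell
# Added example: sign one file with a code-signing certificate picked by
# thumbprint, then confirm the result before the file is distributed.
# Invoke-SignAndVerify is a hypothetical helper name, not a built-in cmdlet.
function Invoke-SignAndVerify {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint
    )

    # Select by thumbprint: a Subject filter can return several certificates,
    # for example after the creation script was run twice with the same name.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint" }
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key on this machine" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert | Out-Null

    # Re-read the signature from disk instead of trusting the signing call.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status         # 'Valid' only if this machine trusts the chain
        StatusMessage = $sig.StatusMessage
        SignerMatches = ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
    }
}

# Constructed usage: placeholder thumbprint and path, replace with your own.
# $r = Invoke-SignAndVerify -Path 'C:\Build\MyMacro.exe' -Thumbprint '<THUMBPRINT>'
# if ($r.Status -ne 'Valid' -or -not $r.SignerMatches) {
#     throw "Signature check failed: $($r.StatusMessage)"
# }
```

On a machine where the exported certificate has not been imported, `Status` comes back as something other than `Valid` even though the file is signed, which makes the same function usable as a check that the certificate was deployed to a given PC.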