• Defender ‘Block At First Sight’ setting now detected as tampering


    #2525834

    (I rarely, if ever, write about Defender updates so – if I’ve posted in the wrong area then please move.)

    Fighting against Defender querying my own activities – like scripting, exploring registry settings, etc. quickly gets tiring. As a result, quite some time ago now, I started switching Defender’s Block At First Sight feature off by using Brink’s Disable_BlockAtFirstSight.reg file.

    This morning I clean-installed my test laptop with Windows 10 Pro 22H2, ran Windows 10 Decrapifier then rolled my usual tweaks in, mostly via .REG files. Finally I connected to the internet and let Windows Update do its thing until it told me several times that it was up-to-date.

    I had a few hours sleep then carried on tweaking. I also ran Windows Update again. As I was tweaking stuff, Defender popped up a Threats found notification, much to my surprise. I checked Defender’s Protection history:

    [Screenshot: Defender Protection history entry “Blocked_At_First_Sight”]

    To see whether there was any other information I opened an elevated PowerShell console and ran (Get-MpThreat | Measure-Object).Count which confirmed 1 threat. I also ran Get-MpThreat and was surprised to find even less information than the screenshot above.

    I also checked Windows Update’s Update history and found that two versions of a definitions update, both labelled KB2267602 – one with version 1.381.2529.0; the other with version 1.381.2535.0 – had been installed.

    I don’t know which definitions update is to blame but the Block At First Sight setting is now deemed a *Severe* threat.

    To check, I merged the Disable_BlockAtFirstSight.reg file again then used PowerShell to force an update to Defender’s definitions. Within seconds another Threats found notification appeared… and the registry entry was deleted again. I waited a bit then did exactly the same again. The registry entry was deleted for the third time.

    PS – Perhaps of little interest to most but (Get-MpThreat | Measure-Object).Count still shows a count of 1. So, if Defender gets visited by more than one plague of locusts, Defender still counts it as only one plague?
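    An added example (not from the original post) for anyone who wants to see, from one elevated console, what Defender currently reports for the settings discussed above: the effective Block At First Sight preference, the cloud/sample-submission settings, whether Tamper Protection is on, the installed signature version, and the individual detections rather than the collapsed Get-MpThreat count. The cmdlets are the built-in Defender module; the policy registry path is an assumption about where the .reg file writes its DisableBlockAtFirstSeen value, so adjust it if yours differs.

```powershell
# Added example: read-only audit of Defender's Block At First Sight state and recent detections.
# Run from an elevated PowerShell console. Nothing here changes any setting.
# ASSUMPTION: this is the policy key the Disable_BlockAtFirstSight.reg file targets.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'

function Get-BafsState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $regVal = $null
    if (Test-Path $PolicyKey) {
        $regVal = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).DisableBlockAtFirstSeen
    }
    [pscustomobject]@{
        SignatureVersion        = $status.AntivirusSignatureVersion   # compare with the KB2267602 versions in Update history
        TamperProtected         = $status.IsTamperProtected
        DisableBlockAtFirstSeen = $pref.DisableBlockAtFirstSeen       # effective value as Defender sees it
        MAPSReporting           = $pref.MAPSReporting                 # 0 = cloud-delivered protection off
        SubmitSamplesConsent    = $pref.SubmitSamplesConsent          # 2 = never send samples
        PolicyRegistryValue     = $regVal                             # $null once the entry has been removed
    }
}

# One row per detection event, so repeated removals of the same entry show up separately
function Get-RecentDetections {
    param([int]$Hours = 24)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddHours(-$Hours) } |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
}

Get-BafsState
Get-RecentDetections | Format-Table -AutoSize
```

    Running Get-BafsState before and after a definitions update, and again after the next scheduled task fires, gives a timestamped record of exactly which value changed, which is easier to reason about than a single Threats found notification.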

    • #2525876

      Does it also object if you just disable it in settings instead of using a registry file?

      How to manage block at first sight on or off on your own device

      I don’t think it’s unreasonable for tamper protection to regard a file which reduces Defender’s effectiveness as a potential threat.

    • #2525877

      Rick,

      From reading the link provided by “b” it seems the easy answer is to disable Cloud Based Protection. I’ve personally never used this feature and have had no problems. It bugs me that MS keeps bugging me to turn it back on!

      Full Disclosure: I also use Malwarebytes Premium alongside Defender despite all the “Experts” saying you shouldn’t do this.

      I have Defender as Primary and Malwarebytes as Secondary ( you do this by telling Malwarebytes not to Register itself in its settings).

      HTH

      FYI: Ex – A has been.
      Spurt (sic) – A drip under pressure.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      • #2525884

        Luckily I don’t use Defender. It is disabled by my Kaspersky A/V.

    • #2525900

      Does it also object if you just disable it in settings instead of using a registry file?

      As you are probably aware, the Windows Security settings GUI provides no such toggle for Block At First Sight.

      Instead it’s a combination of turning off both Cloud-delivered protection and Automatic sample submission. In theory that’s all that’s required for the Block At First Sight entry to be written to the registry. However, all three settings can be automated via .REG files. I’ve just checked the settings GUI… both Cloud-delivered protection and Automatic sample submission remain toggled off… but are no longer creating the Block At First Sight registry entry.

      Tamper Protection – as it says – is to “Prevents *others* [my emphasis] from tampering with important security features.” Note also that Tamper Protection made no protest whatsoever when I merged a whole bunch of .REG files earlier, several of which made changes to Windows Security.

      It was only ~5 hours later when the 2 definitions updates installed themselves that the Block At First Sight registry entry was deleted.

      Even now, Tamper Protection still allows me to merge the .REG file that writes the DisableBlockAtFirstSeen registry entry and its DWORD value. It’s not until a period later that some sort of SIH-related scheduled task seems to run, just like the Windows Update Medic Service.

    • #2525902

      FYI

      Very droll. 🙂

    • #2525930

      Windows 10 does not allow much customization since MS does not want to interfere with their spyware.

      You will have to click to allow it. But every so often after an update, it will reset back and you will have to allow it again.

      • #2526040

        You will have to click to allow it

        Click to allow what?
        What spyware do MS have that nobody else is using?
        What are you using that doesn’t have this “spyware”?

        cheers, Paul

    • #2525976

      Rick,
      I noticed the link you used for Decrapifier, is that version the same as the GitHub one from n1snt? https://github.com/n1snt/Windows-Decrapifier

    • #2526160

      Rick,
      I noticed the link you used for Decrapifier, is that version the same as the GitHub one from n1snt? https://github.com/n1snt/Windows-Decrapifier

      No, not only are they completely different, their purpose is completely different. The only two similarities are the script name – decrapifier.ps1 – and that they are both PowerShell scripts.

      Windows 10 Decrapifier
      The one I linked to and have used for years is called Windows 10 Decrapifier and written by csand. It was written for use primarily in a *managed* environment, i.e. business or education. (Having said that, my experience is that it works just as well in a non-managed environment.) As such it takes a very safe and cautious approach… which I like (‘cos when I started using it I didn’t understand PowerShell at all but I knew what I wanted to achieve).

      It’s designed to be run during OOBE – the ‘Out Of the Box Experience’. (OOBE is the first-run process just after Windows has been installed yet before the first account has been created.) To do this you have to interrupt OOBE, run the script whilst Windows is paused in something called ‘Admin mode’ then continue OOBE. (It sounds complex… it isn’t – see here for more info.)

      As a result, the script modifies the default account template from which all other accounts are subsequently created. All accounts, from the first one created at completion of OOBE onwards, will start off looking and acting the same.

      The script is managed primarily by a list of switches/parameters to control what it does or doesn’t do. Have a look at the Switches section at the top of script for an explanation of the available switches. This approach means that you really only have two choices to make – 1. what switch to use and; 2. check that the $GoodApps variable is what you want. $GoodApps defines the apps you don’t want touched. So, for example, my own modified version of this script shows:

      $GoodApps = "calculator|store|miracast"

      That’s because those are the only 3 built-in apps I want to remain after the script has run.

      Windows Decrapifier
      The one you linked to is called Windows Decrapifier and written by Nishant Bhandari. A quick check shows it’s more a list of PowerShell commands to be used in a *non-managed* environment, e.g. a home environment. The focus is thus on a different type of user.

      You – the user – have to amend what happens by commenting/uncommenting the commands that you do or don’t want to run rather than relying on the use of parameters to make choices for you.

      Most importantly, it runs against user account profiles which have already been created individually, not *prior* to the creation of those account profiles (via the .default profile). So, if you have – say – 5 user accounts on a device then you would need to run the script 5 times, i.e. log into each account individually to ensure consistency between the accounts. (Some Windows settings are ‘per user’ whilst others affect ‘all users’.)

      Both approaches have their own advantages and disadvantages – neither one is ‘better’ than the other.

      Hope this helps…

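    An added example, not taken from either Decrapifier script, showing how a $GoodApps-style keep-list works in practice: the variable is a regular expression matched against package names, and anything that does not match is a removal candidate. This version is a dry run only; it produces a plan and removes nothing, which is the step worth doing before handing a keep-list to any script that calls Remove-AppxPackage. The keep-list value is the one from the post; the function name and the NonRemovable check are my own.

```powershell
# Added example: dry run of a $GoodApps-style keep-list against the installed Appx packages.
# Reports what a Decrapifier-type script would target; it does not remove anything.
$GoodApps = "calculator|store|miracast"   # regex of name fragments to keep (value from the post)

function Get-AppxRemovalPlan {
    param(
        [string]$KeepPattern = $GoodApps,
        [switch]$AllUsers        # -AllUsers needs an elevated console
    )
    $packages = if ($AllUsers) { Get-AppxPackage -AllUsers } else { Get-AppxPackage }
    foreach ($pkg in $packages) {
        # Newer Windows 10 builds flag packages the OS will refuse to remove; skip those
        if ($pkg.PSObject.Properties['NonRemovable'] -and $pkg.NonRemovable) { continue }
        [pscustomobject]@{
            Name   = $pkg.Name
            # -match is case-insensitive, so "store" also matches "Microsoft.WindowsStore"
            Action = if ($pkg.Name -match $KeepPattern) { 'keep' } else { 'remove' }
        }
    }
}

# Review the plan first; only then would a script feed the 'remove' rows to Remove-AppxPackage
Get-AppxRemovalPlan | Sort-Object Action, Name | Format-Table -AutoSize
```

    Because the keep-list is a regex and not an exact name list, a short fragment can match more than intended (“store” keeps every package with that word in its name), so reading the plan output is the cheap way to catch that before anything is removed.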
    • #2526268

      Thanks for the reply Rick. I hate to hijack this thread anymore, but seems like the primary difference between the two versions is that one is primarily “during installation” OOBE and isn’t recommended after installation (in my case: new installation, single user, drivers, Macrium and just core Windows 10 Pro software). I was thinking of using O&O App.

      Mike

    • #2526276

      Thanks for the reply Rick. I hate to hijack this thread anymore, but seems like the primary difference between the two versions is that one is primarily “during installation” OOBE and isn’t recommended after installation (in my case: new installation, single user, drivers, Macrium and just core Windows 10 Pro software). I was thinking of using O&O App.

      Mike

      I should have made it clearer that Windows 10 Decrapifier *can* be used after OOBE. It just means that the actions will be carried out in the context of the individual user rather than the .default template… so is far less effective. Still works though.

      The other thing I didn’t mention is that Windows 10 Decrapifier has a third question – do you want to change the default Start menu? Heck, yeah… I want to get rid of every single stupid default tile and just have 3 shortcuts to apps that *I* want. 🙂 Windows Decrapifier doesn’t offer that.

      What I like about PowerShell scripts (as opposed to third-party apps) is that you can read through them and see how changes are effected.

      Hope this helps…
