Hi, Engel -

Thanks for your response! I'm not quite sure I understand your suggestion.
Are you saying I should add the machines in the external environment to the
list of "do not scan these files or locations?" I'd really rather not have
to do this for every install I do. What I'm looking for is the setting which
tells Defender to INCLUDE network locations to begin with - it seems
counterintuitive to have this action without a way to shut it off.

Keep in mind that a> I do not see these authentication attempts on my LAN,
just at this remote location, and b> the machines against which my machine
tries to authenticate are not mapped as network drives. Most of them don't
even have anything but the default administrator shares enabled. Certainly,
they don't show up under the "browse for folder" dialog when I attempt to add
them to the list, and they don't show up in the "disconnect network drives"
dialog either.

Without a priori knowledge of what was being accessed, I can't add anything
to the list in "do not scan these files or locations" anyway - unless I add
EVERYTHING from each of several servers - tedious and not the expected way of
having to do this.

This is why I was wondering if there existed a log of devices/drives that
Defender has ATTEMPTED to contact for a scan. This way, I could identify the
network locations to block.

Thanks for your help!

- Eric McWhorter

"Engel" wrote:
> Hello Eric,
>
> Try this, exclude the entire networked drive from scanning under WD Advanced
> Options.
> --
>
> "loraXXarol" wrote:
>
> > I have installed the full release version of Windows Defender. When I
> > perform a full system scan, whether manually or automatically, Windows
> > Defender attempts to scan network resources which are not mapped.
> >
> > What is really strange is that these attempts are not made on any of the
> > machines on the LAN where my Active Directory Domain resides. These
> > authentication failures occur in a Windows environment in a separate
> > building, which is connected by an IPSec VPN, allowing traffic from my office
> > to that building to be instantiated.
> >
> > The failures are logged because Defender is running as my local machine,
> > which has no privileges in the other environment. There are always two
> > errors in quick succession because I've enabled Account Logon and
> > Logon/Logoff failure auditing, which follow:
> >
> > ======================================================
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Account Logon
> > Event ID: 680
> > Date: 11/14/2006
> > Time: 1:41:01 AM
> > User: NT AUTHORITY\SYSTEM
> > Computer: T#####
> > Description:
> > Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > Logon account: L####$
> > Source Workstation: L####
> > Error Code: 0xC0000064
> > ======================================================
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 529
> > Date: 11/14/2006
> > Time: 1:41:01 AM
> > User: NT AUTHORITY\SYSTEM
> > Computer: T#####
> > Description:
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: L####$
> > Domain: C#########
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: L####
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 192.#.#.#
> > Source Port: 0
> > ======================================================
> >
> > I need a way to turn this off in Windows Defender.
> >
> > 1> the drives on these machines are not mapped, so I'm not sure where
> > Defender is even getting the machine names (unless it's pulling it from my
> > explorer history or something).
> >
> > 2> these machines are not even in a trust relationship with my domain.
> >
> > 3> there is not a list of "items to scan" anywhere that I can find, in the
> > registry, flat files, or online. There is the list of "Do not scan these
> > files or folders," but that's exclusive - I need the inclusive.
> >
> > 4> where is the promised .adm file which was supposed to accompany the full
> > release?
> >
> > As a domain administrator, I am going to be hard pressed to deploy this
> > corporate-wide if I can't configure it to not scan network devices which are
> > not mapped, and have to run around trying to block it everywhere to prevent
> > it from attempting authentication in other connected environments.
> >
> > Thanks for your help, anyone.
> >
> > - Eric McWhorter
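
An added example, not part of the original thread: one way to list which remote computers logged failed machine-account logons from a given workstation, by parsing Security-log text in the layout quoted above and counting each 680/529 pair once. The function names, the host names and the sample events are constructed for illustration, and the text-export layout is assumed to match the quoted events.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the thread; all names are placeholders.
SAMPLE = """\
======================================================
Event ID: 680
Date: 11/14/2006
Time: 1:41:01 AM
Computer: SRV-A
Logon account: WKSTN01$
Source Workstation: WKSTN01
Error Code: 0xC0000064
======================================================
Event ID: 529
Date: 11/14/2006
Time: 1:41:01 AM
Computer: SRV-A
User Name: WKSTN01$
Workstation Name: WKSTN01
======================================================
Event ID: 529
Date: 11/14/2006
Time: 2:05:10 AM
Computer: SRV-B
User Name: jdoe
Workstation Name: WKSTN02
"""

def parse_events(text):
    """Split on ===== rules; turn each block's 'Key: value' lines into a dict."""
    events = []
    for block in re.split(r"^[>\s]*={5,}\s*$", text, flags=re.M):
        pairs = re.findall(r"^[>\s]*([^:\n]+?):[ \t]*(\S.*)$", block, flags=re.M)
        if pairs:  # leading '>' quote marks are tolerated by both patterns
            events.append({k.strip(): v.strip() for k, v in pairs})
    return events

def failed_machine_logons(events, workstation):
    """Count failed machine-account ($) logons from `workstation`, per logging computer."""
    attempts = set()
    for e in events:
        account = e.get("Logon account") or e.get("User Name", "")
        source = e.get("Source Workstation") or e.get("Workstation Name", "")
        if (e.get("Event ID") in ("680", "529") and account.endswith("$")
                and source.upper() == workstation.upper()):
            # A 680/529 pair shares date, time and computer: count it once.
            attempts.add((e.get("Date"), e.get("Time"), e.get("Computer")))
    return Counter(computer for _, _, computer in attempts)
```

Calling `failed_machine_logons(parse_events(SAMPLE), "WKSTN01")` on the constructed sample reports one attempt against `SRV-A` and ignores the unrelated user failure on `SRV-B`.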