Defender History revisions?

Following installation & initial scan I hurriedly (& ignorantly!) permitted
some scan results despite WD advising me they could have potentially unwanted
behaviour. I do not seem to be able to alter the Action taken now? Is
there no facility for reversing that decision i.e. remove instead?

Just click the Windows Defender Icon, click Tools and then click Allowed
Items. You should be able to highlight the allowed item(s) and then remove
from list. Entries get into the allowed items list via "always ignore" after
a scan. Real time protection entires (Permit or Deny) do not go into allowed
items.

"Greystones" wrote:

> Following installation & initial scan I hurriedly (& ignorantly!) permitted
> some scan results despite WD advising me they could have potentially unwanted
> behaviour. I do not seem to be able to alter the Action taken now? Is
> there no facility for reversing that decision i.e. remove instead?

Thank you Mr Cat for your rapid response & advice, but it has not enabled me
to do what I wanted. There are no items in my "Allowed items" so far, and I
have not yet found the "Always ignore" tab or button. Do I need to do
another scan before I can reach the setting for "Always ignore"? Or, should
I have clicked the "Close history" button after the History listing? I did
a second scan after the initial one, but it still did not list anything in
"Allowed items".

"Mr Cat" wrote:

> Just click the Windows Defender Icon, click Tools and then click Allowed
> Items. You should be able to highlight the allowed item(s) and then remove
> from list. Entries get into the allowed items list via "always ignore" after
> a scan. Real time protection entires (Permit or Deny) do not go into allowed
> items.
>
> "Greystones" wrote:
>
> > Following installation & initial scan I hurriedly (& ignorantly!) permitted
> > some scan results despite WD advising me they could have potentially unwanted
> > behaviour. I do not seem to be able to alter the Action taken now? Is
> > there no facility for reversing that decision i.e. remove instead?

If the entries listed under HIstory show Permit or Deny, then the actions
were the result of real time protection. If you said (or WD defaulted to)
Permit, then when the action is detected again, you will have another
opportunity to Permit or Deny. If you indicated Deny, then WD (Windows
Defender) took some form of action. Usually, WD prevents a change to the
registry or prevents a change to the drivers. In some circumstances, WD
would delete the offending routine (at least it did under the beta) and
undoing that would probably require a System Restore. In the case of a
manual or automatic scan, if WD spotted a suspected malicious piece of
software you would be be given the opportunity (assuming you didn't specifiy
that WD should take default actions) to specify Allow (which means Ignore),
Quarantine, Remove, or Always Allow. Always allow means to put the software
in the Allowed Items list and to basically Ignore it everytime you do a scan.
You can remove the entry from the Allowed Items list and it will be eligible
for scanning again. I hope that answers you question. Please feel free to
post again if you need additional clarification.

"Greystones" wrote:

> Thank you Mr Cat for your rapid response & advice, but it has not enabled me
> to do what I wanted. There are no items in my "Allowed items" so far, and I
> have not yet found the "Always ignore" tab or button. Do I need to do
> another scan before I can reach the setting for "Always ignore"? Or, should
> I have clicked the "Close history" button after the History listing? I did
> a second scan after the initial one, but it still did not list anything in
> "Allowed items".
>
> "Mr Cat" wrote:
>
> > Just click the Windows Defender Icon, click Tools and then click Allowed
> > Items. You should be able to highlight the allowed item(s) and then remove
> > from list. Entries get into the allowed items list via "always ignore" after
> > a scan. Real time protection entires (Permit or Deny) do not go into allowed
> > items.
> >
> > "Greystones" wrote:
> >
> > > Following installation & initial scan I hurriedly (& ignorantly!) permitted
> > > some scan results despite WD advising me they could have potentially unwanted
> > > behaviour. I do not seem to be able to alter the Action taken now? Is
> > > there no facility for reversing that decision i.e. remove instead?

Thanks again, Mr Cat, for your patience & further comments. As I recall, I
had just downloaded WD and on installation completion I think it asked if I
wished to do a scan & I Ok'd it to do so. It came back with 61 items listed
which it told me could have poten tially unwanted behaviour. It gave me a
choice of the four options you mentioned, and because I was unsure of which
to select I think I 'Allowed' (permitted) them and thought I could have
another chance later to change my mind? I also realised that I had not
checked if any updates were available and proceeded to try and obtain them.
I then did another scan, but by then my history was listing the 61 items and
each had "Permit" against them. I checked my allowed and quarentined pages
but neither of them had any items listed and that is still the case. The
next scan which was done failed to pick up any of the items (as I think you
say would be the case?).

Can you make any sense of my actions? Hope so!

"Mr Cat" wrote:

> If the entries listed under HIstory show Permit or Deny, then the actions
> were the result of real time protection. If you said (or WD defaulted to)
> Permit, then when the action is detected again, you will have another
> opportunity to Permit or Deny. If you indicated Deny, then WD (Windows
> Defender) took some form of action. Usually, WD prevents a change to the
> registry or prevents a change to the drivers. In some circumstances, WD
> would delete the offending routine (at least it did under the beta) and
> undoing that would probably require a System Restore. In the case of a
> manual or automatic scan, if WD spotted a suspected malicious piece of
> software you would be be given the opportunity (assuming you didn't specifiy
> that WD should take default actions) to specify Allow (which means Ignore),
> Quarantine, Remove, or Always Allow. Always allow means to put the software
> in the Allowed Items list and to basically Ignore it everytime you do a scan.
> You can remove the entry from the Allowed Items list and it will be eligible
> for scanning again. I hope that answers you question. Please feel free to
> post again if you need additional clarification.
>
> "Greystones" wrote:
>
> > Thank you Mr Cat for your rapid response & advice, but it has not enabled me
> > to do what I wanted. There are no items in my "Allowed items" so far, and I
> > have not yet found the "Always ignore" tab or button. Do I need to do
> > another scan before I can reach the setting for "Always ignore"? Or, should
> > I have clicked the "Close history" button after the History listing? I did
> > a second scan after the initial one, but it still did not list anything in
> > "Allowed items".
> >
> > "Mr Cat" wrote:
> >
> > > Just click the Windows Defender Icon, click Tools and then click Allowed
> > > Items. You should be able to highlight the allowed item(s) and then remove
> > > from list. Entries get into the allowed items list via "always ignore" after
> > > a scan. Real time protection entires (Permit or Deny) do not go into allowed
> > > items.
> > >
> > > "Greystones" wrote:
> > >
> > > > Following installation & initial scan I hurriedly (& ignorantly!) permitted
> > > > some scan results despite WD advising me they could have potentially unwanted
> > > > behaviour. I do not seem to be able to alter the Action taken now? Is
> > > > there no facility for reversing that decision i.e. remove instead?

I think the key is that History shows Permit. In the case of an automatic or
manual scan, History would not show Permit (unless SpyNet is getting in the
picture and I'm not really up-to-date on how that influences what is in
History). So what you probably are seeing is real time protection Permits.
Since nothing is in Allowed Items or Quarantine, the only way you could have
gotten in trouble with automatic or manual scans would have been to say
Remove and since that is not in History, you should be OK. I would just go
ahead and trouble shoot what is currently being Permitted by real time
protection and make sure that Permit is appropriate.

"Greystones" wrote:

> Thanks again, Mr Cat, for your patience & further comments. As I recall, I
> had just downloaded WD and on installation completion I think it asked if I
> wished to do a scan & I Ok'd it to do so. It came back with 61 items listed
> which it told me could have poten tially unwanted behaviour. It gave me a
> choice of the four options you mentioned, and because I was unsure of which
> to select I think I 'Allowed' (permitted) them and thought I could have
> another chance later to change my mind? I also realised that I had not
> checked if any updates were available and proceeded to try and obtain them.
> I then did another scan, but by then my history was listing the 61 items and
> each had "Permit" against them. I checked my allowed and quarentined pages
> but neither of them had any items listed and that is still the case. The
> next scan which was done failed to pick up any of the items (as I think you
> say would be the case?).
>
> Can you make any sense of my actions? Hope so!
>
> "Mr Cat" wrote:
>
> > If the entries listed under HIstory show Permit or Deny, then the actions
> > were the result of real time protection. If you said (or WD defaulted to)
> > Permit, then when the action is detected again, you will have another
> > opportunity to Permit or Deny. If you indicated Deny, then WD (Windows
> > Defender) took some form of action. Usually, WD prevents a change to the
> > registry or prevents a change to the drivers. In some circumstances, WD
> > would delete the offending routine (at least it did under the beta) and
> > undoing that would probably require a System Restore. In the case of a
> > manual or automatic scan, if WD spotted a suspected malicious piece of
> > software you would be be given the opportunity (assuming you didn't specifiy
> > that WD should take default actions) to specify Allow (which means Ignore),
> > Quarantine, Remove, or Always Allow. Always allow means to put the software
> > in the Allowed Items list and to basically Ignore it everytime you do a scan.
> > You can remove the entry from the Allowed Items list and it will be eligible
> > for scanning again. I hope that answers you question. Please feel free to
> > post again if you need additional clarification.
> >
> > "Greystones" wrote:
> >
> > > Thank you Mr Cat for your rapid response & advice, but it has not enabled me
> > > to do what I wanted. There are no items in my "Allowed items" so far, and I
> > > have not yet found the "Always ignore" tab or button. Do I need to do
> > > another scan before I can reach the setting for "Always ignore"? Or, should
> > > I have clicked the "Close history" button after the History listing? I did
> > > a second scan after the initial one, but it still did not list anything in
> > > "Allowed items".
> > >
> > > "Mr Cat" wrote:
> > >
> > > > Just click the Windows Defender Icon, click Tools and then click Allowed
> > > > Items. You should be able to highlight the allowed item(s) and then remove
> > > > from list. Entries get into the allowed items list via "always ignore" after
> > > > a scan. Real time protection entires (Permit or Deny) do not go into allowed
> > > > items.
> > > >
> > > > "Greystones" wrote:
> > > >
> > > > > Following installation & initial scan I hurriedly (& ignorantly!) permitted
> > > > > some scan results despite WD advising me they could have potentially unwanted
> > > > > behaviour. I do not seem to be able to alter the Action taken now? Is
> > > > > there no facility for reversing that decision i.e. remove instead?