Controlling Defender's spurious reports

Guest

What follows arises from a particular problem that Defender has with the AOL
driver ATWPKT2.sys on my system, but I suspect the solution will be
applicable to many similar issues.

Here's the history of my quest:

1. When I started using Defender I had the two 'Advanced options' boxes
unchecked (see Tools -> 'options' and scroll down). Every time I started AOL,
Defender objected to the behaviour of ATWPKT2.sys, reported it in the history
log, and created a defender checkpoint in System Restore. This led to an
excessive number of checkpoints, which I disliked intensely. For a while, I
switched Real Time Protection off to stop this activity. (There's a registry
edit to stop it, but I don't consider myself competent to edit the registry.)

2. When I felt brave enough to experiment, I switched RTP back on and ticked
the two 'advanced options' boxes under 'options'. From this point on I
received pop up notifications of the ATWPKT2 driver every time I started AOL
(which I ignored) but now there were no entries for these events in the
history log, and more importantly, the proliferation of defender checkpoints
stopped.

3. This was fine - but how nice it would be to be able to tell Defender not
to worry about ATWPKT2. On a previous occasion I'd tried including it in the
'Do not scan these files or locations' box, but it had made no difference.
(I'd assumed this was because checking behaviour of programs in RTP is not
the same as performing a scan.) Well, I've now tried this again, and
discovered that I was wrong - it DOES make a difference. I've added the full
file path to the box, and now when I start AOL there are no spurious pop-up
notifications; no false entries in the history log; and no spurious defender
checkpoints in system restore.

Why does it work now and not before? Well, maybe I made a mistake when I
tried it before (I've learned a lot since then). Or maybe this is another of
those complex and illogical interactions that seem to occur between false
alerts, the selections we make in the options boxes, and the creation of
checkpoints.

But to anyone out there who is getting false alerts with a known 'safe'
program, try the combination I've outlined above, i.e.:
1. Tick the two 'Advanced options' boxes
2. Add the (full path of the) offending program to the 'Do not scan these
files or locations' box (Click the Add button, then browse to the program in
question.)

You may now discover (as I have) that Defender now runs silently in the
background as it's supposed to, with no false alerts in history, no false
pop-up notifications, and no proliferation of checkpoints.
 
robin

Well, I have been playing and I am still getting ck points with following the
settings that Engl recommended. The only way I do not get ckp points is to
turn real time protection off. :9
This all happened last Monday after the newest def update and on all 3
separate computers - go figure

robin
 
Guest

robin said:
Well, I have been playing and I am still getting ck points with following the
settings that Engl recommended. The only way I do not get ckp points is to
turn real time protection off. :9
This all happened last Monday after the newest def update and on all 3
separate computers - go figure

But the difference, Robin, is that in my case the checkpoints were being
triggered by an obvious collision between Defender and one particular program
(in this case an AOL driver). In your case I think I'm correct in saying that
there's no such association with a specific program? So we still don't know
where your extra checkpoints are coming from (apart from the software
distribution checkpoint multiplication service of course).

I'm suggesting this as a possible solution for someone like the chap who
keeps getting an alert from a McAfee program, where Defender is repeatedly
making spurious alerts. Your situation is different.
 
Guest

Alan D said:
You may now discover (as I have) that Defender now runs silently in the
background as it's supposed to, with no false alerts in history, no false
pop-up notifications, and no proliferation of checkpoints.

Well, Defender goes on managing to get under my guard! All the above remain
true, but this morning I decided to take a look at Event Viewer. I found that
despite the fact that I've told Defender not to scan the aol ATWPKT2 file,
and despite the fact that it seemed to be obeying my instructions, there are
Defender "spyware" warnings about ATWPKT2 scattered throughout Event Viewer
system events!!! So presumably it IS scanning the file - but just not
reporting its result in the obvious way.

Trying to tell Defender to stop is harder than trying to catch the soap in
the bath!
 
