Defender Scans Network Drives Which Are Not Mapped

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have installed the full release version of Windows Defender. When I
perform a full system scan, whether manually or automatically, Windows
Defender attempts to scan network resources which are not mapped.

What is really strange is that these attempts are not made on any of the
machines on the LAN where my Active Directory Domain resides. These
authentication failures occur in a Windows environment in a separate
building, which is connected by an IPSec VPN, allowing traffic from my office
to that building to be instantiated.

The failures are logged because Defender is running as my local machine,
which has no privileges in the other environment. There are always two
errors in quick succession because I've enabled Account Logon and
Logon/Logoff failure auditing, which follow:

======================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 11/14/2006
Time: 1:41:01 AM
User: NT AUTHORITY\SYSTEM
Computer: T#####
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: L####$
Source Workstation: L####
Error Code: 0xC0000064
======================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/14/2006
Time: 1:41:01 AM
User: NT AUTHORITY\SYSTEM
Computer: T#####
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: L####$
Domain: C#########
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: L####
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.#.#.#
Source Port: 0
======================================================

I need a way to turn this off in Windows Defender.

1> the drives on these machines are not mapped, so I'm not sure where
Defender is even getting the machine names (unless it's pulling it from my
explorer history or something).

2> these machines are not even in a trust relationship with my domain.

3> there is not a list of "items to scan" anywhere that I can find, in the
registry, flat files, or online. There is the list of "Do not scan these
files or folders," but that's exclusive - I need the inclusive.

4> where is the promised .adm file which was supposed to accompany the full
release?

As a domain administrator, I am going to be hard pressed to deploy this
corporate-wide if I can't configure it to not scan network devices which are
not mapped, and have to run around trying to block it everywhere to prevent
it from attempting authentication in other connected environments.

Thanks for your help, anyone.

- Eric McWhorter
 
..adm file is in the proper location (C:\WINDOWS\inf) - my apologies for
having overlooked it.

- Eric McWhorter
 
Hello Eric,

Try this, exclude the entire networked drive from scanning under WD Advanced
Options.
--
 
Hi, Engel -

Thanks for your response! I'm not quite sure I understand your suggestion.
Are you saying I should add the machines in the external environment to the
list of "do not scan these files or locations?" I'd really rather not have
to do this for every install I do. What I'm looking for is the setting which
tells Defender to INCLUDE network locations to begin with - it seems
counterintuitive to have this action without a way to shut it off.

Keep in mind that a> I do not see these authentication attempts on my LAN,
just at this remote location, and b> the machines against which my machine
tries to authenticate are not mapped as network drives. Most of them don't
even have anything but the default administrator shares enabled. Certainly,
they don't show up under the "browse for folder" dialog when I attempt to add
them to the list, and they don't show up in the "disconnect network drives"
dialog either.

Without a priori knowledge of what was being accessed, I can't add anything
to the list in "do not scan these files or locations" anyway - unless I add
EVERYTHING from each of several servers - tedious and not the expected way of
having to do this.

This is why I was wondering if there existed a log of devices/drives that
Defender has ATTEMPTED to contact for a scan. This way, I could identify the
network locations to block.

Thanks for your help!

- Eric McWhorter
 
Back
Top