Detected Changes

Guest

Every day when I boot up my computer, I get the same message from Windows
Defender telling me WD detected changes. The file is always the same, and I
always allow it, but the next day it is back. I signed up for MotionBased
services last week (a subsidiary of Garmin).

The specifics:
Publisher: MotionBased Technologies
Agent: Auto start
Checkpoint: Startup folder
Action: Allow

The specific files involved are:
...\Start Menu\Programs\Startup\MotionBasedAgent.lnk

C:\Program Files\MotionBased\Agent\MBAgent.exe

Should I be doing something other than allowing this? I trust the software
source. I installed Windows Defender Beta 2 about two weeks ago. I've gotten
this message every day since I installed MotionBased a week ago.
 
Bill Sanderson MVP

Do you have any idea why these items are changing? I suggested to another
user in a similar thread that he check the files with a hash-generating
utility to see whether they are, in fact, changing from one day to the next,
and he found that they were.

I've not seen this issue on any machines I work with first hand--my sense is
that some kind of antivirus/antispyware/"protective" software must be making
changes on a daily basis to the stuff in startup, and that creates this
alert--any thoughts?
 
Guest

Where can I get a hash generating utility? Until I check that, I have no
idea if they are really changing. I can't imagine a reason they would
change. MotionBased says they have over 15,000 users of this program, so I
would think someone else would have encountered this problem if it is
changing.
--
Lyle
Montrose, Colorado


Bill Sanderson MVP said:
Do you have any idea why these items are changing? I suggested to another
user in a similar thread that he check the files with a hash-generating
utility to see whether they are, in fact, changing from one day to the next,
and he found that they were.

I've not seen this issue on any machines I work with first hand--my sense is
that some kind of antivirus/antispyware/"protective" software must be making
changes on a daily basis to the stuff in startup, and that creates this
alert--any thoughts?

--
 
Bill Sanderson MVP

http://support.microsoft.com/kb/841290/

is the command line Microsoft tool I recommended to the earlier poster.
However, he had a tool of his own choice that provided the same
functionality, so I don't think he used it.

I think that it is unlikely that the Motion software itself is modifying
this link on the fly--I'm still interested in hearing about what other
Antispyware, antivirus, privacy or security-related software that might be
running on your system.

The idea is to run the above tool at a command prompt to get a checksum of
one or all of the files which get alarmed about daily--and then do that
again the next day, when you see the message from Windows Defender.

It is, however, probably a reasonable assumption that the files are, in
fact, being changed in some way--so the question will remain--what is doing
the change. Using MSCONFIG, and removing some startup items is probably the
way to narrow this down.

--

Montrose Lyle said:
Where can I get a hash generating utility? Until I check that, I have no
idea if they are really changing. I can't imagine a reason they would
change. MotionBased says they have over 15,000 users of this program, so I
would think someone else would have encountered this problem if it is
changing.
 
Stephen Boots MVP-MSN Client

Do you have any idea why these items are changing? I suggested to another
user in a similar thread that he check the files with a hash-generating
utility to see whether they are, in fact, changing from one day to the next,
and he found that they were.

I've not seen this issue on any machines I work with first hand--my sense is
that some kind of antivirus/antispyware/"protective" software must be making
changes on a daily basis to the stuff in startup, and that creates this
alert--any thoughts?

I get a similar situation on my Acer laptop at every boot. In this
case it is the driver for the Acer eRecovery package:
c:\Acer\Empowering Technology\eRecovery\int15.sys
I believe that this driver is loading at startup through the execution
of an Acer program called Monitor.exe located in the same folder.

The driver is not changing each time, it simply appears that the way
Acer implemented the load of this software is at odds with behavior
expected by Defender to be normal.
Until there is a way to "always allow" or manually add this driver as
allowed through the Defender interface, I suspect I'll be telling
Defender to allow it each and every time I boot. If I don't allow it,
I get an error from the Acer software later on in the session.
-steve
 
Guest

Bill, sorry it took me so long to reply. It's been a too long Easter weekend.
I downloaded the hashing program you recommended, but have been unable to
get it to work. It works fine on other files, but when I enter the file name
path:
C:\Program Files\MotionBased\Agent\MBAgent.exe it gives an error 3, The
system cannot find the path specified. I've tried everything I can think of
to get it to work, but I can't find a path that works. It doesn't appear to
be case sensitive, but you may be able to clarify that.

I am running antivirus software supplied by my ISP, the Bresnan Cable
company. I believe they get the software from Authentium. It includes
antivirus and anti spyware. The only time I ran their anti spyware check, it
found 23 programs that Windows Defender hadn't flagged. I opted to leave
them alone, since most appeared to be adware.

Stephen Boots posted to say he was having a similar problem. He may be
right that Defender needs an option to "always allow".

Something else also occasionally pops up, a small notification window that
goes away before I can investigate it, but I finally captured the window. It
says, "Windows Defender

An Application Registration changes was made for a known application file:
C:\Program Files\Windows Defender\MpCmdRun.exe.

I've seen this note several times but I have no idea what action is required.

Thanks again for your help.
 
Donald Anadell

Hi Lyle,

I don't presume to speak for Bill, but while you are waiting for him to answer this post you might try placing your path inside
quotation marks like this:

"C:\Program Files\MotionBased\Agent\MBAgent.exe" .

Any path that contains a blank space should be enclosed in quotation marks.

Alternately you could use a short name path to this file, like this: C:\PROGRA~1\MOTION~1\Agent\MBAgent.exe

In this case you would not need to include quotation marks because there are no blank spaces in the Path.

Donald Anadell
 
Guest

Donald,
Your suggestion worked. Those of us who don't use command lines more than
once a year forget the rules. Putting quotes around it worked.

Bill, I ran the hashing program, then rebooted. I got the warning message
from Windows Defender that something had changed, but when I re-checked the
hash totals, they were identical. I'll let the experts figure this one out.
Thanks.
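
The check discussed in this thread (hash the flagged files, reboot, hash again), as an added example that is not from any poster. It uses Python's hashlib with SHA-256 instead of the Microsoft tool linked earlier, and also records size and modification time so that identical content with a changed timestamp is reported separately. The function names and the baseline file are assumptions of this sketch.

```python
import hashlib, json, os, sys

def snapshot(paths):
    """Map each path to its SHA-256, size and mtime; unreadable or missing -> None."""
    snap = {}
    for path in paths:
        try:
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                info = os.fstat(fh.fileno())
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[path] = {"sha256": digest.hexdigest(),
                          "size": info.st_size,
                          "mtime_ns": info.st_mtime_ns}
        except OSError:
            snap[path] = None
    return snap

def compare(old, new):
    """Classify every path seen in either snapshot."""
    verdicts = {}
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path), new.get(path)
        if before is None or after is None:
            verdicts[path] = ("missing" if before is after
                              else "added" if before is None else "removed")
        elif before["sha256"] != after["sha256"]:
            verdicts[path] = "content-changed"
        else:
            verdicts[path] = "unchanged" if before == after else "metadata-only"
    return verdicts

def check(paths, baseline_file):
    """First run stores the baseline and returns None; later runs return verdicts."""
    current = snapshot(paths)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=2)
        return None
    with open(baseline_file) as fh:
        return compare(json.load(fh), current)

if __name__ == "__main__":
    # Usage: python startup_check.py baseline.json <file> [<file> ...]
    for path, verdict in (check(sys.argv[2:], sys.argv[1]) or {}).items():
        print(f"{verdict:16} {path}")
```

Run it once to create the baseline, then again after the next alert, passing the quoted full paths of the shortcut and the executable as arguments.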
 
Bill Sanderson MVP

Well I can answer the question about the little balloon message about
MPCMDrun. A Microsoft post here states that you see this message when
you've checked to see some non-default alerts, and that it indicates that
the scheduled scan job has been updated. So, typically you might see this
daily, if you have a daily scheduled scan job.

About the rest of this issue, I'll read the other replies and try out the
tool myself and see if I can say anything helpful.

--
 
Bill Sanderson MVP

Well-I'm not the expert, so I'll hope Steve Dodson or someone else is
looking over my shoulder.

At this point, I think I'd go to tools, options, and scroll down to the box
where you can put in exclusions from scanning, and exclude the executable.
I'm not sure whether you also need to exclude the .lnk file in startup as
well.

If your Cable company has a support forum, or good phone support, you might
ask them about these issues--you probably aren't their only customer using
Windows Defender, and if this issue relates to their software, they may be
aware of it.

--
 
Bill Sanderson MVP

Thanks Stephen. Have you tried putting this into an exclusion, in tools,
options, scroll down to "advanced options." Given your description of the
process, I'm not sure it'll work, but it's what I can think of to try.

--
 
Guest

Bill Sanderson MVP said:
Do you have any idea why these items are changing? I suggested to another
user in a similar thread that he check the files with a hash-generating
utility to see whether they are, in fact, changing from one day to the next,
and he found that they were.

I've not seen this issue on any machines I work with first hand--my sense is
that some kind of antivirus/antispyware/"protective" software must be making
changes on a daily basis to the stuff in startup, and that creates this
alert--any thoughts?

--
 
Guest

Hi ya'll, to add a bit to this subject, I've noticed you'all are taking to
the notion that this issue pops up on those who run their machines for say a
day or so without rebooting; I have been rebooting my machine several times
today. I'd say at least 5 to 6 times already this morning and this pop-up
from Defender shows up every time. I have turned off the option "change made
by your computer" feature and feel (since I haven't rebooted yet) that this
will indeed cure the pop-ups, but thought I'd mention that it doesn't happen
to just those who reboot once a day...Just so you guys don't go down the
wrong road in troubleshooting this *thang*...That's all bye..

Bill Sanderson MVP said:
Do you have any idea why these items are changing? I suggested to another
user in a similar thread that he check the files with a hash-generating
utility to see whether they are, in fact, changing from one day to the next,
and he found that they were.

I've not seen this issue on any machines I work with first hand--my sense is
that some kind of antivirus/antispyware/"protective" software must be making
changes on a daily basis to the stuff in startup, and that creates this
alert--any thoughts?

--
 
Bill Sanderson MVP

Thanks - I probably misused "daily" there--certainly per boot changes would
be an alternative explanation.

--

Ricktheslickster said:
Hi ya'll, to add a bit to this subject, I've noticed you'all are taking to
the notion that this issue pops up on those who run their machines for say a
day or so without rebooting; I have been rebooting my machine several times
today. I'd say at least 5 to 6 times already this morning and this pop-up
from Defender shows up every time. I have turned off the option "change made
by your computer" feature and feel (since I haven't rebooted yet) that this
will indeed cure the pop-ups, but thought I'd mention that it doesn't happen
to just those who reboot once a day...Just so you guys don't go down the
wrong road in troubleshooting this *thang*...That's all bye..
 
