Plaxo Toolbar for Outlook is blocked by Windows Defender

Guest

Hello -
On my Vista system (Gateway desktop), Windows Defender keeps blocking a
plug-in that I downloaded and installed for Outlook: It is the Plaxo add-in
that allows me to manipulate my Plaxo services in Outlook. (A toolbar, I
think.) How can I fix this? Here is what Windows Defender recorded for the
event:
Log Name: System
Source: Microsoft-Windows-Windows Defender
Date: 6/22/2007 1:07:37 PM
Event ID: 3004
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: MJLewis-PC
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {C427EFE5-8EAD-414B-82C8-51BB05EC3A31}
User: MJLewis-PC\MJLewis
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found:
regkey:HKCU@S-1-5-21-336559941-1480386105-577895080-1001\Software\Microsoft\Windows\CurrentVersion\Run\\PlaxoUpdate;runkey:HKCU@S-1-5-21-336559941-1480386105-577895080-1001\Software\Microsoft\Windows\CurrentVersion\Run\\PlaxoUpdate;file:C:\Program Files\Plaxo\3.2.3.43\PlaxoHelper_en.exe
Alert Type: Unclassified software
Detection Type:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender"
Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" EventSourceName="WinDefend" />
<EventID Qualifiers="0">3004</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-06-22T17:07:37.000Z" />
<EventRecordID>41059</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>MJLewis-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">1.1.1505.0</Data>
<Data Name="Scan ID">{C427EFE5-8EAD-414B-82C8-51BB05EC3A31}</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Domain">MJLewis-PC</Data>
<Data Name="User">MJLewis</Data>
<Data Name="SID">S-1-5-21-336559941-1480386105-577895080-1001</Data>
<Data Name="Threat Name">Unknown</Data>
<Data Name="Threat Id">
</Data>
<Data Name="Threat Severity">
</Data>
<Data Name="Threat Category">
</Data>
<Data Name="FWLink">%%832</Data>
<Data Name="Path Found">regkey:HKCU@S-1-5-21-336559941-1480386105-577895080-1001\Software\Microsoft\Windows\CurrentVersion\Run\\PlaxoUpdate;runkey:HKCU@S-1-5-21-336559941-1480386105-577895080-1001\Software\Microsoft\Windows\CurrentVersion\Run\\PlaxoUpdate;file:C:\Program Files\Plaxo\3.2.3.43\PlaxoHelper_en.exe</Data>
<Data Name="Threat Classification Index">0</Data>
<Data Name="Threat Classification">%%807</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Detection Type Index">
</Data>
<Data Name="Detection Type">
</Data>
</EventData>
</Event>
 
Bill Sanderson MVP

This is an "unknown." Have you changed the default options in Windows
Defender to be notified about "unknown" software? i.e. software not yet
classified as either safe or to be flagged for removal?

If you've changed that default, you could change it back again. You could
also use the box about half way down in tools, options (use the scroll bar)
to add the location of the executable to the scanning exclusions.

Presumably this is what you need to exclude:

C:\Program Files\Plaxo\3.2.3.43\PlaxoHelper_en.exe



--
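
The reply above reads the executable to exclude out of the event's "Path Found" field. As an added example (not part of the original thread, and not Microsoft's code), the Python below parses a 3004 event exported as XML, splits that field into its registry and file resources, and flags Run-key autostart entries. The function names are hypothetical, and reading `\\` as the separator between key path and value name is an assumption taken from the posted event.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUTOSTART = (r"\currentversion\run", r"\currentversion\runonce")

# Trimmed copy of the event posted in this thread (only the fields used here).
SID = "S-1-5-21-336559941-1480386105-577895080-1001"
RUN = "HKCU@" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\\PlaxoUpdate"
SAMPLE_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID Qualifiers="0">3004</EventID></System><EventData>'
    '<Data Name="Threat Name">Unknown</Data>'
    '<Data Name="Path\nFound">regkey:' + RUN + ";runkey:" + RUN
    + r";file:C:\Program Files\Plaxo\3.2.3.43\PlaxoHelper_en.exe</Data>"
    "</EventData></Event>"
)

def split_resources(path_found):
    """Split a 'Path Found' string into one dict per kind:value resource."""
    out = []
    # Split only on ';' that starts a new 'kind:' prefix (assumed lowercase).
    for part in re.split(r";(?=[a-z]{2,}:)", path_found.strip()):
        if not part:
            continue
        kind, _, value = part.partition(":")
        res = {"kind": kind, "value": value}
        if kind in ("regkey", "runkey"):
            # Assumption: a double backslash precedes the registry value name.
            key, _, res["value_name"] = value.partition("\\\\")
            hive_sid, _, res["subkey"] = key.partition("\\")
            res["hive"], _, res["sid"] = hive_sid.partition("@")
        out.append(res)
    return out

def triage(event_xml):
    """Return event id, threat name, file paths and autostart registry hits."""
    root = ET.fromstring(event_xml)
    # Collapse whitespace in names so a line-wrapped "Path Found" still matches.
    data = {" ".join(d.get("Name", "").split()): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    resources = split_resources(data.get("Path Found", ""))
    hits = {(r["hive"], r["value_name"]) for r in resources
            if r.get("subkey", "").lower().endswith(AUTOSTART)}
    return {"event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
            "threat_name": data.get("Threat Name"),
            "files": [r["value"] for r in resources if r["kind"] == "file"],
            "autostart": sorted(hits)}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```
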
 
Guest

Thanks Bill:
I checked under Defender's "options" and, as far as I can tell, everything is
still listed as "default" actions. I didn't see anything specifically about
notification about "unknown" software though. Could this be somewhere else,
where I might have changed it?
 
Bill Sanderson MVP

Hmm - I didn't describe that well: In Windows Server 2003, Windows
Defender, Tools Options, scroll to near the bottom of "Real-time protection
options"

after the list of agents, which should all be checked, are two items:

Choose if Windows Defender should notify you about:
Software that has not yet been classified for risks
Changes made to your computer by software that is permitted to run

I believe the default is unchecked for both of these, although both are
checked on my machine which is a Windows Home Server. Very little gets
installed or changed on servers, and I like to see what is happening.

For the average user, leaving those unchecked makes sense---certainly the
first might well detect something malicious, but it will also detect a large
variety of drivers and similar software which just haven't made it to the
Spynet radar screen in sufficient numbers to be classified.

--
 
Guest

Hi Bill,
I looked again at Windows Vista--Defender. The boxes you list are unchecked
- but below that, under Advanced, the 3 options are checked: "scan archives",
"use heuristics" and something else. Should these be checked? thanks.

Maryellen
 
Bill Sanderson MVP

Yes - I would leave those checked, they are checked by default. I have
sometimes unchecked the one about scanning within archives when I'm
impatient about the time to scan some machine which contains a large number
of files in such archives--but for most--just leave the settings alone.

--
 
