Windows Defender Keeps Killing My App


Mr. Taco

I wrote a fairly simple windows service that checks a website and
returns the status, emails me if the site is down. Works fine in XP (of
course), but windows defender in vista labels it as "Alert Type:
Unclassified software" and "takes action against it".

I've modified the app manifest to require admin, highest avail and
invoker, but it's not helping anything. In my travels, I glossed over
some idea where I would have to start the service with a "runas" - I
have no idea what that is or where to begin with that.

I've been using the VS command line and the installutil to install the
service for testing.

Anyway, if someone could tell me what the best practice is to deploy a
windows service on vista, I would appreciate it.


Thanks,

taco



Event Viewer:

Windows Defender Real-Time Protection agent has detected changes.
Microsoft recommends you analyze the software that made these changes
for potential risks. You can use information about how these programs
operate to choose whether to allow them to run or remove them from your
computer. Allow changes only if you trust the program or the software
publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {6B2DCXXX-5E56-4577-869F-CXXXXXXXXXXX}
User: XXXXX-XXXXX\XXXXX
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found:
process:pid:2592;service:WWWCheck;file:C:\Users\XXXXXXX\Desktop\serviceApp\WWWCheck\bin\Debug\WWWCheck.exe
Alert Type: Unclassified software
Detection Type:
 

Mr. Arnold

Mr. Taco said:
I wrote a fairly simple windows service that checks a website and
returns the status, emails me if the site is down. Works fine in XP (of
course), but windows defender in vista labels it as "Alert Type:
Unclassified software" and "takes action against it".


Yes, it works on XP as it's an open-by-default O/S, for the most part wide
open to attack. Vista is not XP and is not open by default or wide open to
attack so easily.

I suspect you're going to have to configure Windows Defender and tell it
that your program is safe to run and not notify upon system start-up. You
can use Bing or Google and look up the information on how to configure WD on
Vista.


 

Mr. Taco

That is an unacceptable solution. Developers don't release applications
with instructions for end users to modify Windows Defender so their
application will run. Rubbish.

And thank you for the suggestion to "GOOGLE" the issue, like I'm a fool
and didn't already google the situation.

Anyone have a real answer?

-T
 

Nobody

Mr. Taco said:
I wrote a fairly simple windows service that checks a website and
returns the status, emails me if the site is down. Works fine in XP (of
course), but windows defender in vista labels it as "Alert Type:
Unclassified software" and "takes action against it".

I've modified the app manifest to require admin, highest avail and
invoker, but it's not helping anything. In my travels, I glossed over
some idea where I would have to start the service with a "runas" - I
have no idea what that is or where to begin with that.

I've been using the VS command line and the installutil to install the
service for testing.

Anyway, if someone could tell me what the best practice is to deploy a
windows service on vista, I would appreciate it.

I don't use VB.Net, but made services in VC6. It's possible that you are
running it as a regular application (some services have command line options
for debugging or testing). Instead of running the service directly using
Explorer, use the Services applet in Control Panel to start it. Also, in the
"Log On" tab, check which account the service is using; you can change
it if you want to. Installation tools internally use the CreateService() API
function and the last two parameters specify the account to use. You can
decide what account to use at install time, or change it later using the
Services applet.

Finally, one of the changes in Vista and after is that services run in their
own session for security reasons, called session 0, which is
non-interactive, so you can't use things like
FindWindow/EnumWindows/SendMessage/PostMessage to talk to the service from a
GUI app. If you need to make software that configures the service, you
have to make a second EXE and communicate with the service using some
mechanism, such as named pipes, winsock, or the registry.

See this article:

Application Compatibility: Session 0 Isolation
http://msdn.microsoft.com/en-us/library/bb756986.aspx

This is what Session 0 Isolation is trying to prevent (look for "WM_TIMER"
and "Session 0"):

http://en.wikipedia.org/wiki/Shatter_attack
 

Mr. Taco

For anyone who cares, the error below is a Windows Defender Event ID
3004 notification. If this is followed by an Event ID 3005 and the action
is set to ignore, then WD has NOT blocked the app.

<Message>

Windows Defender Real-Time Protection agent has taken action to protect
this machine from spyware or other potentially unwanted software.
For more information please see the following:
Not Applicable
Scan ID: {08XXX7EX-XBXX-4X6X-XXXX-X6XXXXXXXXXX}
User: XXXXXX-XXXXXXXXX\XXXXXX
Name: Unknown
ID:
Severity ID:
Category ID:
Alert Type: Unclassified software
Action: Ignore

</Message>

Essentially, it evaluated the application and took action - ignore.


For those of you looking for a good tutorial on a threading windows
service look here:

http://www.devcity.net/Articles/190/1/article.aspx


Ultimately, rebuilding the service from scratch, using the above article
to create the structure, gave me a working service.

-T
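
Added example, not part of the original thread: a small Python triage of the 3004/3005 pairing described in the post above, which parses the message fields (including the wrapped "Path Found:" value) and reports whether each detection was followed by an "Ignore" action. It assumes the events have already been exported as (event ID, message text) pairs in chronological order, and that any action other than Ignore means Defender intervened; the sample records are constructed.

```python
import re

# Constructed sample modelled on the two messages quoted in the thread. Only WWWCheck
# comes from the thread; other services, paths and "Quarantine" are made up.
SAMPLE_EVENTS = [
    (3004, "Real-Time Protection agent has detected changes.\nName: Unknown\nID:\n"
           "Path Found:\nprocess:pid:2592;service:WWWCheck;file:C:\\svc\\WWWCheck.exe\n"
           "Alert Type: Unclassified software\nDetection Type:\n"),
    (3005, "Name: Unknown\nAlert Type: Unclassified software\nAction: Ignore\n"),
    (3004, "Path Found:\nprocess:pid:3120;service:OtherSvc;file:C:\\svc\\Other.exe\n"),
    (3005, "Alert Type: Unclassified software\nAction: Quarantine\n"),
    (3004, "Path Found:\nprocess:pid:4000;service:Pending;file:C:\\svc\\Pending.exe\n"),
]

KEYED = re.compile(r"^(Scan ID|User|Name|ID|Severity ID|Category ID|Path Found|"
                   r"Alert Type|Detection Type|Action):\s*(.*)$")

def parse_fields(message):
    """Parse 'Key: value' lines; an empty value may continue on the next line."""
    fields, pending = {}, None
    for line in (raw.strip() for raw in message.splitlines()):
        m = KEYED.match(line)
        if m:
            key, value = m.groups()
            fields[key] = value
            pending = None if value else key
        elif pending and line:   # e.g. the wrapped "Path Found:" value
            fields[pending], pending = line, None
    return fields

def parse_target(path_found):  # 'process:pid:N;service:X;file:PATH' -> dict
    return dict(part.partition(":")[::2] for part in path_found.split(";"))

def triage(events):
    """Pair each 3004 detection with the 3005 that follows it and name the outcome."""
    results, waiting = [], None
    for event_id, message in events:
        fields = parse_fields(message)
        if event_id == 3004:
            if waiting:          # previous detection never got a 3005
                results.append((waiting, "no 3005 seen"))
            waiting = parse_target(fields.get("Path Found", "")).get("service", "?")
        elif event_id == 3005 and waiting:
            action = fields.get("Action") or "unknown"
            verdict = "not blocked" if action.lower() == "ignore" else "action taken: " + action
            results.append((waiting, verdict))
            waiting = None
    if waiting:
        results.append((waiting, "no 3005 seen"))
    return results
```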
 

Nobody

Some security and AV programs skip digitally signed executables, so try to
sign your files.
 
