Windows Defender - Remove Ignore - How?

Joe727

Hi - just installed Beta 2 of Windows Defender. The scan listed an
UNinstalled program as potential spyware. The program is part of the
software package that comes with my Lucent/Agere modem. So, I clicked
Ignore. After processing, Windows Defender identified Aureate as being part
of that Uninstalled software program.

Question - How do I remove this program from Windows Defender Ignore list?

Thanks

Joe
 
Bill Sanderson

This should be in History, and then click the link for "allowed" in the text
at the top.
 
Joe727

I clicked Allowed, and the "Ignored entry" disappeared. It's not in
"Allowed or Quarantined" either. Any idea where it went?

Thanks

Joe
 
Bill Sanderson

That was a useful screenshot.

OK - If you had clicked "always ignore" it would be in allowed.

Ignore just makes Windows Defender quit nagging you about this particular
threat until the next time it scans. So, if you wish to change your choice
on this one, just re-scan--it'll be re-detected, and you can make a
different choice.

--
 
Bill Sanderson

Take a look--you may need to go to the System Event log and filter on source
WINDEFEND, and grab yellow-triangle entries--at the detailed path and file
involved in the detection.

This error either involves a location that can't be cleaned (system restore
data store is one example) or the detected item is one of several in an
archive file--zip, cab, arj--and Defender won't just blow away the whole
archive. Check the detection for yourself--there's a good chance this is an
archive whose sole purpose is the malware--in which case you can rename or
delete it yourself without risk.

--
 
Joe727

Bill - Here's the error:

Event Type: Error
Event Source: WinDefend
Event Category: None
Event ID: 1008
Date: 3/23/2006
Time: 1:19:12 AM
User: N/A
Computer: PC1
Description:
Windows Defender has encountered an error when taking action on potential
malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {F7866BEE-23D6-415C-9D8F-94C408DBDD48}
Scan Type: AntiMalware
User: PC1\Main PC
Threat Name: Aureate
Threat Id: 2401
Threat Severity: 4
Threat Category: 2
Action: Remove
Error Code: 0x80508026
Error description: Windows Defender cannot remove a potentially harmful
item from the contents of an archived file. To remove the item, you need to
delete the archive or you can search for options for removing spyware in
Help and Support.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

**

The program that's showing malware is in its own folder on partitions that
are separate from the operating systems' partitions (98SE, XP Pro & Suse
Linux 10). That particular program (called Simply Music) is Not installed,
so, it's not really causing any problems. Spybot, Ad Aware, and Computer
Associates spyware detectors do not report it as a problem. I could always
delete that particular folder since it would not affect use of the
phone-line modem.

Thanks again for your help.

Joe
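
An added example, not part of any post in this thread: a small Python parser for the text of a WinDefend event like the one pasted above, which joins wrapped lines and flags the archive-removal error for manual review. The function names and the sample are constructed for illustration; the error code and its meaning come from the event itself.

```python
import re

# Error code taken from the event quoted in this thread; its meaning is the
# event's own "Error description" (the item sits inside an archive).
ARCHIVE_REMOVE_ERROR = 0x80508026

# A field starts with a capitalised key of at most 31 characters and a colon.
FIELD_RE = re.compile(r"^([A-Z][A-Za-z ]{1,30}?):\s*(.*)$")

# Constructed sample modelled on that event; the Scan ID is a placeholder.
SAMPLE_EVENT = """\
Event Source: WinDefend
Event ID: 1008
Description:
Windows Defender has encountered an error when taking action on potential
malware.
Scan ID: {00000000-0000-0000-0000-000000000000}
Threat Name: Aureate
Action: Remove
Error Code: 0x80508026
Error description: Windows Defender cannot remove a potentially harmful
item from the contents of an archived file.
"""

def parse_event(text):
    """Return {key: value}; lines without a key continue the previous value."""
    fields, last = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last is not None:
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def triage(text):
    """Summarise a failed action and flag the archive case for manual review."""
    f = parse_event(text)
    code = int(f.get("Error Code", "0"), 16)
    return {
        "threat": f.get("Threat Name"),
        "action": f.get("Action"),
        "error_code": code,
        "needs_manual_archive_review": code == ARCHIVE_REMOVE_ERROR,
        "detail": f.get("Error description"),
    }
```
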
 
Bill Sanderson

The text describing the error seems clean. Am I correct that this is on a
full scan, rather than a Quick Scan?

I would never recommend not taking heed of anything found on a
quickscan--because something found that way is active--it is being run on
startup. However, I'm coming around to your view on this one--this is
something which is just sitting there--the detection could possibly be a
false positive.

There's some risk in choices here: You can choose ignore, in which case
you'll need to make that choice after every full scan you do, unless you
delete that folder.

You can choose ignore always. I'm not sure, in that case, what happens if a
similar Aureate threat is downloaded--is it detected? (I hope the answer is
yes, but I'm not certain of that, and I cannot find this mentioned in Help.)

Here's what I think I would recommend. Go with ignore. Then, set the
machine to do quickscans, rather than fullscans. If you read the help,
Microsoft's recommendations are to do daily quickscans (which are quite
speedy--some office machines I work with go in 1.5 minutes) unless something
is detected. If a detection is made, they recommend a fullscan.

You'll need to remember this issue, and if you ever want to reinstall that
software, you'll have to consider whether this is a real detection, or a
false positive.
--
 
Joe727

It was a full scan - 1 hour and 20 minutes. That program has been sitting
UNinstalled on my computer for several years - LOL.

A registry search fails to find Aureate.

Joe
 
