Blocking question


In Defender (Beta 2) if the program encounters an unknown program, it will
give the user the option of blocking the unknown program, or allowing it. I
have blocked two such unknown programs, but there seems to be no feature that
will allow for the unblocking and "allowing" of these programs should I
change my mind. Does anybody have any solutions?
 

Do those programs you have blocked not show under quarantined items?

Bob Vanderveen
 
Otte said:
No. I thought they should as well, but oddly enough, they don't.

I don't see any way to unblock a program either. That seems to be a serious
oversight.

Bob Vanderveen
 
I would read these as "per run" blocking--I don't believe you can set a
permanent block from the real-time detections, or against an unknown.
 
When I contacted support, they reminded me that this is just a Beta version -
and then referred me to the discussion group. Maybe they'll address the
problem in the next version.
 
Hi Bill,
I hope you are right because this issue can create serious problems. For
example: I had to do a reinstall of McAfee VirusScan. After reinstall and
updating, there were a couple of McAfee auto run programs (classified
unknown) that needed to be allowed by Defender. I am used to doing that and
thought I had "allowed" both of them - but there was a glitch and one did not
get allowed. It wasn't until about 30 minutes later that I realized VirusScan
was disabled. I had to navigate to McAfee support Virtual Technician to
correct the problem and activate Activeshield. This was quite unusual and I
don't know exactly what happened, but Defender's "not allowing" had a part in
it. I was "surfing naked" and did not know it!!! Running the Virtual Tech
prompted Defender to alert me again, and I successfully "allowed" the item.
Then all was OK. And in this case, I had not "blocked," only not
successfully "allowed." If I had blocked by accident, there is no way to undo
that from the "history" page in Defender. You have to know how to recreate
the event so you can subsequently "allow." PITA!!!
 
OK - here's the post that I was thinking of:

I've got more to say--after the quoted post.

---
From: "Mike Chan [MSFT]" <>
Subject: Re: Problems with Windows Defender
Date: Mon, 6 Mar 2006 14:23:28 -0800
Newsgroups: microsoft.private.security.spyware.general

I think that the new UI will just take some getting used to.

Remember, "ignore" really means "ignore for this session" or "ask me
later" - to never be prompted again, you have to select "Always ignore"

If you do not want to be notified of "unclassified" changes, you will want
to go into Tool->General Settings and uncheck the "Warn on items not yet
classified" (you may have to scroll down). BTW - by default, if you are an
advanced member, you will get alerts from "unknowns" while if you are a
basic member, you will not. You can override this configuration by going
into the General Settings and checking (or unchecking) your preference.

On this pane, you can also add directories to not scan (if you have things
like VNC that you use, but know is good)

Software Explorer and browser hijacks are also still in the product,
contrary to popular belief =)

Select "Tools"->"Software Explorer" and you should see an improved product
here.

Mike
--
Mike Chan [MSFT]
Technical Product Manager
Windows Defender

This posting provided "AS IS" with no warranties, and confers no rights.
--

So--what happened, in your case? Let me see if I have things straight? At
startup, you get alerts to some "unknown" or "not yet classified" items
routinely--every time you start. Two of these are related to your McAfee
antivirus (or more?) protection software.

On this boot, you either missed one of these alerts or accidentally
responded with block instead of allow--with the consequence that antivirus
protection was not in effect?

It'd be interesting to know if your system is set as McAfee would suggest
with some McAfee tool, rather than the Security Center, taking care of
monitoring whether antivirus protection is in effect or not? One vendor or
the other--either Microsoft's Security Center, or McAfee's equivalent--should
have been able to spot the blocked app and raised an alarm about the
protection not being in place, I'd hope....

These settings are found at: HKLM\software\Microsoft\Security Center--look
for the values ending in "DisableNotify" in the right pane--see if these are
zero (the default) or 1.

I think the fact that you are getting alerted for these two items at each
boot is a "beta" kind of issue--that should get fixed by the time the product
is released--however, there should be another level of backup to alert you to
the missing protection--and that would be either the Windows Security Center,
or McAfee's equivalent.

In looking up the location of these keys to quote it here, the reference I
was looking at referred to the McAfee Security Center as a "sales tool."
I'll confess to having similar thoughts about it the times I've seen it--but
perhaps there's some actual functionality that is supposed to be there as
well.
 
OK. First a clarification: The event does not happen at log on. It happens
during manual update (not McAfee auto update which uses a different process).
Since I am on dial up, I sometimes force an update manually and that
initiates a download via Internet Explorer. At the end of the process, a
McAfee clean up program, not classified or unknown, always needs to be allowed
by Defender. NO problem. THIS TIME, however, I had uninstalled VirusScan
entirely, and was forcing an update after reinstalling via CD. There were
multiple McAfee unclassifieds needing to be allowed. Apparently, somehow, one
of them was not allowed - but I did not actually block it. I guess Defender
was still waiting for a response, but I was not aware of it. THIS IS VAGUE, I
KNOW, BUT I DID NOT GET AN ALERT FROM DEFENDER, FROM WINDOWS SECURITY CENTER,
OR FROM MCAFEE SECURITY CENTER. I accidentally discovered virusscan not
enabled, when I chanced to open the McAfee Security Center to check my
firewall settings. McAfee icon should have been BLACK if VS was off, but it
was not.
I just checked in the Windows Security Center and under the notification,
status of virus protection and firewall were unchecked. I went to the HKLM
disable/notify keys for McAfee firewall and virusscan, and both have value of
1. I don't know why any of the programs did not alert on this, and it is
apparently fixed now, I hope. Should the disable/notify keys be 1 or 0?
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


 
I forgot to mention that the McAfee Virtual Technician perceived that my
McAfee icon was BLACK and proceeded to auto fix the problem. However, the
icon was actually RED and not notifying me of a problem. The auto fix did
work and enabled virusscan and activeshield.
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


 
Here are the McAfee program files needing to be allowed each time they run:
mcmnhdlr.exe (task scheduler); mcappins.exe (clean up), and vsoupd.dll
(which I believe is a driver, Nai AV Filter 101 shown in the event viewer).
The vsoupd.dll is the one that is not normally present with a regular update.
The event viewer showed normal WinDefend alerts to these, plus multiple
WinDefend alerts to SDDM12. There are also multiple Service Control Manager
error messages regarding SDDM12: Service failed to start due to the following
error - the system cannot find the file specified. I understand partially,
not completely.
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


 
(having some trouble with incredibly slow response from the HTML servers, and
also messages not synching in a timely way to the NNTP side where I normally
live.)

My understanding of the registry settings you have is that they turn off
notification by the Windows Security Center--this would be the standard
recommendation of both McAfee and Symantec--but I can't recall how they
phrase it--not in those terms, certainly.

Having read on--it looks like McAfee's security center knew the ball was in
its court, but didn't function properly--you weren't alerted to the lack of
protection.


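The registry check discussed in this thread (values ending in "DisableNotify" under HKLM\software\Microsoft\Security Center), as an added example that is not part of any poster's message: it parses `reg query` text output and lists which Security Center notifications are switched off. The sample output and the value names in it are constructed, and the reading of the values (0 is the default, 1 turns the notification off) follows the posts above.

```python
import re
import subprocess
import sys

# Key path as given in the thread.
SECURITY_CENTER_KEY = r"HKLM\software\Microsoft\Security Center"

# Constructed sample of `reg query` output (not taken from any poster's machine).
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\software\Microsoft\Security Center
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallDisableNotify    REG_DWORD    0x1
    UpdatesDisableNotify    REG_DWORD    0x0
    AntiVirusOverride    REG_DWORD    0x0
"""

# A value line is indented: <name> <REG_TYPE> <data>, separated by tabs or spaces.
# The key header line starts in column 0 and is therefore skipped.
_VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$"
)


def parse_reg_query(text):
    """Return {value_name: (type, data)} from `reg query` text output."""
    values = {}
    for line in text.splitlines():
        match = _VALUE_LINE.match(line)
        if match:
            values[match["name"]] = (match["type"], match["data"].strip())
    return values


def notify_settings(values):
    """Return {name: int} for DWORD values whose name ends in 'DisableNotify'."""
    settings = {}
    for name, (reg_type, data) in values.items():
        if reg_type == "REG_DWORD" and name.lower().endswith("disablenotify"):
            settings[name] = int(data, 16)  # reg prints DWORDs as 0x...
    return settings


def suppressed(settings):
    """Names of the notifications that are switched off (value is not 0).

    Per the thread: 0 is the default, 1 turns the Security Center
    notification off.
    """
    return sorted(name for name, value in settings.items() if value != 0)


def query_live():
    """Run `reg query` against the key; only meaningful on Windows."""
    result = subprocess.run(
        ["reg", "query", SECURITY_CENTER_KEY],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    text = query_live() if sys.platform == "win32" else SAMPLE_OUTPUT
    settings = notify_settings(parse_reg_query(text))
    for name, value in sorted(settings.items()):
        state = "notification off" if value else "notification on (default)"
        print(f"{name} = {value}: {state}")
    if suppressed(settings):
        print("Security Center will not raise these alerts; "
              "another product has to.")
```
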
 
I spent some time googling about SDDM12. Is this a Dell system, with some
Dell management bits installed?

I didn't find anything I could declare as authoritative, but I did find some
users who simply uninstalled SDDM12 from someplace--and eliminated the error
that way.

So--I'm not sure the SDDM12 messages are directly related to the McAfee
incident.






Old Rebel said:
Here are the McAfee program files needing to be allowed each time they run:
mcmnhdlr.exe (task scheculer); mcappins.exe (clean up), and vsoupd.dll
(which I believe is a driver, Nai AV Filter 101 show in the event viewer).
The vsoupd.sll is the one that is not normally present with a regular update.
The event viewer showed normal WinDefend alerts to these, plus multiple
WindDefend alerts to SDDM12. There are also multiple Service Control Manager
error messages regarding SDDM12: Service failed to start due to the following
errorr - the system cannot find the file specified. I understand partially,
not completely.
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


Bill Sanderson said:
OK - here's the post that I was thinking of:

I've got more to say--after the quoted post.

---
From: "Mike Chan [MSFT]" <>
Subject: Re: Problems with Windows Defender
Date: Mon, 6 Mar 2006 14:23:28 -0800
Newsgroups: microsoft.private.security.spyware.general

I think that the new UI will just take some getting used to.

Remember, "ignore" really means "ignore for this session" or "ask me
later" - to never be prompted again, you have to select "Always ignore"

If you do not want to be notified of "unclassified" changes, you will want
to go into Tool->General Settings and uncheck the "Warn on items not yet
classified" (you may have to scroll down). BTW - by default, if you are an
advanced memeber, you will get alerts from "unknowns" while if you are a
basic memeber, you will not. You can override this configuration by going
into the General Settings and checking (or unchecking) your preference.

On this pane, you can also add directories to not scan (if you have things
like VNC that you use, but know is good)

Software Explorer and browser hijacks are also still in the product,
contrary to popular belief =)

Select "Tools"->"Software Explorer" and you should see an improved product
here.

Mike
--
Mike Chan [MSFT]
Technical Product Manager
Windows Defender

This posting provided "AS IS" with no warranties, and confers no rights.
--

So--what happened, in your case? Let me see if I have things straight? At
startup, you get alerts to some "unknown" or "not yet classified" items
routinely--every time you start. Two of these are related to your McAfee
antivirus (or more?) protection software.

On this boot, you either missed one of these alerts or accidentally
responded with block instead of allow--with the consequence that antivirus
protection was not in effect?

It'd be interesting to know if your system is set as McAfee would suggest
with some McAfee tool, rather than the Security Center, taking care of
monitoring whether antivirus protection is in effect or not? One vendor or
the other--either Microsoft's Security Center, or McAfee's equivalent--should
have been able to spot the blocked app and raised an alarm about the
protection not being in place, I'd hope....

These settings are found at:HKLM\software\Microsoft\Security Center--look
for the values ending in "DisableNotify" in the right pane-see if these are
zero (the default) or 1.

I think the fact that you are getting alerted for these two items at each
boot is a "beta" kind of issue--that should get fixed by the time the product
is released--however, there should be another level of backup to alert you to
the missing protection--and that would be either the Windows Security Center,
or McAfee's equivalent.

In looking up the location of these keys to quote it here, the reference I
was looking at referred to the McAfee Security Center as a "sales tool."
I'll confess to having similar thoughts about it the times I've seen it--but
perhaps there's some actual functionality that is supposed to be there as
well.


Old Rebel said:
Hi Bill,
I hope you are right because this issue can create serious problems. For
example: I had to do a reinstall of McAfee VirusScan. Afer reinstall and
updating, there were a couple of McAfee auto run programs (classified
unknown) that needed to be allowed by Defender. I am used to doing that and
thought I had "allowed" both of them - but there was a glitch and one did not
get allowed. It wan't until about 30 minutes later that I realized VirusScan
was disabled. I had to navigate to McAfee support Virutal Technician to
correct the problem and activate Activeshield. This was quite unusual and I
don't know exactly what happened, but Defender's "not allowing" had a part in
it. I was "surfing naked" and did not know it!!! Running the Virtual Tech
prompted Defender to alert me again, and I successfully "allowed" the item.
Then all was OK. And in this case, I had not "blocked," only not
successfully "allowed." If I had blocked by accident, there is no way to undo
that from the "history" page in Defender. You have to know how to recreate
the event so you can subsequently "allow." PITA!!!
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


:

I would read these as "per run" blocking--I don't believe you can set a
permanent block from the real-time detections, or against an unknown.

--

In Defender (Beta 2) if the program encounters an unknown program, it will
give the user the option of blocking the unknown program, or allowing it. I
have blocked two such unknown programs, but there seems to be no feature that
will allow for the unblocking and "allowing" of these programs should I
change my mind. Does anybody have any solutions?
 
Yes, it is a Dell Dimension 3000 with Dell Support 3.1 (Gteko) installed. I
have removed some Dell components (mywaysearch assistant, Dell cybercoach)
but Dell is deep in this machine, which also has Dell PC restore in a hidden
partition.
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


Bill Sanderson said:
I spent some time googling about SDDM12. Is this a Dell system, with some
Dell management bits installed?

I didn't find anything I could declare as authoritative, but I did find some
users who simply uninstalled SDDM12 from someplace--and eliminated the error
that way.

So--I'm not sure the SDDM12 messages are directly related to the McAfee
incident.






Old Rebel said:
Here are the McAfee program files needing to be allowed each time they run:
mcmnhdlr.exe (task scheduler); mcappins.exe (clean up), and vsoupd.dll
(which I believe is a driver, Nai AV Filter 101 shown in the event viewer).
The vsoupd.dll is the one that is not normally present with a regular update.
The event viewer showed normal WinDefend alerts to these, plus multiple
WinDefend alerts to SDDM12. There are also multiple Service Control Manager
error messages regarding SDDM12: Service failed to start due to the following
error - the system cannot find the file specified. I understand partially,
not completely.
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


Bill Sanderson said:
OK - here's the post that I was thinking of:

I've got more to say--after the quoted post.

---
From: "Mike Chan [MSFT]" <>
Subject: Re: Problems with Windows Defender
Date: Mon, 6 Mar 2006 14:23:28 -0800
Newsgroups: microsoft.private.security.spyware.general

I think that the new UI will just take some getting used to.

Remember, "ignore" really means "ignore for this session" or "ask me
later" - to never be prompted again, you have to select "Always ignore"

If you do not want to be notified of "unclassified" changes, you will want
to go into Tool->General Settings and uncheck the "Warn on items not yet
classified" (you may have to scroll down). BTW - by default, if you are an
advanced member, you will get alerts from "unknowns" while if you are a
basic member, you will not. You can override this configuration by going
into the General Settings and checking (or unchecking) your preference.

On this pane, you can also add directories to not scan (if you have things
like VNC that you use, but know is good)

Software Explorer and browser hijacks are also still in the product,
contrary to popular belief =)

Select "Tools"->"Software Explorer" and you should see an improved product
here.

Mike
--
Mike Chan [MSFT]
Technical Product Manager
Windows Defender

This posting provided "AS IS" with no warranties, and confers no rights.
--

So--what happened, in your case? Let me see if I have things straight? At
startup, you get alerts to some "unknown" or "not yet classified" items
routinely--every time you start. Two of these are related to your McAfee
antivirus (or more?) protection software.

On this boot, you either missed one of these alerts or accidentally
responded with block instead of allow--with the consequence that antivirus
protection was not in effect?

It'd be interesting to know if your system is set as McAfee would suggest
with some McAfee tool, rather than the Security Center, taking care of
monitoring whether antivirus protection is in effect or not? One vendor or
the other--either Microsoft's Security Center, or McAfee's equivalent--should
have been able to spot the blocked app and raised an alarm about the
protection not being in place, I'd hope....

These settings are found at: HKLM\software\Microsoft\Security Center--look
for the values ending in "DisableNotify" in the right pane--see if these are
zero (the default) or 1.

I think the fact that you are getting alerted for these two items at each
boot is a "beta" kind of issue--that should get fixed by the time the product
is released--however, there should be another level of backup to alert you to
the missing protection--and that would be either the Windows Security Center,
or McAfee's equivalent.

In looking up the location of these keys to quote it here, the reference I
was looking at referred to the McAfee Security Center as a "sales tool."
I'll confess to having similar thoughts about it the times I've seen it--but
perhaps there's some actual functionality that is supposed to be there as
well.


:

Hi Bill,
I hope you are right because this issue can create serious problems. For
example: I had to do a reinstall of McAfee VirusScan. After reinstall and
updating, there were a couple of McAfee auto run programs (classified
unknown) that needed to be allowed by Defender. I am used to doing that and
thought I had "allowed" both of them - but there was a glitch and one did not
get allowed. It wasn't until about 30 minutes later that I realized VirusScan
was disabled. I had to navigate to McAfee support Virtual Technician to
correct the problem and activate Activeshield. This was quite unusual and I
don't know exactly what happened, but Defender's "not allowing" had a part in
it. I was "surfing naked" and did not know it!!! Running the Virtual Tech
prompted Defender to alert me again, and I successfully "allowed" the item.
Then all was OK. And in this case, I had not "blocked," only not
successfully "allowed." If I had blocked by accident, there is no way to undo
that from the "history" page in Defender. You have to know how to recreate
the event so you can subsequently "allow." PITA!!!
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


:

I would read these as "per run" blocking--I don't believe you can set a
permanent block from the real-time detections, or against an unknown.

--

In Defender (Beta 2) if the program encounters an unknown program, it will
give the user the option of blocking the unknown program, or allowing it. I
have blocked two such unknown programs, but there seems to be no feature that
will allow for the unblocking and "allowing" of these programs should I
change my mind. Does anybody have any solutions?
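
Added example, not part of any post in the thread: a PowerShell check of the Security Center key mentioned above, listing every value whose name ends in "DisableNotify" and flagging any that is not zero (the default, per the thread). The function name and output columns are made up for this illustration, and reading a nonzero value as "alerts suppressed" is an assumption drawn from the value names.

```powershell
# Added example: inspect the Security Center "*DisableNotify" values.
# Run in PowerShell 3.0 or later on the machine being checked.
$SecurityCenterKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'

function Get-DisableNotifyState {
    # Hypothetical helper name; returns one object per matching registry value.
    param([string]$Path = $SecurityCenterKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }

    # Registry values surface as properties on the object Get-ItemProperty returns.
    $values = (Get-ItemProperty -LiteralPath $Path).PSObject.Properties |
        Where-Object { $_.Name -like '*DisableNotify' }

    foreach ($v in $values) {
        [pscustomobject]@{
            Name     = $v.Name
            Value    = $v.Value
            # Assumption: 0 is the default (alerts on); anything else suppresses alerts.
            Alerting = if ($v.Value -eq 0) { 'on (default)' } else { 'suppressed' }
        }
    }
}

$state = @(Get-DisableNotifyState)
if ($state.Count -eq 0) {
    Write-Output 'No values ending in DisableNotify were found under the key.'
} else {
    $state | Format-Table -AutoSize
    $suppressed = @($state | Where-Object { $_.Value -ne 0 })
    if ($suppressed.Count -gt 0) {
        $names = $suppressed.Name -join ', '
        Write-Warning "Security Center alerts are suppressed for: $names"
    }
}
```

A warning here means the Windows Security Center would stay silent about that category, which matters if no vendor tool is monitoring protection status in its place.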
 