[Tutorial] Problems with Windows Defender under Windows 10

Post by John_Ha » Tue Mar 26, 2019 1:26 pm

Windows 10 has introduced Windows Defender and many W10 users seem to be finding it causes problems with AOO and LO where they cannot save their files, or where AOO/LO hang and are unresponsive when they attempt to do a Save.

I think the problem is probably caused by the Controlled Folder Access component of Windows Defender Advanced Threat Protection.

 Edit: I have been able to confirm this with Windows 10.

On a laptop where Windows 10 was installed I went START > Settings > Update and security > Windows security > Virus and threat protection > Ransomware protection. I found that Controlled Folder Access was OFF by default. AOO worked.

When I switched Controlled folder access to ON, AOO was unable to save a file to the desktop. File > Save As ..., gave an error message as below.

[Image: error.gif]

I then tried to add C:\Program Files (x86)\OpenOffice 4\program\soffice.bin which is the required file by clicking Allow an app through controlled folder access. I was taken to a navigator screen but the navigator would only show me .exe and .com files and I could not see soffice.bin. I was therefore unable to add soffice.bin. *!@~*!# Microsoft yet again!

If you want AOO / LO to work, either disable Controlled folder access or add soffice.bin manually with a PowerShell cmdlet as described below.


See Microsoft's Customize controlled folder access which says:

Applies to: Windows Defender Advanced Threat Protection (Windows Defender ATP)

Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
...
Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.

It goes on to say:

Allow specific apps to make changes to controlled folders

You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.

Important: By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. [This is where we need to add AOO and LO.]

You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders.

When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.

The link goes on to describe how to add the program C:\apps\test.exe to the list of acceptable programs in Windows Defender which gives the program authority to write data to the disk. A standard installation of AOO requires adding C:\Program Files (x86)\OpenOffice 4\program\soffice.bin while a standard installation of LO requires adding C:\Program Files\LibreOffice\program\soffice.bin.

Use the Windows Defender Security app to allow specific apps

Note: We now know that this will not work because the navigator at Step 4 only allows you to search for .exe and .com files, and you need to add soffice.bin. You cannot see soffice.bin. See below for how to do it manually.

1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for Defender.

2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then click Ransomware protection.

3. Under the Controlled folder access section, click Allow an app through Controlled folder access.

4. Click Add an allowed app and follow the prompts to add apps.

[Image: cfa-allow-app.png]


Edit: It has now been reported that using PowerShell as below to add the soffice.bin file to controlled folder access does not fix it and the only solution is to turn off Controlled Folder Access.

This can also be done as a command as described in Use PowerShell to allow specific apps.

1. Type powershell in the Start menu > right click Windows PowerShell > click Run as administrator

2. Enter the following cmdlet for AOO

Code:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files (x86)\OpenOffice 4\program\soffice.bin"

and the following cmdlet for LO

Code:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\LibreOffice\program\soffice.bin"

3. AOO's C:\Program Files (x86)\OpenOffice 4\program\soffice.bin and/or LO's C:\Program Files\LibreOffice\program\soffice.bin will now be allowed to access folders.

Note: If you are unable to add soffice.bin using the cmdlets above then you have no option other than to disable Controlled Folder Access by going START > Settings > Update and security > Windows security > Virus and threat protection > Ransomware protection. Set Controlled Folder Access to OFF.

The image below shows adding C:\apps\test.exe.

[Image: Clipboard01.gif]

Do I also need to add the other .exe files like swriter.exe, scalc.exe, simpress.exe and soffice.exe etc?

No. swriter.exe (and scalc.exe, simpress.exe etc) are the programs which build the screen you see and which accept what you enter and create the document you are working on. When you want to save your work, the program swriter.exe (or scalc.exe, simpress.exe etc) invokes soffice.bin to write to the disk. Hence only soffice.bin needs permission to write to disk.
AOO 4.1.6, Windows 7 Home 64 bit

John_Ha
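
To check whether an allow-list entry added with Add-MpPreference was actually recorded, and to see which executable Controlled folder access is really blocking, the following read-only script can be run in an elevated PowerShell. It is an added example, not part of the original post or of Microsoft's documentation; it assumes the standard install paths given above and the Windows Defender operational log, where event 1123 records a blocked write and 1124 an audited one.

```powershell
# Added example (not from the original post): read-only check of Controlled folder access.
# Run in an elevated PowerShell. Paths are the standard install locations named above.
$officeBins = @(
    'C:\Program Files (x86)\OpenOffice 4\program\soffice.bin',   # AOO
    'C:\Program Files\LibreOffice\program\soffice.bin'           # LO
)

$pref    = Get-MpPreference
$allowed = @($pref.ControlledFolderAccessAllowedApplications)

# 0 = disabled, 1 = enabled (block), 2 = audit mode
"Controlled folder access state: $($pref.EnableControlledFolderAccess)"

$report = foreach ($bin in $officeBins) {
    if (-not (Test-Path -LiteralPath $bin)) { continue }   # suite not installed here
    [pscustomobject]@{
        Path        = $bin
        # -contains compares case-insensitively, matching Windows path semantics
        InAllowList = $allowed -contains $bin
        # Evidence for the "verify their trustworthiness" step before allowing
        Signature   = (Get-AuthenticodeSignature -LiteralPath $bin).Status
        SHA256      = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
    }
}
$report | Format-List | Out-String

# Event 1123 = write blocked, 1124 = write that audit mode would have blocked
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, Id, Message |
    Format-List | Out-String
```

The Message text of each event names the process and the protected folder involved, so it shows whether the blocked executable is the one that was added to the allow list.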