I noticed something strange with Windows Defender on my personal computer. Under the Exclusions section, there are multiple paths listed that I definitely didn't add:
- C:\Windows\System32\certutil.exe
- C:\Windows\System32\cmd.exe
- C:\Windows\Temp\csat\AD\csat.exe
- C:\Windows\Temp\csat\AD\csat_dwnldr.exe
- C:\Windows\Temp\csat\cmd.exe
- C:\Windows\Temp\csat\csat.exe
- C:\Windows\Temp\csat\csat_dwnldr.exe
I tried removing these exclusions through the Windows Security user interface, but it didn't allow me to. I then attempted to use PowerShell with the Remove-MpPreference command while running as an administrator, but the exclusions remained unchanged. The only time I could successfully remove them was through the Registry Editor, where I deleted them from the Defender-related policy keys. However, as soon as I rebooted my PC, all those exclusions came back!
For additional context, my account is an Administrator account, Tamper Protection is off and cannot be toggled, I've performed a Microsoft Defender Offline scan that didn't provide any useful information, and I'm a beginner with all this tech stuff.
I'm concerned about whether my PC might be compromised or being controlled by malware. Should I consider using different antivirus software? What steps should I take next?
3 Answers
It seems like you might have exclusions set through a Group Policy Object (GPO). You can verify this by running the command 'gpresult /H output.html' in an elevated command prompt. This will create a report of the Group Policies in effect. If the exclusions are from a GPO, the report will tell you which one is responsible. If you want to look it up more easily without generating a report, you might want to consult Microsoft's documentation on managing exclusions.
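As an added diagnostic (not part of this answer or of any Microsoft tooling): a PowerShell script that lists the exclusions Defender reports as effective next to the two registry locations they can come from, so a policy-enforced entry (which the Windows Security UI and Remove-MpPreference cannot remove) is distinguishable from a locally set one, and then runs the gpresult report described above. It assumes an elevated PowerShell on Windows 10/11 with the Defender module available; the report file name under $env:TEMP is an assumption.

```powershell
# Added example: where do Defender's exclusions come from?
# Run from an elevated PowerShell session.

# 1. What Defender itself currently enforces
"Effective exclusions reported by Defender:"
(Get-MpPreference).ExclusionPath | ForEach-Object { "  $_" }

# 2. Locally configured exclusions: editable via the UI / Remove-MpPreference
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
# 3. Policy-enforced exclusions: written by GPO/MDM and re-applied at every
#    policy refresh, which is why deleting them by hand does not stick
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'

# Under these keys each excluded path is stored as a VALUE NAME (data = 0),
# so we list the value names and drop the provider's own PS* properties.
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-ExclusionSource {
    param([string]$Key, [string]$Label)
    if (-not (Test-Path $Key)) { "${Label}: key absent (no entries)"; return }
    $names = (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps } |
        Select-Object -ExpandProperty Name
    "${Label}: $(@($names).Count) entries"
    $names | ForEach-Object { "  $_" }
}

Get-ExclusionSource -Key $localKey  -Label 'Local  (HKLM\SOFTWARE\Microsoft)'
Get-ExclusionSource -Key $policyKey -Label 'Policy (HKLM\SOFTWARE\Policies)'

# 4. Anything under the Policy key was pushed by a policy; identify it.
if (Test-Path $policyKey) {
    $report = Join-Path $env:TEMP 'gpresult.html'   # assumed output location
    "Policy-backed exclusions present; writing Group Policy report to $report"
    gpresult /H $report /F
    "Open the report and look for the 'Microsoft Defender Antivirus' section."
    # A work/school (Azure AD / MDM) enrollment is another source of policy:
    "Device join / MDM state:"
    dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|WorkplaceJoined|MdmUrl'
}
```

If the Policy key is empty and gpresult shows no Defender settings, the entries are local and should be removable with Remove-MpPreference; if they sit under the Policy key, fix the policy source rather than the registry.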
Check to see if your device is connected to a work or school account. You can easily search for "work" in your start menu to find management options. I recommend checking this out, as it could clarify why those exclusions are set.
It sounds like your computer might be managed by a work or school account, especially if you logged in with your school email at any point. Have you done that? If you installed software like the Respondus Lockdown Browser for exams, that could be the reason those exclusions are being set. If that's the case, you might not need to worry too much about malware, but it could be a good idea to leave those settings alone. Just keep an eye on your PC to be safe.