We've come across an issue with AppLocker blocking a Windows Defender executable on some of our endpoints, specifically the file located at %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.25090.3009-0\MPEXTMS.EXE. This file serves as the Browser Protection Native Messaging Host, which seems crucial for Defender's web protection capabilities. While I'm okay with allowing this particular file, it raises a larger question: what are the recommended paths or publishers we should whitelist in AppLocker to ensure Windows Defender operates effectively? I've looked for official guidance but haven't found any. I'm worried about possible gaps in Defender's coverage, so any advice or shared experiences would be incredibly helpful.
1 Answer
You should definitely allow the "%OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER" path. It's safe since users can't write to it, and whitelisting it prevents AppLocker from disrupting Defender's functionalities. While I don't have an official reference for this, you can check out a script related to AaronLocker which mentions it. The script guides you on allowing directories that aren't writable by users to maintain security without compromising functionality, which could be beneficial if you're looking for best practices.

Thanks for the tip! I'll look into the AaronLocker script!
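As an added example (not code from the thread or from AaronLocker), the check the answer relies on, in PowerShell: confirm the Defender ProgramData directory is not writable by standard users, then build the AppLocker path rule and dry-run it against the blocked binary before merging it into the local policy. The temporary policy file name, the rule GUID and the use of the Everyone SID (S-1-1-0) are this example's assumptions.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# on a test machine. A path rule is only safe when non-admins cannot write to
# the path, so the ACL check comes first.

$defenderDir  = Join-Path $env:ProgramData 'Microsoft\Windows Defender'
$sampleBinary = Get-ChildItem -Path (Join-Path $defenderDir 'Platform') -Recurse `
                    -Filter 'MpExtMs.exe' -ErrorAction SilentlyContinue | Select-Object -First 1

# 1. Flag any Allow ACE that grants write-type rights to broad principals.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
$risky = (Get-Acl -Path $defenderDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $writeRights) -ne 0
}
if ($risky) {
    Write-Warning "User-writable ACEs on $defenderDir; a path rule here would let users run anything they drop there:"
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    Write-Host "OK: no broad write access on $defenderDir; a path rule is acceptable."
}

# 2. Build the AppLocker path rule as a policy fragment (constructed for this example).
#    EnforcementMode=NotConfigured keeps the existing enforcement setting on merge.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows Defender platform (ProgramData)"
                  Description="Defender platform binaries; directory is not user-writable"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\ProgramData\Microsoft\Windows Defender\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'defender-applocker.xml'   # assumed file name
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# 3. Dry-run the rule against the binary that was being blocked.
if ($sampleBinary) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sampleBinary.FullName -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Merge into the local policy only after step 1 reported no write access:
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

The same ACL check can be pointed at any other directory you intend to allow by path; AaronLocker's scripts automate that survey across the whole system.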