MS Windows Defender & DeCSS Part II

Mutated / Changed Definition

Windows Defender DeCSS Quarantine on 07/23/2021

MS Windows Defender now sees the same file under a different definition: Trojan:Win32/Orsam!rts.

The definition of the new threat? "This is a generic detection, which means we use this name for a large number of trojans."

Again, this is the same copy of DeCSS. Nothing has changed.

Microsoft Defender still ignoring exception lists

Perhaps more important, the whitelist or exceptions did not work.

Windows Defender Existing Whitelist Exceptions

As of 7/20/2021 I set an exception for the whole \Programs folder on the Z: drive (SMB share). I also set a specific exception for the DeCSS program. As of 7/23/2021 Defender ignored both whitelist items and still quarantined the file, followed by immediate deletion.
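To see whether a quarantined file actually fell under a configured exclusion, the following added PowerShell script (not part of the original post) lists Defender's path exclusions and matches them against the resource paths of recent detections. It assumes the Defender module cmdlets Get-MpPreference, Get-MpThreatDetection and Get-MpThreat, assumes detection resources carry a "file:_" prefix, and does plain case-insensitive prefix matching rather than Defender's own wildcard rules; run it elevated.

```powershell
# Added example: cross-check Defender detections against configured path exclusions.
# A row with Excluded = True means the file sat under an exclusion and was detected anyway.
param(
    [int]$Days = 7   # how far back to look at detections
)

# Configured path exclusions (drop empty entries so string methods do not fail).
$exclusions = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
Write-Host "Configured path exclusions ($($exclusions.Count)):"
$exclusions | ForEach-Object { Write-Host "  $_" }

# Map ThreatID -> ThreatName so the output is readable (e.g. Trojan:Win32/Orsam!rts).
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

$since = (Get-Date).AddDays(-$Days)

Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since } |
    ForEach-Object {
        $det = $_
        foreach ($res in $det.Resources) {
            # Assumption: resources are formatted like "file:_Z:\Programs\DeCSS\DeCSS.exe".
            $path = $res -replace '^file:_', ''
            # Prefix match only: an exclusion of Z:\Programs covers Z:\Programs\DeCSS\...
            $covered = $exclusions | Where-Object {
                $path.StartsWith($_.TrimEnd('\'), [System.StringComparison]::OrdinalIgnoreCase)
            }
            [pscustomobject]@{
                Detected = $det.InitialDetectionTime
                Threat   = $names[$det.ThreatID]
                Path     = $path
                Excluded = [bool]$covered
            }
        }
    } | Format-Table -AutoSize
```

Exclusions entered as a mapped drive letter are compared literally here, so a detection reported under a UNC path for the same share will show as not excluded.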

As before, mpcmdrun -restore -all -Path D:\temp is required to retrieve the file from quarantine into a local dump folder, as Defender still does not restore files to SMB shares.