Windows Defender Folder Exclude

Windows 10 Updates change the way Windows works. Not only does the entire Operating System change from time to time, but the various components upgrade in between. Windows Defender was recently updated. This update (March 2020) has changed the way Defender behaves.

We have previously written on why it is necessary to set folder exclusions and how to do so. That post can be found here.

The current procedure is hidden, but follows the same basic pattern.

NOTE: Accessing the Defender menu through the Control Panel does not work. The option for exclusion is not available there.

  • Start by finding the Defender shield icon in the icon tray
  • Scroll down to Virus & threat protection settings
    • Click Manage Settings
      • Scroll down to Exclusions
      • Click Add or remove exclusions
        • Click the + button to Add an exclusion, and select Folder

Browse to locate the folder to be excluded. For a standard installation this should be the local c:\Dynamic folder.
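The same exclusion can be set and checked from an elevated PowerShell session with the Defender cmdlets. This is an added example, not code from Dynamic; the default path is the standard c:\Dynamic folder named above, and the drive-root guard is an extra check added here.

```powershell
# Added example, not Dynamic's own code: add and verify a Defender folder exclusion.
param(
    [string]$Folder = 'C:\Dynamic'   # standard install folder named on this page
)

# Defender preferences can only be changed from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

# A mistyped path would create a rule that protects nothing, so require a real folder.
if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}
$resolved = (Resolve-Path -LiteralPath $Folder).ProviderPath.TrimEnd('\')

# Extra guard added for this example: never exclude an entire drive.
if ($resolved -match '^[A-Za-z]:$') {
    throw "Refusing to exclude a whole drive: $Folder"
}

function Get-ExclusionPath {
    # ExclusionPath is $null when no folder exclusions are configured.
    @((Get-MpPreference).ExclusionPath) | Where-Object { $_ }
}

if ((Get-ExclusionPath) -contains $resolved) {      # -contains ignores case
    Write-Host "Already excluded: $resolved"
} else {
    Add-MpPreference -ExclusionPath $resolved       # appends; existing entries are kept
    Write-Host "Added exclusion: $resolved"
}

# Read the setting back rather than assuming the change took effect.
$after = @(Get-ExclusionPath)
if ($after -notcontains $resolved) {
    throw "Exclusion for $resolved is not present after Add-MpPreference."
}
Write-Host 'Folder exclusions now in effect:'
$after | ForEach-Object { Write-Host "  $_" }
```

Reviewing the printed list also shows any older exclusions that are no longer needed.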

Dynamic

How to Exclude your Dynamic from Virus Scan

We have written before about the different reasons why Dynamic may get flagged as a false positive on virus scans. Few things can be as annoying as coming back to your work computer and finding that your shortcut has disappeared because an anti-virus application decided your software is not safe for you to use.

Dynamic has certain built-in features which can trigger anti-virus software diagnostics to make false positive matches.  These include:

  • Quick Update – Dynamic makes it easy for users to update their software over the internet. This is a great time-saving feature, and guarantees that the most recent update is only a click away, without relying on specialized IT support.  However, anti-virus software designers tend to take a dim view of software with download capabilities.  The zip file (it’s always a zip file) is described as a “payload” and because it originates on the internet, automatically defined as malicious. Well, it’s not.
  • Bundled file distribution – Dynamic applications act like self-extracting zip files, containing everything they need to go operational immediately.  This means that when you run a Dynamic executable file in a folder, it will immediately create any missing files, such as the DLLs (dynamic link libraries) used to supply run-time functionality.  This feature allows smaller and faster updates, and only writes to the local folder. Much the same as with the Quick Update feature, anti-virus software designers unfortunately tend to take a dim view of software with self-extracting capabilities.  These files are extracted silently in the background. And only to the local folder.
  • Microsoft Windows Outlook integration – Dynamic provides Microsoft Outlook integration.  Dynamic sends email through Outlook.  The local user gets to use their own primary email account as the Dynamic sender account. Outgoing mail can be seen in the Outbox and Sent Items. Again, anti-virus software designers tend to take a dim view of software with Outlook integration capabilities. This is typically flagged as MachineLearning. 🙂
  • PDF document generation creates new content. Client billing documents, such as invoices, are generated at a speed of approximately one every 3 seconds. These documents are written to the %documents% folder. However, certain anti-virus software considers this malicious activity and blocks the creation of the PDF.

AVAST Anti-virus interferes with file creation

Dynamic installs into a single folder, typically c:\Dynamic\mylawfirm, and installs its required files and folders here.  Specifically, no registry keys are written or read.

It should be noted that a common threat detection mechanism is to scan for files which did not originate on the local computer.  This is done by scanning the “data stream” of each file. As Dynamic software is internet delivered, it is a telltale sign that the files are indeed foreign. But not malicious.
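Assuming the “data stream” referred to here is the NTFS Zone.Identifier alternate data stream that Windows attaches to downloaded files, the following added example (not Dynamic's code) lists which files under the install folder carry it and which zone they record. The default path is the standard c:\Dynamic folder.

```powershell
# Added example, not Dynamic's own code: report files carrying a Zone.Identifier stream.
param(
    [string]$Folder = 'C:\Dynamic'   # standard install folder named on this page
)

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}

# Standard Windows URL security zones as recorded in the ZoneId field.
$zoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

$report = @(foreach ($file in Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue) {
    # Files created locally have no Zone.Identifier stream; skip them.
    $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { continue }

    # The stream is a small INI-style text block containing a ZoneId=<n> line.
    $text   = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw
    $zoneId = if ($text -match '(?m)^ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
    $zone   = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }

    [pscustomobject]@{
        ZoneId = $zoneId
        Zone   = $zone
        File   = $file.FullName
    }
})

$report | Sort-Object ZoneId -Descending | Format-Table -AutoSize
Write-Host ("{0} file(s) under {1} carry a Zone.Identifier stream." -f $report.Count, $Folder)
```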

Once operational, Dynamic creates folders for each matter in the Documents user folder. Again no registry keys are written or read.

Windows Defender False Positive

Note that this screen grab shows the same target, identified by Windows Defender as three different threats.

Add an exclusion to Windows Security

Set Windows Defender Exclusions

Since May 2019 we have noticed increased instances of false positive detection by Windows Defender. This coincides with Windows 10 Updates.

Other anti-virus applications that are known to react very harshly to our products include Kaspersky, Norton, Avira and Avast. Please set exceptions. Do not Quarantine or Delete, just Allow Always.

We have taken remedial action to safeguard the relevant modules.  This seems to make Windows Defender happy and has reduced the number of false positive hits.  Users are encouraged to use the Quick Update feature and use at least version 2.0.1.76.

Our software is scanned by Eset’s Nod32 and Malwarebytes prior to release.

https://www.eset.com/

https://www.malwarebytes.com/

If you do have problems, we would like to hear from you.

-Dynamic

Why is DynamicLTA detected as virus / malware by antivirus software?

Panda Antivirus False Positive

Antivirus and anti-malware software are essentials to protect our computers against malicious software attacks.

Firewalls protect us from unauthorized internet-based access.

DynamicLTA consists of two portions.  The actual software and the database.

The database is an on-disk file that just houses the data.  The software is the front end that the user sees.  The software continuously reads and writes to the database.  It is this series of read-and-write processes which the anti-virus software detects and flags as suspicious and typical of virus or malicious software.

False Positive

This result, where good software is incorrectly identified as bad, is called a False Positive.  The test result is positive, meaning it has identified a problem, but that test result is false.  We want to keep this good software and do not agree that the match is in fact positive.  That is why this match is called a false positive.

If it is any relief, other accounting systems that use this type of data read, modify and write cycle are subject to the same scrutiny by anti-virus products.

Usually, the solution is NOT to quarantine, isolate, delete or remove the files in question.

The problem can be neutralized by setting the scanner to exclude the software folder.

The only reliable solution is to set an Exclusion on the Dynamic folder.

Each anti-virus has its own specific mechanism for Excluding files and folders from further scrutiny.  Select the Exclusion folder for Dynamic and you should be good to go.

In this example a “c:\dynamic” folder hosts the DynamicLTA installation inside the “fastcar” subfolder. By excluding the dynamic folder, all sub-folders, where the dLTA.EXE application and data are located, are excluded.

-Dynamic