Summary
We have enabled Controlled Folder Access (CFA) and now Windows Defender is telling us that the agent is trying to modify files. Why is this?
Cause
As per Microsoft:
Controlled Folder Access in Windows Security reviews the apps that can make changes to files in protected folders. Occasionally, an app that is safe to use will be identified as harmful.
This is a false detection caused by the new CFA feature found in recent versions of Windows Defender (Windows 10 and Windows Server 2016). Because the FNMS agent must run on multiple versions of Windows where CFA may or may not be present, the way the agent requests access and scans a machine can be seen as malicious activity by such a feature.
Resolution
Add the agent to the list of CFA exclusions or turn off CFA. The instructions to perform this are available via the Microsoft link in the Additional Information section of this KB.
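One way to apply the exclusion from PowerShell, shown as an added example that is not part of the original KB or the vendor's own tooling. The executable path is a placeholder, because this article does not list the agent's binaries; take the real paths from the Defender notification or from the CFA block events (ID 1123) that the script lists.

```powershell
# Added example. Run in an elevated PowerShell session on the affected machine.
# PLACEHOLDER: replace with the agent executables that Defender reported.
# This KB does not list them, so none are assumed here.
$AgentExecutables = @('<full-path-to-agent-executable>')

# 1. Current CFA mode: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
$pref = Get-MpPreference
"CFA mode: $($pref.EnableControlledFolderAccess)"

# 2. Recent CFA block events (ID 1123). Review the messages to confirm which
#    executable was blocked before allowing anything.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# 3. Allow only the reviewed executables, skipping entries already present.
$allowed = @($pref.ControlledFolderAccessAllowedApplications)
foreach ($exe in $AgentExecutables) {
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        Write-Warning "Skipping '$exe': file not found"
        continue
    }
    if ($allowed -contains $exe) {
        "Already allowed: $exe"
        continue
    }
    Add-MpPreference -ControlledFolderAccessAllowedApplications $exe
    "Added: $exe"
}

# 4. Verify the resulting allow list.
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```

Allowing the specific executables keeps CFA protecting the folders against everything else, which turning CFA off does not. Where CFA is managed through Group Policy or an MDM profile, make the same change in that policy, since the managed setting takes precedence over local preferences.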
Additional Information