Docfiddle

Thank you, resetting WinSecurity to its defaults stopped the misbehavior. You mentioned that those settings constitute "overprotection." I take it that MWB's exploit protection doesn't go as far? The Pulse security is a Juniper VPN program for tunneling into work -- it didn't download with M365 far as I can tell. I don't need it and have deleted it. Again, thank you for your assistance.

You're right, I did use Configure Defender some time ago to set Defender settings. I just reloaded it and reset to defaults. Pulse Secure is an old VPN tunnel for my work years ago. Easy to remove -- just the setup file? Or is Pulse somehow running and causing trouble?

No, force randomization for images is set to off as default.

It's already set to its defaults -- if you look at the screenshot, there is no toggle to turn off exploit protection generally -- one toggles different sub-features, and all are set at their defaults.

Perhaps, but this isn't a business-controlled PC, and I don't recall activating exploit protection. The question for me is whether this duplicates an MWB feature, or if it is additive and finding something MWB hasn't. I'm trying to determine whether this wave of content blocks and interventions requires attention, or if it can be ignored, or Exploit Protection disabled (or some of its sub features disabled).

Edge Smart Screen wasn't happy with the Farbar tool, but I got it to run. FRST.txt Addition.txt

mbst-grab-results.zip Folks: I'm simply wondering if MWB has anything similar to WinSecurity's "attack surface reduction." That feature has been activated often recently, but my MWB scans come out clean. When I ran the Support Tool, WinSecurity responded: "Block executable files from running unless they meet a prevalence, age, or trusted list criteria Affected items: C:\Users\pbk\AppData\Local\Temp\mwb1F16.tmp\FRSTEnglish.exe"

I'm running MWB Windows 4.6.8.311 on win 10 with Windows security activated. The latter is generating alerts that MWB doesn't: "Your administrator has blocked this action: App or process blocked: lsass.exe Blocked by: Attack surface reduction Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) Affected items: C:\windows\System32\taskhostw.exe" I have scoured the system and there's only one lsass.exe that is properly signed. I run MWB full scans weekly. It's not clear to me if Win Security's action is superfluous or if MWB is missing an infection somewhere that is trying to hijack taskhostw.exe to get at local credentials. Any ideas? Thank you.