CIS 3.12 D+ log events and DFRGNTFS.EXE

Since the upgrade to CIS 3.12 I’m receiving these D+ log events every 2 minutes.
“APPLICATION” windows\system32\dfrgntfs.exe “ACTION” modify file “TARGET” \device\volume{-}

As of now I have over 100 events logged. I know dfrgntfs.exe is windows disk defrager.
Under the CIS Computer Security Policy for this file it is set to “custom policy” when I edit the policy “application system activity control” the access rights are all set to “ask”. Should the access rights be modified to “allow” and if so, which one or ones do I modify? Or should I go with a predefined policy? Or is there more to it then that, like a D+ problem?

Seems like Defense+ prevents dfrgntfs.exe accessing \device\volume{-} .
That possibly could lead to problems (?).

Maybe it’s better to set dfrgntfs.exe as trusted app under D+ policy to allow it access \device\volume{-} and maybe other entities. That’s the easiest solution to fix that should fix your issue.

What’s the difference between TRUSTED APPLICATION and WINDOWS SYSTEM APPLICATION in the predefined security policies. The access rights and protection settings are all set the same.

The difference exists only if Image Execution Control of D+ is NOT disabled.

The difference is that “Windows System Application” is allowed to invoke any other program silently. While attempt of “Trusted Application” to invoke (non-whitelisted) executable will trigger D+ alert.

To see the difference you should go to exceptions tab of “running an executable” of Windows System Application’s protection settings. There should be * wildcard which means every exe is allowed to run by Windows System Application.

Are you referring to D+ predefined security policies, (Edit) Windows system applications, (Click) Access Rights (Click) Modify on Run an Executable? If so, Yes there is an * Trusted Apps there is nothing…

Yep :slight_smile:

Thanks SS26!!!

No problems :slight_smile: