mbam.chm attempting to modify "\Device\KsecDD"

Hi. Posting here because this isn’t a problem with CIS. :slight_smile:

Wondering if anyone’s also found mbam’s compiled help file logged in Defense+ as trying to modify the Windows encryption device? See extract snip of Defense+ log attached.

I added “\Device\KsecDD” to ‘Protected Files and Folders’ per trawling the forum and this event was the first outcome after I opened mbam.chm. No longer have a chm decompiler but I know chms can have phone-home script. Can’t think why the Kernel Mode Security Support Provider Interface is relevant in any way to a help file. Not suspicious, just curious. >:(

[attachment deleted by admin]

This poster is an idiot. 8)

If Defense+ meets an untrusted file it gets sandboxed. If idiot user adds new rule to protect “\Device\KsecDD” without thinking it through, user will be confused to find the sandbox event followed in the log by the attempt to ‘modify’ event.

Any chance of losing this thread? :embarassed:

[attachment deleted by admin]

We don’t like to delete threads. I’ll lock it for you though. :slight_smile: