Hi Phil,
...and how other users deal with it.
Mostly by cursing.
Been dealing with this for a few years.
I have no idea how to get to the location I discovered one day where on my computer I was able to exclude folders from Windows Defender's heavy-handed tactics. I excluded my Macro Scheduler scripts folder and I excluded c:\util, a folder I've been creating on all of my and all company computers since the mid 1980s. That does not help any other user of my exes. Also does not help me when trying to run an executable from a network location.
Two things I'd suggest.
One is that Microsoft claims that executable age is a factor in their determination of whether a script is good or bad. Get a copy of "Touch.exe" or something similar and change the timestamp on the executable to make it 10 or 15 years old. I've not yet tried this but I do know that freshly compiled scripts are often captured by Defender whereas scripts from 2012 seem to be fine, mostly.
The other is what I've been doing and I can't explain why it's working. I compile a script and send it directly to the network location by placing that location in the script's first line compile information. I run the script from the network location to see if it will be hindered or deleted. If it runs the first time I usually kill it and run it again. I do this at least 5 times. After 5 runs I'm fairly confident Defender will leave the executable alone. If Defender hinders or deletes, I go to the name of the executable on the first line of the script and I add a "1" to the name and recompile. Then I run the new "scriptname1.exe" up to 5 times. If it fails, I alter the first line to compile to "scriptname2.exe"... etc. So far I've never had to go past "scriptname3.exe". I tried this on noticing that once Defender zeros in on a file's name, executables with that name do not stand a chance of working.
Nothing I've tried will prevent the file from working fine for 6 months then suddenly being deleted.
I don't know for certain about file age being a good determinant but I can tell you I have a clock program that I compiled back in 2013 that has been running constantly on an old computer I have at home. Suddenly, summer of 2022, the program stopped and the file was gone. I have backup copies and kept retrying the executable. After a month or so Defender let me run it again and I've had no issue with it since. Again I have no explanation other than the information you can find in the Windows Defender threat protection history. Absolutely know the program was stopped and the file deleted by Windows Defender. Defender said the file was deleted (quarantined) because it was "PUA:Win32/Vigua.A".
As to why this is happening I have two theories. First, Microsoft is using this as a method to generate income.
Butch Cassidy wrote: If he'd just pay me what he's paying them to stop me robbing him, I'd stop robbing him.
Second theory is all of our executables are "packed" by UPX to make the file size smaller. I don't know anything and I have zero expertise on the subject but I have read that UPX is sometimes used by the bad guys to try to hide their code from malware scanners that are looking for signatures. I suspect that on occasion Defender sees the "signature" for UPX in an executable and hinders the process or deletes the file.
I really don't think that the purpose of the script or the functions used in a script have much to do with whether Defender decides to f..mess with the script. At my facility we also have hundreds of old compiled C and Visual Basic programs. (Created using Microsoft's Visual Studio.) They are also occasionally getting the same harsh treatment. That said I've never seen one of them deleted, just a warning message that the program is unsafe and will not run. Give it a week and the program will work again.