claudetools/.claude/memory/feedback_defender_claude_exclusions.md
Mike Swanson af8a3de00e sync: auto-sync from GURU-5070 at 2026-07-01 13:06:10
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-07-01 13:06:10
2026-07-01 13:07:50 -07:00

2.7 KiB

---
name: feedback_defender_claude_exclusions
description: Mike wants NOTHING that Claude/ClaudeTools issues to be flagged by Windows Defender; keep broad exclusions and allow the ClickFix threat IDs that fire on RMM curl dispatch.
type: feedback
---

On his workstation (GURU-*), Mike wants nothing that Claude issues to be affected by Defender AV; it is a constant irritation. The recurring hits are Trojan:Win32/ClickFix.DBD!MTB (ThreatID 2147939088) and Trojan:Win32/ClickFix.ZF (ThreatID 2147945138), fired by Defender's AMSI command-line scan on the base64-encoded PowerShell payloads that curl.exe POSTs to the GuruRMM coordination API (172.16.3.30:3001/api/agents/.../command).

Why: These are false positives on legitimate ClaudeTools/GuruRMM command dispatch. He's the admin/owner and made an informed call to allow the family.

How to apply: Process/path exclusions alone do NOT stop these, because AMSI CmdLine/behavioral detections ignore ExclusionProcess/ExclusionPath. The lever that works is Add-MpPreference -ThreatIDDefaultAction_Ids <id> -ThreatIDDefaultAction_Actions Allow (Allow = action 6), run once for each of the two IDs. Also maintained (elevated PowerShell):

  • ExclusionProcess: bash.exe, curl.exe, git.exe, node.exe, claude.exe
  • ExclusionPath: C:\Program Files\Git (+ mingw64\bin, usr\bin), C:\Program Files\nodejs, C:\Users\<u>\.claude, C:\Users\<u>\.local\bin, C:\Users\<u>\AppData\Roaming\npm, C:\ClaudeTools, D:\ClaudeTools.

ACTIVE (2026-07-01): Mike opted for the fully-blanket lever: Set-MpPreference -DisableScriptScanning $true is SET on this box, disabling Defender AMSI script scanning machine-wide (his call: "I'm not likely to fall for bogus scripts"). This alone stops the CmdLine detections regardless of variant ID; the ThreatID Allows and the exclusions remain as belt-and-suspenders. If ever re-enabling: Set-MpPreference -DisableScriptScanning $false.

Fleet application (2026-07-01): DisableScriptScanning is Tamper-Protection-gated: it silently stays False if TP is on, even when set from SYSTEM. This workstation's TP is OFF (the toggle worked); GURU-BEAST-ROG's TP is ON, so on Beast only the exclusions and the ClickFix ThreatID Allows were applied via RMM (those are not tamper-gated and DO cover the recurring detections). The blanket script-scanning kill on Beast needs a manual Windows Security UI toggle, since TP can't be disabled by script.

Beast (GURU-BEAST-ROG, AZ Computer Guru/Mike's House, RMM id 5233d75b-...) is "treated like this machine." Howard was OFFERED the same via Discord DM; it is his choice on his own box, so do NOT push to Howard's machine without his ok.

Related: reference_acg_msp_stack (ACG's own tools shouldn't be flagged as threats), feedback_windows_quote_stripping.
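Because the setting silently stays False under Tamper Protection, a push from RMM is not proof that it took. The audit script below is an added example, not part of this memory note, ClaudeTools or GuruRMM; it reads the effective Defender state with the stock Get-MpPreference, Get-MpComputerStatus and Get-MpThreatDetection cmdlets and assumes an elevated PowerShell session on the box being checked. The two ThreatIDs and the process-exclusion names are the ones recorded above; the variable names and the output layout are my own.

```powershell
# Added audit script: reads the effective Defender state instead of assuming the push worked.
# Assumes an elevated PowerShell session on the workstation being checked.

$expectedThreatIds = @(2147939088, 2147945138)   # ClickFix.DBD!MTB, ClickFix.ZF (IDs from the note)
$expectedProcesses = @('bash.exe', 'curl.exe', 'git.exe', 'node.exe', 'claude.exe')
$allowAction       = 6                            # ThreatIDDefaultAction_Actions value for Allow

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# 1. Script scanning vs. Tamper Protection: a False here with TP on is the expected
#    silent failure, not a push that half-applied.
[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    TamperProtected       = $status.IsTamperProtected
    DisableScriptScanning = $pref.DisableScriptScanning
    RealTimeProtection    = $status.RealTimeProtectionEnabled
} | Format-List

if ($status.IsTamperProtected -and -not $pref.DisableScriptScanning) {
    Write-Warning 'Tamper Protection is ON, so DisableScriptScanning cannot be set from script; only the ThreatID allows and exclusions are in effect here.'
}

# 2. ThreatID default actions: the Ids and Actions arrays are parallel, so pair them by index.
$ids     = @($pref.ThreatIDDefaultAction_Ids)
$actions = @($pref.ThreatIDDefaultAction_Actions)
foreach ($id in $expectedThreatIds) {
    $action = $null
    for ($k = 0; $k -lt $ids.Count; $k++) {
        if ($ids[$k] -eq $id) { $action = $actions[$k] }
    }
    if ($action -eq $allowAction) {
        "ThreatID $id : Allow (action $action)"
    } else {
        Write-Warning "ThreatID $id : no Allow default action set (found: $action)"
    }
}

# 3. Process exclusions: report which of the expected names are missing.
$missing = $expectedProcesses | Where-Object { $pref.ExclusionProcess -notcontains $_ }
if ($missing) { Write-Warning "Missing ExclusionProcess entries: $($missing -join ', ')" }
else          { 'All expected ExclusionProcess entries present.' }

# 4. Detection history: any ThreatID outside the expected set is a variant (or a real hit)
#    that the per-ID allows do not cover and that needs a look.
Get-MpThreatDetection |
    Group-Object ThreatID |
    ForEach-Object {
        [pscustomobject]@{
            ThreatID = $_.Name
            Count    = $_.Count
            Covered  = [int64]$_.Name -in $expectedThreatIds
            LastSeen = ($_.Group | Sort-Object InitialDetectionTime -Descending |
                        Select-Object -First 1).InitialDetectionTime
        }
    } | Format-Table -AutoSize
```

The step-3 check compares bare executable names, which is how the note records them; if an exclusion was added as a full path it will be reported as missing and needs a second look rather than a re-add. In step 4, a row with Covered = False and a non-zero Count is the signal the note warns about: on a box where script scanning is still active (Beast, with TP on), that detection acted, and the per-ID allows would need extending before the dispatch stops tripping again.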