39

All of a sudden, Windows Defender has removed loads of shortcuts (.lnk files) from our Windows 10 and 11 computers. Dozens of computers affected.

Shortcuts have disappeared from both the desktop folder and the taskbar - with most disappearing instantly when the user double clicks the icon. Presumably the issue is machine wide, just most shortcuts are found in these locations.

Some shortcuts are however not affected and others that have been removed can be recreated and may not be removed.

Very odd!!

Moshe Katz
Matty Brown
  • Evidently there were some false positives. Without more information about the apps that were removed, we can't analyze it. – harrymc Jan 13 '23 at 11:42
  • Shortcuts to Google Chrome seem to be its favourite to remove! Also TeamViewer, Word, Excel, Outlook... Looking at my OneDrive recycle bin, my lnk files started disappearing at 2:14am GMT today, which I guess would have been an automatic scan. – Matty Brown Jan 13 '23 at 11:52
  • The version 1.381.2140.0 has this problem and it's reproducible. – kiwiwings Jan 13 '23 at 12:16
  • Looks like this is related to Microsoft's MO497128 "Some users are unable to utilize the Application shortcuts on the Start menu and taskbar". – Matty Brown Jan 13 '23 at 12:20
  • It seems that if the shortcut contains "C:\Program files" or similar, it falls under that pattern ... Shortcuts to other directories aren't affected. – kiwiwings Jan 13 '23 at 12:39
  • @harrymc - "*Windows Defender doesn't do that*"... Well, it clearly does and M$ have admitted it! See [Application shortcuts might not work from the Start menu or other locations](https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22h2#2998msgdesc). – Greenonline Jan 14 '23 at 20:30
  • This affected a number of computers at my workplace too. Some icons totally gone, some others were retained in OneDrive's recycle bin after disappearing from the desktop. Lots of Windows Defender notifications too. – Jubatian Jan 14 '23 at 21:30
  • Recommended question for Microsoft: [Why does anti-virus software not delete the viruses, malware, etc., but instead quarantine them?](https://superuser.com/q/1096317/194694) – gronostaj Jan 15 '23 at 19:18

4 Answers

21

Disable (turn Off) the ASR rule "Block Win32 API calls from Office macros".

Ours was set to Warn, so you wouldn't expect it to delete or block access to files, but it did anyway!

I don't know what the link is to Win32 API calls or Office macros, but having disabled this rule and synced settings on 4 PCs - Windows 10 and 11 - the issue is instantly resolved.

Matty Brown
13

Because it is buggy...

[Short answer to the question "Why has Windows Defender started removing shortcuts today (13/01/2023)?"]

This issue is resolved in security intelligence update build 1.381.2164.0. Installing security intelligence update build 1.381.2164.0 or later should prevent the issue, but it will not restore previously deleted shortcuts. You will need to recreate or restore these shortcuts through other methods. For additional information, see Recovering from Attack Surface Reduction rule shortcut deletions.

Note that

Affected devices have the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" enabled. After installing security intelligence build 1.381.2140.0, detections resulted in the deletion of certain Windows shortcut (.lnk) files that matched the incorrect detection pattern.

How to solve / avoid the problem

  1. Not installing security intelligence update build 1.381.2140.0 (to prevent).
  2. Installing security intelligence update build 1.381.2164.0 or later (to solve).
  3. Changing the ASR rules to Audit Mode (it may help to prevent it).
Hastur
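As an added example (not from the question or any of the answers), the PowerShell below combines the two fixes given in the first two answers: it compares the installed security intelligence build with 1.381.2164.0, drops the "Block Win32 API calls from Office macros" rule to Audit while the buggy definitions are still present, and then lists the ASR events that name the rule so you can see which .lnk files it hit. Assumptions: an elevated session with the Defender PowerShell module, and that `$RuleId` is the GUID Microsoft publishes for this rule (check it against the current ASR rules reference before relying on it).

```powershell
# Added example, not code from the original post. Assumes an elevated PowerShell
# session on Windows 10/11 with the Defender module, and that $RuleId is the GUID
# Microsoft publishes for "Block Win32 API calls from Office macros".
$RuleId     = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
$FixedBuild = [version]'1.381.2164.0'   # first security intelligence build with the fix

$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Security intelligence version: $current"

if ($current -lt $FixedBuild) {
    Write-Host "Definitions older than $FixedBuild; requesting an update..."
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

# Get-MpPreference reports each rule's action as an integer:
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids)
$action = 0
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i] }
}
Write-Host "Rule $RuleId is currently: $($actionNames[$action])"

# Both Block and Warn were reported to delete shortcuts on the bad build, so while
# the fixed build is missing move the rule to Audit (events are still logged)
# instead of switching real-time protection off as the downvoted answer does.
if ($current -lt $FixedBuild -and $action -in 1, 6) {
    Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host "Rule set to AuditMode until definitions reach $FixedBuild"
}

# Scope the damage: ASR events 1121 (blocked) and 1122 (audited) in the Defender
# operational log carry the rule GUID and the file path that matched.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId -and $_.Message -match '\.lnk' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Restoring the deleted shortcuts themselves is a separate step; the Microsoft recovery article linked in the answer above covers that.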
10

Problem tracked also by Microsoft at Microsoft 365 Admin Center as "MO497128: Some users are unable to utilize the Application shortcuts on the Start menu and taskbar".

Also, setting delayed distribution of Defender definition updates seems possible, if it is not already enabled on the workstations. Disable the particular ASR rule if you have the option (MDM/MECM/GPO).

Kazzan
-6

Us too, we pushed this out

# PowerShell, elevated session; disables Defender real-time protection entirely
Set-MpPreference -DisableRealtimeMonitoring $true

as a very very temporary workaround.

Rohit Gupta
  • To improve your answer, please edit your answer and explain where this is executed or set. – Rohit Gupta Jan 13 '23 at 13:14
  • This turns Windows malware protection off. Probably best not do this. – kazza Jan 13 '23 at 14:37
  • @RohitGupta: I think it's pretty clear it's a PowerShell command. Still a poor choice. – Joshua Jan 14 '23 at 04:23
  • It's clear only to people that have used PowerShell :-) And it's not for me, it's for future visitors. – Rohit Gupta Jan 14 '23 at 04:36
  • Very temporary? I remember years ago helping my mum's friend with her computer. What happened? I fixed some malware infection but then her Internet connection was not working. Called them. They complained about the AV. I knew it was a mistake but I did it anyway. Guess what? Same infection (worm) happened almost immediately. Disabling AV in any OS is inadvisable but Windows? That's crazy. Don't do it even for a microsecond! – Pryftan Jan 14 '23 at 20:02
  • _"My car's steering wheel is shaking when I drive"_ - _"Throw this burning molotov cocktail through any of its windows"_ - _"But now my car's on fire!"_ - _"The steering wheel is now still, right?"_ – CodeCaster Jan 16 '23 at 13:15