Windows Defender and prl_tools.exe

Discussion in 'Windows Guest OS Discussion' started by Kazoo, Mar 22, 2019.

  1. Kazoo

    Kazoo Bit Poster

    Messages:
    16
    I got the new Parallels update a couple of days ago. I had the problem installing Parallels Tools and fixed that by disabling Windows Defender. Once installed, I re-enabled it.

    Now, I periodically see Windows Defender complaining about prl_tools.exe trying to change a controlled folder. This has only started since the last update. Now, I'm perfectly fine with giving it permission, but I'd like to know what it's trying to do before I do that.

    Details from the Event Log:

    Log Name: Microsoft-Windows-Windows Defender/Operational
    Source: Microsoft-Windows-Windows Defender
    Date: 3/22/2019 11:17:05 AM
    Event ID: 1127
    Task Category: None
    Level: Warning
    Keywords:
    User: SYSTEM
    Computer: XXX
    Description:
    Controlled Folder Access blocked C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe from making changes to memory.
    Detection time: 2019-03-22T15:17:05.908Z
    User: NT AUTHORITY\SYSTEM
    Path: \Device\Harddisk0\DR0
    Process Name: C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe
    Signature Version: 1.291.66.0
    Engine Version: 1.1.15800.1
    Product Version: 4.18.1902.2

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
    <EventID>1127</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-03-22T15:17:05.909390800Z" />
    <EventRecordID>1154</EventRecordID>
    <Correlation />
    <Execution ProcessID="3868" ThreadID="4504" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>XXX</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data Name="Product Name">%%827</Data>
    <Data Name="Product Version">4.18.1902.2</Data>
    <Data Name="Unused">
    </Data>
    <Data Name="ID">
    </Data>
    <Data Name="Detection Time">2019-03-22T15:17:05.908Z</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="Path">\Device\Harddisk0\DR0</Data>
    <Data Name="Process Name">C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe</Data>
    <Data Name="Signature Version">1.291.66.0</Data>
    <Data Name="Engine Version">1.1.15800.1</Data>
    </EventData>
    </Event>
     
  2. Kazoo

    Kazoo Bit Poster

    Messages:
    16
    Anyone? Like, someone from Parallels?
     
  3. Maria@Parallels

    Maria@Parallels Parallels Team

    Messages:
    4,138
    Hi, it happens that the Windows Defender does not allow you to download and save a deliberately safe file.
    If you disable it, does everything work ok?
     
  4. Kazoo

    Kazoo Bit Poster

    Messages:
    16
    It probably will. But before I disable it for prl_tools.exe, I want to know what Parallels is trying to do in this protected directory and why it needs to. It's protected for a reason.

    Also, this wasn't happening prior to the latest update.
     
  5. Maria@Parallels

    Maria@Parallels Parallels Team

    Messages:
    4,138
    Actually, prl_tools.exe is a standard Windows process. And Parallels Tools is a set of drivers for the guest OS that is installed in your VM. So, like other drivers, Parallels Tools is located in the Windows System folders.
    Did you protect this folder or maybe another one?
     
  6. Kazoo

    Kazoo Bit Poster

    Messages:
    16
    I didn't change anything.
    I was running fine, got the Parallels update last week and now I'm getting this error. Defender is configured the same way it was before. Maybe Microsoft changed something?

    The path that is supposedly hitting is \device\harddrive0\dr0. Is prl_tools.exe attempting to access the physical disk volume? (Virtual, of course, but you know what I mean)
     
  7. StanislavZ

    StanislavZ Parallels Developers

    Messages:
    98
    prl_tools.exe may access the disk volume to get partition info to monitor disk space usage.
    How do I configure Windows Defender to produce the above-mentioned warnings?
     
  8. Kazoo

    Kazoo Bit Poster

    Messages:
    16
    I believe it's the Ransomware protection, Controlled folder access. I've attached a file of the setting I think is being hit.
     


  9. Kazoo

    Kazoo Bit Poster

    Messages:
    16
    Were you able to reproduce the symptoms on this?
     
  10. Kazoo

    Kazoo Bit Poster

    Messages:
    16
    Anything? If you can verify that it's innocuous, I can just allow it. But, I need to know.
     
  11. StanislavZ

    StanislavZ Parallels Developers

    Messages:
    98
    I can confirm that this warning is triggered by the guest disk space monitor.
     
  12. Kazoo

    Kazoo Bit Poster

    Messages:
    16
    Ok. Thanks.
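
The triage discussed in this thread, as an added example that is not part of any post and is not Parallels or Microsoft code: it parses event ID 1127 records, flags blocks whose target is the physical disk object rather than a folder, and checks who signed the blocked binary before any allow-list decision. The function name `ConvertFrom-CfaEvent` is hypothetical, and the live section assumes a session with rights to read the Defender operational log.

```powershell
# Added example (not from the thread): triage Controlled Folder Access blocks (event ID 1127).
function ConvertFrom-CfaEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Flatten <Data Name="...">value</Data> into a lookup table.
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }
    $target = $fields['Path']
    [pscustomobject]@{
        Time    = $EventXml.Event.System.TimeCreated.SystemTime
        Process = $fields['Process Name']
        User    = $fields['User']
        Target  = $target
        # \Device\HarddiskN\DRN is the physical disk object, not a protected folder.
        RawDisk = $target -match '^\\Device\\Harddisk\d+\\DR\d+$'
    }
}

# Offline check against the event quoted in the first post (trimmed to the fields used here).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1127</EventID>
    <TimeCreated SystemTime="2019-03-22T15:17:05.909390800Z" />
  </System>
  <EventData>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="Path">\Device\Harddisk0\DR0</Data>
    <Data Name="Process Name">C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-CfaEvent $sample | Format-List

# Live triage in the guest: group blocks by process and target, then check who signed each binary.
$log = 'Microsoft-Windows-Windows Defender/Operational'
$blocks = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1127 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-CfaEvent ([xml]$_.ToXml()) })
$blocks | Group-Object Process, Target | Select-Object Count, Name
$blocks | Select-Object -ExpandProperty Process -Unique | Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_ } |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# Current Controlled Folder Access mode and existing allow-list entries.
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessAllowedApplications
```

A `Valid` signature status with the expected vendor as signer, together with a `RawDisk` target, matches the disk space monitor explanation given in the thread; an unsigned binary or an unexpected signer at that path is the case to investigate before allowing it.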
     
