It turns out, it can mean the binary you are running has a bad certificate.
I downloaded the latest insider preview for the Windows 10 ADK.
Then I simply wanted to capture a trace…
Ok… so, weird? So I launched a command prompt and tried it that way (WPR works fine, just no UI, btw).
So I procmon’d it. ’Cause, “when in doubt, procmon.”
Why is WPRUI.exe being scanned heavily by Defender? What gives?
Ok, and what is BAM.sys, exactly?
So I did some searching, and someone noticed that when they got this error, “A referral was returned from the server”, it meant the digital sigs were busted… so I checked. Surely Microsoft didn’t ship a binary with a bad cert… right?
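Here is how that check looks from an elevated PowerShell prompt. This is an added example, not part of the original post: it reads the Authenticode signature on the binary and then builds the certificate chain itself, because `Get-AuthenticodeSignature` tells you *that* the signature is bad while the chain status tells you *why* (untrusted root, expired, revoked, wrong EKU, and so on). The WPRUI.exe path is an assumption; adjust it to wherever the ADK installed the Windows Performance Toolkit.

```powershell
# Added example (not from the original post). Inspect the Authenticode
# signature of a binary that fails to elevate with
# "A referral was returned from the server".
# Path is an assumption; adjust to your ADK install.
$binary = 'C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\WPRUI.exe'

function Test-BinarySignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $result = [ordered]@{
        Path          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        NotBefore     = $sig.SignerCertificate.NotBefore
        NotAfter      = $sig.SignerCertificate.NotAfter
        Timestamper   = $sig.TimeStamperCertificate.Subject
        ChainValid    = $null
        ChainErrors   = @()
    }

    # Build the chain ourselves so the failure reason is visible.
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        # Require the Code Signing EKU (1.3.6.1.5.5.7.3.3), as UAC does.
        $chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')) | Out-Null

        $result.ChainValid  = $chain.Build($sig.SignerCertificate)
        $result.ChainErrors = $chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        }
    }

    [pscustomobject]$result
}

Test-BinarySignature -Path $binary | Format-List
```

A `Status` of `Valid` with `ChainValid` of `True` is what you want to see on a shipped Microsoft binary; anything else is the same condition UAC is reacting to when it refuses the elevation, and `ChainErrors` names the specific link that failed.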
So that’s a quick and dirty “Why the hell is this happening” brought to you by the dude.
Alois Kraus also mentioned to me you can work around this by doing a regedit:
“A quick and dirty fix is to disable the check: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Open “ValidateAdminCodeSignatures” and set “Value data” to “0”.”
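That value is the UAC policy “User Account Control: Only elevate executables that are signed and validated”, and it applies to every elevation on the box, not just WPRUI.exe, so it is worth turning off only for as long as you need it. The following is an added example, not code from the original post or from Alois Kraus: it records the current value, applies the workaround, runs whatever you hand it, and restores the original value (or removes the value if it was not set) in a `finally` block. It assumes an elevated PowerShell session and assumes the policy is read at elevation time rather than at boot; the WPRUI.exe path in the usage comment is an assumption.

```powershell
# Added example (not from the original post or from Alois Kraus).
# Temporarily disable ValidateAdminCodeSignatures and restore it afterwards.
# Requires an elevated PowerShell session.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyName = 'ValidateAdminCodeSignatures'

function Get-AdminCodeSignaturePolicy {
    # Returns the current DWORD, or $null when the value is not present.
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.$policyName
}

function Set-AdminCodeSignaturePolicy {
    # 1 = enforce "Only elevate executables that are signed and validated"
    # 0 = do not enforce (the workaround from the post)
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    Set-ItemProperty -Path $policyKey -Name $policyName -Value $Value -Type DWord
}

function Invoke-WithAdminCodeSignatureCheckDisabled {
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)

    $original = Get-AdminCodeSignaturePolicy
    Write-Host "Current $policyName = $(if ($null -eq $original) { '<not set>' } else { $original })"

    try {
        Set-AdminCodeSignaturePolicy -Value 0
        & $ScriptBlock
    }
    finally {
        # Put the policy back exactly as it was, even if the script block threw.
        if ($null -eq $original) {
            Remove-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
        } else {
            Set-AdminCodeSignaturePolicy -Value $original
        }
        Write-Host "Restored $policyName = $(if ($null -eq (Get-AdminCodeSignaturePolicy)) { '<not set>' } else { Get-AdminCodeSignaturePolicy })"
    }
}

# Usage (path is an assumption; adjust to your ADK install):
# Invoke-WithAdminCodeSignatureCheckDisabled {
#     Start-Process -FilePath 'C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\WPRUI.exe' -Wait
# }
```

Using `-Wait` inside the script block keeps the check disabled only while the tool is actually running; once WPRUI.exe exits, the `finally` block restores the policy before the function returns.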