Summary
Microsoft Defender on Windows has repeatedly shown Sample submission prompts involving Codex's local config.toml across separate events and machines.
A later screenshot captured on June 29, 2026 on laptop YURIYS_GAMINGPC directly showed Defender listing the same exact path twice in one prompt window:
C:\Users\shimk\.codex\config.toml
C:\Users\shimk\.codex\config.toml
This suggests either:
- Codex is causing Defender to repeatedly see/re-evaluate this file during normal startup/update/plugin activity
- Defender is overreacting to a normal Codex config file
- or there is a duplicate-entry / duplicate-handle edge case in how the file is being surfaced
What is confirmed
- Defender repeatedly prompted for Codex's local
.codex\config.toml across separate events.
- The pattern occurred on both desktop and laptop.
- On the laptop, a preserved screenshot from 2026-06-29 directly showed a Defender
Sample submission dialog for C:\Users\shimk\.codex\config.toml, with the same path shown twice in the same prompt window.
- Earlier laptop investigation showed
C:\Users\shimk\.codex\config.toml was newly created at 2026-06-03 03:10:50 America/Los_Angeles.
- In that same minute, Codex logs showed plugin/install, bundled marketplace writes, and Chrome host reconciliation.
- A nearby file,
C:\Users\shimk\.codex\chrome-native-hosts-v2.json, was also created immediately afterward.
- Defender on the laptop had
SubmitSamplesConsent = 1, so prompting before upload is expected when Defender wants to submit a file sample.
What is not confirmed
- I have not confirmed that every prompt involved the exact same unchanged file hash.
- I have not found a Defender operational-log entry explicitly naming
config.toml.
- I have not proven whether the duplicate rows in the June 29 prompt were byte-identical copies, separate handles, or a Defender/UI duplication artifact.
Why this seems relevant to Codex
The timing on the laptop strongly suggests the file is being created or rewritten during normal Codex local-state/setup/update/plugin activity, not just sitting unchanged:
config.toml created: 2026-06-03 03:10:50 local time
config.toml written: 03:11:13
chrome-native-hosts-v2.json created: 03:11:14
- Codex logs in the same minute showed plugin install + bundled marketplace writes + Chrome host reconciliation
That makes it plausible that Codex is regenerating or rewriting local config state in a way that repeatedly surfaces config.toml to Defender.
User impact
- Repeated Windows Defender prompts during normal Codex use
- User uncertainty about whether Codex local state is unsafe
- One prompt showed the same exact path twice, which makes the behavior look buggy rather than merely cautious
Request
Could you investigate whether recent Windows/Desktop Codex behavior is rewriting or recreating .codex\config.toml (or surfacing it multiple times) in a way that triggers repeated Defender sample-submission prompts?
If useful, I can follow up with:
- the exact screenshot text from the June 29 Defender prompt
- the SHA-256 observed for the June 3 laptop
config.toml
- the local investigation summary correlating the file timestamps with Codex log activity
Summary
Microsoft Defender on Windows has repeatedly shown
Sample submissionprompts involving Codex's localconfig.tomlacross separate events and machines.A later screenshot captured on June 29, 2026 on laptop
YURIYS_GAMINGPCdirectly showed Defender listing the same exact path twice in one prompt window:C:\Users\shimk\.codex\config.tomlC:\Users\shimk\.codex\config.tomlThis suggests either:
What is confirmed
.codex\config.tomlacross separate events.Sample submissiondialog forC:\Users\shimk\.codex\config.toml, with the same path shown twice in the same prompt window.C:\Users\shimk\.codex\config.tomlwas newly created at 2026-06-03 03:10:50 America/Los_Angeles.C:\Users\shimk\.codex\chrome-native-hosts-v2.json, was also created immediately afterward.SubmitSamplesConsent = 1, so prompting before upload is expected when Defender wants to submit a file sample.What is not confirmed
config.toml.Why this seems relevant to Codex
The timing on the laptop strongly suggests the file is being created or rewritten during normal Codex local-state/setup/update/plugin activity, not just sitting unchanged:
config.tomlcreated: 2026-06-03 03:10:50 local timeconfig.tomlwritten: 03:11:13chrome-native-hosts-v2.jsoncreated: 03:11:14That makes it plausible that Codex is regenerating or rewriting local config state in a way that repeatedly surfaces
config.tomlto Defender.User impact
Request
Could you investigate whether recent Windows/Desktop Codex behavior is rewriting or recreating
.codex\config.toml(or surfacing it multiple times) in a way that triggers repeated Defender sample-submission prompts?If useful, I can follow up with:
config.toml