Latest Discussions
Blocking in Vulnerability Management triggers full scan in Defender.
Over the last couple of weeks our users have been complaining about their computers being slow as molasses - we observed Defender was running a full scan after every reboot. Reviewing event logs we were eventually able to pin down the root cause - a while back we introduced a Block remediation for a vulnerable version of 7-Zip. It turned out that the driver updates delivered via Dell Command Update are internally using an older version of 7-Zip for the file extraction, and were being blocked every time the driver installation retry attempt occurred (which seems to be at every reboot...). Removing the block remediation in Vulnerability Management resolved the issue. While having our driver updates blocked is somewhat of a nuisance, the repeated full scans had a severe impact on our productivity. Does it even make sense for Defender to do a full scan for a detected "Enterprise Unwanted Software"? Are there options to tweak this (apparently) default behavior to skip the (full) scan for certain categories?
Posted by Vibbers, Feb 07, 2025

MDE Device Control Prevent installation of removable devices
Hello All, We had configured a Device Control policy restricting removable device installations under Device Installation Restrictions > Prevent installation of removable devices (Enabled). This blocked new PnP device installations, including USB keyboards and mice. We have since reverted the setting to Not Configured and removed all assignments. However, one device is still unable to install new USB keyboards/mice. A hunting script check in MDE shows no blocking alerts. Could someone guide us on how to verify if any residual Device Control settings are still affecting the device? Is there a registry key where we can review and remove this setting locally? Appreciate your assistance. Thanks.
Posted by drivesafely, Feb 07, 2025

Website reported as unsafe on Microsoft Edge but no malware found on any scanners
Hi, our website https://coastalgolf.ca/ is hosted on Shopify. Recently we've noticed our website getting blocked on the Microsoft Edge browser. Our development and security team confirmed there are no malicious issues. We've checked other security scanners, no malicious issue found. We've checked Google Search Console and Bing Search Console, no security issues found. Submitted feedback to Microsoft using the form almost 2 weeks ago, but no reply or initiative found. No issues found on SSL certificates. No issues found on MXToolbox blacklist. How can we resolve this? It's affecting our business.
Posted by RushMamun, Feb 07, 2025

Baseline Assessment Auditing Status Unknown
Hi, I am working with Microsoft Defender Vulnerability Management with the feature called Baseline Assessment. I created a Baseline Profile with CIS compliant configurations and it was applied to 10 devices for testing. Checking the compliance status I can observe that the Auditing configurations are shown as Unknown. Has anyone experienced this situation? Any recommendation? Thanks for any comments.
Posted by Carlos_Valencia, Feb 03, 2025

No Automated Investigation Triggered for High Severity Incident
Hi Community, I've noticed an issue where no Automated Investigation and Response (AIR) was invoked for a high-severity incident and alert on a device that belongs to a device group configured with full AIR. This behavior contradicts the expected principle of AIR, as outlined in the documentation: How Automated Investigation Starts.
Details:
- The device is part of a group with full AIR enabled.
- A high-severity alert/incident occurred but did not trigger any automated investigation.
- Manual actions were required to address the threat, despite AIR being enabled.
Questions:
- Has anyone experienced similar behavior where AIR is not triggered for eligible devices/incidents?
- Are there known scenarios or conditions that might prevent AIR from starting, even in fully configured groups?
- What steps can I take to troubleshoot or escalate this to ensure consistent AIR functionality?
Your insights and suggestions would be greatly appreciated! Thank you.
Posted by Marnik, Feb 03, 2025

[MDE] Add the important feature, Yara rules if possible
Hi, Refer to this advisory (first link). In addition, you can see that there are Yara rules from GitHub (inside the PDF) (2nd link). All EDR/XDR companies (except Microsoft) already have features and a Yara rule configuration for the incident responders to detect. The method of adding and detecting Yara rules has been in practice across companies for many years. Would you mind advising on any reason for not adding the important feature, Yara rules? It would be good if you included the important feature, Yara rules. If not, would you mind advising on converting from Yara rules to an MDE query for querying via advanced threat hunting? Thanks, much appreciated. 🙂
- https://www.csa.gov.sg/singcert/Advisories/ad-2021-007
- This link is the Yara rule: https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/yara-rule-support/m-p/2276820
Posted by tay76, Jan 28, 2025

Integration of Microsoft Defender into SIEM Open Source via Syslog
Hello everyone, I have:
- Microsoft Defender central console
- Endpoints reporting to the central console
- SIEM open source
I need to be able to export all logs from the Microsoft Defender central console to the SIEM via Syslog. Could someone provide me with a guide or step-by-step configuration? Thanks in advance!
Posted by ciberociber, Jan 26, 2025

MDA Passive Telemetry
Does anyone know where logs (LSA, Device, CredGuard) are stored in the query tables for MDA in Passive mode? I found these signals but don't recall where. Please advise. I have several tables as follows:
//DeviceEvents
//DeviceFileCertificateInfo
//DeviceImageLoadEvents
//DeviceFileEvents
//DeviceImageLoadEvents
//Deviceinfo
...
Posted by logger2115, Jan 24, 2025