Forum Widgets
Latest Discussions
ASR rules enabled after onboarding Windows server
Hello, I tested onboarding Windows Server 2019 to Defender using local script and noticed that after onboarding some ASR rules are already enabled in Block mode by default: Block Office applications from creating executable content 3b576869-a4ec-4529-8536-b80a7769e899 Block execution of potentially obfuscated scripts 5beb7efe-fd9a-4556-801d-275e5ffc04cc Block Office applications from injecting code into other processes 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Block Win32 API calls from Office macros 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Block credential stealing from the Windows local security authority subsystem (lsass.exe) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block executable content from email client and webmail be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 Block JavaScript or VBScript from launching downloaded executable content d3e037e1-3eb8-44c8-a917-57927947596d Block all Office applications from creating child processes d4f940ab-401b-4efc-aadc-ad5f3c50688a I haven't applied any group policies yet to it. The server is domain joined. Could it happen that it pulls the configuration from another place? Thanks
Registry modifications
If a file was downloaded, executed, and created a registry entry for persistence, is it enough to just delete the file from its original location? Or does the registry entry also need to be removed? What happens if it is not removed? If a malicious file created an entry under HKLM Run, HKCU Run, or RunOnce, and the file is later deleted but the registry entry is left behind, will the system still try to execute it at startup?
Endpoint menu missing in settings in security center
Hello, I'm trying to understand while endpoint menu is missing in security center. (security.microsoft.com). I currently have a Microsoft 365 E5 Security License but I can't access to endpoint menu. I'm currently logging with a global admin account with the "Microsoft 365 E5 Security" license assigned but I can't access to the endpoint menu at all. Am I doing something wrong? My current license is a trial license, could be the issue (I don't think so)? Thanks
MDE-Onboarding issue
Hello Community, while i am trying to onboard a windows 10 machine into MDE where there is already another AV running which is Kaspersky, i am facing that issue that Microsoft AV is not able to revert its status from disabled into running state (passive mode). even if i am trying to start the service manually, it will revert itself back to the disable status. Did anyone experience that issue before between Defender AV and Kaspersky?Ransomeware query
If any ransomware detection i need following query for advance hunting in defender Look for rapid file modification or creation or deletion 2. Rapid file encryption one 3. look for a ransom note 4. look for encryption algorithms 5. look for double extension 6. Also query for birth time of the file
