Recent Discussions
Microsoft Defender false positive and WDSI submission details page bug
Hello,

I am the developer and publisher of Pulse Launcher, a legitimate signed Windows application / Minecraft mod launcher. I already submitted this through Microsoft Security Intelligence and also opened a Microsoft Q&A thread, but I am posting here because the WDSI submission portal itself appears to be broken for these submissions.

Related Microsoft Q&A thread: https://learn.microsoft.com/en-us/answers/questions/5929545/microsoft-defender-false-positive-and-wdsi-submiss

There are two related issues:

1. Microsoft Defender cloud ML false positives keep appearing on public multi-engine scan results for the same signed application/product family. The Microsoft detection name changes across rescans and equivalent builds, including:
- PUA:Win32/Puwaders.C!ml
- Program:Win32/Wacapew.C!ml
- Trojan:Win32/Wacatac.B!ml
- Trojan:Win32/Wacatac.C!ml
- Trojan:Win32/Sabsik.EN.A!ml

2. Microsoft Security Intelligence submissions are visible in Submission history and show status "In progress", but opening the submission details page returns: "The details for the submission were not found or the submission has expired."

Affected submission IDs:
- dd476efa-fc04-4f13-82cf-631bbfd145a6
- efc6514c-d700-4d6a-a7e2-67a9a83334a2
- ff8d04b7-c5fc-4a05-bd53-ee7ac5981284

File details:
- File name: pulse_launcher.exe
- SHA-256: def6059c07c3e1f4a8c5649a1bbf190d4f355ee8e8b88c55c5b404edee99ecc8
- Signer: FOP Haponiuk Mykola Viktorovych
- Certificate: GlobalSign EV Code Signing certificate

The executable is not VMProtect-packed or obfuscated. It is EV-signed. A previous Microsoft analyst response stated that the file did not meet Microsoft criteria for malware or PUA, but Microsoft cloud detections continue to appear.

Could someone route this to Microsoft Defender Security Intelligence / malware analysis, or advise how to escalate WDSI submissions that exist in history but whose details endpoint returns "not found or expired"?
Thank you.

Microsoft Defender for Endpoint and WDAC audit logs do not include kernel audit/blocks
While testing WDAC on a fully patched Windows 11 Pro machine, I noticed that kernel audit/block events do not get collected by MDE in the advanced hunting portal; only user-mode audit/block events are collected. Can anyone confirm they see this too, and is this by design?

My test case is to use a Strict Kernel Mode WDAC policy (as per: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection), which is active, using the Global Secure Access client as my test. When the machine boots, the below event is generated locally on the machine:

This event is never shown in the MDE advanced hunting portal, though user-mode events do show. Examples of events that are coming through:

Not receiving these events centrally for auditing would make deploying a kernel-mode WDAC control impossible. It would be amazing if the Microsoft product team could look into this and resolve it, as these alerts should be captured as well, to facilitate deployment of more secure controls.

Ways to fetch quarantine files
We are working with quarantine files and have a few questions:

1. Is there a public API available to retrieve quarantined files from Microsoft Defender for Endpoint?
2. Is there a documented method to map an alert or a file SHA-1/SHA-256 hash to the corresponding object in the Defender quarantine store?
3. Is there a way to retrieve quarantined files other than using a PowerShell script through the Live Response API?

Understanding AI workloads on Linux
Hi everyone,

I’m a PM working on security for Linux environments and trying to better understand how AI workloads are actually showing up in production today. Would appreciate hearing from folks here:

- Are you running any AI workloads on Linux today? Or actively exploring?
- What does your deployment/setup look like (e.g., model training/inference, agents, MCP servers, data pipelines, etc.)?
- How are you thinking about securing this stack, if at all?

If you’re open to a quick 30-min chat, I’d love to learn more from your experience as well.

Thanks in advance; this will directly help shape where we invest next.

Larac2shell: Turning MDE Live Response into a near real-time shell. We are the EDR!
https://github.com/akefallonitis/larac2shell

Turning MDE Live Response into a near real-time interactive shell. Beta version out.

Features:
- Internal (thanks to https://www.linkedin.com/in/fabianbader/ and https://www.linkedin.com/in/nathanmcnulty/ and the xdrinternals research) vs external API authentication
- Arbitrary command execution via a pre-uploaded base64 wrapper script
- Cross-OS support

PS: Two MSRC bugs reported for direct command execution bypass; waiting for Microsoft's response in order to publish them.

Coming soon (TM): full LaraC2 post-exploitation OST framework over MDE as a C2/C3 channel. We are the EDR / no external infra / onboarding to your controlled tenant silencing MDE.

Happy testing 🥳 🎉

runHuntingQuery API and 'evaluate pivot'
I seem to have a problem where any request to the runHuntingQuery API with 'evaluate pivot' fails with:

"error": { "code": "UnknownError", "message": "",

Is this just a 'feature'? The query happily runs through the website/XDR portal. :-(

Is there a way to simulate a pivot (easily) in Power Apps?

Defender for Business - No alert after process lockout?
Hello all,

A few days ago, I set up Defender for Business server on a Windows Server 2019. I can see that server in the Microsoft security portal devices list. I have also tested the "suspicious" PowerShell command provided by Microsoft and it all went well: PowerShell blocked, alert escalated to an incident in the security portal, email received, ...

But the next day, I tried to install a service on that server that got blocked by Virus & Threat Protection because it was attempting to modify a lot of files. That was a good point for Defender (it was not a real threat and was later added as an exception). My worry is that it was never escalated to the security portal, and I didn't receive an alert email. The system blocked that "threat" multiple times during my attempts to deploy it and no incident was thrown.

What could be wrong?

Thank you.

Save the date - January 26, 2026 - AMA: Secure your endpoints with policy and Microsoft Defender
Save the date for January 26 at 8:00 AM PT!

Have questions about using Microsoft Intune to enforce device compliance? Curious how to configure devices to help prevent security breaches and limit the impact of threats? Ask Microsoft Anything (AMA) about integrating Microsoft Defender for Endpoint with Microsoft Intune at Tech Community Live! Product teams will be answering your questions live and in chat. Get tips on using policy to onboard devices, define risk level, block non-compliant devices from accessing corporate resources, and more.

Go to aka.ms/AMA/SecureEndpoints to save the date and add this event to your calendar!

Using MDE (Passive Mode) with Palo Alto Cortex XDR to enable Defender for IoT (Enterprise IoT)
Hi everyone!

I’m working with a customer that uses Palo Alto Cortex XDR as their primary EDR. We want to leverage Microsoft Defender for IoT specifically for Enterprise IoT (not OT/ICS). I have a few questions:

1. MDE in Passive Mode as a sensor: Can Microsoft Defender for Endpoint (MDE) running in Passive mode act as a sensor to enable Enterprise IoT discovery/monitoring for Defender for IoT? Are there any feature limitations when MDE is not the primary EDR?
2. Appliance sensor in Enterprise IT: If we cannot use the MDE agent, is it supported to deploy the Defender for IoT appliance sensor in an enterprise IT network (e.g., offices/campuses) to cover Enterprise IoT use cases?
3. Coexistence / complementary sensors: Is it possible (and recommended) to run the appliance sensor alongside MDE (sensor) to complement coverage/features? Any guidance on architecture, data overlap/deduplication, or licensing implications?
MS Defender setting
Hello, I have a question. I'm not from an English-speaking country, so please understand any shortcomings.

I'm trying to block or alert on specific URLs in Microsoft Defender > Settings > Endpoint > Rules > Indicators. I've completed the setup, but I'd like to customize the screen that appears on the webpage when an alert is triggered. Is there a way to do this?

Thank you in advance for your help.
Latest Threat Intelligence (December 2025)
Microsoft Defender for IoT has released the December 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 5c642a16bf56cb6d98ef8b12fdc89939

For cloud-connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release; click here for more information.

Microsoft Defender for Endpoint for Vulnerability Management and Reporting
Hi All,

We’re currently using Rapid7 for vulnerability management and reporting, but we’re actively evaluating the possibility of moving to Microsoft Defender for Endpoint going forward. We’d like to better understand how to properly leverage Defender for Endpoint for vulnerability management and reporting. If this means using custom reports, such as building dashboards in Power BI, we’re definitely open to that approach.

At a high level, we’re looking for guidance on best practices and the right direction to meet the following requirements:

- Ongoing vulnerability tracking and remediation
- Clearer reporting on vulnerability trends and areas needing improvement
- Breakdown of vulnerabilities by severity (Critical, High, Medium, Low), grouped by aging buckets (e.g., 30, 60, 90 days)
- Defender Secure Score reporting over time (30, 60, and 90-day views)
- Visibility into non-compliant devices in Intune, including devices in grace period and PCs that have checked in within the last 14 days

Any recommendations, examples, or pointers to documentation or reporting approaches would be greatly appreciated.

Thanks in advance,
Dilan

Correct firewall log names to be included in a Defender investigation package?
Hi, first-time poster. I work in a SecOps team using Defender for Endpoint. I noticed that when we collect an investigation package from a device in Defender, the firewall logs aren't being found. The advice in Microsoft Learn articles seems to be contradictory as to what the firewall logs should be named.

https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts says:

"FirewallExecutionLog.txt and pfirewall.log
The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log, so it's included in the investigation package. For more information on creating the firewall log file, see https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune."

This section implies that for the firewall log to be collected it has to be called "pfirewall.log", but on the linked page it is recommended to change the log file names:

"For each profile (Domain, Private, and Public) change the default log file name from %windir%\system32\logfiles\firewall\pfirewall.log to:
%windir%\system32\logfiles\firewall\pfirewall_Domain.log
%windir%\system32\logfiles\firewall\pfirewall_Private.log
%windir%\system32\logfiles\firewall\pfirewall_Public.log"

We have tested the changed names and they are not found by the investigation package. Which one is recommended, and is the logic used in the Defender investigation package correct?

Investigating Excel-Initiated Email Activity Without Sent Items Trace
Two days ago, three emails were sent from a user’s inbox without leaving any copies in the Sent Items folder. The user did not send these emails manually; this is confirmed by the presence of the SimpleMAPI flag in Outlook.

What I know:

Email characteristics:
- All three emails contained a Word attachment.
- No body text was present.
- The subject line matched the attachment file name.
- Two of the emails were identical.

Recipients:
- Emails were sent to colleagues who originally created the attached documents.

Attachment details:
- One attachment appeared to be a temporary file (e.g., a3e6....).

System behavior:
- No suspicious logins detected before or after the event.
- Emails were sent via the Outlook.exe process on the user’s machine.
- Excel.exe was identified as the parent initiating process according to Microsoft Defender for Endpoint logs.

In Defender's Endpoint logs I found this under Typed Details (related to the firing of the 3 emails):

1. Downloaded file: 2057_5_0_word_httpsshredder-eu.osi.office.net_main.html
   Path: C:\Users\s***s\AppData\Local\Microsoft\Office\16.0\TapCache\2057_5_0_word_httpsshredder-eu.osi.office.net_main.html
2. Downloaded file: ~$rmalEmail.dotm
   Path: C:\Users\s***s\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm

I am seeking assistance to replicate this issue and accurately determine how these three emails were triggered.

KQL query to report on Audit/Block status of Network Protection
Does anyone know how to run a query using KQL in the Defender portal to return the status of Network Protection (Audit or Block mode)?

The following query returns results, but "IsCompliant" = 1 when Network Protection is on in either Audit or Block mode. I thought the context might help, but for this SCID it is always empty.

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-96"

The information is available within the portal when you drill into the device (Configuration management > Effective settings), but this is not scalable when needing to check across a large estate. How could you query this via KQL, or another way, to generate a report on overall estate health and configuration? Long term it would be great to report on this in a Power BI dashboard.

Thanks

MS Defender 101.25102 update error
I have been trying to update MS Defender for several days now, without luck. I am on an iMac M3 with macOS 26.1. I tried removing and reinstalling the app, but it seems that the uninstall script does not remove the app at all. Yes, I did restart the machine. Does anyone have a solution?

Defender for Endpoint on Linux
I'm using the Linux version of the Defender agent on RHEL 8. The intended setup is: the agents are registered to the Defender cloud, and we have enabled the Intune to Defender connector, so when you register your endpoint, it should also create a skeleton registration in Intune so it can manage the Linux policy. I've got that set up.

However, if you need to make quick, perhaps unscheduled, changes to your Linux MDATP profile, how do you do it? It seems to be based on when the endpoint checks in with Intune, which Intune does every 4-6 hours.

Some of the docs I read said to just make the change to the .json config on the client; then Intune will reapply the updated policy when it checks the agent in. OK, but if you have enabled the anti-tamper feature on the agents, how do you then update the .json file? It's just going to block you from doing that.
Recent Blogs
- In today’s threat landscape, internet exposure, i.e. devices that allow inbound connectivity from the public internet, continues to be a major vector for initial access and compromise. Devices that a... (Jun 11, 2026)
- Security teams rely on scheduled scans to ensure consistent coverage across devices, detect dormant or missed threats, and meet compliance requirements. However, managing scans on Linux has tradition... (Jun 10, 2026)