Recent Discussions
Defender exclusion model seems to violate CIS Benchmarks

Basically I wanted to exclude shadow copies from the virus scans, as this already takes forever and I could see high system usage while this was done on our server. The logic being that this data was already scanned multiple times again and again, and even if a virus managed to infect the shadow volume it would be caught as soon as the file was restored. Unfortunately it seems to be impossible to only exclude the HarddiskVolumeShadowCopy, so to achieve this I would have to exclude the whole "System Volume Information" folder... and this obviously violates the CIS benchmark for security, and is generally just weak design that this is not possible (unless I am misunderstanding something and it is possible in some way). So here is the long and short after my debate with Copilot:

Microsoft Defender Antivirus currently lacks support for exclusions using NT device paths such as:

    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*

This limitation forces administrators to exclude the entire System Volume Information folder to prevent scanning of VSS shadow copies. However, this folder contains multiple critical system components beyond shadow copies, including:
- NTFS Change Journal (USN)
- DFS Replication Database
- Indexing Service Data
- Other system metadata

Excluding this entire folder violates CIS Benchmarks and Microsoft's own hardening guidance, which recommend minimizing antivirus exclusions to the smallest scope possible (Principle of Least Privilege). The current design introduces unnecessary risk and creates compliance gaps for organizations following CIS or similar frameworks.

Impact:
- Security risk: broader exclusions than necessary reduce visibility into system metadata.
- Compliance risk: organizations cannot meet CIS Benchmark requirements for AV configuration.
- Operational inefficiency: Defender scans shadow copies using kernel paths but does not allow precise exclusions for those same paths.

Recommendation: Microsoft should:
- Support exclusions for NT device paths (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*).
- Alternatively, provide a specific policy setting to exclude VSS snapshots without excluding other system components.

This change would align Defender with CIS Benchmark principles, reduce unnecessary exclusions, and improve performance without compromising security.

References:
- CIS Microsoft Windows Server Benchmark v3.0
- Microsoft Defender Antivirus Configuration Guidelines
- Principle of Least Privilege in AV Exclusions
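An added example for the post above (not from the thread or from Microsoft): before accepting a broad exclusion, audit what the current Defender AV path exclusions actually cover and list the device paths the shadow copies live under. The "too broad" rules are this example's own heuristics, not a CIS control list; the sample exclusion list is constructed so the script runs offline, and -Live reads the real list via Get-MpPreference.

```powershell
# Added example, not from the thread: audit Defender AV path exclusions for a
# scope wider than a shadow-copy exclusion would need, and list the device
# paths the shadow copies actually live under. The "too broad" rules are this
# example's own heuristics, not a CIS control list. Runs offline against the
# constructed sample below; use -Live to read the real list via Get-MpPreference.
param([switch] $Live)

function Get-ShadowCopyDevicePaths {
    # Win32_ShadowCopy.DeviceObject is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    # path Defender is seen scanning; enumerating it normally needs elevation.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, VolumeName, DeviceObject, InstallDate
}

function Test-ExclusionScope {
    param([Parameter(Mandatory)][string[]] $Paths)
    foreach ($p in $Paths) {
        $norm    = $p.TrimEnd('\')
        $finding = $null
        if ($norm -match '^[A-Za-z]:$' -or $norm -match '^[A-Za-z]:\\\*+$') {
            $finding = 'Excludes an entire volume'
        }
        elseif ($norm -match 'System Volume Information(\\\*)?$') {
            $finding = 'Excludes System Volume Information: USN journal, DFSR database, indexer data and other metadata, not only shadow copies'
        }
        elseif ($norm -match '^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy') {
            $finding = 'NT device-path exclusion; verify Defender honours it before relying on it'
        }
        elseif ($norm -match '\\\*$' -and ($norm -split '\\').Count -le 3) {
            $finding = 'Wildcard one level below the volume root'
        }
        [pscustomobject]@{
            Path    = $p
            Flagged = [bool]$finding
            Finding = if ($finding) { $finding } else { 'OK: narrow scope' }
        }
    }
}

# Constructed sample list (not taken from any real host).
$sample = @(
    'C:\System Volume Information',
    'D:\System Volume Information\*',
    'E:\*',
    'C:\Program Files\Vendor\App\cache',
    '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*'
)

$paths = if ($Live) { (Get-MpPreference).ExclusionPath } else { $sample }
if (-not $paths) { 'No path exclusions configured'; return }
Test-ExclusionScope -Paths $paths | Format-Table -AutoSize -Wrap
if ($Live) { Get-ShadowCopyDevicePaths | Format-Table -AutoSize }
```

Run it elevated with -Live on the server in question; any row flagged for System Volume Information or a whole volume is the finding a CIS assessor would raise, and the DeviceObject column shows the exact HarddiskVolumeShadowCopyN path the post is asking to exclude.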
Does Windows Defender create a batch file?

Hi there, I am on Windows 11 and Defender did detect some malware during an installation. The files have been blocked and quarantined, and a deep scan did not find any more issues. But I had a weird Explorer behaviour after restarting: explorer.exe did stop and restart. I realized there is a batch file called securitycenter.bat in the autostart folder. The batch stops and restarts Explorer. It was created right at the time Defender did notice the malware. I checked explorer.exe. There is only one on the system and it seems to be the correct one (signed by Microsoft). Any ideas?
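An added triage script for the situation described above (not from the thread; it makes no assumption about what that particular batch file is): it lists every item in both Startup folders with creation time, hash and, for scripts, the content, and then checks that every running explorer.exe is the copy under %SystemRoot% with a valid Microsoft signature. All paths are standard Windows locations.

```powershell
# Added example, not from the thread: triage the Startup folders after a
# detection and verify the running explorer.exe. Standard Windows paths only.

function Get-StartupFolderItems {
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        Get-ChildItem -LiteralPath $f -Force -File | ForEach-Object {
            $isScript = $_.Extension -in '.bat', '.cmd', '.ps1', '.vbs', '.js'
            [pscustomobject]@{
                Folder   = $f
                Name     = $_.Name
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # Script content is printed so the restart logic can be read directly.
                Content  = if ($isScript) { Get-Content -LiteralPath $_.FullName -Raw } else { $null }
            }
        }
    }
}

function Test-ExplorerBinary {
    # Every running explorer.exe should be %SystemRoot%\explorer.exe with a valid
    # Microsoft signature. A copy in another directory, an unsigned or
    # differently signed file, or an unexpected parent process is what to escalate.
    $expected = Join-Path $env:SystemRoot 'explorer.exe'
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = if ($_.Path) { Get-AuthenticodeSignature -FilePath $_.Path } else { $null }
        [pscustomobject]@{
            Pid          = $_.Id
            Path         = $_.Path
            ExpectedPath = ($_.Path -eq $expected)
            SigStatus    = $sig.Status
            Signer       = $sig.SignerCertificate.Subject
            ParentPid    = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").ParentProcessId
        }
    }
}

Get-StartupFolderItems | Format-List
Test-ExplorerBinary    | Format-Table -AutoSize
```

The creation time of each Startup item can be lined up against the Defender detection time in the protection history; a startup entry that appeared at the same moment as the detection, whatever it does, is something the installer or the blocked payload wrote, not Defender.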
Web Protection not blocking click-throughs, but blocks direct access

I'm currently working to block all AI LLMs that aren't Copilot. I'm using the Defender for Cloud integration, which so far in testing is working well. However, I have one example with Grok where I have needed to add a custom URL so that I can block it being accessed from the sidebar on the main X website. I've added the URL as a custom URL indicator, but if I follow the link on the X website it's not blocked. If I refresh the page once I'm on it, it will then return the expected block page. Similarly, if I manually browse to that URL it's also blocked on the first attempt. What's preventing Endpoint from blocking the click-through to the page? I'm using Edge.
KQL query that searches a reg key
Hi, I created the following KQL query but unfortunately I get 0 devices in the results:

    // Search for creation, modification, or deletion events for the specified ESU registry key
    DeviceRegistryEvents
    | where RegistryKey has_any (
        @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU",
        @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU")
    | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData,
              InitiatingProcessFileName, InitiatingProcessCommandLine
    | sort by Timestamp desc

Am I doing something wrong? Thanks, Elad.

Hundreds of DSM-Synology NAS work files are intercepted by Defender as threats!
Hi everyone. Sorry, long...

For a couple of days now, I've been experiencing an annoying, persistent, and unresolvable problem affecting the Synology Drive Client 3.5.2 working folder D:\.SynologyWorkingDirectory. I'm running Windows 11 Pro 64-bit v25H2, and a couple of days ago I accidentally discovered that Windows Defender has become incredibly slow when launched from its taskbar icon. Once I opened Defender, it presented a report with HUNDREDS (!) of threats, all caused by (temporary?) files in the hidden working folder "D:\.SynologyWorkingDirectory". The vast majority of the threats were eliminated. However, a few were classified as "severe" and warned that Defender may not have been able to completely eliminate the threat. I'm almost certain these aren't real threats, partly because of my extreme care with my browsing habits and behavior, but primarily because there are hundreds of them and they're constantly being created, exclusively in the D:\.SynologyWorkingDirectory folder. Defender, for its part, constantly deletes them, making it incredibly slow, and opening its history is equally slow. I ran a thorough system scan with Defender, both online and offline, but nothing was found. I also ran a scan with Malwarebytes, and nothing was found, perhaps also because the files are quickly deleted by Defender. I therefore suspect that Windows Defender has arbitrarily classified Synology's temporary files as threats. Even deleting Windows Defender's history was a painstaking task due to numerous (!) failed attempts caused by the low-level and operational protections in Windows 11 Pro 64-bit v25H2. The only solution was to boot WinRE from a Windows installation USB drive, then delete the scans folder (D:\ProgramData\Microsoft\Windows Defender\Scans) from DOS. I also had to obtain the BitLocker key, but clearing the history is pointless because it continually recreates itself with new detections! I'm forced to pause Synology Drive Client v3.5.2.

How can I get support for this issue? Regards.

Question about malware behavior
1) Does the behavior of the same malware on different PCs vary a lot? Example: Trojan:Win32/Wacatac.C!ml
   PC 1: Trojan:Win32/Wacatac.C!ml, behavior: remains idle
   PC 2: Trojan:Win32/Wacatac.C!ml, behavior: deletes and modifies files on PC 2
2) Can a malware like Trojan:Win32/Wacatac.C!ml download other malware, let that perform actions, then delete itself, and would it evade future AV scans? Does it not leave traces to detect in the scan?

Issue with Missing Endpoint menu in Settings
I know this is a frequent topic, but nothing seems to be working for me. I am a security admin, licensed for Microsoft 365 Business Standard, and I have a Defender for Endpoint P2 license assigned to my user ID. The license has been assigned for over 24 hours and I've clicked on menu choices waiting for provisioning, but the Endpoint menu and settings link do not appear. Any other ideas? Thanks for your assistance.

Defender API - Get software by ID with a " ' " inside the defender_id
In the list of software I retrieved with the API ("/api/Software"), some of the software have an Id with a "'" (apostrophe) in the name, e.g. microsoft-_-portail_d'entreprise. When calling, for example, Get Software by Id ("/api/Software/{Id}"), so in this case /api/Software/microsoft-_-portail_d'entreprise, or if I replace the ' by %27, so /api/Software/microsoft-_-portail_d%27entreprise, I always get a status code 400 (malformed). How can I make it work? Thx

Core Isolation False Positives
Why is there currently no way to whitelist, or even submit, Memory Integrity (Core Isolation) false positives to Microsoft? I have a service that is constantly detected (even though it has now been digitally signed by the vendor). When it is detected it stops the product from working correctly. There is no way to whitelist this service, and the only way to currently work around it is to turn off Core Isolation. But our security teams are wanting to turn Core Isolation back on for users. How do we get this service looked at? I have tried submitting the file to Microsoft, who say it isn't malicious, but it's still getting detected. I don't have access to the MDE console so can't submit anything directly from there either.

[MS Defender for Endpoint] Wanted guidance on Alerts API
Question: Which API is recommended for reliably sharing domain information, especially for integration with external tools?
- https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id
- https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info

How can I generate or simulate alerts so that the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info API returns actual domain-related data? What are the best practices for selecting the appropriate API for this use case, considering I cannot use both in my integration?

Things I have explored so far:
- Currently using the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id API. It provides domain-related data in the evidence section. The example response includes entities with entityType "Url" containing both domain names and URLs.

Alert response:

    {
      "id": "da0c5a38e4-3ef4-4c75-a0ad-9af83e866cf1_1",
      "detectionSource": "WindowsDefenderAtp",
      "category": "CredentialAccess",
      "evidence": [
        {
          "entityType": "Url",
          "url": "pub-8eab0c35f1eb4dacafaaa2b16d81a149.r2.dev"   // DOMAIN TYPE
          // ... other fields
        },
        {
          "entityType": "Url",
          "url": "https://example.com"                           // URL TYPE
          // ... other fields
        }
      ]
      // ... other fields
    }

- Noticed another API: https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info. Purpose-built for retrieving domains related to alerts. Returns an empty data object with no domains or hosts, even when generating alerts by accessing blocked domains. A custom IOC of type domain was added to the endpoint indicators list and then the same domain was accessed from a Windows machine. Ref: https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain#create-an-indicator-for-ips-urls-or-domains-from-the-settings-page

How to extract vulnerability details from Microsoft Defender?
With the KQL below, I'm able to retrieve only a few details about the vulnerability.

    DeviceInfo
    | summarize arg_max(Timestamp, DeviceName, OSPlatform, SensorHealthState, OnboardingStatus) by DeviceId
    | join kind=inner (
        DeviceLogonEvents
        | where ActionType == "LogonSuccess"
        | summarize arg_max(Timestamp, AccountName, AccountDomain) by DeviceId
        | extend Owner = strcat(AccountDomain, "\\", AccountName)
    ) on DeviceId
    | join kind=inner (
        DeviceTvmSoftwareVulnerabilities
        | project DeviceId, CveId, SoftwareName, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
    ) on DeviceId
    | project OnboardingStatus, CveId, SoftwareName, RecommendedSecurityUpdate

However, I need additional details as below: Environment, OS Version, Vulnerability Name, Apps/Infra, Owner, Risk, CVSS, CVE ID, Solution, Vulnerability links, IP, Port, DNS/NETBIOS NAME, Plugin Output, Synopsis Description, Occurrence, Ageing, Region, Plugin ID, Purpose, Exception, Application. Is there a way or script (KQL or PowerShell) to retrieve these details from Microsoft Defender?
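An added example for the question above (not from the thread or from Microsoft): the poster's query extended with the CVE metadata that DeviceTvmSoftwareVulnerabilities does not carry but DeviceTvmSoftwareVulnerabilitiesKB does (CVSS score, description, exploit availability, published date, and an age in days derived from it), run through the Advanced Hunting API and exported to CSV. It assumes an Entra app registration granted the WindowsDefenderATP AdvancedQuery.Read.All application permission; the tenant, app and secret values are placeholders.

```powershell
# Added example, not from the thread: per-device vulnerability rows joined to
# the CVE knowledge base, fetched via the Advanced Hunting API, written to CSV.
# Assumptions: app registration with AdvancedQuery.Read.All; placeholders below.
param(
    [string] $TenantId = '<tenant-id>',
    [string] $ClientId = '<app-id>',
    [string] $Secret   = '<client-secret>',
    [string] $OutFile  = '.\defender-vulns.csv'
)

$Query = @'
DeviceInfo
| summarize arg_max(Timestamp, DeviceName, OSPlatform, OSVersion, SensorHealthState, OnboardingStatus) by DeviceId
| join kind=inner (
    DeviceLogonEvents
    | where ActionType == "LogonSuccess"
    | summarize arg_max(Timestamp, AccountName, AccountDomain) by DeviceId
    | extend Owner = strcat(AccountDomain, "\\", AccountName)
) on DeviceId
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | project DeviceId, CveId, SoftwareVendor, SoftwareName, SoftwareVersion,
              VulnerabilitySeverityLevel, RecommendedSecurityUpdate
) on DeviceId
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate, VulnerabilityDescription
) on CveId
| extend AgeDays = datetime_diff("day", now(), PublishedDate)
| project DeviceName, OSPlatform, OSVersion, OnboardingStatus, Owner,
          CveId, CvssScore, VulnerabilitySeverityLevel, IsExploitAvailable,
          SoftwareVendor, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate,
          PublishedDate, AgeDays, VulnerabilityDescription
'@

function Get-MdeToken {
    # Client-credentials flow against the MDE API resource.
    $body = @{
        resource      = 'https://api.securitycenter.microsoft.com'
        client_id     = $ClientId
        client_secret = $Secret
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body).access_token
}

function Invoke-AdvancedHunting {
    param([Parameter(Mandatory)][string] $Kql, [Parameter(Mandatory)][string] $Token)
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body (@{ Query = $Kql } | ConvertTo-Json)
    # The API answers with Schema (column list) and Results (one object per row).
    # Result sets are capped per call; if a tenant exceeds the cap, split the
    # query (for example by VulnerabilitySeverityLevel) and append.
    $resp.Results
}

$rows = Invoke-AdvancedHunting -Kql $Query -Token (Get-MdeToken)
$rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("Wrote {0} rows to {1}" -f @($rows).Count, $OutFile)
```

Fields such as Environment, Region, Purpose, Exception, Plugin ID, Plugin Output and Synopsis are scanner (Nessus/Tenable-style) or CMDB attributes and do not exist in Defender's schema; join them onto the exported rows by DeviceName from your own inventory. IP addresses per device are available by joining DeviceNetworkInfo on DeviceId if you need that column as well.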
Defender for Endpoint/Identity not logging event ID 4625

During some on-prem pen-testing, password sprays were conducted and Defender did not alert in any way, and even digging in advanced hunting did not show enough indication of this attack. We were also ingesting the logs (Event IDs 4624 and 4625) from a domain controller, which made it possible to create a SIEM rule to detect the behavior, but the question is what is missing for Defender to pick this up, or at least log the events to make a custom detection an option? The domain controller that generated the SIEM logs was onboarded with a type of "domain controller"; Defender for Identity is also enabled. Do any users have this experience with Defender missing pen-test activities?
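An added example for the post above (not from the thread): the spray logic a SIEM rule on 4625 typically implements, written so it runs here on constructed sample records and, on a domain controller, on live records pulled with Get-WinEvent. The thresholds are this example's own defaults. The signature it looks for is one source address hitting many distinct accounts with only a few attempts each inside a short window, which is exactly what a per-account lockout threshold never fires on.

```powershell
# Added example, not from the thread: password-spray detector over Security
# event 4625. Thresholds are this example's own defaults, not Microsoft's.

function ConvertFrom-Event4625 {
    # Flatten an EventLogRecord for 4625 into the fields the detector needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Target    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIp  = $d.IpAddress
            LogonType = [int]$d.LogonType
            SubStatus = $d.SubStatus   # 0xC000006A bad password, 0xC0000064 unknown user
        }
    }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]] $Records,
        [int] $WindowMinutes = 10,
        [int] $MinAccounts   = 5,   # distinct targets from one source
        [int] $MaxPerAccount = 3    # sprays stay under lockout thresholds
    )
    $Records | Sort-Object Time | Group-Object SourceIp | ForEach-Object {
        $src  = $_.Name
        $evts = @($_.Group)
        for ($i = 0; $i -lt $evts.Count; $i++) {
            $start  = $evts[$i].Time
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($evts | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $perAccount = @($window | Group-Object Target)
            $maxPer = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
            if ($perAccount.Count -ge $MinAccounts -and $maxPer -le $MaxPerAccount) {
                [pscustomobject]@{
                    SourceIp    = $src
                    WindowStart = $start
                    Accounts    = $perAccount.Count
                    Attempts    = $window.Count
                    Sample      = (@($perAccount.Name) | Select-Object -First 5) -join ', '
                }
                break   # one finding per source is enough to raise an alert on
            }
        }
    }
}

# Constructed sample: 10.0.0.5 sprays eight accounts once each within two
# minutes; 10.0.0.9 is one user mistyping their own password four times.
$t0 = Get-Date '2025-11-18 09:00:00'
$sample = @()
foreach ($i in 0..7) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(15 * $i); Target = "CORP\user$i"; SourceIp = '10.0.0.5'; LogonType = 3; SubStatus = '0xC000006A' }
}
foreach ($i in 0..3) {
    $sample += [pscustomobject]@{ Time = $t0.AddMinutes($i); Target = 'CORP\alice'; SourceIp = '10.0.0.9'; LogonType = 2; SubStatus = '0xC000006A' }
}
Find-PasswordSpray -Records $sample | Format-Table -AutoSize

# Live use on a domain controller, last 24 hours:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } | ConvertFrom-Event4625
# Find-PasswordSpray -Records $live
```

On the sample only 10.0.0.5 is reported (eight accounts, one attempt each); the four failures from 10.0.0.9 against a single account are not a spray. One caveat when comparing against DC logs: 4625 covers NTLM and interactive failures, while a spray over Kerberos shows up as 4771 (Kerberos pre-authentication failed), which carries the same TargetUserName and IpAddress fields, so the same grouping applies after mapping them.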
Looking for Siloed solution

Hello, my organization is looking for a new cyber security solution for our siloed network. The network is kept internal and we have been using a Trellix solution for our needs, but we are looking to move away from it for various reasons. With MDE looking like the solution we want, we have been unable to find whether there is a solution for an isolated network like ours where we would still have access to the GUI and the features, but we wouldn't connect via the cloud to the greater networks outside. Is this possible for us to set up with MDE, or should we begin looking for a different solution?

MemScanVfz-AMSI scan causing CPU performance issue
We have a few workstations (W11) and servers (Win Srv 2019) where there is slow performance due to MsMpEng.exe being the highest CPU utilizer (80-90%). Based on the MP performance recording, I noticed only MemScanVfz-AMSI in the top 20 scans. Is there any way we can disable this service or add exclusions, or any suggestion to reduce the CPU utilization?

Intune Website Block Policy Not Working on Newly Enrolled Devices
We configured URL blocking for multiple cloud storage services via the Microsoft 365 Defender portal at https://security.microsoft.com > Settings > Endpoints > Indicators. The policy works on older devices, but we recently discovered that newly enrolled Windows devices can still access those URLs, even though they show as compliant in Microsoft Defender for Endpoint. Has anyone encountered this issue before? The PC enrolled 2 days ago.
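An added check for the situation above (not from the thread or from Microsoft): custom URL/domain indicators are enforced on the device by network protection in block mode, with Defender AV real-time and cloud-delivered protection on and a running Sense (MDE sensor) service; "compliant" in Intune/MDE says nothing about any of these, and on a freshly enrolled device the network-protection profile is often the piece that has not applied yet. The function reads Get-MpPreference and Get-MpComputerStatus on a real device; the sample objects are constructed so it also runs offline.

```powershell
# Added example, not from the thread: verify on the device that the
# prerequisites for custom URL/domain indicators are in place. Property names
# are those of Get-MpPreference / Get-MpComputerStatus; the sample objects are
# constructed to stand in for a newly enrolled device.

function Test-IndicatorPrereqs {
    param(
        $Pref       = (Get-MpPreference),
        $Status     = (Get-MpComputerStatus),
        $SenseState = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status,
        [bool] $IsServer = ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 1)
    )
    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit (no blocking).
    $npMode = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }[[int]$Pref.EnableNetworkProtection]
    $checks = @(
        [pscustomobject]@{ Check = 'Network protection in block mode'; Value = $npMode;                           Pass = ($Pref.EnableNetworkProtection -eq 1) }
        [pscustomobject]@{ Check = 'Real-time protection';             Value = $Status.RealTimeProtectionEnabled; Pass = [bool]$Status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'Cloud-delivered protection (MAPS)'; Value = $Pref.MAPSReporting;              Pass = ($Pref.MAPSReporting -ne 0) }
        [pscustomobject]@{ Check = 'AV running mode';                  Value = $Status.AMRunningMode;             Pass = ($Status.AMRunningMode -eq 'Normal') }
        [pscustomobject]@{ Check = 'Sense (MDE sensor) service';       Value = $SenseState;                       Pass = ("$SenseState" -eq 'Running') }
    )
    if ($IsServer) {
        $checks += [pscustomobject]@{ Check = 'Network protection allowed on Windows Server'; Value = $Pref.AllowNetworkProtectionOnWinServer; Pass = [bool]$Pref.AllowNetworkProtectionOnWinServer }
    }
    $checks
}

# Constructed sample: a newly enrolled workstation whose network-protection
# profile has not applied yet (still audit mode); everything else healthy.
$samplePref   = [pscustomobject]@{ EnableNetworkProtection = 2; MAPSReporting = 2; AllowNetworkProtectionOnWinServer = $false }
$sampleStatus = [pscustomobject]@{ RealTimeProtectionEnabled = $true; AMRunningMode = 'Normal' }

Test-IndicatorPrereqs -Pref $samplePref -Status $sampleStatus -SenseState 'Running' -IsServer $false |
    Format-Table -AutoSize

# On a real device run it elevated with no arguments:
# Test-IndicatorPrereqs | Format-Table -AutoSize
```

On the sample the only failing row is network protection (Audit), which matches the symptom: the indicator is known to the device but nothing enforces it. Compare the output of an older, working device with a new one; the first row that differs is where to look in the Intune configuration profiles.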
Password reuse limitations

I have been doing some testing of using Windows Defender to detect password reuse. I have found that if you have the username and password fields together, then password reuse detection works well. However, if you have a site like ChatGPT that has a form for your username and then the password box only appears after you have hit enter, then the password reuse detection does not work.
How do I contact Comcast about email problems
🔒 Title: Enabling Microsoft Defender for Endpoint + PCI-DSS Email Protection (UPYUGO Use Case)
We're deploying Microsoft Defender for Endpoint and aligning it with PCI-DSS v4.0 compliance for our UPI-first fintech brand UPYUGO Technologies. Our focus:
- Shield transactional emails (KYC, OTP, payment alerts)
- Lock down phishing/spam with custom quarantine logic
- Implement Defender strict policy + advanced anti-spam (MDO)

Would love feedback on:
- Best practices for Defender ATP in regulated environments
- DMARC, SPF, DKIM recommendations
- Log forwarding to Sentinel or Azure Monitor

Cheers, [email address removed for privacy reasons]
Recent Blogs
- This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attack... (Nov 18, 2025)
- Root detection is a critical security control that identifies whether an Android device has been compromised to gain elevated privileges or unrestricted access to the operating system. When a device ... (Nov 17, 2025)