Recent Discussions
Bitdefender active mode, configure MDE passive mode
Hi,

We have a scenario where a client currently has Bitdefender in Active Mode and uses it to manage their endpoints, and now plans to use Defender for Endpoint in Passive Mode for endpoints (Windows 11/Server).

- How to configure MDE in passive mode, step by step?
- I have 500 devices; how to onboard them on MDE step by step in co-management?
- While MDE is in Passive mode, is there any performance issue along with a 3rd party antivirus solution?

10 Views, 0 likes, 1 Comment

MDE use of Certificate based IoC not working
I have been trying to use MDE IoC with certificates as per the following link: https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates#create-an-indicator-for-certificates-from-the-settings-page

This is on a demo tenant with full M365 E5 licenses and vulnerability trial enabled just in case.

Test devices are:
- Windows 11 with latest updates - domain joined and managed by Intune
- MDE onboarded and active with AV
- Network protection in block mode
- Cloud delivered protection enabled
- File hash enabled
- In Defender portal - Settings - Endpoints advanced settings - all options enabled

I am testing with Firefox - the installer and the application .exe after installation. I have extracted the leaf certificate from both these .exe's using the helpful information in the following link: https://www.linkedin.com/pulse/microsoft-defender-missing-manual-how-actually-create-adair-collins-paiye/

Then uploaded the certs into Defender portal - Settings - Endpoints - IoC - Certificates - set to Block and remediate.

Issue: It's been 24h and nothing happens on the client devices. In the Defender portal - Assets - Devices - Device timeline - I can see the Firefox processes but at no point is the installer or application blocked.

Have I misunderstood how the feature works? Has anyone else managed to get this to work? Advice appreciated.

Thanks
Warren

68 Views, 0 likes, 5 Comments

Defender exclusion model seems to Violate CIS Benchmarks
Basically I wanted to exclude Shadow copies from the Virus scans, as this already takes forever and I could see high system usage while this was done on our server. The logic being that this data was already scanned multiple times again and again, and even if a virus managed to infect the shadow volume it would be caught as soon as the file was restored.

Unfortunately it seems to be impossible to only exclude the HarddiskVolumeShadowCopy, so to achieve this I would have to exclude the whole "System Volume Information" folder... and this obviously violates the CIS benchmark for security, and is generally just weak design that this is not possible (unless I am misunderstanding something and it is possible in some way).

So here is the long and short after my debate with Copilot:

Microsoft Defender Antivirus currently lacks support for exclusions using NT device paths such as:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*

This limitation forces administrators to exclude the entire System Volume Information folder to prevent scanning of VSS shadow copies. However, this folder contains multiple critical system components beyond shadow copies, including:
- NTFS Change Journal (USN)
- DFS Replication Database
- Indexing Service Data
- Other system metadata

Excluding this entire folder violates CIS Benchmarks and Microsoft’s own hardening guidance, which recommend minimizing antivirus exclusions to the smallest scope possible (Principle of Least Privilege). Current design introduces unnecessary risk and creates compliance gaps for organizations following CIS or similar frameworks.

Impact:
- Security risk: Broader exclusions than necessary reduce visibility into system metadata.
- Compliance risk: Organizations cannot meet CIS Benchmark requirements for AV configuration.
- Operational inefficiency: Defender scans shadow copies using kernel paths but does not allow precise exclusions for those same paths.

Recommendation: Microsoft should:
- Support exclusions for NT device paths (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*).
- Alternatively, provide a specific policy setting to exclude VSS snapshots without excluding other system components.

This change would align Defender with CIS Benchmark principles, reduce unnecessary exclusions, and improve performance without compromising security.

References:
- CIS Microsoft Windows Server Benchmark v3.0
- Microsoft Defender Antivirus Configuration Guidelines
- Principle of Least Privilege in AV Exclusions

46 Views, 0 likes, 0 Comments

Does Windows Defender create a batch file?
Hi there,

I am on Windows 11 and Defender did detect some malware during an installation. The files have been blocked and quarantined, a deep scan did not find any more issues. But I had a weird explorer behaviour after restarting - explorer.exe did stop and restart. I realized there is a batch file called securitycenter.bat in the autostart folder. The batch stops and restarts explorer. It was created right at the time Defender did notice about the malware. I checked explorer.exe. There is only one on the system and it seems to be the correct one (signed by Microsoft).

Any ideas?

27 Views, 0 likes, 0 Comments

Web Protection not blocking click throughs, but blocks direct access
I'm currently working to block all AI LLMs that aren't CoPilot. I'm using the Defender for Cloud integration which so far in testing is working well. However, I have one example with Grok where I have needed to add a custom URL so that I can block it being accessed from the sidebar on the main X website. I've added the URL as a custom URL indicator but if I follow the link on the X website it's not blocked. If I refresh the page once I'm on it, it will then return the expected block page. Similarly, if I manually browse to that URL it's also blocked on the first attempt.

What's preventing Endpoint from blocking the click through to the page? I'm using Edge.

44 Views, 0 likes, 0 Comments

Defender for Endpoint - macOS scan takes 1 second
Hello,

We use Defender for Endpoint on macOS deployed by Mosyle MDM. However, we noticed that when a user runs a quick or full scan, that action takes 1 second and that is it - 0 files scanned.

This used to work before; I happen to have a screenshot:

Now, if I run a scan from the command line, again the same:

We use config profiles from here: https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles

mdatp health output:

Did anyone have this issue? Thanks!

141 Views, 0 likes, 1 Comment

Kql query that search reg key
Hey,

I created the next KQL query but unfortunately I get 0 devices in the results:

// Search for creation, modification, or deletion events for the specified ESU registry key
DeviceRegistryEvents
| where RegistryKey has_any (@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Am I doing something wrong?

Thanks
Elad.

51 Views, 0 likes, 0 Comments

Hundreds of DSM-Synology NAS work files are intercepted by Defender as threats!
Hi everyone. . . Sorry, long...

For a couple of days now, I've been experiencing an annoying, persistent, and unresolvable problem affecting the Synology Drive Client 3.5.2 working folder D:\.SynologyWorkingDirectory.

I'm running Windows 11 Pro 64-bit v25H2, and a couple of days ago, I accidentally discovered that Windows Defender has become incredibly slow when launched from its taskbar icon. Once I opened Defender, it presented a report with HUNDREDS (!) of threats, all caused by (temporary?) files in the hidden working folder "D:\.SynologyWorkingDirectory." The vast majority of the threats were eliminated. However, a few were classified as "severe" and warned that Defender may not have been able to completely eliminate the threat.

I'm almost certain these aren't real threats, partly because of my extreme care with my browsing habits and behavior, but primarily because there are hundreds of them and they're constantly being created, exclusively in the D:\.SynologyWorkingDirectory folder. Defender, for its part, constantly deletes them, making it incredibly slow, and opening its history is equally slow.

I ran a thorough system scan with Defender, both online and offline, but nothing was found. I also ran a scan with MalwareBytes, and nothing was found, perhaps also because the files are quickly deleted by Defender. I therefore suspect that Windows Defender has arbitrarily classified Synology's temporary files as threats.

Even deleting Windows Defender's history was a painstaking task due to numerous (!) failed attempts due to the low-level and operational protections in Windows 11 Pro 64-bit v25H2. The only solution was to boot WinRE from a Windows installation USB drive, then delete the scans folder (D:\ProgramData\Microsoft\Windows Defender\Scans) from DOS. I also had to obtain the Bitlocker key, but clearing the history is pointless because it continually recreates itself with new detections! I'm forced to pause Synology Drive Client v3.5.2.

How can I get support for this issue?

Regards . .

74 Views, 0 likes, 0 Comments

Question malwares behavior
1) Does the behavior of the same malware on different PCs vary a lot? Example: Trojan:Win32/Wacatac.C!ml
PC 1: Trojan:Win32/Wacatac.C!ml, behavior: remains idle
PC 2: Trojan:Win32/Wacatac.C!ml, behavior: deletes/modifies files on the PC

2) Can a malware like Trojan:Win32/Wacatac.C!ml download other malware, let that perform actions, then delete itself, and would it evade future AV scans? Does it not leave traces to detect in the scan?

37 Views, 0 likes, 0 Comments

Question malwares
Are the following malware programs that modify, damage, corrupt, or delete various files from your PC? Do all malware types perform malicious operations on files? Trojan:Win32/Wacatac.C!ml, Trojan.DownLoader47.36298, TrojanPSW.Rhadamanthys, Trojan.Win32.Agent.xcajyl?

When a free antivirus program like Kaspersky Free and Microsoft Defender Free doesn't have a malware signature database and it doesn't appear in a complete scan, is it still active and have all protection barriers been breached? Without a signature, is the antivirus dead?

89 Views, 0 likes, 1 Comment

Microsoft Defender on Android (MAM-WE)
We are asking our users to install Microsoft Defender on their BYO devices but are running into issues with certain (not all) Android devices - they are getting the below error. What could be wrong? Their devices are not enrolled - we do not use MDM for personal devices. They are installing the regular Defender app from the public Play Store.

146 Views, 0 likes, 5 Comments

Need report query for Vulnerable devices
I'm looking for the query that generates the graph in the built-in report that is found under Reports > Endpoints > Vulnerable devices.

The picture below is from the documentation: https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-vulnerable-devices-report

The issue with building the query by myself is that the table DeviceTvmSoftwareVulnerabilities does not contain Timestamp; if I join in the DeviceTvmSoftwareVulnerabilitiesKB then there is a PublishedDate at least.

113 Views, 0 likes, 2 Comments

Question Malware modify, delete, corrupt files
What are the names of types of malware that access, modify, delete, or corrupt PC HDD and SSD files (Windows files and personal files, games, music, executables, ISO, IMG, RAR, ZIP, 7Z)? Does all malware have the potential to do this? In this case, how are the malware QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml), Caller.exe (DrWeb detects Trojan.DownLoader47.36298), and Caller.exe (VBA32 detects TrojanPSW.Rhadamanthys) classified?

242 Views, 0 likes, 4 Comments

High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs
Hello,

I’m running into a recurring issue on Windows Server 2019 Datacenter VMs running in Azure where MsMpEng.exe (Antimalware Service Executable) consistently spikes CPU usage every day.

Here’s what I’ve observed so far:
- Microsoft Defender pulls threat intelligence from the cloud continuously in real-time, in addition to multiple scheduled updates per day.
- Despite this continuous checking, I’ve noticed a consistent CPU spike only between 4:40 PM and 4:55 PM daily. During this time, Defender consumes 100% CPU.
- I’ve checked Task Scheduler and Defender scan settings; there are no scans or tasks scheduled during this period.
- Limiting CPU usage using Set-MpPreference -ScanAvgCPULoadFactor 30 has had no effect on these background maintenance routines.
- Automatic provisioning via Defender for Cloud is enabled on these Azure VMs, so the MDE agent installs and updates automatically.

Logs from Microsoft-Windows-Windows Defender/Operational during the high CPU window:

10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence...
10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence...
10/2/2025 4:49:41 PM 1150 Endpoint Protection client is up and running in a healthy state...

These logs confirm that Defender’s cloud intelligence updates and endpoint checks run exactly during the CPU spike window. Even though Defender continuously checks for cloud protection updates throughout the day, the CPU spike occurs only during this particular window. The pattern is consistent across multiple Azure VMs, suggesting this is part of Defender’s automated behavior.

Questions for the community:
- Is this behavior expected for Azure VMs, or could it indicate a bug in Defender on Windows Server 2019?
- Is there a supported way to throttle, defer, or better manage CPU usage during these maintenance and cloud intelligence routines?
- Are there recommended best practices for always-on production environments in Azure to avoid performance degradation caused by Defender?

Any guidance or advice would be really appreciated.

Thanks,
Nikunj

169 Views, 0 likes, 2 Comments

Ransomware query
If any ransomware detection, I need the following queries for advanced hunting in Defender:
1. Look for rapid file modification or creation or deletion
2. Rapid file encryption one
3. Look for a ransom note
4. Look for encryption algorithms
5. Look for double extension
6. Also query for birth time of the file

109 Views, 0 likes, 1 Comment

Registry modifications
If a file was downloaded, executed, and created a registry entry for persistence, is it enough to just delete the file from its original location? Or does the registry entry also need to be removed? What happens if it is not removed?

If a malicious file created an entry under HKLM Run, HKCU Run, or RunOnce, and the file is later deleted but the registry entry is left behind, will the system still try to execute it at startup?

140 Views, 0 likes, 2 Comments

MDE-Onboarding issue
Hello Community,

While I am trying to onboard a Windows 10 machine into MDE where there is already another AV running, which is Kaspersky, I am facing the issue that Microsoft AV is not able to revert its status from disabled into running state (passive mode). Even if I am trying to start the service manually, it will revert itself back to the disabled status.

Did anyone experience that issue before between Defender AV and Kaspersky?

103 Views, 0 likes, 1 Comment
Recent Blogs
- This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attack...
  Nov 18, 2025, 5.8K Views, 0 likes, 2 Comments
- Root detection is a critical security control that identifies whether an Android device has been compromised to gain elevated privileges or unrestricted access to the operating system. When a device ...
  Nov 17, 2025, 488 Views, 1 like, 0 Comments