Forum Discussion
Defender365 Alerts for high volume file deletion
All of a sudden we're getting large volumes of alerts from Defender for unusual volume of file deletions. We seldom get these and when we do it has previously turned out to be a user clearing old files etc. But these alerts now are mostly for the AppData folder, and now today some from C:/temp.
The thing that has me questioning is the items deleted and the apps involved. For example, most deleted items seem to be from the appdata folder, but for Microsoft.Windows.Search_cw5n1h2txyewy and some of the files are named things like Photo, but they are json files.
Second thing that has me questioning is the applications involved, a few of which are from taskhostw.exe, which I'm worried is being used to set up some sort of persistent access.
Has anyone else been experiencing this unusual volume of alerts? Wondering if it's due to some sort of Windows update or a bug in Defender.
- Steve Whitcher (Bronze Contributor)
Paragon06 You're not alone, others have been getting these alerts again recently as well. I opened a support ticket about it, as this seems like the rule is obviously broken when it's alerting constantly on routine programmatic deletion of files from the local appdata folder, but the rep just insists that this is how it's supposed to work, and if I don't like it I should turn the rule off (and possibly create a replacement rule that is more targeted.) Maybe someone else will have better luck than I did at convincing them that the rule/detection is broken.
There are other threads that have been discussing this on-and-off issue for a while, here's one: Re: Unusual volume of file deletion - Microsoft Tech Community
- Paragon06 (Copper Contributor)
Thanks for the reply. I've worked out what's going on, but not why. So it's actually reporting people as deleting files, but the people are actually using the files. Most of the alerts were for AppData deletion; it turns out it's just people using the apps. And the odd report where it showed a network file, once I checked with the users, they were using those files, but none were deleted.
So it's very broken. I've opened a support ticket about it. I'll let you know if I get sense out of them.
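As an added defender-side triage example (not code from any poster in this thread), the following Microsoft 365 Defender advanced hunting query over the DeviceFileEvents table separates deletion bursts inside AppData, Temp and INetCache (the routine app churn the thread describes) from bursts elsewhere on the device, so a high-volume alert can be checked against endpoint telemetry before it is escalated. The 200-per-hour threshold and the 7-day lookback are assumed tuning values, not anything the built-in alert policy uses.

```kql
// Added example: bucket FileDeleted events per device and hour and flag
// whether they sit in the profile folders the thread's false positives came from.
// burst_threshold and lookback are assumed values; tune them to your estate.
let lookback = 7d;
let burst_threshold = 200;
// Term-level matches: "Temp" covers both C:\Temp and AppData\Local\Temp;
// the Search indexer package lives under AppData\Local\Packages.
let churn_terms = dynamic(["AppData", "Temp", "INetCache"]);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileDeleted"
| extend IsProfileChurn = FolderPath has_any (churn_terms)
| summarize
    Deleted         = count(),
    DistinctFolders = dcount(FolderPath),
    SampleFolders   = make_set(FolderPath, 3),
    Processes       = make_set(InitiatingProcessFileName, 5),
    Accounts        = make_set(InitiatingProcessAccountName, 3)
    by DeviceName, IsProfileChurn, Hour = bin(Timestamp, 1h)
| where Deleted >= burst_threshold
// Bursts with IsProfileChurn == false (user documents, shares) surface first;
// churn-folder bursts driven by taskhostw.exe or the Search indexer can be
// compared against the process list before deciding they are benign.
| order by IsProfileChurn asc, Deleted desc
```

Rows where the initiating processes are the apps the users were actively working in, and the folders are all under the profile churn locations, correspond to the "people using the apps" pattern described above; anything else deserves a look at the account and process columns.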
- Hussayn (Copper Contributor)
Hi
Same issue here at around the same time, just logged a call with MS now.
Ours look like a bunch of files in AppData as well as other files in users' user profile on their AAD joined device.
Keep us posted with your progress and what the support say.
Do you guys have Defender and Compliance integration by any chance set up/enabled?
- tawalker0 (Copper Contributor)
Joining the party. We're seeing this alert activity in multiple tenant Defender consoles as well. Have also contacted support (early Sept); they stated they knew and were working on the issue, and had offered similar advice of disabling the default policy and creating a new one. This is what we tried.
Reporting back, over a month later, and we are getting the same alerts from the custom policy, although the volume is much less. I know there is a burn-in period for these heuristic/AI policies but I thought it was only about a week, and we had not seen any alerts for at least 6 weeks. Thought we had this one resolved, but apparently not... 😞
Oddly enough, the custom policy clearly states 'files deleted from a site', yet these are LOCAL temp/appdata/inetcache files.
- Andrew_Woo (Iron Contributor)
Sorry, although I am late, I am joining the party.
- Leo_Lopez (Copper Contributor)
Did anyone else stop getting these alerts since 11/8? Looked in our Purview portal, and the alert policy isn't there anymore.
- Steve Whitcher (Bronze Contributor)
Leo_Lopez To the contrary, I had disabled the original rule and created a custom one per support's recommendation. That did seem to help, we were seeing few alerts from it, right up until about 8am CST on 11/8/22. I received 22 emails from this alert, again related to appdata folders on the local machine, over the next 48 hours.
The date does coincide though, I wonder if something was changed that day?
- Hussayn (Copper Contributor)
Interesting you mention this, I still have a MS ticket open, they asked me to check it again, I re-enabled this rule I believe on 7th Nov, then MS asked what's the status of the rule, I went to check and I thought I was going crazy as it was not there on the 8th.
I was informed yesterday 21st Nov that it was deleted by MS, however I assumed it was just in my tenant and that was infuriating, however it seems you have the same, no rule. This is extremely frustrating that they would simply delete the rule without giving notification. These 1st line guys from MS said it was done because my original issue was getting too many alerts... Jokers.
What I would say is they did come back to me before the 7th and say MS had adjusted the algorithm which was too aggressive, then they changed it again, but I only got 1 alert email between 7th and 8th.
I was also informed by one of their 1st line guys that they may soon remove this alerting rule and we would need to create one in its place manually, but I was not expecting it to be deleted straight away.
Today they said they will check why it was deleted and get it added back in.
Let's see what these jokers come back with tomorrow.
- Leo_Lopez (Copper Contributor)
I was also informed by MS support that the policy is "...in the process of being deprecated based on customer feedback..." Then, I was told I can just recreate the policy myself.
- Paragon06 (Copper Contributor)
I have not revisited it since finding out it was linked to the app data collection policy in EPM. I haven't turned the alert back on since due to being tied up with other projects. I will turn it back on tomorrow and see if the alerts still trigger.