Forum Discussion
Sebastianrhenriksen12 (Copper Contributor), Jan 13, 2022
Unusual volume of file deletion
Our company is starting to get a lot of alerts regarding 'Unusual volume of file deletion'. It seems like every deletion path is c\users\appdata\local or c\users\appdata\local.
As we investigate, the deletion of files is happening when we are off work or early in the morning.
- Steve Whitcher (Bronze Contributor): I contacted support, but the person handling my ticket insists that this is working as intended. That's obviously not the case, but I couldn't get him to even consider the possibility that something is broken. I suggest others having this issue open tickets for it as well; hopefully someone will get a better result.
- BlacksuitHades (Copper Contributor): Yup, I will do the same, because it is ridiculous to get this amount of alerts from the AppData folder. There should be an exclusion option for acceptable risk.
- Andrew_Woo (Iron Contributor): Any new updates for this? It happens in endpoint, and this is weird.
- sbradbury (Copper Contributor): We've just started receiving hundreds of these alerts too, starting on September 6. I just had to turn this alert policy completely off.
- Steve Whitcher (Bronze Contributor): Yeah, I started getting these again this morning and have received 18 alert emails in the past 4 hours.
- BlacksuitHades (Copper Contributor): This is insane; the amount of false positives is blowing up my mailbox. Has anyone made a custom alert for this that excludes the file path? I cannot seem to figure out how to add a path with a wildcard for the user profile as an exception.
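The post above asks how to exclude a path with a wildcard in the user-profile segment. The following is an added triage helper written for this page, not code from Microsoft or from any poster: it normalizes Windows paths, applies assumed glob-style exclusions where `*` matches one segment (the profile name) and `**` matches everything below a directory, and then recounts deletions per user after the exclusions, marking how many of the remaining deletions fall outside an assumed 08:00 to 18:00 business window. The event schema (user, path, timestamp), the exclusion list, the business hours and the sample events are all constructed for the example.

```python
"""Added example: recount 'unusual volume of file deletion' events after path exclusions.

Not Microsoft code. The event schema, exclusion globs, business window and
sample events below are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from functools import lru_cache

# Assumed exclusion list. A single '*' matches exactly one path segment (here
# the user-profile name); a trailing '**' matches everything below that folder.
EXCLUDED_PATH_GLOBS = (
    r"C:\Users\*\AppData\Local\**",
    r"C:\Users\*\AppData\LocalLow\**",
)

# Assumed local business window for the off-hours check.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18


def normalize(path):
    """Lower-case the path and use single backslashes, so matching is case- and separator-insensitive."""
    return re.sub(r"\\+", r"\\", path.replace("/", "\\")).lower()


@lru_cache(maxsize=None)
def glob_to_regex(glob):
    """Translate a path glob into a regex: '*' stays within one segment, '**' crosses segments."""
    out = []
    for part in re.split(r"(\*\*|\*)", normalize(glob)):
        if part == "**":
            out.append(".*")
        elif part == "*":
            out.append(r"[^\\]*")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


def is_excluded(path, globs=EXCLUDED_PATH_GLOBS):
    """True when the path matches any exclusion glob."""
    normalized = normalize(path)
    return any(glob_to_regex(g).match(normalized) for g in globs)


def is_off_hours(timestamp):
    """True when the (assumed local) ISO timestamp falls outside the business window."""
    hour = datetime.fromisoformat(timestamp).hour
    return hour < BUSINESS_START_HOUR or hour >= BUSINESS_END_HOUR


def summarize(events, globs=EXCLUDED_PATH_GLOBS):
    """Per-user counts: total deletions, excluded by path, remaining, and remaining off-hours."""
    summary = defaultdict(lambda: {"total": 0, "excluded": 0, "remaining": 0, "off_hours": 0})
    for user, path, ts in events:
        row = summary[user]
        row["total"] += 1
        if is_excluded(path, globs):
            row["excluded"] += 1
        else:
            row["remaining"] += 1
            if is_off_hours(ts):
                row["off_hours"] += 1
    return dict(summary)


def flagged_users(events, threshold, globs=EXCLUDED_PATH_GLOBS):
    """Users whose deletions outside the excluded paths reach the threshold."""
    return sorted(u for u, row in summarize(events, globs).items() if row["remaining"] >= threshold)


# Constructed sample events (user, path, local ISO timestamp); not real telemetry.
SAMPLE_EVENTS = [
    # alice: temp and browser-cache cleanup under AppData\Local, all excluded
    ("alice", r"C:\Users\alice\AppData\Local\Temp\a1.tmp", "2022-01-13T02:10:00"),
    ("alice", r"C:\Users\alice\AppData\Local\Temp\a2.tmp", "2022-01-13T02:10:01"),
    ("alice", "c:/users/alice/AppData/Local/Google/Chrome/User Data/Default/Cache/f_000001", "2022-01-13T02:11:00"),
    # bob: one AppData deletion plus three in Documents, early in the morning;
    # the last one only looks like AppData and must not be excluded
    ("bob", r"C:\Users\bob\AppData\Local\Temp\b1.tmp", "2022-01-13T03:00:00"),
    ("bob", r"C:\Users\bob\Documents\q4-report.docx", "2022-01-13T03:05:00"),
    ("bob", r"C:\Users\bob\Documents\contracts\msa.pdf", "2022-01-13T03:05:10"),
    ("bob", r"C:\Users\bob\Documents\AppData\Local\lookalike.tmp", "2022-01-13T03:06:00"),
    # carol: two deletions during working hours
    ("carol", r"C:\Users\carol\Desktop\old.txt", "2022-01-13T10:00:00"),
    ("carol", r"C:\Users\carol\Desktop\older.txt", "2022-01-13T10:01:00"),
]

if __name__ == "__main__":
    for user, row in sorted(summarize(SAMPLE_EVENTS).items()):
        print(user, row)
    print("flagged with exclusions:", flagged_users(SAMPLE_EVENTS, threshold=3))
    print("flagged without exclusions:", flagged_users(SAMPLE_EVENTS, threshold=3, globs=()))
```

Running it shows alice dropping to zero remaining deletions once the AppData\Local paths are excluded, while bob is still flagged because three of his deletions are under Documents (one of them in a folder that merely contains the string `AppData\Local`, which a single-segment `*` correctly refuses to match). The trade-off raised elsewhere in this thread applies: a deletion genuinely under AppData\Local, including one an intruder makes to cover their tracks, is suppressed along with the noise, so the exclusion should be paired with the remaining-count and off-hours columns rather than replace the alert outright.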
- Steve Whitcher (Bronze Contributor): I've just started seeing these come up in my environment recently. While I could definitely see a malicious actor deleting temp files from the user profile to hide its tracks, I can't help but wonder if these might just be a new monitor that is a little overzealous. The fact that I'm seeing posts from others who got these alerts as far back as November, though, has me wondering what changed that they're suddenly happening here.
- Steve Whitcher (Bronze Contributor): Since my last post, these alerts have only increased. I have received over 30 of these messages in the past ~3 hours. It's getting ridiculous. Has anyone found a solution to adjust the sensitivity on these?
- vinicarmo (Copper Contributor): I have this same scenario. I received 190 alerts of this type and analyzed most of them; they all point to the AppData folder. I realized that they are false positives, so I will close the incidents in the Defender portal with the false-positive information. Now I need to wait to see whether I will still receive this large mass of incidents of this type.
- Paul_Kern (Copper Contributor): We have also seen this behavior. Ours started in early February. Right now, I see no indication that this is anything other than normal system behavior. Hoping someone can help us confirm.