Sebastianrhenriksen12
Copper Contributor
Jan 13, 2022

Unusual volume of file deletion

Our company is starting to get a lot of alerts regarding 'Unusual volume of file deletion'. It seems like every deletion path is c\users\appdata\local or c\users\appdata\local

As we investigate, the deletion of files is happening when we are off work or early in the morning. 

  • Steve Whitcher
    Bronze Contributor
    I contacted support, but the person handling my ticket insists that this is working as intended. That's obviously not the case, but I couldn't get him to even consider the possibility that something is broken. I suggest others having this issue open tickets for it as well; hopefully someone will get a better result.
    • BlacksuitHades
      Copper Contributor
      Yup, I will do the same because it is ridiculous to get this amount of alerts from the AppData folder. There should be an exclusion option for acceptable risk.
      • Andrew_Woo
        Iron Contributor
        Any new updates for this?
        It happens in endpoint, and this is weird.
  • sbradbury
    Copper Contributor
    We've just started receiving hundreds of these alerts too, starting on September 6. I just had to turn this alert policy completely off.
    • Steve Whitcher
      Bronze Contributor
      Yeah, I started getting these again this morning, and have received 18 alert emails in the past 4 hours.
      • BlacksuitHades
        Copper Contributor
        This is insane, the amount of false positives blowing up my mailbox. Has anyone made a custom alert for this that excludes the file path? I cannot seem to figure out how to add a path with wildcard for userprofile as an exception.
  • Steve Whitcher
    Bronze Contributor
    I've just started seeing these come up in my environment recently. While I could definitely see a malicious actor deleting temp files from the user profile to hide its tracks, I can't help but wonder if these might just be a new monitor that is a little overzealous. The fact that I'm seeing posts from others who got these alerts as far back as November, though, has me wondering what changed that they're suddenly happening here.
    • Steve Whitcher
      Bronze Contributor
      Since my last post, these alerts have only increased. I have received over 30 of these messages in the past ~3 hours. It's getting ridiculous. Has anyone found a solution to adjust the sensitivity on these?
      • vinicarmo
        Copper Contributor
        I have this same scenario. I received 190 alerts of this type; I analyzed most of them and they all point to the AppData folder. I realized that they are false positives, so I will close the incidents on the Defender portal with the false-positive information. Now I need to wait and see whether I will still receive this large mass of incidents of this type.
  • Paul_Kern
    Copper Contributor

    Sebastianrhenriksen12

    We have also seen this behavior. Ours started in early February. Right now, I see no indication that this is anything other than normal system behavior. Hoping someone can help us confirm.
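Triage helper for the pattern the thread describes: the opening post sees every deleted path under the user profile's AppData\Local folder and deletions clustered outside working hours, and BlacksuitHades asks how to express a wildcard for the user profile. This is an added example, not code from Microsoft, from the Defender portal, or from anyone in the thread; the alert records and the 07:00 to 18:00 working window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample alert records; paths, counts and times are made up for
# this example and were not taken from anyone's tenant.
SAMPLE_ALERTS = [
    {"id": 1, "user": "alice", "deleted": 120, "time": "2022-01-13T03:12:00",
     "path": r"C:\Users\alice\AppData\Local\Temp\abc.tmp"},
    {"id": 2, "user": "bob", "deleted": 95, "time": "2022-01-13T06:40:00",
     "path": r"C:\Users\bob\AppData\Local\Microsoft\Edge\Cache\f_0001"},
    {"id": 3, "user": "carol", "deleted": 60, "time": "2022-01-13T02:05:00",
     "path": r"C:\Users\carol\Documents\Finance\Q4.xlsx"},
    {"id": 4, "user": "dave", "deleted": 40, "time": "2022-01-13T11:20:00",
     "path": r"C:\Users\dave\AppData\Roaming\App\config.json"},
]

# Wildcard for the user profile: any drive letter, any user name, then
# AppData\Local. Anchored at the start and bounded by a separator so that
# AppData\LocalLow or AppData\Roaming do not match.
PROFILE_LOCAL = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local(?:\\|$)", re.IGNORECASE)


def is_profile_local(path: str) -> bool:
    """True when the path sits under <drive>:\\Users\\<anyone>\\AppData\\Local."""
    return PROFILE_LOCAL.match(path) is not None


def is_off_hours(iso_time: str, start_hour: int = 7, end_hour: int = 18) -> bool:
    """True when the deletion happened outside the assumed working window."""
    hour = datetime.fromisoformat(iso_time).hour
    return not (start_hour <= hour < end_hour)


def triage(alerts):
    """Split alerts into candidates for a profile-local exclusion and alerts
    that still need a human look; every record is tagged with off-hours timing."""
    result = {"suppress_candidates": [], "review": []}
    for alert in alerts:
        bucket = "suppress_candidates" if is_profile_local(alert["path"]) else "review"
        result[bucket].append({**alert, "off_hours": is_off_hours(alert["time"])})
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        print(bucket, [(a["id"], a["user"], a["off_hours"]) for a in items])
```

Deletions outside AppData\Local (a Documents folder, as in record 3) stay in the review bucket regardless of timing, which is the distinction the exclusion should preserve.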
