Forum Discussion
Defender detected malware but didn't quarantine it
Hi All,
Recently saw a malware detection in Defender for Endpoint for a downloaded zip folder linked to the alert "A file or network connection related to ransomware-linked actor Storm-0494 detected", including Ransomware, on one endpoint.
My expectation was that Defender would block interaction with file detections of this kind, but the user was able to extract the zip folder and run a JS file within the folder. I'm a little confused. There are no exclusions configured that would allow this file to behave in this fashion.
Maybe automated actions like this are in different licensing packs for Defender?
Thanks in advance.
Richard
- you can add an indicator to block or allow the file in the MDE settings.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-worldwide

- Richard_M1010 (Copper Contributor): eliekarkafy thanks for the reply, but shouldn't the block happen automatically rather than having to add a file indicator? I have checked that we have our remediation level set to full.

- Peter Holland (Iron Contributor): Yeah, that shouldn't have been allowed to run from what was described. I would log a ticket with support. I wonder if there were any other fun oopsies this month other than breaking network inspection for over a fortnight.