Defender detected malware but didn't quarantine it

Question

Hi All,&nbsp;Recently saw a malware detection in Defender for Endpoint for a downloaded zip folder linked to alert A file or network connection related to ransomware-linked actor Storm-0494 detected including Ransomware on one endpoint.&nbsp;My expectation was that Defender would block interaction with file detections of this kind but the user was able to extract the zip folder and run a JS file within the folder? Im a little confused.&nbsp; There are no exclusions configured that would allow this file to behave in this fashion.&nbsp;Maybe automated actions like this are in different licensing packs for Defender?&nbsp;Thanks in advance.&nbsp;Richard

deleted · Answer

Thanks everyone for your input, Ill get this raised with support and let you know what they feedback with.

elieelkarkafi · Answer

you can add an indicator to block or allow the file in the MDE settings.https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-worldwide

deleted · Answer

elieelkarkafi&nbsp;thanks for the reply but shouldn't block happen automatically rather than having to add a file indicator? I have checked we have our remediation level set to full.

peter holland · Answer

yeah that shouldn't have been allowed to run from what was described. I would log a ticket with support. I wonder if there were any other fun oopsie's this month other than breaking network inspection for over a fortnight

elieelkarkafi · Answer

raise a ticket with the security team so can check that kind of ransomware received to this endpoint

Forum Discussion

Defender detected malware but didn't quarantine it

5 Replies

Resources