Forum Discussion
File block (.bat)
jcescut: I noticed that some indicator rules take time on my environment; is it still the same issue?
- jcescut, Feb 20, 2021, Copper Contributor
I've rerun the test on a different computer (Win10 v1909). This time, after 10 to 15 minutes, Windows Defender AV quarantined the files. Once the first file from the list of indicators was detected (9 file hashes on the list), auto remediation started on the endpoint, during which all the other custom file indicators were recognized and quarantined.
Then, I was curious what would happen if I restored the just-quarantined files ("%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock!cl -All), and so I did. 🙂 I was able to access the restored files, and only after ~5 minutes did the AV kick in; once again the auto remediation started (MsMpEng.exe, 1 CPU core 100% utilized) and slowly, one file at a time, put the same files back in quarantine.
I was expecting the process to happen much more quickly, or, even better, that I wouldn't be allowed to access the files at all.
Nonetheless... the important thing is that the file block functionality works. Although... I would say that there is room for improvement. 😛