Forum Discussion
MDE repeatable false positive "Multi-stage incident involving Privilege escalation..." How to fix?
Thanks 🙂 However, this happens with any Windows 10 device that we install MDE onto, and I'd like to figure out why it is happening and fix the root cause.
What does the detection source of 'Custom TI' relate to? I double-checked the MDE API (ran List indicators) and it has nothing that would result in this repeated multi-stage incident showing up every 24 hours.
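The check described above (listing the tenant's custom indicators and confirming none of them could explain a 'Custom TI' alert on the named processes) can be scripted. The following is an added example, not code from this thread or from Microsoft. It assumes the documented MDE List indicators endpoint (GET https://api.securitycenter.microsoft.com/api/indicators) with a bearer token in the MDE_TOKEN environment variable; the sample payload, the hash values and the set of actions treated as alert-producing are assumptions constructed for illustration, not tenant data.

```python
"""Audit MDE custom indicators for entries that could fire on given processes.

Added example (not from the forum thread). Assumes the MDE 'List indicators'
endpoint; SAMPLE_INDICATORS below is constructed to mirror the Indicator
entity shape and is not real data.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Assumption: every action except Allowed and Audit can surface as an alert
# whose detection source is shown as 'Custom TI'.
ALERTING_ACTIONS = {"Alert", "AlertAndBlock", "Warn", "Block", "BlockAndRemediate"}

# Reference date used for expiry checks in the offline run (date of the thread).
THREAD_DATE = datetime(2023, 10, 24, tzinfo=timezone.utc)

# Constructed sample response; hashes and addresses are placeholders.
SAMPLE_INDICATORS = [
    {"id": "1", "indicatorType": "FileSha1", "indicatorValue": "a" * 40,
     "action": "Alert", "title": "Test indicator for wermgr.exe",
     "description": "", "expirationTime": None},
    {"id": "2", "indicatorType": "IpAddress", "indicatorValue": "203.0.113.5",
     "action": "Block", "title": "Blocked test address",
     "description": "", "expirationTime": None},
    {"id": "3", "indicatorType": "FileSha1", "indicatorValue": "b" * 40,
     "action": "Allowed", "title": "Allow CompatTelRunner.exe",
     "description": "", "expirationTime": None},
    {"id": "4", "indicatorType": "FileSha256", "indicatorValue": "c" * 64,
     "action": "Alert", "title": "Old indicator for sppsvc.exe",
     "description": "", "expirationTime": "2020-01-01T00:00:00Z"},
]


def fetch_indicators(token: str) -> list:
    """Call the real List indicators endpoint and return the 'value' array."""
    req = urllib.request.Request(
        INDICATORS_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def _is_expired(ind: dict, now: datetime) -> bool:
    """An indicator with a past expirationTime can no longer raise alerts."""
    exp = ind.get("expirationTime")
    if not exp:
        return False
    return datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now


def find_suspects(indicators, process_names, known_hashes=(), now=None):
    """Return active, alert-capable indicators that name one of the processes
    in their title/description, or whose file hash is in known_hashes."""
    now = now or datetime.now(timezone.utc)
    names = {n.lower() for n in process_names}
    hashes = {h.lower() for h in known_hashes}
    hits = []
    for ind in indicators:
        if ind.get("action") not in ALERTING_ACTIONS or _is_expired(ind, now):
            continue
        text = f"{ind.get('title', '')} {ind.get('description', '')}".lower()
        name_hit = any(n in text for n in names)
        hash_hit = (ind.get("indicatorType", "").startswith("File")
                    and ind.get("indicatorValue", "").lower() in hashes)
        if name_hit or hash_hit:
            hits.append(ind)
    return hits


def summarize(indicators) -> dict:
    """Count indicators per action so an unexpectedly alert-heavy set stands out."""
    counts = {}
    for ind in indicators:
        action = ind.get("action", "?")
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    token = os.environ.get("MDE_TOKEN")
    data = fetch_indicators(token) if token else SAMPLE_INDICATORS
    print("indicators by action:", summarize(data))
    watched = ["wermgr.exe", "CompatTelRunner.exe", "wuauclt.exe",
               "MicrosoftEdgeUpdate.exe", "sppsvc.exe"]
    for hit in find_suspects(data, watched, now=None if token else THREAD_DATE):
        print(f"possible match: id={hit['id']} action={hit['action']} "
              f"type={hit['indicatorType']} title={hit['title']!r}")
```

Without a token the script runs against the constructed sample and reports only indicator 1: indicator 3 is an Allowed entry and indicator 4 has expired, so neither can produce an alert. Against a real tenant, an empty result for the alerting processes supports the poster's conclusion that custom indicators are not the source; the next place to look is the alert's own evidence (the file hash it reports), which can be fed back in through known_hashes.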
ActualCassandra, are all your devices onboarded to MDE triggering the same type of alerts as below, or is it specific to a single machine? From your screenshot I can see that only a single machine is being affected.
- ActualCassandra, Oct 24, 2023, Copper Contributor
elieelkarkafi Any Windows 10 device; the screenshot is just from the latest test, where I created a Windows 10 VM in Azure since no one had tested that scenario yet, and it had the same issue.
- Oct 24, 2023
ActualCassandra The wermgr.exe executable represents the Windows Error Reporting Manager. That service is usually in the Manual state in Windows Services.
Under the General tab, you should change the Startup type from Automatic to Manual.
- ActualCassandra, Oct 24, 2023, Copper Contributor
Hi - it is already set to manual. I've also seen this exact same false positive (which is always 57 alerts long) linked to:
- CompatTelRunner.exe
- wuauclt.exe
- MicrosoftEdgeUpdate.exe
- sppsvc.exe
and more.