Question about testing SpyShelter

Question

We are currently building a PoC for a customer.

We are about 100 Windows 10 onboard into MDE.

Customer is in healthcare thus many users have local Admin privilege.

During a test phase, customer was able to run https://www.spyshelter.com/security-test-tool/

Keylogging could run

Registry entry modification could run

Many other stuff could run

Nothing came up in MDE Alerts.

Can someone explain why no alert

mas18 · Answer

Do you have any other endpoint protection solution also running in the Machine ? If you have other endpoint protection running as primary then you may need to enable EDR in Block mode but you will have limited edr capabilities while running defender in passive mode.

jean-philippe breton · Answer

No other Endpoint, except the MDE stack (Defender AV/ SmartScreen)Pure MicrosoftNo passive mode.EDR in Block Mode is also enable.

mas18 · Answer

Does events are coming in device timeline ?does mde client analyser tool results shows any connectivity issue between client and mde cloud?

jean-philippe breton · Answer

There is no issue between MDE client and cloud. Have you tried https://www.spyshelter.com/security-test-tool/ ?

jean-philippe breton · Answer

So customer has EDR block mode = OFF. Even thought there is no third party, I set it to ON. And boom re-running again SpyShelter did triigger all the Alerts 🙂After some digging. many person did mention that setting EDR in block mode to ON did help to have more granular alert.

Forum Discussion

Question about testing SpyShelter

5 Replies