Defender365 Alerts for high volume file deletion

Occasional Contributor

All of a sudden we're getting large volumes of alerts from Defender for unusual volume of file deletions. We seldom get these and when we do it has previously turned out to be a user clearing old files etc. But these alerts now are mostly for the app-data folder and and now today some from C:/temp.

 

The thing that has me questioning is the items deleted and the apps involved. For example, most deleted items seem to be from the appdata folder, but for Microsoft.Windows.Search_cw5n1h2txyewy and some of the files are named things like Photo, but they are json files.

 

Second thing that has me questioning is the applications involved, which a few are from taskhostw.exe which im worried is being used to setup some sort of persistent access. 

 

Has anyone else been experiencing these unusual volume of alerts? Wondering if its due to some sort of windows update or a bug in defender. 

15 Replies

@Paragon06  You're not alone, others have been getting these alerts again recently as well.  I opened a support ticket about it, as this seems like the rule is obviously broken when it's alerting constantly on routine programmatic deletion of files from the local appdata folder, but the rep just insists that this is how it's supposed to work, and if I don't like it I should turn the rule off (and possibly create a replacement rule that is more targeted.)  Maybe someone else will have better luck than I did at convincing them that the rule/detection is broken. 
There are other threads that have been discussing this on & off issue for a while, here's one: 

Re: Unusual volume of file deletion - Microsoft Tech Community

 

@Steve Whitcher 

 

Thanks for the reply.  I've worked out whats going on, but not why. So its actually reporting people as deleting files, but the people are actually using the files.  Most of the alerts were for app data deletion, it turns out its just people using the apps.  And the odd report where it showed a network file, once i checked with the users, they were using those files, but non were deleted. 

 

So its very broken. I've opened a support ticket about it. I'll let you know if i get sense out of them. 

Hi

Same issue here at around the same time, just logged a call with MS now.
Ours look like a bunch of files in appdata as well as other files in users' user profile on thier AAD joined device.

Keep us posted with your progress and what the support say.

Do you guys have Defender and Complinace intergration by any chance setup/enabled?

@Hussayn We do have defender and compliance intergration. 

 

Our case has been passed on to a back end team but i've not heard anything in a few days. Once I do, i'll post the outcome. 

 

Cheers

Jamie

@Paragon06 

Thanks for sharing, the only reason I was asking is I guess this is how the compliance tool and therefore the alerting rule knows about files being 'deleted' within the users' local profiles - the Defender telemetry, plus its only something I enabled in our environment around the the time (9th Sept). I suspect you and others have had this intergration running for some time.

 

I too was told by the first support rep after they spoke with their TL, this is how it is, just set a limit on the email notification to reduce the notification, but I pushed back and its been reassigned to someone else.


Thanks

We enabled the Intune profile Intune data collection policy / Device Configuration Profiles - Windows health monitoring and set Health monitoring Enable / Scope Endpoint analytics. It looks like this is triggering the same behavior with Inet and Windows search cache being deleted.

@Ed_Carmody 

 

Thanks for this, this makes sense now as I enabled the intune data collection policy a few weeks back. 

 

Kind Regards

Jamie

Joining the party. We're seeing this alert activity in multiple tenant defender consoles as well. Have also contacted support (early Sept) - they stated they knew and were working on the issue, and had offered similar advice of disabling default policy and creating a new one - This is what we tried.

Reporting back, over a month later, and we are getting the same alerts from the custom policy - Although volume is much less. I know there is a burn in period for these heuristic/ai policies but I thought it was only about a week, and we not seen any alerts for at least 6 weeks. Thought we had this one resolved, but apparently not... :(

Oddly enough, the custom policy clearly states ‘files deleted from a site’, yet these are LOCAL temp/appdata/inetcache files.
Sorry although i am late, i am joining the party
Did anyone else stop getting these alerts since 11/8? Looked in our Purview portal, and the alert policy isn't there anymore.

@Leo_Lopez To the contrary, I had disabled the original rule and created a custom one per support's recommendation.  That did seem to help, we were seeing few alerts from it, right up until about 8am CST on 11/8/22.  I received 22 emails from this alert, again related to appdata folders on the local machine, over the next 48 hours.  

 

The date does coincide though, I wonder if something was changed that day? 

I have not revisited it since finding out it was linked app data collection policy in EPM. I havent turned the alert back on since due to being tied up with other projects. I will turn it back on tomorrow and see if the alerts still trigger. 

Interesting you mention this, I sitll have a MS ticket open, they asked me to check it again, I reenabled this rule I beleive on 7th Nov, then MS asked whats the status of the rule, I went to check and I thought I was going crazy as it was not there on the 8th.

I was informed yesterday 21st Nov that it was deleted by MS, however I assumed it was just in my tenant and that was infuriating, however it seems you have the same, no rule. This is extremly frustrating that they would simply delete the rule without giving notification. These 1st line guys from MS said it wsa done because my origional issues was getting too many alerts... Jokers.

What I would say is they did come back to me before the 7th and say MS had adjusted the algorithm which was too agresive, then they changed it agian, but I only got 1 alert email between 7th and 8th.
I was also informed by on of their 1st line guys that they may soon remove this alerting rule and we would need to create one in its place manually, but I was not expecting it to be deleted straight away.

Today they said they will check why it was deleted and get it added back in
Lets see what these jokers come back with tomorrow.

I was also informed my MS support that the policy is "...in the process of being deprecated based on customer feedback..." Then, I was told I can just recreate the policy myself. :unamused:

Hahh, I just spotted this MC447684 which explains but tbh I dont recall being asked or giving any feedback to say I want to remove this old rule - do any of you?
It took these MS support people 6 weeks of this case being open to corrolate this. I wish they would have pointed me to this when I opened the case.
I'm 100% :unamused:. Thanks Microsoft