Sep 13 2022 05:53 AM
All of a sudden we're getting large volumes of alerts from Defender for unusual volume of file deletions. We seldom get these and when we do it has previously turned out to be a user clearing old files etc. But these alerts now are mostly for the app-data folder and now today some from C:/temp.
The thing that has me questioning is the items deleted and the apps involved. For example, most deleted items seem to be from the appdata folder for Microsoft.Windows.Search_cw5n1h2txyewy, and some of the files are named things like Photo, but they are JSON files.
Second thing that has me questioning is the applications involved, a few of which are from taskhostw.exe, which I'm worried is being used to set up some sort of persistent access.
Has anyone else been experiencing this unusual volume of alerts? Wondering if it's due to some sort of Windows update or a bug in Defender.
Sep 15 2022 07:54 AM
@Paragon06 You're not alone, others have been getting these alerts again recently as well. I opened a support ticket about it, as this seems like the rule is obviously broken when it's alerting constantly on routine programmatic deletion of files from the local appdata folder, but the rep just insists that this is how it's supposed to work, and if I don't like it I should turn the rule off (and possibly create a replacement rule that is more targeted.) Maybe someone else will have better luck than I did at convincing them that the rule/detection is broken.
There are other threads that have been discussing this on-and-off issue for a while, here's one:
Sep 15 2022 07:58 AM
Thanks for the reply. I've worked out what's going on, but not why. So it's actually reporting people as deleting files, but the people are actually using the files. Most of the alerts were for app data deletion; it turns out it's just people using the apps. And the odd report where it showed a network file, once I checked with the users, they were using those files, but none were deleted.
So it's very broken. I've opened a support ticket about it. I'll let you know if I get sense out of them.
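For anyone building the "more targeted replacement rule" support suggested, here is an added first-pass triage filter (not from this thread, from Defender, or from Microsoft) run over constructed sample deletion events: it suppresses routine churn under the local profile's AppData\Local, keeps network-share and other deletions for review, and only flags a user once they exceed a threshold. The event schema, the process names beyond taskhostw.exe, the paths and the threshold are all assumptions for illustration; it does not fix the underlying problem that in-use files were reported as deleted.

```python
"""Triage filter for 'unusual volume of file deletions' alerts (added example).
The schema and sample data below are constructed, not real Defender output."""
import re
from collections import Counter

# Constructed sample events: user, originating process, and the path reported.
SAMPLE_EVENTS = [
    {"user": "alice", "process": "taskhostw.exe",
     "path": r"C:\Users\alice\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Photo.json"},
    {"user": "alice", "process": "taskhostw.exe",
     "path": r"C:\Users\alice\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Photo2.json"},
    {"user": "bob", "process": "explorer.exe", "path": r"\\fileserver\finance\Q3\budget.xlsx"},
    {"user": "bob", "process": "explorer.exe", "path": r"\\fileserver\finance\Q3\forecast.xlsx"},
    {"user": "bob", "process": "explorer.exe", "path": r"\\fileserver\finance\Q3\notes.docx"},
    {"user": "bob", "process": "cmd.exe", "path": r"C:\temp\build.log"},
    {"user": "carol", "process": "taskhostw.exe", "path": r"C:\Users\carol\AppData\Local\Temp\tmp1234.tmp"},
]

# Routine: programmatic churn inside a user's own local profile app data.
ROUTINE_LOCAL_APPDATA = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\", re.IGNORECASE)
# Network shares (UNC paths) are where a real mass deletion would hurt; always review.
UNC_SHARE = re.compile(r"^\\\\[^\\]+\\")


def classify(event):
    """Return 'routine' for local AppData\\Local churn, otherwise 'review'."""
    path = event["path"]
    if UNC_SHARE.match(path):
        return "review"
    if ROUTINE_LOCAL_APPDATA.match(path):
        return "routine"
    return "review"  # C:\temp, other local paths, etc.: confirm with the user


def triage(events, threshold=3):
    """Return (users to alert on with their review counts, suppressed routine counts per user)."""
    review, suppressed = Counter(), Counter()
    for event in events:
        if classify(event) == "routine":
            suppressed[event["user"]] += 1
        else:
            review[event["user"]] += 1
    flagged = {user: n for user, n in review.items() if n >= threshold}
    return flagged, dict(suppressed)


if __name__ == "__main__":
    flagged, suppressed = triage(SAMPLE_EVENTS)
    print("flag for review:", flagged)        # {'bob': 4}
    print("suppressed routine:", suppressed)  # {'alice': 2, 'carol': 1}
```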
Sep 22 2022 04:10 AM
Sep 22 2022 04:17 AM
@Hussayn We do have Defender and compliance integration.
Our case has been passed on to a back end team but I've not heard anything in a few days. Once I do, I'll post the outcome.
Sep 23 2022 09:55 AM
Thanks for sharing, the only reason I was asking is I guess this is how the compliance tool and therefore the alerting rule knows about files being 'deleted' within the users' local profiles - the Defender telemetry, plus it's only something I enabled in our environment around the time (9th Sept). I suspect you and others have had this integration running for some time.
I too was told by the first support rep after they spoke with their TL, this is how it is, just set a limit on the email notification to reduce the notification, but I pushed back and it's been reassigned to someone else.
Oct 09 2022 12:59 PM
Oct 10 2022 01:34 AM
Thanks for this, this makes sense now as I enabled the Intune data collection policy a few weeks back.
Nov 03 2022 10:12 AM
Nov 10 2022 08:29 AM
Nov 10 2022 08:40 AM
@Leo_Lopez To the contrary, I had disabled the original rule and created a custom one per support's recommendation. That did seem to help, we were seeing few alerts from it, right up until about 8am CST on 11/8/22. I received 22 emails from this alert, again related to appdata folders on the local machine, over the next 48 hours.
The date does coincide though, I wonder if something was changed that day?
Nov 10 2022 08:45 AM
I have not revisited it since finding out it was linked to the app data collection policy in EPM. I haven't turned the alert back on since due to being tied up with other projects. I will turn it back on tomorrow and see if the alerts still trigger.
Nov 22 2022 09:08 AM
Nov 22 2022 10:08 AM
I was also informed by MS support that the policy is "...in the process of being deprecated based on customer feedback..." Then, I was told I can just recreate the policy myself.
Nov 24 2022 02:45 AM - edited Nov 24 2022 02:46 AM
Hahh, I just spotted this MC447684 which explains but tbh I don't recall being asked or giving any feedback to say I want to remove this old rule - do any of you?
It took these MS support people 6 weeks of this case being open to correlate this. I wish they would have pointed me to this when I opened the case.
I'm 100% . Thanks Microsoft