cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

When is malware not malware?

CodnChips
Contributor

‎May 12 2022 03:23 AM

‎May 12 2022 03:23 AM

When is malware not malware?

My 365 Defender Dashboard has populated the "Devices with active Malware" tile, with 1 affected device,

CodnChips_0-1652349764205.png

I view the details, locate the device and check on the device page.  The risk level has nothing and no 365 and Sentinel incidents triggered.  If I hunt through the timeline, no malware\av events are displayed.  If I use the Advanced Threat hunting and run this, I get nothing:

CodnChips_1-1652350136592.png

For a sanity check, if I remove the device element, still nothing:

CodnChips_2-1652350174570.png

I've gone to Sentinel and searched the SecurityAlert table for entities containing the hostname and had a return for AD Account Disabled (It is currently enabled).  The owner didn't mention this but I think this is possibly part of the cause.

 

Does anyone have any experience with this mismatch of information?

Thanks

201 Views
0 Likes
1 Reply
Reply
1 Reply
PaulHb

‎May 26 2022 06:10 PM

‎May 26 2022 06:10 PM

Re: When is malware not malware?

@CodnChips 

Speculative answer: that card takes data from Intune, which collects its own malware detection data from devices. It is possible the device got cleaned by MDAV before enrollment into MDE so no AV events were captured at the time the malware was encountered, or some other mismatch exists due to timing (machine got onboarded again, machine was wiped in between, etc).

 

Suggest running an AV scan just to confirm.

0 Likes
Reply