Defender detected powershell_ise.exe as 'Trojan:PowerShell/Mountsi.A!ml'

One of our users is experiencing a problem when it comes to creating scripts in the PowerShell ISE: when they are autosaved to AppData, it blocks them on his machine and does not create an alert/incident in the Defender ATP portal.

However, one has managed to appear in the portal (see screenshot). We only recently implemented Defender ATP, so I'm not 100% sure how to interpret the alert, and since this behaviour isn't happening on anyone else's machine I don't know if whitelisting powershell_ise.exe is a good idea (I assume not), or if there's a better explanation for it?

The current Defender ATP settings are the stock standard for GPO as stated in the deployment guide.

Appreciate any help with this!

0 Replies