Jan 03 2024 02:03 AM
Hi,
We have a VM in the Azure portal and we performed a file scan using the MSDefender command. Neither the MSDefender command nor the MSDefender endpoint on the VM detected the EICAR test file.
Please let us know whether we are missing any setup for detecting the false positive test files on the server.
This will be a great help.
Regards,
Alagumuthu
Jan 03 2024 06:23 AM
Hi @Alagumuthu,
If Microsoft Defender for Endpoint isn't detecting the EICAR test file on your Azure VM, there could be several reasons for this. Here are some troubleshooting steps to address the issue:
1. Ensure Microsoft Defender for Azure is enabled for the file share: By default, Microsoft Defender for Azure may be disabled for new file shares.
2. Check the Microsoft Defender for Azure service status: Confirm that the Microsoft Defender for Azure service is running and configured correctly.
3. Examine the Microsoft Defender for Azure logs: Review the logs for more insights into why the test file isn't being detected.
4. Verify the test file's status as known malware: Microsoft Defender for Azure should detect known malware. If the file isn't recognized as malware, it might not trigger detection.
5. Review exclusion settings: Check for any exclusions in Microsoft Defender for Azure, ensuring the test file isn't excluded.
6. Refresh policy and reboot: After enabling settings, refresh the policy and reboot to apply changes.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
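The checks in the reply above (engine state, exclusions, a fresh scan, and the detection log) can be run from one PowerShell session on the VM. The script below is an added example for this thread, not code from either poster or from Microsoft; it uses only the built-in Defender cmdlets and Windows event log. The path in $TestFile is an assumption, so point it at wherever the test file was saved.

```powershell
# Added example (not from the thread): check why Microsoft Defender Antivirus on a
# Windows VM did not flag an EICAR test file. Run from an elevated PowerShell prompt.
param(
    [string]$TestFile = "C:\Temp\eicar-test.txt"   # assumed path, adjust to your test file
)

# 1. Engine and real-time protection state. If RealTimeProtection or OnAccess
#    protection is off, a file written to disk is not scanned until a manual scan runs.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AMServiceEnabled   = $status.AMServiceEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    OnAccessProtection = $status.OnAccessProtectionEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge
    SignatureVersion   = $status.AntivirusSignatureVersion
} | Format-List

# 2. Exclusions that would silently skip the test file (path, extension or process).
$pref    = Get-MpPreference
$dir     = Split-Path -Parent $TestFile
$ext     = [IO.Path]::GetExtension($TestFile).TrimStart('.')
$pathHit = $pref.ExclusionPath      | Where-Object { $_ -and $TestFile -like "$_*" }
$extHit  = $pref.ExclusionExtension | Where-Object { $_ -ieq $ext }
if ($pathHit -or $extHit) {
    Write-Warning "Test file is covered by an exclusion: path=$pathHit extension=$extHit"
}
"Process exclusions: $($pref.ExclusionProcess -join ', ')"

# 3. Pull current signatures and run a custom scan over the test file's folder.
Update-MpSignature
Start-MpScan -ScanType CustomScan -ScanPath $dir

# 4. Look for the detection in Defender's own history and in the Operational log.
#    Event 1116 = malware detected, 1117 = action taken on detected malware.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($TestFile) } |
    Select-Object ThreatID, InitialDetectionTime, ActionSuccess

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

The custom scan in step 3 is the cmdlet equivalent of the command-line scan the original question refers to (MpCmdRun.exe -Scan -ScanType 3 -File <path>). If step 1 shows protection enabled, step 2 shows no matching exclusion, and step 4 still shows no 1116/1117 event after the scan, the file itself (rather than the Defender configuration) is the next thing to examine, which is what the later posts in this thread go on to do.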
Jan 10 2024 01:50 AM
Thanks for your reply, really appreciated. We have noticed a different behaviour with the testing below, and it rules out our understanding of the policy change.
Case 1:
I created a text file manually, copied the EICAR test file virus content into it and saved the file. MS Defender identified the threat.
Case 2:
The earlier reported issue is for the file "eicar_word_macro_cmd_echo.doc" file format. This file was not identified as a threat by MS Defender, hence we raised a help request in the forum.
Today I opened the file on the server, the "Enable Macro content" message popped up and I ran the macro. Now MS Defender identified the threat. By default, the "Disable all Macros" setting is enabled for Word files on our server.
This concludes that MS Defender is unable to identify the threat until the macro executes. Correct us if I am wrong.
Why is MS Defender unable to identify the threat in a macro file? Are any settings needed to be enabled for MS Defender to identify a threat in a macro?
Regards,
Alagumuthu
Jan 10 2024 02:34 AM
Hi @Alagumuthu,
You are correct: similar to many antivirus solutions, Microsoft Defender may not detect a threat within a macro until the macro is executed.
This is because macros often contain legitimate code, and it is the actions performed during execution that may turn out to be malicious.
In the scenario you described with the EICAR test file virus content, Microsoft Defender did not initially detect it in the Word document because the macro was disabled. Once the macro was enabled and executed, Microsoft Defender successfully identified the threat.
To increase security, Microsoft has a default setting blocking macros from running in Office applications for files downloaded from the internet. Users receive a warning message when attempting to open such files, and they have the option to enable macros if necessary. However, users should be cautious about the security implications of enabling macros.
For better macro threat detection, you may need to adjust your Microsoft Defender settings or consider additional security measures. Microsoft Defender for Office 365, for instance, provides enhanced security against potentially harmful macros.
Protect yourself from macro viruses - Microsoft Support
Macros from the internet are blocked by default in Office - Deploy Office | Microsoft Learn
Kindest regards,
Leon Pavesic
(LinkedIn)
Jan 11 2024 05:21 PM
Jan 12 2024 12:33 AM
Hi @Alagumuthu,
Thanks for the update.
Regarding your question, here are some helpful resources:
Protect yourself from macro viruses - Microsoft Support: This page explains how Microsoft 365 handles active content like macros and mentions that Microsoft Defender Antivirus should detect and block known macro viruses.
Protect yourself from macro viruses - Microsoft Support
Configure scanning options for Microsoft Defender Antivirus: This resource provides information on configuring scanning options for Microsoft Defender Antivirus.
Configure scanning options for Microsoft Defender Antivirus | Microsoft Learn
Configure exclusions for files opened by specific processes: Learn how to configure exclusions for files opened by specific processes to tailor Microsoft Defender's behavior.
Configure exclusions for files opened by specific processes | Microsoft Learn
Kindest regards,
Leon Pavesic
(LinkedIn)
Jan 15 2024 10:41 PM