Microsoft Tech Community

MDE support files submission - too many files


Is there anyone who could help me with submission files for MDE support?

There is a detection of our PowerShell monitoring script. It is detected by the AMSI module. I submitted the PowerShell script directly from an alert in the Microsoft 365 Defender portal. The reply was: "We cannot reproduce any detection on the file... mpcmdrun.exe -GetFiles. All created log files will be compressed into MPSupportFiles.cab. Please send us the detected file and MPSupportFiles.cab using https://aka.ms/wdsi."

So I did as they asked, but my submission was rejected with the comment: "Your submission has been rejected due to too many files."
MPSupportFiles.cab was generated by Defender. I don't know how to submit fewer files.

3 Replies

Hi @TomasCinko,

here are a few things you can do to try to submit your MDE support files without getting the "too many files" error:

  1. Reduce the number of files in the MPSupportFiles.cab archive. You can do this by deleting any files that are not necessary for the investigation. For example, you may be able to delete any log files that are older than a certain date.

  2. Compress the MPSupportFiles.cab archive. This will make the file smaller and easier to upload.

  3. Split the MPSupportFiles.cab archive into multiple files. You can use a tool like 7-Zip to split the archive into multiple files that are each smaller than the maximum file size limit.

Once you have split the MPSupportFiles.cab archive into multiple files, you can submit them to Microsoft using the https://aka.ms/wdsi link.


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

Hi @LeonPavesic,

thanks for your reply. I unzipped the CAB file, then removed some files and finally created the CAB again (with CabMaker) with fewer files. It was hard to decide what to delete. It wasn't about the CAB file size but about the large number of small files; I mean, that was the reason for the rejection.

I'm attaching a picture of those files. Do you know what they are for? Is it OK to delete them? There were more than a thousand files.

I hope that support won't tell me that something is missing. If it is fine, I will mark your reply as best response.

[attachment: cabFile.png]

Hi @TomasCinko,

thanks for your update and the screenshot with the list of files.

The screenshot you sent shows a list of files in a CAB archive. The files are all related to Microsoft Defender for Endpoint (MDE).

Here is a short description:

  • MPLog-20231009-133839.log: This file contains a log of MDE activity from October 9, 2023 at 13:38:39 UTC.
  • WindowsUpdate.20231011.144816.077.1.etl: This file contains a trace log of a Windows Update that was installed on October 11, 2023 at 14:48:16 UTC.
  • WindowsUpdate.20231011.141806.143.1.etl: This file contains a trace log of a Windows Update that was installed on October 11, 2023 at 14:18:06 UTC.
  • MPCmdRun-NetworkService.log: This file contains a log of MDE activity from the Network Service account.
  • MpCmdRun.exe: This is the main executable file for MDE.

The other files in the CAB archive are all related to MDE, but they are not as important as the files listed above.

If you are trying to reduce the size of the CAB archive, you can delete the following files:

  • All of the files with the .etl extension.
  • All of the files with the .log extension, except for the MPLog-20231009-133839.log file.
  • Any other files that you think are not necessary for the investigation.

Once you have deleted the unnecessary files, you can create a new CAB archive using the CabMaker tool.

Please note that I am not an official Microsoft support engineer, so I cannot guarantee that the support team will accept your submission if you delete any of the files in the CAB archive.


Kindest regards,


Leon Pavesic
(LinkedIn)
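The trimming procedure discussed in both replies above (unpack the cab, drop .etl traces and old logs, keep the MPLog / MPCmdRun logs, repack) can be scripted so the file count is checked before anything is uploaded. The script below is an added example written for this page; it is not code from the thread, from CabMaker or from Microsoft. It assumes that MpCmdRun.exe -GetFiles wrote its cabinet to C:\ProgramData\Microsoft\Windows Defender\Support\MPSupportFiles.cab (override -SourceCab if yours is elsewhere), uses only expand.exe and makecab.exe, which ship with Windows, and the keep/drop rules (-AlwaysKeep, -DropExtensions, -KeepDays) are starting points, not a statement of what the support team requires; adjust them to whatever support asks for.

```powershell
# Added example: trim an MPSupportFiles.cab to fewer files and repack it with makecab.
# Not code from the thread or from Microsoft. The default -SourceCab path is an assumption.
param(
    [string]$SourceCab = 'C:\ProgramData\Microsoft\Windows Defender\Support\MPSupportFiles.cab',
    [string]$WorkDir   = (Join-Path $env:TEMP 'mpsupport-trim'),
    [int]$KeepDays     = 7,                                   # logs older than this are dropped
    [string[]]$DropExtensions = @('.etl'),                     # trace files to drop outright
    [string[]]$AlwaysKeep = @('MPLog-*.log', 'MPCmdRun-*.log', 'MPDetection-*.log')  # never dropped
)

$ErrorActionPreference = 'Stop'
$extractDir = Join-Path $WorkDir 'extracted'
$outDir     = Join-Path $WorkDir 'out'
foreach ($d in $extractDir, $outDir) {
    if (Test-Path $d) { Remove-Item $d -Recurse -Force }
    New-Item -ItemType Directory -Path $d | Out-Null
}

# 1. Unpack the cabinet. expand.exe -F:* extracts every member, preserving subfolders.
& "$env:SystemRoot\System32\expand.exe" -F:* $SourceCab $extractDir | Out-Null

$root   = (Get-Item $extractDir).FullName      # resolved once so relative paths below are consistent
$all    = @(Get-ChildItem -Path $root -Recurse -File)
$cutoff = (Get-Date).AddDays(-$KeepDays)

function Test-KeepFile {
    param([System.IO.FileInfo]$File)
    foreach ($pattern in $AlwaysKeep) {
        if ($File.Name -like $pattern) { return $true }        # whitelisted names always survive
    }
    if ($DropExtensions -contains $File.Extension.ToLowerInvariant()) { return $false }
    return $File.LastWriteTime -ge $cutoff                     # everything else: keep only if recent
}

$keep = @($all | Where-Object { Test-KeepFile $_ })
"Files in original cab: $($all.Count); keeping $($keep.Count); dropping $($all.Count - $keep.Count)"

# 2. Write a makecab directive (.ddf) listing only the kept files, preserving subfolders.
$ddf   = Join-Path $WorkDir 'trim.ddf'
$lines = @(
    '.OPTION EXPLICIT',
    '.Set CabinetNameTemplate=MPSupportFiles-trimmed.cab',
    ".Set DiskDirectoryTemplate=`"$outDir`"",
    '.Set Cabinet=on',
    '.Set Compress=on',
    '.Set CompressionType=LZX',
    '.Set MaxDiskSize=CDROM',     # one large cabinet instead of 1.44 MB split disks
    '.Set RptFileName=nul',       # suppress the setup.rpt / setup.inf side files
    '.Set InfFileName=nul'
)
$keep | Group-Object { Split-Path -Parent $_.FullName } | ForEach-Object {
    $rel = $_.Name.Substring($root.Length).TrimStart('\')
    $lines += ".Set DestinationDir=$rel"      # empty value places files at the cabinet root (assumption)
    foreach ($f in $_.Group) { $lines += "`"$($f.FullName)`"" }
}
Set-Content -Path $ddf -Value $lines -Encoding ASCII

# 3. Build the new cabinet and fail loudly if makecab did not.
& "$env:SystemRoot\System32\makecab.exe" /F $ddf | Out-Null
if ($LASTEXITCODE -ne 0) { throw "makecab failed with exit code $LASTEXITCODE" }
Get-Item (Join-Path $outDir 'MPSupportFiles-trimmed.cab')
```

Run it from an elevated PowerShell prompt (the Support folder is not readable by standard users), compare the printed before/after counts with the rejection threshold you hit, and keep the untouched original cabinet so that anything support later says is missing can be supplied from it.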