Microsoft Defender Exploit Guard - C:\Windows\Temp\odt875C.tmp.exe

Regular Visitor

I get a lot of Defender notifications like this one, the .tmp.exe name is just slightly different:

ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2

Detection time: 2022-11-04T17:55:38.821Z

User: NT AUTHORITY\SYSTEM

Path: C:\Windows\Temp\odt875C.tmp.exe

Process Name: C:\Windows\System32\lsass.exe

Target Commandline: C:\Windows\TEMP\odt875C.tmp.exe /configure C:\Windows\TEMP\cfgCD8D.tmp

Parent Commandline:

Involved File:

Inheritance Flags: 0x00000000

Security intelligence Version: 1.377.1295.0

Engine Version: 1.1.19700.3

Product Version: 4.18.2210.4

 

Is there a standard update process anyone is aware of the triggers from the Windows\Temp directory like this?

Seems like I shouldn't whitelist this behavior but I also wonder if it's slowing or prevent a security update from running (Google Chrome, Office, Adobe etc.). 

 

Any thoughts?

0 Replies