Question about testing SpyShelter


We are currently building a PoC for a customer.

We have about 100 Windows 10 devices onboarded into MDE.

Customer is in healthcare thus many users have local Admin privilege.

During a test phase, customer was able to run https://www.spyshelter.com/security-test-tool/

Keylogging could run

Registry entry modification could run

Many other things could run

Nothing came up in MDE Alerts.

Can someone explain why there was no alert?

5 Replies
Do you have any other endpoint protection solution also running on the machine? If you have another endpoint protection product running as primary, then you may need to enable EDR in block mode, but you will have limited EDR capabilities while running Defender in passive mode.
No other Endpoint, except the MDE stack (Defender AV/ SmartScreen)
Pure Microsoft
No passive mode.
EDR in Block Mode is also enabled.
Are events coming into the device timeline? Do the MDE Client Analyzer tool results show any connectivity issue between the client and the MDE cloud?
There is no issue between MDE client and cloud. Have you tried https://www.spyshelter.com/security-test-tool/ ?
So the customer had EDR block mode = OFF. Even though there is no third party, I set it to ON. And boom, re-running SpyShelter again did trigger all the alerts :)

After some digging, many people mentioned that setting EDR in block mode to ON helps to get more granular alerts.
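As an added example (not code from this thread), a PowerShell snippet that reports on one endpoint the state the replies above ask about: the Defender AV running mode (normal, passive or EDR block mode), the MDE sensor service and the onboarding flag. It assumes an elevated session on a Windows 10 device with Defender AV installed; the `Get-DefenderEdrState` function name is my own.

```powershell
# Added example: summarise the local Defender AV / MDE sensor state before
# re-running a test tool. Run from an elevated PowerShell session.
function Get-DefenderEdrState {
    $mp = Get-MpComputerStatus

    # AMRunningMode reports "Normal", "Passive Mode", "EDR Block Mode" or
    # "SxS Passive Mode". In the passive modes another AV is primary and
    # Defender AV itself does not block; EDR in block mode (enabled in the
    # Defender portal, not locally) is what closes that gap.
    $mode = $mp.AMRunningMode

    # The MDE sensor runs as the "Sense" service; onboarding writes
    # OnboardingState = 1 under the Advanced Threat Protection\Status key.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = if ($sense) { $sense.Status } else { 'NotInstalled' }
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

    [pscustomobject]@{
        AMRunningMode             = $mode
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $mp.BehaviorMonitorEnabled
        IsTamperProtected         = $mp.IsTamperProtected
        SenseServiceStatus        = $senseStatus
        OnboardingState           = $onboardState   # 1 = onboarded
        EngineVersion             = $mp.AMEngineVersion
        SignatureVersion          = $mp.AntivirusSignatureVersion
    }
}

$state = Get-DefenderEdrState
$state | Format-List

# Flag the two situations that explain "no alert" in the thread: a device that
# is not actually reporting to MDE, and an AV in passive mode without block mode.
if ($state.OnboardingState -ne 1 -or $state.SenseServiceStatus -ne 'Running') {
    Write-Warning 'Device is not onboarded to MDE or the Sense service is not running; no EDR alerts can be raised.'
}
if ($state.AMRunningMode -like '*Passive*') {
    Write-Warning 'Defender AV is in passive mode; blocking depends on EDR in block mode being enabled in the portal.'
}
```

Compare the output across a device that alerted and one that did not; a differing `AMRunningMode` or `OnboardingState` is the first thing to reconcile before looking at detection rules.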