Suspicious remote activity false alert - how to deal with

Occasional Contributor

Hello,

we have a customer, who is using Defender for Endpoint and is getting a lot of "suspicious remote activity" because they are using a software on many clients, which is updated via a remote server. During this update process the remote server triggers a creation of a service rsysexecagent64 and also creates and removes temporary exe files.

I have tried to create an exclusion in the asr rule configuration and also for Defender Antiviurs, but the warnings continue. Do you have an idea how I can create an exclusion for this process? 

2 Replies
Can you check what the detection is these alerts?
Have you tried an alert suppression rule?

The detection technologies are Behavioral and Network. A suppression rule does not work.

 

The detected actions are "... service was created remotely by ..." and "suspicious change to service executable path". I have also excluded the service name in the configuration of the security settings in Endpoint manager.