Suspicious remote activity false alert - how to deal with


Hello,

We have a customer who is using Defender for Endpoint and is getting a lot of "suspicious remote activity" alerts because they are using software on many clients that is updated via a remote server. During this update process, the remote server triggers the creation of a service, rsysexecagent64, and also creates and removes temporary exe files.

I have tried to create an exclusion in the ASR rule configuration and also for Defender Antivirus, but the warnings continue. Do you have an idea how I can create an exclusion for this process?

2 Replies
Can you check what the detection is for these alerts?
Have you tried an alert suppression rule?

The detection technologies are Behavioral and Network. A suppression rule does not work.


The detected actions are "... service was created remotely by ..." and "suspicious change to service executable path". I have also excluded the service name in the configuration of the security settings in Endpoint Manager.