Dec 06 2020 11:22 PM
Hello,
We have a customer who is using Defender for Endpoint and is getting a lot of "suspicious remote activity" alerts because they are using software on many clients which is updated via a remote server. During this update process the remote server triggers the creation of a service, rsysexecagent64, and also creates and removes temporary exe files.
I have tried to create an exclusion in the ASR rule configuration and also for Defender Antivirus, but the warnings continue. Do you have an idea how I can create an exclusion for this process?
Dec 08 2020 08:37 AM
Dec 08 2020 11:54 PM
The detection technologies are Behavioral and Network. A suppression rule does not work.
The detected actions are "... service was created remotely by ..." and "suspicious change to service executable path". I have also excluded the service name in the configuration of the security settings in Endpoint Manager.
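As an added example (not part of the thread and not the poster's own query), the following Defender for Endpoint advanced hunting query scopes the behaviour behind these alerts before any suppression decision is made: it lists service installations whose name matches the updater's service, which devices and paths are involved, and which account initiated them. It assumes the service name from the posts ("rsysexecagent64") is what the event records in AdditionalFields.ServiceName and that the 7-day window is adequate; adjust both to the environment.

```kql
// Added example, not from the original thread.
// Scope service installations attributed to the remote updater so the
// expected paths, accounts and device count can be compared against the alerts.
DeviceEvents
| where Timestamp > ago(7d)                       // assumed lookback window
| where ActionType == "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| where ServiceName has "rsysexecagent64"         // service name taken from the posts
| summarize
    Installs   = count(),
    Devices    = dcount(DeviceId),
    Paths      = make_set(FolderPath, 10),        // unexpected paths here warrant a closer look
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
    by ServiceName, FileName, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Installs desc
```

The value of the query is in the Paths and account columns: if the service binary always lands in the vendor's install directory and is installed by the expected account, the alerts describe the known updater; if new paths or accounts appear, the alert is doing its job and should not be suppressed.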