Forum Discussion

ChristianFrielingsdorf
Copper Contributor
Dec 07, 2020

Suspicious remote activity false alert - how to deal with

Hello,

We have a customer who is using Defender for Endpoint and is getting a lot of "suspicious remote activity" alerts because they are using software on many clients that is updated via a remote server. During this update process the remote server triggers the creation of a service, rsysexecagent64, and also creates and removes temporary exe files.

I have tried to create an exclusion in the ASR rule configuration and also for Defender Antivirus, but the warnings continue. Do you have an idea how I can create an exclusion for this process?

2 Replies

  • Thijs Lecomte
    Bronze Contributor
    Can you check what the detection is for these alerts?
    Have you tried an alert suppression rule?
    • ChristianFrielingsdorf
      Copper Contributor

      The detection technologies are Behavioral and Network. A suppression rule does not work.

      The detected actions are "... service was created remotely by ..." and "suspicious change to service executable path". I have also excluded the service name in the configuration of the security settings in Endpoint Manager.
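The following is an added example, not code from the thread, from Microsoft, or from the vendor of the update software. It shows the scoping a suppression rule for these two alert titles should encode before it is created: treat the alert as expected only when the remote initiator is the known update server and the created service binary is the known agent (name and hash), and leave everything else for analyst review, because a service created remotely from any other source is the same pattern lateral movement produces. The alert rows are constructed to resemble Defender for Endpoint alert evidence fields but are invented; the update server address and the expected hash are placeholders to replace with the customer's real values.

```python
"""Scoped triage for "service was created remotely" alerts (added example)."""
from collections import Counter

# Assumed environment facts (placeholders, not from the thread).
KNOWN_UPDATE_SERVERS = {"10.0.0.5"}
KNOWN_SERVICE_NAME = "rsysexecagent64"            # service named in the thread
KNOWN_SERVICE_HASHES = {"SHA256-OF-KNOWN-AGENT-PLACEHOLDER"}

# Alert titles named in the thread; matched case-insensitively as substrings.
TITLES_OF_INTEREST = (
    "service was created remotely",
    "suspicious change to service executable path",
)

# Constructed sample alert evidence rows (invented, shaped like alert evidence).
SAMPLE_ALERTS = [
    {"AlertId": "a1", "Title": "A service was created remotely by 10.0.0.5",
     "DeviceName": "ws01", "RemoteIP": "10.0.0.5",
     "FileName": "rsysexecagent64.exe", "SHA256": "SHA256-OF-KNOWN-AGENT-PLACEHOLDER"},
    {"AlertId": "a2", "Title": "Suspicious change to service executable path",
     "DeviceName": "ws02", "RemoteIP": "10.0.0.5",
     "FileName": "RSysExecAgent64.exe", "SHA256": "SHA256-OF-KNOWN-AGENT-PLACEHOLDER"},
    # Same service name, but pushed from an address that is not the update server.
    {"AlertId": "a3", "Title": "A service was created remotely by 192.168.50.9",
     "DeviceName": "ws03", "RemoteIP": "192.168.50.9",
     "FileName": "rsysexecagent64.exe", "SHA256": "SHA256-OF-KNOWN-AGENT-PLACEHOLDER"},
    # Right server and name, but the binary hash is not the known agent.
    {"AlertId": "a4", "Title": "A service was created remotely by 10.0.0.5",
     "DeviceName": "ws04", "RemoteIP": "10.0.0.5",
     "FileName": "rsysexecagent64.exe", "SHA256": "SHA256-OF-SOMETHING-ELSE"},
    # Unrelated alert title; never a candidate for this suppression rule.
    {"AlertId": "a5", "Title": "Suspicious PowerShell command line",
     "DeviceName": "ws01", "RemoteIP": "", "FileName": "powershell.exe", "SHA256": "x"},
]


def is_title_of_interest(title: str) -> bool:
    """True when the alert title is one of the two titles from the thread."""
    t = title.lower()
    return any(needle in t for needle in TITLES_OF_INTEREST)


def is_expected_update_activity(alert: dict) -> bool:
    """True only when every scoping attribute matches the known update path."""
    if not is_title_of_interest(alert.get("Title", "")):
        return False
    file_name = alert.get("FileName", "").lower()
    return (
        alert.get("RemoteIP") in KNOWN_UPDATE_SERVERS
        and file_name.startswith(KNOWN_SERVICE_NAME)
        and alert.get("SHA256") in KNOWN_SERVICE_HASHES
    )


def triage(alerts: list[dict]) -> dict:
    """Split alerts into suppressible (fits the update pattern), review, other."""
    result = {"suppressible": [], "review": [], "other": []}
    for alert in alerts:
        if not is_title_of_interest(alert.get("Title", "")):
            result["other"].append(alert["AlertId"])
        elif is_expected_update_activity(alert):
            result["suppressible"].append(alert["AlertId"])
        else:
            result["review"].append(alert["AlertId"])
    return result


def review_sources(alerts: list[dict]) -> Counter:
    """Count remote sources among matching alerts that did NOT fit the update pattern."""
    return Counter(
        a.get("RemoteIP") or "<none>"
        for a in alerts
        if is_title_of_interest(a.get("Title", "")) and not is_expected_update_activity(a)
    )


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
    print(review_sources(SAMPLE_ALERTS))
```

The conditions in `is_expected_update_activity` are the ones a suppression rule in the portal should be narrowed to (initiating host, service name, file hash); a rule keyed on the alert title alone would also hide a3 and a4, which are exactly the cases an analyst needs to see.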
