When is malware not malware?


My 365 Defender dashboard has populated the "Devices with active Malware" tile with 1 affected device:

[screenshot omitted: CodnChips_0-1652349764205.png]

I view the details, locate the device and check the device page. The risk level shows nothing, and no 365 or Sentinel incidents have been triggered. If I hunt through the timeline, no malware/AV events are displayed. If I use Advanced Hunting and run this, I get nothing:

[screenshot omitted: CodnChips_1-1652350136592.png]

For a sanity check, if I remove the device element, still nothing:

[screenshot omitted: CodnChips_2-1652350174570.png]

I've gone to Sentinel and searched the SecurityAlert table for entities containing the hostname, and had a return for "AD Account Disabled" (it is currently enabled). The owner didn't mention this, but I think this is possibly part of the cause.

Does anyone have any experience with this mismatch of information?

Thanks

1 Reply

@CodnChips 

Speculative answer: that card takes data from Intune, which collects its own malware detection data from devices. It is possible the device got cleaned by MDAV before enrollment into MDE, so no AV events were captured at the time the malware was encountered, or some other mismatch exists due to timing (machine got onboarded again, machine was wiped in between, etc.).

Suggest running an AV scan just to confirm.
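A concrete way to carry out the suggestion above, added here as an example and not posted by either participant: query the device's own Defender detection history (which persists locally even for detections that happened before MDE onboarding, and so could be what the Intune tile is reporting), check whether anything is still considered active, then run a scan. The cmdlets are from the built-in Defender PowerShell module; run in an elevated session on the flagged device.

```powershell
# Added example: reconcile the "Devices with active Malware" tile against what
# Defender on the device itself remembers. Not from the original thread.
# Requires an elevated PowerShell session on the affected Windows device.

# 1. Local detection history. This survives locally regardless of whether the
#    event was ever forwarded to MDE/Sentinel (e.g. a detection that occurred
#    before onboarding, or between a wipe and re-onboarding).
$history = Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, LastThreatStatusChangeTime, ThreatID,
                  ProcessName, DomainUser,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } },
                  ActionSuccess, CurrentThreatExecutionStatusID

if ($history) {
    "Local Defender detection history (newest first):"
    $history | Format-Table -AutoSize
} else {
    "No local Defender detection history on this device."
}

# 2. Threats Defender still regards as present. An empty result here, with
#    entries in step 1, points at a remediated-but-stale report.
$active = Get-MpThreat | Where-Object { $_.IsActive }
if ($active) {
    "Threats still reported as active:"
    $active | Select-Object ThreatID, ThreatName, SeverityID, DidThreatExecute | Format-Table -AutoSize
} else {
    "No active threats reported by Defender."
}

# 3. Engine mode, signature freshness and last scan times, to judge whether
#    the reported state could simply be out of date.
Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled,
    AntivirusSignatureVersion, AntivirusSignatureLastUpdated,
    QuickScanEndTime, FullScanEndTime

# 4. Confirm with a scan. Quick scan shown; use -ScanType FullScan for a
#    thorough pass. Start-MpScan blocks until the scan finishes.
Start-MpScan -ScanType QuickScan

# 5. Re-check after the scan. A clean scan, nothing active, and at most a
#    historical entry in step 1 is consistent with the timing explanation
#    rather than a live infection.
Get-MpThreat | Select-Object ThreatID, ThreatName, IsActive | Format-Table -AutoSize
```

If step 1 returns an entry whose InitialDetectionTime predates the device's MDE onboarding (visible on the device page in the portal), that is the direct evidence for the timing hypothesis; if it returns nothing at all, the mismatch is on the reporting side and the Intune device record is the next place to look.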