Defender
14 Topics

Inconsistent Defender Search Results When Searching by Hash
I am seeing inconsistent search results in Defender when searching for a file by hash. I saved a file to my desktop and sent it via email. I hashed the file with SHA1, SHA256, and MD5 algorithms. When I perform searches in https://securitycenter.windows.com/ for the MD5 hash the search completely fails. When I search using the SHA256 hash for the same file the search completes but finds no results. If I search for the SHA1 value for the same file, the file is found, and it lists the SHA256 and MD5 values for the file that previously yielded no results or failed. If I do the same searches in the M365 portal (https://security.microsoft.com) the MD5 search still fails. The SHA256 search finds an occurrence of the file in email but the result doesn't show any results for the file on endpoints. Searching for the SHA1 hash of the file again finds the file on the endpoint and email and also lists the corresponding SHA256 and MD5 but doesn't show any email results. Has anyone encountered the same issue? This seems to be a bug in Microsoft's platform.

MDM Security Baseline vs Intune Profile
Hi all, I am currently testing the 2 profiles in the Security Baselines in default configuration. As they are now checked against the endpoint there is one Error in the Per-settings status: Type of system scan to perform.

The problem is: I cannot see anything configured in the MDM Security Baseline for May 2019, while the setting itself in the Intune profile is configured. Any idea?

Best regards, Miguel

Defender Antivirus (AV) Passive Mode
Hi, While researching how to set Defender AV to passive mode I stumbled upon two registry keys:

ForceDefenderPassiveMode
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide#set-microsoft-defender-antivirus-to-passive-mode-using-a-registry-key

ForcePassiveMode
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard?view=o365-worldwide#set-microsoft-defender-antivirus-on-windows-server-to-passive-mode-manually
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup?view=o365-worldwide#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server

Does anyone know which one is the correct one? Thanks, Andre

Microsoft Defender for Endpoint on Mac
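An added example for the passive-mode post above (it is not part of the thread, and not Microsoft's own script; the Mac post that follows is a separate topic). Microsoft's current documentation pairs the value name ForceDefenderPassiveMode with the Windows Advanced Threat Protection policy key; the script below sets that value, then reads back what the antimalware engine actually reports, which is the check that settles the question on a given server regardless of which page you read. The registry path, the expectation that the device is already onboarded, and the restart step are stated assumptions; confirm them against the linked docs for your OS version.

```powershell
# Added example, not from the thread. Puts Microsoft Defender Antivirus on a Windows Server
# into passive mode via the documented registry value, then verifies the running mode.
# Assumptions: run elevated; the server is onboarded to Defender for Endpoint; the key path
# below is the one Microsoft's docs give for ForceDefenderPassiveMode (verify for your OS).
#Requires -RunAsAdministrator

$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$name    = 'ForceDefenderPassiveMode'   # the value name used in Microsoft's current docs

function Set-DefenderPassiveMode {
    param([switch]$Enable)
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    $value = if ($Enable) { 1 } else { 0 }
    Set-ItemProperty -Path $regPath -Name $name -Value $value -Type DWord
}

function Get-DefenderRunningMode {
    # Get-MpComputerStatus ships with the built-in Defender module. AMRunningMode is the
    # authoritative answer: 'Passive Mode' means the registry value is being honoured.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RegistryValue      = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
        AMRunningMode      = $status.AMRunningMode
        RealTimeProtection = $status.RealTimeProtectionEnabled   # expected $false in passive mode
        AntivirusEnabled   = $status.AntivirusEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion   # signatures keep updating in passive mode
    }
}

# Usage: set the value, then compare before/after. If AMRunningMode still reads 'Normal',
# restart the server and re-run Get-DefenderRunningMode before concluding the value is wrong.
Get-DefenderRunningMode
Set-DefenderPassiveMode -Enable
Get-DefenderRunningMode
```

Two caveats a practitioner would add: passive mode only applies when the device is onboarded to Defender for Endpoint (on a non-onboarded server the value has no effect, which is easy to misread as "wrong key name"), and once a non-Microsoft AV is the primary product you should also confirm the third-party product is the one registered in Security Center, not just that Defender stepped aside.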
Hello all, I have recently deployed Defender on several Macs. However, most of the features are greyed out. On Windows devices, everything works like a charm. Please see the image attached. Any advice will be appreciated. Thanks, Jose

Migrating workstations and servers to Defender
Hi all, My organisation is moving its AV to Defender for Endpoint. I've not administered Defender in a corporate environment before so was hoping to get some advice/help. We have already begun onboarding our laptops, VDIs and workstations and are looking to onboard a couple of file servers too. Our devices are not currently managed via Intune, so it's a case of setting up the policies in the security portal, which hasn't been too bad so far. However, I wanted to know:

- do we need separate licences for the file servers?
- how can I split the policies between user devices and servers? I don't see a way to define granular policies per device, and of course I don't want to set the same user policies on the servers.

Thanks! Tej

Licensing and Where's the Endpoint List?
I recently moved some users to E5 licenses so we could see about using Endpoint Defender in place of our current endpoint AV. The license description says ED is included in E5. But I cannot find the list of those users' endpoints anywhere. The MS documentation is an endless circle of waffle. Documentation suggests I should have a Device Inventory in the new Security admin console, but I have none. It seems to want me to start a trial of an additional service even though it's supposed to be included with E5. The only place I can find anything likely is with the Intune (bleah) console. We dropped Intune 5 years ago as it was very very poor. I'd be grateful if anyone can say:

- Is Intune needed for ED?
- Where can I see a list of endpoints and status?
- Do I really need an additional service on top of the E5 licenses?

Windows Defender Full Scan renders devices unusable for 6-7 hours (while scan is running)
We are using Microsoft Defender for Endpoint and configured daily quick scans and weekly full scans. The quick scans don't create any problems but the full scans are a big problem. Devices are not usable while the scan is running, e.g. one click in MS Teams takes about one minute to complete. We are using the defaults recommended by Microsoft in our configuration profiles. What are the recommended settings for fine-tuning full scans (e.g. ScanAvgCPULoadFactor), or are there specific settings which are to be disabled in order to improve performance (e.g. DisableArchiveScanning)? Thank you!

Defender for Endpoint VDI - definitions update from File shares no longer works after onboarding ATP
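An added example covering two posts above: the full-scan performance question (ScanAvgCPULoadFactor, DisableArchiveScanning) and the earlier baseline question about the "Type of system scan to perform" setting, which is the ScanParameters preference. It is not from either thread and the values are illustrative starting points, not Microsoft's recommendations. It reads the preferences that decide how heavy a scheduled full scan is, then applies a lower-impact profile with the built-in Set-MpPreference cmdlets. Where Intune, GPO or security settings management owns these settings, policy will overwrite local changes, so the same values need to go into the profile; the VDI post that follows is a separate topic.

```powershell
# Added example, not from the thread. Inspect and tune the preferences that drive scheduled
# full-scan load. Run elevated. Values below are illustrative assumptions, not Microsoft's
# documented recommendations; managed devices must get the same values via policy.
#Requires -RunAsAdministrator

function Get-DefenderScanProfile {
    $p = Get-MpPreference
    [pscustomobject]@{
        ScanAvgCPULoadFactor   = $p.ScanAvgCPULoadFactor    # CPU ceiling for scans, percent (5..100)
        ScanOnlyIfIdleEnabled  = $p.ScanOnlyIfIdleEnabled   # start scheduled scans only when idle
        DisableArchiveScanning = $p.DisableArchiveScanning  # archives are the expensive part of a full scan
        ScanParameters         = $p.ScanParameters          # 1 = quick, 2 = full ("Type of system scan to perform")
        ScanScheduleDay        = $p.ScanScheduleDay         # 0 = every day, 1..7 = Sun..Sat, 8 = never
        ScanScheduleTime       = $p.ScanScheduleTime        # time of day for the scheduled scan
        DisableCatchupFullScan = $p.DisableCatchupFullScan  # a missed full scan otherwise runs at next start-up
    }
}

function Set-DefenderLowImpactFullScan {
    param(
        [ValidateRange(5, 100)][int]$CpuLoadFactor = 20,   # assumption: well below the usual 50
        [int]$ScheduleDay = 7,                             # Saturday
        [datetime]$ScheduleTime = '02:00'
    )
    # A low CPU factor makes the scan slower but leaves the machine responsive.
    Set-MpPreference -ScanAvgCPULoadFactor $CpuLoadFactor
    # Only start the scheduled scan when nobody is using the device.
    Set-MpPreference -ScanOnlyIfIdleEnabled $true
    # Keep the weekly full scan, but move it off working hours.
    Set-MpPreference -ScanParameters 2 -ScanScheduleDay $ScheduleDay -ScanScheduleTime $ScheduleTime
    # A catch-up full scan at the next boot is exactly the "unusable for hours" scenario.
    Set-MpPreference -DisableCatchupFullScan $true
    # Archive scanning is deliberately left on: turning it off cuts load but means a full scan
    # never looks inside zip/cab files. Make that an explicit decision, not a side effect:
    # Set-MpPreference -DisableArchiveScanning $true
}

Get-DefenderScanProfile
Set-DefenderLowImpactFullScan
Get-DefenderScanProfile
```

Design note: the setting that usually explains "one click takes a minute" is not the weekly schedule itself but the catch-up scan that fires as soon as a laptop that missed its slot is powered on, during the working day. Checking DisableCatchupFullScan and ScanOnlyIfIdleEnabled first is cheaper than lowering ScanAvgCPULoadFactor, which only stretches the same work over more hours.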
Hey, We have non-persistent VDI and the VMs were updating at start-up by downloading definitions from a UNC file share. This has worked fine until we introduced the Defender ATP onboarding script. The onboarding script works (we can see the devices in the portal, albeit many duplicates, but we've since rectified this by using the 'single entry' method described in the MS KB); however, the local VMs do not display their Defender engine status (as below), and there's no indication that they are updating from the file share anymore. Attached are images from log file entries (are these expected?). We're stuck; can anyone help as to why the file share updating would stop working for Security Center-enrolled devices?

Microsoft Security Client - Log off Network
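An added example for the VDI definitions post above (not from the thread; the "Log off Network" post that follows is a separate topic). It does not explain why the share stopped being used after onboarding, which the page does not say, but it shows how to make the UNC share an explicit, first-choice signature source with the built-in Defender cmdlets, force an update from it, and read back the evidence (signature version and the Defender operational-log events) so the question "is it updating from the share or not" has a measurable answer. The share path is an assumption for illustration.

```powershell
# Added example, not from the thread. Configure a UNC share as a Defender signature source,
# update from it, and verify. Run elevated on the VDI template or in the start-up script.
# \\fileserver\DefenderUpdates is an assumed path; it must hold Microsoft's update package layout.
#Requires -RunAsAdministrator

$shareSource = '\\fileserver\DefenderUpdates'

function Set-DefenderFileShareUpdates {
    param([string]$Share = $shareSource)
    # Register the share and make it the first source tried. SignatureFallbackOrder is a
    # pipe-separated list; the engine walks it left to right until an update succeeds.
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $Share
    Set-MpPreference -SignatureFallbackOrder 'FileShares|MicrosoftUpdateServer|MMPC'
}

function Update-DefenderFromFileShare {
    $before = Get-MpComputerStatus
    # Force an update from the share only, so a success here cannot come from Windows Update.
    Update-MpSignature -UpdateSource FileShares
    $after = Get-MpComputerStatus
    [pscustomobject]@{
        SignatureBefore = $before.AntivirusSignatureVersion
        SignatureAfter  = $after.AntivirusSignatureVersion
        EngineVersion   = $after.AMEngineVersion
        LastUpdated     = $after.AntivirusSignatureLastUpdated
        FallbackOrder   = (Get-MpPreference).SignatureFallbackOrder
    }
}

function Get-DefenderUpdateEvents {
    # 2000 = security intelligence updated, 2001 = update failed (the message names the source).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 2000, 2001
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-DefenderFileShareUpdates
Update-DefenderFromFileShare
Get-DefenderUpdateEvents | Format-Table -AutoSize -Wrap
```

Usage note: run Update-DefenderFromFileShare once with the share reachable and once with it blocked. A 2001 event naming the file share in the second case, and a 2000 event with a bumped signature version in the first, proves the source is being consulted; if the version bumps with the share blocked, the update came from a different source in the fallback list, not from the share.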
We have an issue with a 3rd-party application freezing after about 6 min of inactivity. The only evidence in the Event Viewer is in the Application Log:

Log Name: Application
Source: Microsoft Security Client
Date: 10/04/2021 6:30:54 PM
Event ID: 5000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SOLVit-LOAN-01
Description: Log off network

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Security Client" />
    <EventID Qualifiers="0">5000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-04-10T08:30:54.5764042Z" />
    <EventRecordID>4819</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>SOLVit-LOAN-01</Computer>
    <Security />
  </System>
  <EventData>
    <Data>0x1</Data>
    <Data>ProtectionManagement</Data>
  </EventData>
</Event>

We run Malwarebytes Endpoint, which is registered in 'Virus & threat protection', so unsure if we need to be registering this application as an exception in things like AppGuard or Tamper Protection or somewhere in Defender?

Microsoft Defender EDR for old Windows Server 2008/2012/2016
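An added example for the "Log off Network" post above (not from the thread; the Windows Server EDR post that follows is a separate topic). It does not identify the cause of the freeze, which the page does not establish, but it gathers the three facts needed to investigate it: every event 5000 from the 'Microsoft Security Client' provider with the two EventData values the poster quotes (0x1 and ProtectionManagement) pulled out for correlation against freeze times, the list of antivirus products Windows Security Center currently has registered, and Defender's own reported running mode. The SecurityCenter2 WMI namespace exists on client Windows only, which is an assumption about the poster's loan device.

```powershell
# Added example, not from the thread. Collect the evidence for a "third-party app freezes"
# investigation: the quoted event 5000 entries, the AV products Security Center knows about,
# and Defender's running mode. No elevation needed; SecurityCenter2 is client Windows only.

function Get-SecurityClientEvents {
    param([int]$Hours = 48)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft Security Client'
        Id           = 5000
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData holds two unnamed <Data> elements (0x1 and ProtectionManagement in the post).
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Message   = $_.Message
            Flag      = $xml.Event.EventData.Data[0]
            Component = $xml.Event.EventData.Data[1]
        }
    }
}

function Get-RegisteredAntivirusProducts {
    # One row per product registered in Security Center (Defender and Malwarebytes would both
    # appear). productState is an undocumented bitfield: compare it between a machine that
    # freezes and one that does not rather than decoding it from memory.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
        Select-Object displayName, instanceGuid,
            @{ n = 'productState'; e = { '0x{0:X6}' -f $_.productState } },
            timestamp
}

function Get-DefenderState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AMRunningMode      = $s.AMRunningMode            # 'Passive Mode' expected when a third-party AV is primary
        RealTimeProtection = $s.RealTimeProtectionEnabled
        AntivirusEnabled   = $s.AntivirusEnabled
        IsTamperProtected  = $s.IsTamperProtected
    }
}

Get-SecurityClientEvents | Sort-Object Time | Format-Table -AutoSize
Get-RegisteredAntivirusProducts | Format-Table -AutoSize
Get-DefenderState
```

Usage note: line the event timestamps up against the times the application froze. If the 5000 events cluster a few seconds before each freeze and Defender reports 'Normal' rather than 'Passive Mode' with Malwarebytes also registered, two real-time engines are active at once and the next step is the exclusion/passive-mode question the poster raises; if the events do not line up with the freezes at all, the event log is a red herring and the application itself needs tracing.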
Microsoft documentation states the EDR feature is supported on older Windows Server versions like Server 2012/2016. Then it goes on to say to deploy the MMA agent. But isn't the MMA agent just a read-only Log Analytics agent that can only report the status of the server but can take no action? Hence, EDR means only detection but no response. Am I correct in understanding that? We are evaluating Defender for Servers and have gone through quite a lot of documentation but still no definitive answer.