User Profile
yongrheemsft
Joined 9 years ago
Recent Discussions
Re: Microsoft Defender onboarding issues
Konrad_P630, on the 'manual' onboarding environment, please make sure that you delete all the current 'onboarding packages'. Why? CVE-2022-23278 (March 8th, 2022). And then share the new (as of March 2022) 'onboarding package' with the folks doing the 'manual' onboarding. Also, make sure that the image (e.g. sysprep or SCCM task sequence) is not onboarding MDE before the image is sealed. If this symptom still persists, please grab an aka.ms/MDEClientAnalyzer and open an MSFT Security MDE support ticket.
Thanks, Yong Rhee - MSFT
2.5K views, 0 likes, 0 comments

Re: Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
MikeP751860, the following AH query should do the trick:

// Signature versions involved in the Start Menu .lnk deletions
let badsignatures = dynamic(['1.381.2134.0','1.381.2140.0','1.381.2152.0','1.381.2163.0']);
// Devices where a Start Menu .lnk was launched through BrowserLaunchedToOpenUrl
let shortcuts = DeviceEvents
//| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
| sort by Timestamp asc;
// Latest AV platform/engine/signature state per device, joined to the launches above
DeviceTvmInfoGathering
| evaluate bag_unpack(AdditionalFields)
| where isnotempty(AvSignatureVersion)
| join kind=inner (shortcuts) on DeviceId
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, AvSignatureVersion, AvPlatformVersion, AvEngineVersion, RemoteUrl, ActionType //Timestamp,
| where AvSignatureVersion in (badsignatures)

5.7K views, 0 likes, 4 comments

Re: Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
MikeP751860, please try the following Advanced Hunting query:

DeviceEvents
| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)
| where ActionType contains "BrowserLaunchedToOpenUrl"
| where RemoteUrl endswith ".lnk"
| where RemoteUrl contains "start menu"
| summarize by Timestamp, DeviceName, DeviceId, RemoteUrl, ActionType
| sort by Timestamp asc

6.2K views, 0 likes, 7 comments

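As an added example (not part of either reply above), the following Python re-implements the logic of the two Advanced Hunting queries over constructed sample rows: the Start Menu .lnk launch filter with its optional Timestamp window, the latest-signature-per-device lookup (isnotempty + arg_max), the inner join on DeviceId, and the final filter against the four signature versions the first reply lists. It lets you check the join and filter semantics offline before running the real query in the portal. The column subsets, device names, paths, and every version string other than the four listed signatures are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Signature versions the reply above lists as affected (copied from the post).
BAD_SIGNATURES = frozenset({"1.381.2134.0", "1.381.2140.0",
                            "1.381.2152.0", "1.381.2163.0"})
# The Timestamp window used in the second reply: Jan 13 inclusive to Jan 14 exclusive.
FRIDAY_13_WINDOW = (datetime(2023, 1, 13), datetime(2023, 1, 14))


@dataclass(frozen=True)
class DeviceEvent:
    """Subset of DeviceEvents columns the query touches."""
    timestamp: datetime
    device_name: str
    device_id: str
    action_type: str
    remote_url: str


@dataclass(frozen=True)
class TvmRow:
    """Subset of DeviceTvmInfoGathering, AdditionalFields already bag_unpack'ed."""
    timestamp: datetime
    device_id: str
    av_signature_version: Optional[str]
    av_platform_version: str
    av_engine_version: str


def shortcut_launches(events, start=None, end=None):
    """The 'shortcuts' sub-query: BrowserLaunchedToOpenUrl on a Start Menu .lnk.
    KQL 'contains' and 'endswith' are case-insensitive, hence the lower()."""
    keep = set()                      # 'summarize by ...' deduplicates identical rows
    for e in events:
        if start is not None and e.timestamp < start:
            continue
        if end is not None and e.timestamp >= end:
            continue
        if "browserlaunchedtoopenurl" not in e.action_type.lower():
            continue
        url = e.remote_url.lower()
        if url.endswith(".lnk") and "start menu" in url:
            keep.add(e)
    return sorted(keep, key=lambda e: e.timestamp)   # 'sort by Timestamp asc'


def latest_av_state(tvm_rows):
    """where isnotempty(AvSignatureVersion) | summarize arg_max(Timestamp, *) by DeviceId."""
    latest = {}
    for r in tvm_rows:
        if not r.av_signature_version:
            continue
        cur = latest.get(r.device_id)
        if cur is None or r.timestamp > cur.timestamp:
            latest[r.device_id] = r
    return latest


def hunt(events, tvm_rows, start=None, end=None):
    """Inner join on DeviceId, one row per device (as the summarize produces), then
    keep devices whose signature is in BAD_SIGNATURES (KQL 'in' is case-sensitive).
    The earliest matching launch is used as the representative row."""
    av = latest_av_state(tvm_rows)
    hits = {}
    for e in shortcut_launches(events, start, end):
        state = av.get(e.device_id)
        if state is None or e.device_id in hits:   # inner join drops devices without a TVM row
            continue
        if state.av_signature_version in BAD_SIGNATURES:
            hits[e.device_id] = {
                "DeviceName": e.device_name,
                "AvSignatureVersion": state.av_signature_version,
                "AvPlatformVersion": state.av_platform_version,
                "AvEngineVersion": state.av_engine_version,
                "RemoteUrl": e.remote_url,
                "ActionType": e.action_type,
            }
    return list(hits.values())


# Constructed sample telemetry (not real data): names, paths and versions are made up.
SM = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
LAUNCH = "BrowserLaunchedToOpenUrl"
SAMPLE_EVENTS = [
    DeviceEvent(datetime(2023, 1, 13, 9, 15), "ws-01", "dev-1", LAUNCH, SM + r"\Notepad++.lnk"),
    DeviceEvent(datetime(2023, 1, 13, 9, 16), "ws-01", "dev-1", LAUNCH, SM + r"\Teams.lnk"),
    DeviceEvent(datetime(2023, 1, 13, 10, 2), "ws-02", "dev-2", LAUNCH, SM + r"\Word.lnk"),
    DeviceEvent(datetime(2023, 1, 13, 10, 30), "ws-03", "dev-3", LAUNCH, r"C:\Program Files\Git\git-bash.exe"),
    DeviceEvent(datetime(2023, 1, 13, 11, 0), "ws-04", "dev-4", LAUNCH, SM + r"\Zoom.lnk"),
    DeviceEvent(datetime(2023, 1, 14, 8, 0), "ws-01", "dev-1", LAUNCH, SM + r"\Edge.lnk"),  # outside window
]
SAMPLE_TVM = [
    TvmRow(datetime(2023, 1, 12, 8, 0), "dev-1", "1.381.2100.0", "4.18.2211.5", "1.1.19900.2"),
    TvmRow(datetime(2023, 1, 13, 8, 0), "dev-1", "1.381.2140.0", "4.18.2211.5", "1.1.19900.2"),  # latest, affected
    TvmRow(datetime(2023, 1, 13, 8, 0), "dev-2", "1.381.2250.0", "4.18.2211.5", "1.1.19900.2"),  # not affected
    TvmRow(datetime(2023, 1, 13, 12, 0), "dev-2", None, "4.18.2211.5", "1.1.19900.2"),           # empty, ignored
    TvmRow(datetime(2023, 1, 13, 8, 0), "dev-3", "1.381.2152.0", "4.18.2211.5", "1.1.19900.2"),  # affected, no .lnk launch
]


def run_sample():
    """Run the hunt over the constructed rows with the Jan 13 window."""
    return hunt(SAMPLE_EVENTS, SAMPLE_TVM, *FRIDAY_13_WINDOW)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Two details of the KQL are worth carrying over when you adapt the query: `contains` and `endswith` match case-insensitively, so the lower-cased "start menu" works against both ProgramData and per-user paths, while `in (badsignatures)` is case-sensitive and will silently miss a version string that differs in any character. Devices with no DeviceTvmInfoGathering row at all (dev-4 in the sample) disappear in the inner join, so a device missing from the result is not necessarily unaffected.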
Re: antimalware Service Executable High CPU Usage
davordmitric, as henryjs mentioned, it depends on when the high CPU usage occurs. If it's during a 'scheduled scan' (quick or full scan), then it would be expected. If it's not during a 'scheduled scan' or 'on-demand' scan, then there might be an app compatibility issue where the app/script is doing something that MDE's AV (msmpeng.exe, Antimalware Service Executable, Microsoft Defender Antivirus Service, WinDefend) is observing. The Perf Analyzer for MDAV is the easiest way to figure out what's causing the high CPU usage, and where you could find what process/path/extension you can add to provide relief. The MDAV Perf Analyzer info is located here:
Announcing performance analyzer for Microsoft Defender Antivirus
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-performance-analyzer-for-microsoft-defender-antivirus/ba-p/2713911
Performance analyzer for Microsoft Defender Antivirus
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide
Thanks, Yong - MSFT
7.7K views, 1 like, 1 comment

Re: mdatp directory consume lot of space in linux.
Ram_roshith, it's not expected for the "Security Intelligence Updates" (aka signatures/definitions) to take up that much disk space. Check that the permissions are correct. You could try changing the location of the path where they are downloaded to: use the 'mdatp definitions' command, and look at the 'path' switch. If this doesn't help, please open a Microsoft CSS Security MDE support ticket.
Thx, Yong Rhee - MSFT
3.2K views, 0 likes, 4 comments

Re: multiple Setting Bitlocker causing conflict?
I can't tell what management tool was used to set up the BitLocker policy. You can find out by running "Gpresult.exe -h GPResult_output.html" or "mdmdiagnosticstool.exe -out c:\temp". Look at the output of the logs to see if it's a GPO or MDM (Intune) policy that is being used.
Thx.
763 views, 0 likes, 0 comments

Re: Defender for Endpoint - Unified onboarding failed on 2012 R2 - MpAsDesc.dll 310
LoicM, sorry to hear about the challenges with the 2012 R2 install. Regarding the high CPU in MSSense and .cat, can you please open a Microsoft support ticket? It's something that we should be able to take care of.
Thx, Yong - MSFT
6.5K views, 0 likes, 0 comments

Re: Device Groups not working as expected
rob_wood_8894, RE: "they can see all of the devices in the inventory still, not as expected!!", if the end-user is part of the AAD "Global administrator" or "Security Administrator" group, this is expected and by design. Now, if your end-user account is not part of these groups, please open a Microsoft CSS support ticket for further investigation.
7.3K views, 0 likes, 7 comments

Re: Device Groups not working as expected
rob_wood_8894, when you go to Permissions -> Endpoints -> Roles, do you see: "Start using roles? Role-based access control provides granular options for regulating permissions to portal features and data. Users with read-only permissions will lose access to the portal until they are assigned one of the new roles through their Azure AD groups. Users with admin permissions are automatically assigned the Microsoft Defender for Endpoint administrator role with full permissions. Turn on roles" or something else?
Thanks, Yong Rhee - MSFT
7.6K views, 0 likes, 9 comments

Re: MDE Linux Managed JSON
ericl42, a few alternative options to Ansible, Chef, and Puppet are to use either Azure Automation + DSC or to run custom script extensions:
Run Custom Script Extension on Linux VMs in Azure - Azure Virtual Machines
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux
Thanks, Yong Rhee - MSFT
3.1K views, 1 like, 1 comment