Latest Discussions
Linux (Ubuntu 22.04) Discovered Vulnerabilities/Missing Security Updates
Hello, we have Defender for Endpoint P2; the server is reporting correctly enrolled. Everything MDE is updated. Full and quick scans are completed. Inventory software is complete. No weaknesses / no vulnerable components reported. No discovered vulnerabilities. No missing security update. Licence issue/installation issue... any hints where I could look? Thanks
ChristopheHumbert, Apr 16, 2025

MPScanSkip error codes
From the MPScanSkip log file, does anyone know what these error codes are?
C:\ProgramData\Microsoft\Windows Defender\Support\MPScanSkip-xxxxxxxx-xxxxxx.log
OnDemandScan skipped or partial scan for [filepath]. Reason [Scan Error]. Error Code [80500021]
OnDemandScan skipped or partial scan for [pid:xx]. Reason [Scan Error]. Error Code [8050012b]
OnDemandScan skipped or partial scan for [process]. Reason [Scan Error]. Error Code [8050007b]
Chandra_Sathyanarayana, Apr 15, 2025

Can I use Microsoft Defender for Endpoint for CIS benchmark assessment
Hi Team, I have a customer who wants to do a CIS benchmark assessment (CIS Microsoft Windows Server Benchmarks) for on-prem Windows 2022 servers. Can we use Microsoft Defender for Endpoint to do it? What's the prerequisite? E5 and Arc onboarding? Thank you. Regards, Huaye
Huaye, Apr 14, 2025 (Solved)

Device Health Status
We have recently been onboarding Server 2019 into Defender. We are using the standard WindowsDefenderATPOnboardingScript.bat file that is available to perform the onboarding. When running the .bat file, it reports back that it ran successfully. After a few hours the servers showed up on the MDE site. However, they are not showing green health check marks for the following options in MDE under Overview > Device health status: Security intelligence, Engine, and Platform are all greyed out. I have run the MDE analyzer tool on multiple servers reporting like this and the report returns successful results. PowerShell commands also confirm devices are updating. Why do I have some devices that have all "green" vs "greyed out" states? Sensor status for each of these is healthy also. This also applies to persistent servers and our Citrix application servers. For Citrix application servers we do not onboard the golden image and we are using the standard PS onboarding implementation there.
mooneytech2025, Apr 10, 2025

Discovering options such as adding device groups in Defender
Hello everyone, I'm just discovering options such as device groups, and I would like to learn how to set it up correctly. Let me know if I understand it correctly: the option is meant to separate important and less important devices. What are the recommendations for important ones like servers and for less important ones like standard user workstations? What level of remediation is there if it's not enabled? Does it need to be set up at all? Thanks!
CyberKing, Apr 09, 2025

Duplicate alerts generated when unsanctioned app is accessed
We use Defender for Endpoint and also sanction/unsanction cloud applications in Defender. When an unsanctioned application is blocked we get two alerts generated for it. One titled "Connection to a custom network indicator" and a second "Unsanctioned cloud app access was blocked". We expect and want only one of these alerts, but can't seem to find the correct area to edit the policy for "Unsanctioned cloud app access was blocked", and editing "Connection to a custom network indicator" seems to require editing alert settings for each indicator. Maybe there is a better way for the latter one.

Connection to a custom network indicator
When an application is unsanctioned, it creates a custom indicator which is further viewable at Defender > System > Settings > Endpoints > Rules > Indicators > URLs/Domains. The Application column is displaying the cloud app which was sanctioned, and the alert with title "Unsanctioned cloud app access was blocked" for each indicator can be further edited from this area. This would be one place we can turn off these alerts, but hoping there is a bulk edit or a global setting to not create these alerts when a cloud app is unsanctioned. This is the alert policy/rule we would like to turn off and not have created automatically for each unsanctioned cloud app. Is there a setting to disable automatic creation of these alerts with each new unsanctioned cloud app?

Unsanctioned cloud app access was blocked
Only severity can be changed for these alerts as far as I can find under Settings > Cloud apps > Cloud Discovery > Microsoft Defender for Endpoint. That is okay as this is the preferred alert that we would like to retain.
VOatMH1265, Apr 08, 2025

Can't Access Defender Because I Haven't Activated Defender
Company Portal tells me I need to install and activate MS Defender. I've installed it, but when I open Defender and sign in, it just tells me I need to "Install and activate Microsoft Defender for Endpoint to protect your devices," which is exactly what the Company Portal tells me and doesn't help me at all. I've tried clearing the app cache and data and restarting the device, but it doesn't change anything. I think it's not considered active because I haven't granted it all the required permissions, but I'm not sure what it's missing without the walkthrough that Defender is supposed to give me for adding all perms. I've added a few of the ones it needs manually (file access, display over other apps, notifications), but that hasn't fixed the issue. I believe there's some VM setup required, which I haven't been able to do manually. Tried asking on the Microsoft Community but was redirected here.
LarissaCox, Apr 08, 2025

Attack Surface Reduction rules with Packaged app
Our application is a Packaged App, distributed using a signed MSIX package. The executable files inside the MSIX package are not signed, since it is our belief that this is not promoted by Microsoft. The package creation tool (inside Visual Studio) does not support signing the individual files going into the package. We have a customer running Microsoft Defender for Endpoint with a massive set of ASR rules. One of these rules prevents our application from running, since it is not signed (the .exe file, that is). In this article: "Microsoft Defender for Endpoint attack surface reduction rules deployment overview - Microsoft Defender for Endpoint | Microsoft Learn", it is stated at the end: "Caveat: Some rules don't work well if unsigned, internally developed application and scripts are in high usage. It's more difficult to deploy attack surface reduction rules if code signing isn't enforced." So my question is: Is it possible to have ASR rules with Zero-day protection act on the Package Identity instead of the signature of the .exe file? And if not, should we try to get Microsoft to support signing binary files going into the MSIX package?
Bjorn_DM, Apr 07, 2025