McKnife (Germany) asked:

Deploying Windows Defender exclusions

If you DON'T administer windows defender exclusion lists, then please DON'T answer, thank you!

I found Defender to mistakenly detect a command line as a virus. The command
C:\Windows\System32\vssadmin.exe delete shadows /all /quiet

gets detected as Trojan:Win32/ShadowCopyDelQuiet.A

So I'd like to create an exception. If I exclude
C:\Windows\System32\vssadmin.exe as path, it still gets detected.
If I exclude it as process, it still gets detected.
So whatever MS is thinking by detecting this, they don't let me deploy a rule to stop their scanner (up2date) detecting it! Logs get flooded and users get anxious.

So right now I am removing that command from my script.
I never had problems adding a path or process before, so I am clueless what to do about it.
Here's the log entry:
Affected items:
CmdLine: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet

Bembi:

Hello,
If you want to exclude a path, you should only provide the path (without the executable).
If you want to exclude the file, you can provide the file including the path name.
If you want to exclude a process, you can exclude it by exe name or full path name.
Placeholders make it easier to reflect the different OS types and locations.

Has worked for years without any issues.

The question is, if you catch the correct process. You may try to use placeholders instead of a named path. 

I can not see Win32/ShadowCopyDelQuiet.A in the current pattern list. And I can even call it on different machines without triggering an alert (including Win 10 Defender).

Possibly your virus definitions are not up to date?

In Defender (i.e. on Win 10), it looks a little bit different, but the settings are the same...
You just separate files and folders.
Examples are taken from Win7 / Win 10 clients which get the same policy.

McKnife (asker):

Hi.

"If you want to exclude a path, you should only provide the path... (wihout the executable)." - MS says differently and gives examples including the executable as path.
It does not work, try it.
"And even can call it on different machines without triggering an alert (including Win 10 Defender)." - so can I. It will only trigger alerts very rarely. Quality code. We have 50 machines using that same script and on three days now, only 6 detections (code runs daily!)
McKnife (asker):

Sorry, I was really in a hurry when I tried to write an answer.

So, to re-iterate:
"I can not see Win32/ShadowCopyDelQuiet.A in the current pattern list" - it has been added on Friday and wasn't removed nor updated yet, see https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.343.1110.0
Question is, what pattern list do you have in mind?

Back to the problem: the eventlog says:

Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Shad ...
Name: Trojan:Win32/ShadowCopyDelQuiet.A
ID: 2147785319
Severity: Severe
Category: Trojan
Path: CmdLine:_C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
Detection Origin: Unknown
Detection Type: Concrete
Detection Source: System
Process Name: Unknown
Action: Not Applicable
Action Status: No additional actions required
Error Code: 0x00000000
Error description: The operation completed successfully.
Security intelligence Version: AV: 1.343.1268.0, AS: 1.343.1268.0, NIS: 1.343.1268.0
Engine Version: AM: 1.1.18300.4, NIS: 1.1.18300.4

Question: line 8 - what is that silly notation? Sure, the detection doesn't recognize vssadmin itself as virus, no, but the command line it is used with, because that resembles ransomware behavior (delete restore points and shadow copies). But what will I need to put on the exclusion list? Right that,
path:  CmdLine:_C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
?

Problem is, I cannot test that since I can't even reproduce it. All machines have the most current AV updates, and yet, only 6 have found that yet, although it's a script that runs daily. On those machines, I can run that script again and again - never it gets detected. Totally puzzling.
McKnife (asker):

And guys, believe me, there are VERY good reasons to delete these volume shadow copies...
https://twitter.com/gentilkiwi/status/1417467063883476992
Bembi:
Hello McKnife,
Possibly the exclusion doesn't work because you run it inside a command prompt.
I just had a look at your twitter link, and my Microsoft scanner has eaten the mimikatz tool.
Will check later...


 
I interpret your comment to mean that you can also run it manually on the systems, right? Without triggering an alert. So, if the policies / exceptions are the same on all systems, and the alert is only triggered on a few machines, I would imagine that it is only triggered when vssadmin really deletes something?

According to the path names... Sure you can exclude paths as well as files. As I use SCCM to distribute the policies, SCCM doesn't make a difference between files and folders, but Win 10 does. So maybe worth checking the Win 10 settings, whether a path exclusion is also marked as a folder and a file exclusion as a file exception.

As the process is not recognized, possibly it is the action that triggers it?

I checked a Win 2016 machine with no shadow copies, so I enabled them, created a shadow copy, ran your command and Defender doesn't take any notice of it. Patterns are current (1.343.1390).
Shadow copies were deleted as expected
The same behavior if I just run it as a *.bat file.

So, I'm wondering why your clients trigger it and mine not?
True / False reaction?
Even if some clients react and others don't, I would always ask what they have in common and what is different (settings, OS build etc.).

Be aware that you can also exclude items even if they are recognized...

I do this usually with tools which are regularly recognized as they are categorised as hack tools.
 
Also in Win 10:

Also if you look under Protection History, you can enable or disable threat protection...
McKnife (asker):

Yes, I know all that.
"So, I'm wondering why your clients trigger it and mine not?" - as said, hundreds of script executions as we run the same script on 60 clients for weeks and only 5 or 6 detections so far. Reason is "quality code" (code of Defender) I believe.
Of course will "mimikatz be eaten". But there are ways to fool any scanner not to eat it, see https://www.ws-its.de/wp-content/uploads/2019/07/WSHowTo-Die-Mutation-eines-Schadcodes-mimikatz-vs.-Win10-1903.pdf
But that is off-topic.

All machines are equal, same definitions, same OS build, same number (=zero) of shadow copies.

All I want is someone that has successfully excluded this funny type "Path: CmdLine:_C:\..." before to tell me how he did it.
Bembi:
@Mimikatz:
I just put it on my local machine, excluded it from defender and it runs...

@All machines are equal,...
I would put this a little bit into doubt. They can't be equal if they react differently.

I mean it happens from time to time that also Defender has sometimes true / false results. It is usually solved with the next pattern update. But rarely seen in the past. 

But, by the way, disabling system protection (at least on Win 10) would also disable restore points and shadow copies.
So if you do not want to have them, why not just disable the function which creates them?


McKnife (asker):

There is no doubt that exclusions work in general. Just this particular case here, where MS added definitions for a certain command line call, seems to be very special. SR is disabled anyway, it's just a precaution to have that command still around in case they get re-enabled somehow.

Enough said - I will wait a little, sometimes new ideas form after a little rest.
McKnife (asker):

Ok, one step further.
After I finally found a machine that I could reproduce this on (although the circumstances remain unclear), I could only make it stop by defining an "allowed threat" (see pic1).
That is not to be confused with an exclusion (see pic2).
Exclusions don't work here. Allowed threats do work, so the question finally boils down to:
How to deploy allowed threats using GPOs?
I cannot even make out where these (manually added) allowed threats manifest. It seems, they go into C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-shm, but that is only speculation based on what procmon tells me.
Any idea?
ASKER CERTIFIED SOLUTION by McKnife (solution text not available in this copy)
Bembi:
Hello McKnife...
This is what I have said above...

Or Win 10:

And the corresponding registry keys...
(For Win 10: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender)

The drawback here is that it is connected with the threat, not with a process.
And the settings exclude all items which are classified with the threats above.
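The allowed-threat setting works where the exclusions did not because it is keyed on the threat ID, not on a path or process; a detection whose "Path" is a command line never matches a path or process exclusion. As an added example (not code from the thread, the asker, or Microsoft), the following PowerShell pulls the detections for the threat ID quoted in the event log above (2147785319) from the Defender operational log, allows that ID machine-locally with the Defender cmdlets, and reads back the values that a GPO deployment of the same setting writes under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender. Assumptions: the policy subkey Threats\ThreatIdDefaultAction and the numeric action codes are what the Defender ADMX and Set-MpPreference use, and the GPO policy name quoted in the comments is from memory; verify both against the GPO editor on your domain. Run in an elevated session on a test machine first.

```powershell
# Added example for this thread, not code from the asker or from Microsoft.
# (1) list Defender detections for one threat ID from the event log,
# (2) allow that threat ID machine-locally via the Defender cmdlets,
# (3) read back what the equivalent GPO writes under the Policies hive.
# Run elevated. 2147785319 is the ID from the posted event log entry.
# Assumption: 'Threats\ThreatIdDefaultAction' and the action codes below are
# what the Defender ADMX and Set-MpPreference use.

$ThreatId = 2147785319L   # Trojan:Win32/ShadowCopyDelQuiet.A

# Action codes as reported by Get-MpPreference / written by the policy.
$ActionName = @{ 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Allow'
                 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }

# (1) Recent detections of one threat ID. Event 1116 = detected, 1117 = action taken.
function Get-DefenderDetectionsForThreat {
    param([Parameter(Mandatory)][long]$Id, [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "(?m)^\s*ID:\s*$Id\b" } |
    ForEach-Object {
        $lines = $_.Message -split '\r?\n'
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Name    = ($lines | Where-Object { $_ -match '^\s*Name:' }) -replace '^\s*Name:\s*', ''
            Path    = ($lines | Where-Object { $_ -match '^\s*Path:' }) -replace '^\s*Path:\s*', ''
        }
    }
}

# (2) Allow this threat ID machine-locally. Add-MpPreference appends to the
#     existing ID/action lists; Set-MpPreference would replace them. This is
#     keyed by threat ID, so the same signature is also allowed if ransomware
#     runs the identical vssadmin command line: scope it to hosts that need it.
function Add-DefenderAllowedThreat {
    param([Parameter(Mandatory)][long]$Id)
    Add-MpPreference -ThreatIDDefaultAction_Ids $Id -ThreatIDDefaultAction_Actions Allow
}

# Read back the locally configured ID -> action pairs.
function Get-DefenderThreatActions {
    $p = Get-MpPreference
    for ($i = 0; $i -lt @($p.ThreatIDDefaultAction_Ids).Count; $i++) {
        $code = [int]$p.ThreatIDDefaultAction_Actions[$i]
        [pscustomobject]@{ ThreatId = $p.ThreatIDDefaultAction_Ids[$i]; Action = $ActionName[$code]; Code = $code }
    }
}

# (3) What the GPO "Specify threats upon which default action should not be
#     taken when detected" (policy name from memory) writes: a DWORD enabling
#     the policy plus one string value per threat ID whose data is the action
#     code. Reading it back is the check that the policy reached a client.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats'
function Get-DefenderThreatPolicy {
    $list = Join-Path $PolicyRoot 'ThreatIdDefaultAction'
    if (-not (Test-Path $list)) { return }
    $enabled = (Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue).Threats_ThreatIdDefaultAction
    (Get-Item $list).GetValueNames() | ForEach-Object {
        $code = [int](Get-ItemPropertyValue -Path $list -Name $_)
        [pscustomobject]@{ ThreatId = [long]$_; Action = $ActionName[$code]; Code = $code; PolicyEnabled = ($enabled -eq 1) }
    }
}

# Lab-only: write the same values directly to reproduce the setting on a test
# machine. On a domain-joined client Group Policy owns this hive and will
# overwrite or remove them, so deploy through the GPO in production.
function Set-DefenderThreatPolicyLocal {
    param([Parameter(Mandatory)][long]$Id,
          [ValidateSet('Allow','Quarantine','Remove','Clean','Block','NoAction','UserDefined')][string]$Action = 'Allow')
    $code = ($ActionName.GetEnumerator() | Where-Object { $_.Value -eq $Action }).Key
    $list = Join-Path $PolicyRoot 'ThreatIdDefaultAction'
    New-Item -Path $list -Force | Out-Null
    New-ItemProperty -Path $PolicyRoot -Name 'Threats_ThreatIdDefaultAction' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $list -Name "$Id" -PropertyType String -Value "$code" -Force | Out-Null
}

Get-DefenderDetectionsForThreat -Id $ThreatId | Format-Table -AutoSize
Add-DefenderAllowedThreat -Id $ThreatId
Get-DefenderThreatActions | Format-Table -AutoSize
Get-DefenderThreatPolicy  | Format-Table -AutoSize
```

Allowing a threat ID is broader than a path or process exclusion: once set, Defender ignores that signature regardless of which process produced the command line, including real ransomware running the same vssadmin call. Scope the GPO to the hosts that actually run the script, and keep the detection report in step (1) running so the 1116/1117 events for this ID can still be reviewed.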
 
McKnife (asker):

Yes, you mentioned the allowed threats but not how to deploy them (and I was somehow looking at the right spot in the documentation but still missing it :-| )