I recently ran into an issue where Defend is triggering on suspicious activity. Unfortunately, the suspicious activity is due to a legitimate software install that is adding itself to the Windows Defender exclusions directory via subprocessing PowerShell to add the entry. What this ends up meaning is that I can add PowerShell as a trusted application to allow the install, which isn't really what I want.
My question is, is there a way for me to add an exclusion or trusted application where the exclusion is basically: if the parent of the application causing a specific malicious trigger has a specific validated signature, then allow it? Otherwise I need to jump through hoops every time I want to update this specific software.
Hi @FranklinFurter. You can create an Endpoint Alert Exception on any field that Endpoint sends in the alert. If process.parent.code_signature or process.parent.Ext.code_signature are present, you can use them in exceptions.
When trusting signers, make sure to also check trusted: true as a nested condition paired with subject_name. A file can have multiple signers. Nested checks ensure that the two fields are validated as a tuple.
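As an added illustration (not code from the thread or from Elastic), the script below builds an exception item body in the nested-entry shape that Kibana exception lists use for `process.parent.Ext.code_signature`, and then evaluates three constructed alert documents two ways: a "flat" check that looks for the subject name anywhere and `trusted: true` anywhere, and a nested check that requires both on the same signer entry. The request body layout, the `endpoint_list` list id and the subject name `Example Vendor Inc.` are assumptions/placeholders; the sample alerts are constructed and are not real telemetry.

```python
import json
from typing import Any

# Field the thread points at; Endpoint records one object per signer in this array.
NESTED_FIELD = "process.parent.Ext.code_signature"


def get_path(doc: dict, dotted: str) -> Any:
    """Walk a dotted field path through nested dicts; None if any part is missing."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def build_signer_exception(subject_name: str, list_id: str = "endpoint_list") -> dict:
    """Exception item body (assumed Kibana exception-list shape) that pairs
    subject_name and trusted inside ONE nested entry, so they are matched as a tuple."""
    return {
        "list_id": list_id,  # placeholder list id
        "name": f"Allow children of parents signed by {subject_name}",
        "description": "Parent process signature validated as (subject_name, trusted) tuple",
        "type": "simple",
        "namespace_type": "agnostic",
        "entries": [
            {
                "type": "nested",
                "field": NESTED_FIELD,
                "entries": [
                    {"field": "subject_name", "operator": "included", "type": "match", "value": subject_name},
                    # exception values are strings in the API body (assumption)
                    {"field": "trusted", "operator": "included", "type": "match", "value": "true"},
                ],
            }
        ],
    }


def flat_match(alert: dict, subject_name: str) -> bool:
    """The weak check: name on ANY signer and trusted on ANY signer, independently."""
    signers = get_path(alert, NESTED_FIELD) or []
    has_name = any(s.get("subject_name") == subject_name for s in signers)
    has_trusted = any(s.get("trusted") is True for s in signers)
    return has_name and has_trusted


def nested_match(alert: dict, subject_name: str) -> bool:
    """The tuple check: one signer entry must carry both the name and trusted=true."""
    signers = get_path(alert, NESTED_FIELD) or []
    return any(s.get("subject_name") == subject_name and s.get("trusted") is True for s in signers)


def _alert(signers: list) -> dict:
    return {"process": {"parent": {"Ext": {"code_signature": signers}}}}


# Constructed sample alerts (not real data), keyed by what they represent.
SAMPLE_ALERTS = {
    "vendor_fully_trusted": _alert([
        {"subject_name": "Example Vendor Inc.", "trusted": True},
        {"subject_name": "Example Timestamp CA", "trusted": True},
    ]),
    # Vendor signature failed validation, but a second, unrelated signer is trusted.
    "vendor_untrusted_plus_trusted_other": _alert([
        {"subject_name": "Example Vendor Inc.", "trusted": False},
        {"subject_name": "Some Other Signer", "trusted": True},
    ]),
    "unrelated_signer": _alert([
        {"subject_name": "Unrelated Publisher", "trusted": True},
    ]),
}


def evaluate_samples(subject_name: str = "Example Vendor Inc.") -> dict:
    """Return {sample_name: (flat_result, nested_result)} for every sample alert."""
    return {name: (flat_match(a, subject_name), nested_match(a, subject_name))
            for name, a in SAMPLE_ALERTS.items()}


if __name__ == "__main__":
    print(json.dumps(build_signer_exception("Example Vendor Inc."), indent=2))
    for name, (flat, nested) in evaluate_samples().items():
        print(f"{name:40s} flat={flat!s:5s} nested={nested!s}")
```

The second sample is the case the advice guards against: a flat check would let the alert through because some signer is trusted, while the nested check rejects it because the vendor's own signature is the one that failed validation.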
Thanks, I'll check that out. I was under the impression that the alert exception was simply not creating an alert on the elastic server side but would still stop the process on the client side. That's not the case then?