I am receiving alerts in MS Defender of type "'ScrInject' malware was detected".
The context is elastic-endpoint.exe and some .ndjson files like
elastic-agent-event-log-20241103-156.ndjson
I made an exclusion, as I think this is a false positive.
But I only "think it is" and do not know.
Is this a known issue, and what is causing this? As far as I understand the alert, it is about "injecting" malicious code. I'd not expect this in event log data?
I don't know what would cause this. elastic-endpoint.exe doesn't write to that file, but elastic-agent.exe would; I assume that's what happened?
It would help to understand what happened if you shared the MS Defender alert and a copy of the ndjson file (or at least logs from when the alert happened). You can DM me those things.
Thank you @ferullo,
Here's the Defender alert (no sensitive data, so it can be published):
11/2/2024 3:37:50 PM
[1060] wininit.exe
Process id 1060
Execution details Elevated
Image file path wininit.exe
11/2/2024 3:37:50 PM
[1176] services.exe
Process id 1176
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\services.exe
Image file SHA1 395aa8b83cf4087ef62ca5407c6f69abf229411b
Image file creation time Jun 25, 2024 12:11:51 PM
Image file last modification time Jun 25, 2024 12:11:51 PM
PE metadata services.exe
User NT-AUTORITÄT\SYSTEM
11/2/2024 3:37:52 PM
[5160] elastic-endpoint.exe run
Command line "elastic-endpoint.exe" run
Process id 5160
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
Image file SHA1 b3bd22b619b8c1fd965084edb6230a4d46d9f63e
Image file creation time Jun 22, 2024 8:02:33 PM
Image file last modification time Aug 19, 2024 3:12:17 PM
PE metadata elastic-endpoint.exe
User NT-AUTORITÄT\SYSTEM
11/3/2024 5:23:45 PM
elastic-endpoint.exe interacted with file elastic-agent-event-log-20241103-156.ndjson
SHA1 1df5aa76f85185c8c721dfc0e5c4f94b0d404ebb
Path C:\Program Files\Elastic\Agent\data\elastic-agent-8.15.0-25075f\logs\events\elastic-agent-event-log-20241103-156.ndjson
Size 5 MB
Remediation details Defender detected 'Trojan:HTML/ScrInject.TDAA!MTB' in file 'elastic-agent-event-log-20241103-156.ndjson', during attempted open by 'elastic-endpoint.exe'
'ScrInject' malware was detected Resolved Detected Informational
Additional related files
11/3/2024 5:23:45 PM
elastic-agent-event-log-20241103-156.ndjson
SHA1 1df5aa76f85185c8c721dfc0e5c4f94b0d404ebb
Path C:\Program Files\Elastic\Agent\data\elastic-agent-8.15.0-25075f\logs\events\elastic-agent-event-log-20241103-156.ndjson
Size 5 MB
Remediation details Defender detected 'Trojan:HTML/ScrInject.TDAA!MTB' in file 'elastic-agent-event-log-20241103-156.ndjson', during attempted open by 'elastic-endpoint.exe'
'ScrInject' malware was detected Resolved Detected Informational
Also, to make it more visible, as an image:
I checked for the .json file, but it is not on the machine. If I find it somewhere, I will upload it.
Double-check the extension. It appears to be .ndjson, not .json. These .ndjson files are human-readable text log files. They don't contain executable code. This appears to be a false positive in MDE. Something in that log file is matching a signature in the MDE AV database.
I've created a secure upload link specific to this case, if you'd like to share the file with us.
This Microsoft page documents how to suppress MDE alerts and/or report false positives to the MDE team:
Thank you @gabriel.landau, the extension was a typo. The file is no longer on the machine.
As you mentioned, I also think this is a false positive. And I changed the setting in Defender to ignore this alert.
Having a signature in a human-readable file is something rare in my opinion.
I will try to collect an evidence file so it can be investigated. Maybe I find some more info in the Defender portal.
Thank you for taking time and investigating.