How to allow development exe files to be run in an environment?

Connor Poort 21 Reputation points
2021-04-29T17:49:13.87+00:00

looking to find an answer regarding how to allow a .exe which is marked as malicious to be run within our development subscription for testing auto-deployment of known good software. The exe file is being marked as malicious and blocked within our Azure environment.

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
673 questions
{count} votes

Accepted answer
  1. JamesTran-MSFT 26,616 Reputation points Microsoft Employee
    2021-05-04T21:39:59.443+00:00

    @Connor Poort
    Thank you for the quick response on this!

    I reached out to our Azure Security Center team and was told that ASC is working as expected when it comes to the alerts. However, as for the "Block" action taken by Antimalware or Windows Defender, this would be better handled by our Microsoft Defender for Endpoint Community.

    However, I did do some research and it looks like you might have to Modify your default antimalware policy or create a new policy, configure exclusions for files opened by processes, and exclude the .exe file. When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.

    If you have any other questions or would like to work closer with our support team on this, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    No comments

1 additional answer

Sort by: Most helpful
  1. Connor Poort 21 Reputation points
    2021-05-04T17:09:28.667+00:00

    @JamesTran-MSFT

    In our internal investigation, we noticed that by allowing the file hash through Defender ATP it stopped flagging it in Azure Security Center alerts. Can you elaborate on why that may have happened?

    TenantId [ID]
    TimeGenerated 2021-04-29T16:37:56
    DisplayName Antimalware Action Taken
    AlertName Antimalware Action Taken
    AlertSeverity Low
    Description Microsoft Antimalware has taken an action to protect this machine from malware or other potentially unwanted software.
    VendorName Microsoft Antimalware
    SystemAlertId 2517825874909999999_8da7e78b-f45b-45a7-a05d-d9e4ae3a88db
    ResourceId /subscriptions/<removed>/resourceGroups/[PATH]/[MACHINE]
    SourceComputerId <removed>
    AlertType AntimalwareActionTaken
    IsIncident False
    StartTime 2021-04-29T16:21:49
    EndTime 2021-04-29T16:21:49
    ProcessingEndTime 2021-04-29T16:37:56
    RemediationSteps [ "No user action is necessary" ]
    ExtendedProperties { "ActionTaken": "Blocked", "Threat Status": "Remediated", "Protection Type": "Windows Defender", "ThreatName": "Trojan:Win32/Spursint.F!cl", "Category": "Trojan", "Threat ID": "2147717281", "File Path": "C:\Users\[super-user]\AppData\Local\Microsoft\Windows\INetCache\IE\EG486XOM\AutoDeployDownloader.exe", "Webfile": "C:\Users\[super-user]\AppData\Local\Microsoft\Windows\INetCache\IE\EG486XOM\AutoDeployDownloader.exe https://tsg-dev.cherwellondemand.com/cherwellautodeploy/AutoDeployDownloader.exe pid:8160,ProcessStart:132641821123301244", "resourceType": "Virtual Machine" }
    Entities [ { "$id": "4", "DnsDomain": "tsg.theshyftgroup.com", "HostName": "[MACHINE]", "AzureID": "/subscriptions/<removed>/resourceGroups/dev-winupdates-rg/providers/Microsoft.Compute/virtualMachines/AZNC-WD10-D01", "OMSAgentID": "59a78e9e-dcad-4b2c-aac6-cf9cc2b32116", "Type": "host" }, { "$id": "5", "Directory": "c:\users\[super-user]\appdata\local\microsoft\windows\inetcache\ie\eg486xom", "Name": "autodeploydownloader.exe", "Type": "file" }, { "$id": "6", "Name": "Trojan:Win32/Spursint.F!cl", "Category": "Trojan", "Files": [ { "$ref": "5" } ], "Type": "malware" } ]
    SourceSystem Detection
    WorkspaceSubscriptionId <removed>
    WorkspaceResourceGroup dev-management-rg
    ExtendedLinks [ { "Href": "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan:Win32/Spursint.F!cl", "Category": "Threat Information", "Label": "Trojan:Win32/Spursint.F!cl", "Type": "webLink" } ]
    ProductName Microsoft Antimalware
    AlertLink https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517825874909999999_8da7e78b-f45b-45a7-a05d-d9e4ae3a88db/subscriptionId/<removed>/resourceGroup/dev-winupdates-rg/referencedFrom/alertDeepLink/location/centralus

    Status New
    CompromisedEntity [MACHINE.DOMAIN]
    Tactics Unknown
    Type SecurityAlert

    No comments