This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 56.00000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
So recently since using Intune and Defender for Endpoint we have noticed that when we create a wrapped MSI file with an exe inside it that it appears that something is scanning and running the file to see what it is? I appears to be ran by a low spec windows 10 VM so I'm thinking this is some sort of cloud sandbox that would do this?
I cant seem to find any logs on either local machines or 365 to say that this is happening. It is very strange.
Has anyone else had this issue or know which setting in windows 10 baseline etc that i would need to change to stop this from happening.
just to add to this the reason for asking is that by something running the files to scan it onboards into our systems, hence wanting to find out what's causing it.
@James Griffiths Thanks for posting in our Q&A. For this issue, it is more related to Defender for Endpoint. To get more accurate help, it is suggested to contact Microsoft Defender for Endpoint support. Here is the support link:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/contact-support?view=o365-worldwide
Hope everything goes well with you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Microsoft Anti-Malware engine including Microsoft Defender will scan inside compress and MSI files. However, to check if Microsoft Defender is really causing this issue or not, you may try disable the Microsoft Defender and see if the problem persist?