Wiki source code of "VirTool:Win32/DefenderTamperingRestore triggers a threat alert"
Last modified by Jannis Klein on 2024/08/13 07:31
version | line-number | content |
---|---|---|
1.1 | 1 | {{aagon.priorisierung}} |
 | 2 | 20 |
 | 3 | {{/aagon.priorisierung}} |
 | 4 | |
2.1 | 5 | Some Defender settings that can be deployed via GPO are themselves detected as threats. These are settings that disable protection modules and thereby weaken the protection of the device. |
 | 6 | If such settings are applied, Defender detects them as the threat "VirTool:Win32/DefenderTamperingRestore" and raises an event of type //Alert// with event ID 1116. |
1.1 | 7 | |
 | 8 | {{aagon.warnungsbox}} |
2.1 | 9 | Note that disabling protection modules is generally not recommended! |
1.1 | 10 | {{/aagon.warnungsbox}} |
 | 11 | |
2.1 | 12 | If you nevertheless have to disable modules, define the detection as an exception so that it is ignored when it occurs. |
1.1 | 13 | |
2.1 | 14 | Proceed as follows: |
 | 15 | ~1. Double-click //Defender Management// > //Configuration Profiles// > //Default Defender// to open the settings. |
1.1 | 16 | |
 | 17 | {{figure}} |
 | 18 | (% style="text-align:center" %) |
 | 19 | [[image:18_64_Defender Management_ Konfigurationsprofile_1561.png\|\|alt="63_Defender Management_Konfig Einstellungen_3838.png"]] |
 | 20 | |
 | 21 | {{figureCaption}} |
2.1 | 22 | Configuration profile settings |
1.1 | 23 | {{/figureCaption}} |
 | 24 | {{/figure}} |
 | 25 | |
2.1 | 26 | 2. Navigate to //Actions for threats// and add the threat name and threat ID using the plus sign under //Threat action//; both values can be read from the event ID 1116 entry on an affected client. Use the drop-down menu under //Actions// to decide what to do with the threat. It is recommended that you ignore the threat. Enter the exception only for this one threat name and ID so that all other detections keep their default action. |
1.1 | 27 | |
 | 28 | {{figure}} |
 | 29 | [[image:63_Defender Management_Bedrohungsaktion_577.png]] |
 | 30 | |
 | 31 | {{figureCaption}} |
2.1 | 32 | Define threat action |
1.1 | 33 | {{/figureCaption}} |
 | 34 | {{/figure}} |
 | 35 | |
2.1 | 36 | The detection is then ignored and no longer appears in the event list. |
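The steps above are performed in the ACMP console. As an added example that is not part of the Aagon documentation or the ACMP product, the following PowerShell script shows what happens on a single client: it reads the threat name and numeric threat ID from the event ID 1116 entries in the Defender Operational log (the pair that has to be entered under //Threat action//) and, only when run with `-Apply`, sets the per-threat default action to Allow locally with `Add-MpPreference`, which is the local counterpart of the "ignore" action the configuration profile distributes. Assumptions: the script runs elevated on a client with the Defender PowerShell module, and the 1116 event data fields are named "Threat Name" and "Threat ID".

```powershell
# Added example (not ACMP code): list Defender 1116 detections and, on request,
# exclude one threat by ID on this client only. Assumes the EventData field names
# "Threat Name" and "Threat ID" used by the Defender Operational log.
param(
    [string]$ThreatName = 'VirTool:Win32/DefenderTamperingRestore',
    [switch]$Apply   # without -Apply the script only reports
)

$log = 'Microsoft-Windows-Windows Defender/Operational'

# Event 1116 = "detected malware or other potentially unwanted software".
# -ErrorAction SilentlyContinue turns "no events found" into an empty result.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1116 } -ErrorAction SilentlyContinue

# Pull name and ID out of the structured EventData instead of parsing the
# localized message text.
$detections = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['Threat ID']) {
        [pscustomobject]@{
            Time = $e.TimeCreated
            Name = $data['Threat Name']
            Id   = [int64]$data['Threat ID']
        }
    }
}

# One line per distinct name/ID pair: this is what goes into the ACMP profile.
$detections | Group-Object Name, Id | ForEach-Object {
    $last = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    '{0,-48} ID {1,-12} {2} event(s), last seen {3}' -f $_.Group[0].Name, $_.Group[0].Id, $_.Count, $last
}

$target = $detections | Where-Object Name -eq $ThreatName | Select-Object -First 1
if (-not $target) {
    Write-Warning "No event 1116 for '$ThreatName' found in '$log'; nothing to exclude."
    return
}

# Show whether this ID already has a per-threat action on the client.
$pref = Get-MpPreference
if ($pref.ThreatIDDefaultAction_Ids -contains $target.Id) {
    $idx = [array]::IndexOf($pref.ThreatIDDefaultAction_Ids, $target.Id)
    "Threat ID $($target.Id) already has default action $($pref.ThreatIDDefaultAction_Actions[$idx])."
}

# Allow = 6 in the ThreatAction enumeration (1 Clean, 2 Quarantine, 3 Remove,
# 8 UserDefined, 9 NoAction, 10 Block). Add-MpPreference appends to the existing
# per-threat list, so only this single ID is affected; every other detection
# keeps its normal default action.
if ($Apply) {
    Add-MpPreference -ThreatIDDefaultAction_Ids $target.Id -ThreatIDDefaultAction_Actions Allow
    "Default action for $($target.Name) (ID $($target.Id)) set to Allow on this client."
} else {
    "Run again with -Apply to set the default action for ID $($target.Id) to Allow."
}
```

Run it once without `-Apply` to confirm that the name/ID pair printed matches the entry you are about to make in the configuration profile; the exception should never be broader than that one ID, because a blanket action would also silence unrelated detections.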