Wiki source code of VirTool: Win32/DefenderTamperingRestore triggert einen Bedrohungs-Alarm
Last modified by Jannis Klein on 2024/08/13 07:31
Show last authors
author | version | line-number | content |
---|---|---|---|
1 | {{aagon.priorisierung}} | ||
2 | 20 | ||
3 | {{/aagon.priorisierung}} | ||
4 | |||
5 | There are Defender settings in the GPO that are detected as threats. These are settings that disable modules, creating a vulnerability. | ||
6 | If such settings are set, they will be detected as threats "VirTool:Win32/DefenderTamperingRestore" and the event type //Alert //with event ID 1116 is raised. | ||
7 | |||
8 | {{aagon.warnungsbox}} | ||
9 | Please note that disabling modules is generally not recommended! | ||
10 | {{/aagon.warnungsbox}} | ||
11 | |||
12 | If you must disable modules, you must define the threat as an exception so that it is ignored when it is detected. | ||
13 | |||
14 | Proceed as follows: | ||
15 | ~1. Double-click //Defender Management// > //Configuration// //Profiles// > //Default// //Defender// to open the settings. | ||
16 | |||
17 | {{figure}} | ||
18 | (% style="text-align:center" %) | ||
19 | [[image:18_64_Defender Management_ Konfigurationsprofile_1561.png||alt="63_Defender Management_Konfig Einstellungen_3838.png"]] | ||
20 | |||
21 | {{figureCaption}} | ||
22 | Configuration Profile settings | ||
23 | {{/figureCaption}} | ||
24 | {{/figure}} | ||
25 | |||
26 | 2. Navigate to //Actions for threats// and add the threat name and ID using the plus sign under //Threat action//. Use the drop-down menu under //Actions// to decide what to do with the threat. It is recommended that you ignore the threat. | ||
27 | |||
28 | {{figure}} | ||
29 | [[image:63_Defender Management_Bedrohungsaktion_577.png]] | ||
30 | |||
31 | {{figureCaption}} | ||
32 | Define threat action | ||
33 | {{/figureCaption}} | ||
34 | {{/figure}} | ||
35 | |||
36 | This will cause the threat to be ignored and removed from the event list. |