Wiki source code of VirTool: Win32/DefenderTamperingRestore triggert einen Bedrohungs-Alarm
Last modified by Jannis Klein on 2024/08/13 07:31
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{aagon.priorisierung}} | ||
| 2 | 20 | ||
| 3 | {{/aagon.priorisierung}} | ||
| 4 | |||
| 5 | There are Defender settings in the GPO that are detected as threats. These are settings that disable modules, creating a vulnerability. | ||
| 6 | If such settings are set, they will be detected as threats "VirTool:Win32/DefenderTamperingRestore" and the event type //Alert //with event ID 1116 is raised. | ||
| 7 | |||
| 8 | {{aagon.warnungsbox}} | ||
| 9 | Please note that disabling modules is generally not recommended! | ||
| 10 | {{/aagon.warnungsbox}} | ||
| 11 | |||
| 12 | If you must disable modules, you must define the threat as an exception so that it is ignored when it is detected. | ||
| 13 | |||
| 14 | Proceed as follows: | ||
| 15 | ~1. Double-click //Defender Management// > //Configuration// //Profiles// > //Default// //Defender// to open the settings. | ||
| 16 | |||
| 17 | {{figure}} | ||
| 18 | (% style="text-align:center" %) | ||
| 19 | [[image:18_64_Defender Management_ Konfigurationsprofile_1561.png||alt="63_Defender Management_Konfig Einstellungen_3838.png"]] | ||
| 20 | |||
| 21 | {{figureCaption}} | ||
| 22 | Configuration Profile settings | ||
| 23 | {{/figureCaption}} | ||
| 24 | {{/figure}} | ||
| 25 | |||
| 26 | 2. Navigate to //Actions for threats// and add the threat name and ID using the plus sign under //Threat action//. Use the drop-down menu under //Actions// to decide what to do with the threat. It is recommended that you ignore the threat. | ||
| 27 | |||
| 28 | {{figure}} | ||
| 29 | [[image:63_Defender Management_Bedrohungsaktion_577.png]] | ||
| 30 | |||
| 31 | {{figureCaption}} | ||
| 32 | Define threat action | ||
| 33 | {{/figureCaption}} | ||
| 34 | {{/figure}} | ||
| 35 | |||
| 36 | This will cause the threat to be ignored and removed from the event list. |