VirTool: Win32/DefenderTamperingRestore raises an alert

Last modified by Jannis Klein on 2024/08/13 08:20

There are Defender settings in the GPO that are detected as threats. These are settings that disable modules, creating a vulnerability.
If such settings are set, they will be detected as threats "VirTool:Win32/DefenderTamperingRestore" and the event type Alert with event ID 1116 is raised.

Warning  Warning:  

Please note that disabling modules is generally not recommended!

If you must disable modules, you must define the threat as an exception so that it is ignored when it is detected.

Proceed as follows:
1. Double-click Defender Management > Configuration Profiles > Default Defender to open the settings.

63_Defender Management_Konfig Einstellungen_3838.png

Configuration Profile settings

2. Navigate to Actions for threats and add the threat name and ID using the plus sign under Threat action. Use the drop-down menu under Actions to decide what to do with the threat. It is recommended that you ignore the threat.

63_Defender Management_Bedrohungsaktion_577.png

Define threat action

This will cause the threat to be ignored and removed from the event list.

© Aagon GmbH 2024
Besuchen Sie unsere neue Aagon-Community