@CCWTech said in Windows defender quarentined my VM... WTH?:

@Obsolesce said in Windows defender quarentined my VM... WTH?:

@CCWTech said in Windows defender quarentined my VM... WTH?:

Server down this morning...
VHDX File is just gone... It's missing...
I found out that Windows Defender had detected it was (or had) a virus and quarantined it...

How Windows defender even would ever quarantine a VHDX is beyond me.

Come on Microsoft!

That's odd. VHD/VHDX files are NOT ever scanned by the host, unless of course they are mounted in the same way as a disk or USB disk is to the host OS for example. Otherwise, they are treated like a black box. So something else had to have happened for it to be quarantined by the host OS. That doesn't just happen willy-nilly.

Additionally, VM files are automatically excluded when the Hyper-V server role is installed. So again, something isn't configured correctly or something weird is going on.

What happened to you isn't default behavior.

Not sure, we 'inherited' the server. We don't do HYPER-V any longer. Everything is KVM now. (Proxmox)

But it was for sure quarantiined. Funny thing is that Windows defender scan of the actual VM shows no virus... So weird.

My guess would be that the VM's AV cleaned it up separate from the host's AV killing the VM.

@Dashrender said in When Anti-Virus Companies Get Hacked: Symantec, Trend Micro, and Intel McAfee:

I can't recall if the bad ccleaner was signed or not?

Even if it was, that would be a Microsoft compromise. This is about the AV vendors getting hacked.

@dbeato said in ScreenConnect/Connectwise control client exe (marked as malicious):

@JaredBusch said in ScreenConnect/Connectwise control client exe (marked as malicious):

@dbeato said in ScreenConnect/Connectwise control client exe (marked as malicious):

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

@dbeato no, just an online file by file virus scanner?

No, (although it should be for another thread) it gives you information about the file, file hash. or URL in question. Example below is the Itarian Remote Control application Executable:
2019-04-23_0039.png

It compares the has of the file to multiple AV and Technology companies to see if the hash has been flagged as malicious or not or if it is questionable.

How is that useful? The executable is rebuilt on every install for every group that it auto links to. that makes a hash useless.

That might be true for ConnectWise but not all Executables create a new hash everytime.

And in those unrelated cases, lots of things flagging the would be more meaningful.

@black3dynamite said in Windows Server 2019 Need to Download and Run without AV Deleting Files:

https://www.thomasmaurer.ch/2016/07/how-to-disable-and-configure-windows-defender-on-windows-server-2016-using-powershell/

For now, just temporary disable Real-Time Protection via PowerShell
Set-MpPreference -DisableRealtimeMonitoring $true

Download the executable and scan it manually before you install
Start-MpScan -ScanPath C:\datastore\file.exe -ScanType QuickScan

Enable Real-Time Protection after the install
Set-MpPreference -DisableRealtimeMonitoring $false

Excellent, now THAT did it.

@Dashrender said in Microsoft Security Essentials - Script?:

Do you have a remote access solution for these machines?

If not, Mesh Central might be a real life saver - then you could remote in and run these commands. No driving required.

What do you meant "Remote access solution"?
if the question is "DO i have remote access" ?
then the answer is yes .

@wrx7m said in Webroot SecureAnywhere Business Replacement?:

@momurda said in Webroot SecureAnywhere Business Replacement?:

This task Manager behavior is from Webroot?
I see it occasionally; one developer in particular says it is always a problem.

https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/Task-Manager/td-p/309032

According to the most recent post in that thread (edit - the most recent post is currently 2 weeks old), a beta release fixes this issue. Being that the thread started in December of 2017, it goes to show how long it takes them to fix things.

yes, that is also what we found out, especially in Windows 10.

@wrx7m said in Webroot - Limiting Access to Shutdown Protection to Admins:

Thanks, everyone. Policies are the way to handle it.

Has anyone needed to exclude services/files/directories from being scanned by webroot? For instance, Exchange, SQL, IIS, etc?

Not really. It was recommended by some software vendors but we ignored it and everything kept humming along without issue.

@momurda - I will have to keep an eye on the last seen. So far, those reports are accurate on mine, as they are newly-imaged computers that have not been deployed.

@stacksofplates Yeah, I work mostly in WIndows 10 but my laptop is based on Ubuntu right now.

Please don't reference bad links.

Rough week, first Webroot, now Netgear.

And a lot of people set it to "always do" something bad, then it doesn't ask again.

@RojoLoco Today on this too:
https://community.spiceworks.com/topic/1985267-av-conspiracy-theory-or-reality

@scottalanmiller said in Installing Linux Malware Detect and ClamAV on CentOS 7:

@travisdh1 said in Installing Linux Malware Detect and ClamAV on CentOS 7:

Any reason to use LMD instead of or in addition to rkhunter?

Doesn't rkhunter focus only on root kits?

Mostly, but this was the first time I remember hearing about LMD.

Windows Defender... works well enough and is included with the operating system.

https://vimeo.com/182707041

@Dashrender said in Sophos False Positive with WinLogon.EXE:

@StrongBad said in Sophos False Positive with WinLogon.EXE:

@Dashrender said in Sophos False Positive with WinLogon.EXE:

other than webroot, who's had more false positives at my one client who uses them than panda that I have been running for 10+ years.

I'm not understanding your statement. This feels like only part of a sentence. Is this a question?

It's a statement - I'll re-word.

Webroot has had more false positives in the 3 years a client of mine has been using Webroot, than I have had in the 10+ years another client has been using Panda AV.

So while I love Webroot (primarily the journaling), it does require more support than other options I have/do use.

I see, thanks for the clarification. That's not what I had read you to mean at all. That makes more sense.

@Richard_Cylance said in Cylance Questions:

FTFY - Sold = Lost. Exec = guru

This reminded me of the following Simpsons clip:
Youtube Video