none
Why remediation action: "NoAction" on detecting malware with Windows Defenders periodic scan? RRS feed

  • Question

  • I am in the process of testing Windows Defenders periodic scan on Windows 10 1703/1709 via SCCM. 

    In the SCCM Antimalware Policy I configured default action "Quarantine" for all levels (severe, high, medium and low) .

    But on finding malware Defender says:

    Remediation action: NoAction

    Action status:Succeeded

    I would expect that the Remediation action would be "Quarantined".

    Anyone who can explain this?

    TIA

    Thursday, November 23, 2017 8:41 AM

All replies

  • Hi AdminL,

    Remediation action is an undertaking to correct a problem. this says noaction.

    It could be that No Action is necessary because the infection is already gone.  To be sure, feel free to scan the device with another tool.  When I have doubts about something being cleaned, I prefer to use an offline scanner so that it’s unlikely an infection can interfere with the scan.

    https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-offline

    Review Windows Defender AV scan results

    https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus

    Hope it will be helpful to you


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, November 24, 2017 7:04 AM
    Moderator
  • Hi,

    Haven't received your message a few days, was your issue resolved?
    I am proposing previous helpful replies as "Answered". Please feel free to try it and let me know the result. If the reply is helpful, please remember to mark it as answer which can help other community members who have same questions and find the helpful reply quickly.
    Best regards,
    Carl


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 27, 2017 2:45 PM
    Moderator
  • Hi,

    Any update?


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 29, 2017 12:51 PM
    Moderator
  • I've been using SCEP / Defender for around 5 years, and this behaviour has been one of the banes of my life. I escalated this query all the way through Premier support and never received a straight answer.

    The best I have been able to come up with is that each time this occurs the SOC need to take manual action to verify what happened and what needs to be done. The scenarios I have observed causing this result include:

    • The malware type was not configured to be quarantined or removed.
    • The malware file or process was not found when Defender tried to remove it
    • Another process (or another simultaneous Defender thread) already quarantined the file
    • The file was locked or on a read-only drive.

    In practice, my SOC would first check the SCCM logs to see if there was also a successful remove/quarantine at the same time. Then they would access the machine and manually check that location to see if the file existed before manually cleaning the file. 

    I would be keen to hear if anyone has found a clearer answer to this. Manual remediation of these alerts is a significant burden to the SOC and negatively impacts users if you don't have an EDR product to investigate and remediate remotely.

    (Posted this earlier to a thread from 2014 before I noticed the date...)

    Wednesday, September 26, 2018 10:33 AM