How does Windows Defender ATP work?

  • Question

  • I need to know what triggers WDATP to send an Alert to the SecurityCenter Portal if malware is not executed. The reason I am asking is because I just kept some support files (not exe's) of malware on my test machine and that folder was excluded from Windows Defender scan.

    As these files were NOT executed and were excluded from AV Scan, how was I able to see an Alert on the Portal? What triggered the machine to send an alert?

    Also, is there a local logs location where all alerts are logged as well?


    Junaid Jan

    Wednesday, December 7, 2016 4:04 AM

All replies

  • Hi Junaid,

    Windows Defender AV exclusions apply only to the AV scans. The Windows Defender ATP sensor (which is different from the Windows Defender AV client) will observe everything on your machine. The reason it ignores the exclusions set by you is because those could just as well have been set by an attacker with control of your network.

    What you can easily do is suppress any of these detections through the portal for that specific machine (open the alert page and use the control (looks like 3 dots) on the far right side of the main alert title box - the one with the severity color on it).

    As for local logs - no, there is no detection logic in the WDATP sensor; therefore no local detections can be written to the machine logs.

    Thursday, December 8, 2016 10:28 AM
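    The reply above makes two points a defender can verify on the endpoint itself: AV exclusions belong to the Windows Defender AV engine, while the ATP sensor is a separate service that does not read them, and the sensor's local event channel carries health and connectivity events rather than detections. The following PowerShell script is an added illustration, not code from the thread or from Microsoft; it assumes an elevated session on a Windows 10 machine with the Defender module available and, for the sensor part, a machine already onboarded to WDATP.

```powershell
# Added example (not from the thread): show the Windows Defender AV exclusion
# list side by side with the state of the WDATP sensor ("Sense" service),
# to make visible that the two are independent. Run elevated on Windows 10.

# 1. AV-side view: paths and extensions the Windows Defender AV engine skips.
$prefs = Get-MpPreference
Write-Host "AV exclusion paths:"
$prefs.ExclusionPath | ForEach-Object { Write-Host "  $_" }
Write-Host "AV exclusion extensions:"
$prefs.ExclusionExtension | ForEach-Object { Write-Host "  $_" }

# 2. Sensor-side view: the ATP sensor runs as its own service and ignores
#    the list above, so files in an excluded folder are still observed.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($null -eq $sense) {
    Write-Host "Sense service not present: this machine is not onboarded to WDATP."
} else {
    Write-Host ("Sense service status: {0} (start type: {1})" -f $sense.Status, $sense.StartType)
}

# 3. The sensor's operational channel records sensor health/connectivity,
#    not detections; alerts are raised in the portal, as the reply states.
$events = Get-WinEvent -LogName "Microsoft-Windows-SENSE/Operational" -MaxEvents 5 -ErrorAction SilentlyContinue
if ($null -eq $events) {
    Write-Host "No SENSE operational events found (channel absent or empty)."
}
foreach ($e in $events) {
    # Print timestamp, event id and the first line of the message only.
    Write-Host ("{0}  id={1}  {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}
```

    On a machine that is not onboarded, only section 1 produces output, which is itself a useful check when an alert is expected but never appears in the portal.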
  • Thanks Raviv. Is there any article/document which has technical information regarding WDATP sensors, kind of WDATP internals?

    Junaid Jan

    Friday, December 9, 2016 9:50 PM