Windows 10 1809 - Windows Defender + Endpoint Policies SCCM - Quarantine Items and Detections

  • Question

  • Hello,

    I have an SCCM installation (current branch) and Windows 10 1809 deployed. As I started to prepare this network almost from scratch, the Endpoint Protection was centralized with Windows Defender and SCCM Endpoint Protection policies. Everything is working as expected, or almost.

    The policy I have is set to quarantine all items, except the low ones. After some detections, and also some tests, malware/viruses are cleaned as expected but they are not quarantined, they just vanish. When I go to the history I have the detection but only an allow option and an error below the file name.

    The quarantine folder for Defender is empty, and also when using CMD to check the threats, it just says empty. I checked the GPO and also tried to force option 2 for all levels (the quarantine option) and put 60 days for quarantined files, the same as I have on my policy.

    Adding just some information, these are the configurations I have on Windows Defender:

    HighThreatDefaultAction                      : 2
    LowThreatDefaultAction                       : 6
    MAPSReporting                                : 2
    ModerateThreatDefaultAction                  : 2
    PUAProtection                                : 1
    QuarantinePurgeItemsAfterDelay               : 60
    RandomizeScheduleTaskTimes                   : True
    RealTimeScanDirection                        : 0
    RemediationScheduleDay                       : 0
    RemediationScheduleTime                      : 02:00:00
    ReportingAdditionalActionTimeOut             : 10080
    ReportingCriticalFailureTimeOut              : 10080
    ReportingNonCriticalTimeOut                  : 1440
    ScanAvgCPULoadFactor                         : 10
    ScanOnlyIfIdleEnabled                        : False
    ScanParameters                               : 2
    ScanPurgeItemsAfterDelay                     : 15
    ScanScheduleDay                              : 6
    ScanScheduleQuickScanTime                    : 10:01:00
    ScanScheduleTime                             : 11:00:00
    SevereThreatDefaultAction                    : 2
    SharedSignaturesPath                         :
    SignatureAuGracePeriod                       : 4320
    SignatureDefinitionUpdateFileSharesSources   :
    SignatureDisableUpdateOnStartupWithoutEngine : False
    SignatureFallbackOrder                       : InternalDefinitionUpdateServer
    SignatureFirstAuGracePeriod                  : 120
    SignatureScheduleDay                         : 8
    SignatureScheduleTime                        : 12:45:00
    SignatureUpdateCatchupInterval               : 1
    SignatureUpdateInterval                      : 6
    SubmitSamplesConsent                         : 1
    ThreatIDDefaultAction_Actions                :
    ThreatIDDefaultAction_Ids                    :
    UILockdown                                   : False
    UnknownThreatDefaultAction                   : 0

    I looked for some information, and in MPOperationalEvents.txt I have this information regarding the detection:

    1/21/2020 09:15:29 AM Microsoft-Windows-Windows Defender Information 1117 xxxxxxxx.aaaaaaa.bbbbbb
    Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
     For more information please see the following:
      Name: Virus:DOS/EICAR_Test_File
      ID: 2147519003
      Severity: Severe
      Category: Virus
      Path: containerfile:_C:\Users\xxxxxxxx\Downloads\Test_Defender_Malware\; file:_C:\Users\xxxxxxxx\Downloads\Test_Defender_Malware\>; webfile:_C:\Users\xxxxxxxxxxx\Downloads\Test_Defender_Malware\||pid:3724,ProcessStart:132240717071644626
      Detection Origin: Internet
      Detection Type: Concrete
      Detection Source: Downloads and attachments
      Process Name: Unknown
      Action: Quarantine
      Action Status:  No additional actions required
      Error Code: 0x80508023
      Error description: The program could not find the malware and other potentially unwanted software on this device. 
      Signature Version: AV: 1.307.2696.0, AS: 1.307.2696.0, NIS: 1.307.2696.0
      Engine Version: AM: 1.1.16600.7, NIS: 1.1.16600.7

    So it is in accord with the SCCM notification I have. The action should be quarantine, but when it tries to take action, the file is no longer there...

    My question is: if there is a false positive or another file I must restore, I can't get it. I tried a bunch of options and checked Defender's logs and the Endpoint (from SCCM) logs. Anyone with a behavior like this?

    Thank you in advance!

    Fábio Teles

    Wednesday, January 22, 2020 9:10 PM
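The checks below are an added example for readers in the same situation; they are not part of Fábio's post and not Microsoft's own tooling. The script compares the Get-MpPreference values quoted above against the intended policy (quarantine everything except Low), looks for per-threat overrides that would beat the severity defaults, lists every detection whose remediation did not succeed together with its error code, and prints what is actually in quarantine. It assumes Windows 10 1809 with the built-in Defender PowerShell module and MpCmdRun.exe in its default location, and an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumes: Windows 10 1809, Defender PowerShell module present,
# MpCmdRun.exe under %ProgramFiles%\Windows Defender, elevated prompt.

$pref = Get-MpPreference

# Default actions as they appear in the post: 2 = Quarantine, 6 = Allow.
$expected = [ordered]@{
    LowThreatDefaultAction         = 6
    ModerateThreatDefaultAction    = 2
    HighThreatDefaultAction        = 2
    SevereThreatDefaultAction      = 2
    QuarantinePurgeItemsAfterDelay = 60
}

"== Preference check =="
foreach ($name in $expected.Keys) {
    $actual = $pref.$name
    $state  = if ($actual -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-32} expected {1,-3} actual {2,-3} {3}' -f $name, $expected[$name], $actual, $state
}

# A per-threat override (ThreatIDDefaultAction_*) takes precedence over the
# severity defaults, so an Allow (6) here would explain a threat that is
# never quarantined even though the severity default says Quarantine.
if ($pref.ThreatIDDefaultAction_Ids) {
    "Per-threat overrides:"
    for ($i = 0; $i -lt $pref.ThreatIDDefaultAction_Ids.Count; $i++) {
        '  ThreatID {0} -> action {1}' -f $pref.ThreatIDDefaultAction_Ids[$i],
                                          $pref.ThreatIDDefaultAction_Actions[$i]
    }
} else {
    "No per-threat overrides."
}

# Detections whose remediation failed. ThreatStatusErrorCode is the HRESULT
# the event log shows as "Error Code" (0x80508023 in the post).
"== Detections with failed remediation =="
Get-MpThreatDetection |
    Where-Object { -not $_.ActionSuccess } |
    Select-Object InitialDetectionTime, ThreatID, CleaningActionID, ProcessName,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } },
        @{ n = 'ErrorCode'; e = { '0x{0:X8}' -f $_.ThreatStatusErrorCode } } |
    Format-List

# What is actually sitting in quarantine (the list the poster saw as empty).
"== Quarantine contents =="
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll
```

A MISMATCH line means the SCCM policy did not land on the client, while a detection with ActionSuccess = False and an empty quarantine list points to remediation having nothing left to act on rather than to the policy itself.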

All replies

  • Hello.

    I didn't receive any further information about this, but I found out what was happening. When the file is downloaded from the internet, the browser just deletes any virus because of SmartScreen (Edge) or similar (on Chrome, etc.). If the file gets to the computer another way, it's quarantined correctly.

    That's why the log said "The file no longer exists" when trying the quarantine.

    Hope it helps others!

    Fábio Teles

    Thursday, March 5, 2020 3:54 PM
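One way to confirm this explanation on your own clients, as an added example that is not part of Fábio's reply and not Microsoft's code: read the Defender Operational log, pull the Detection Source and Error Code fields out of each "action taken" event (ID 1117, the same message format shown in the question), and group them. If the reply is right, the 0x80508023 failures cluster under "Downloads and attachments" while files that reached the disk some other way show error 0x00000000. It assumes Windows 10 1809 with Windows Defender Antivirus and an elevated prompt; the Get-MessageField helper is a hypothetical name introduced here.

```powershell
# Added example (not from the original reply or from Microsoft).
# Assumes: Windows 10 1809, Windows Defender Antivirus, elevated prompt.

$logName = 'Microsoft-Windows-Windows Defender/Operational'

# Pulls one "Field: value" line out of an event message; returns '' when the
# field is absent. Anchoring at line start keeps "Name:" from matching
# "Process Name:".
function Get-MessageField {
    param([string]$Message, [string]$Field)
    $pattern = "(?m)^\s*$([regex]::Escape($Field)):\s*(.*?)\s*$"
    if ($Message -match $pattern) { return $Matches[1] }
    return ''
}

# 1117 = "Windows Defender Antivirus has taken action ..." (the event in the post).
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1117 } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    [pscustomobject]@{
        Time            = $ev.TimeCreated
        Name            = Get-MessageField $ev.Message 'Name'
        DetectionSource = Get-MessageField $ev.Message 'Detection Source'
        Action          = Get-MessageField $ev.Message 'Action'
        ErrorCode       = Get-MessageField $ev.Message 'Error Code'
        Path            = Get-MessageField $ev.Message 'Path'
    }
}

# Summary: which detection sources end in which remediation error codes.
"== Remediation outcome by detection source =="
$rows | Group-Object DetectionSource, ErrorCode |
    Select-Object Count,
        @{ n = 'DetectionSource'; e = { $_.Group[0].DetectionSource } },
        @{ n = 'ErrorCode';       e = { $_.Group[0].ErrorCode } } |
    Sort-Object DetectionSource, ErrorCode |
    Format-Table -AutoSize

# Detail for the failures the thread is about: 0x80508023 means the file was
# already gone when Defender tried to quarantine it.
"== Detections where the file was no longer present =="
$rows | Where-Object { $_.ErrorCode -eq '0x80508023' } |
    Format-Table Time, Name, DetectionSource, Action, Path -AutoSize
```

Parsing the rendered message rather than the raw event XML keeps the script aligned with what the post quotes, at the cost of depending on the provider's message resources being installed, which is the case on any machine that writes this log.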