Defender ATP, Storage Servers, $Home Drives

AlHoff25

In an enterprise, users can have $Home drives, Roaming Profiles, and/or Shell folders like Desktop/Documents located on a storage server.

Is anyone seeing DATP quarantining the same non-malicious file, creating the same alert, because it doesn't get removed? How is the false-positive file returning if it says it was quarantined?


--

I know it should be deleted in both places.

So, there's a couple of ways to ask this question.


Can there be a situation where Defender ATP quarantines a file on a computer, but the storage server puts it back and creates a loop of alerts?

Is there ever a case where DATP removes something, but doesn't sync to storage and delete that copy?

Could the large enterprise have a setup where the file has to be removed on a computer and specifically from the server's drive itself?


You might have seen when DATP keeps quarantining the same file over and over, creating the same alert. I'm not truly concerned with malware persistence or the Registry/bigger concerns/types of malware/etc, but instead quarantining any file and continuously creating an alert because of how infrastructure is set up.


Technically, DATP should delete your file and it's gone everywhere, but Microsoft can create unexpected, variable situations where it's not fixed by definition. I had a situation like this with OneDrive syncing to my personal computer after a reimage. The file name was in a .tmp state, so AV>OneDrive>AV>OneDrive, and I couldn't go and just delete it.
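The first thing to establish when this happens is whether the repeated alerts really are the same path, whether that path lives on a storage server (UNC, mapped $Home drive, or a redirected Desktop/Documents folder), and whether the file is still present after the last quarantine. The script below is an added example written for this thread, not the poster's own code or anything from Microsoft. It uses the Defender PowerShell module (Get-MpThreatDetection) on a Windows endpoint and assumes the Resources entries are formatted as "file:_<path>", which is the form I have seen from that cmdlet; confirm on your own build before trusting the regex.

```powershell
# Added example (not from the original post). Correlates Defender detections
# by file path, flags paths backed by a storage server, and checks whether the
# file is still there, which is the "quarantined but keeps coming back" signature.
# Requires the Defender module (Windows client with Microsoft Defender Antivirus).

function Get-PathLocation {
    param([string]$Path)

    if ($Path -like '\\*') { return 'UNC share' }

    # Folder redirection (Desktop, Documents, ...) is recorded per user here.
    # Assumption: only the common shell folder names below are checked.
    $shell = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    foreach ($name in 'Desktop', 'Personal', 'My Pictures', 'My Video', 'My Music', 'AppData') {
        $target = [Environment]::ExpandEnvironmentVariables([string]$shell.$name)
        if ($target -and $target -like '\\*' -and $Path -like "$target*") {
            return "Redirected folder ($name -> $target)"
        }
    }

    # Mapped drive letter backed by a server, e.g. an H: $Home drive.
    $qualifier = Split-Path $Path -Qualifier -ErrorAction SilentlyContinue
    if ($qualifier) {
        $psDrive = Get-PSDrive -Name $qualifier.TrimEnd(':') -PSProvider FileSystem -ErrorAction SilentlyContinue
        if ($psDrive -and $psDrive.DisplayRoot -like '\\*') {
            return "Mapped drive ($qualifier -> $($psDrive.DisplayRoot))"
        }
    }

    return 'Local disk'
}

function Get-RepeatedDetections {
    param([int]$MinCount = 2)

    # One row per detected file path. Assumption: Resources look like "file:_C:\...".
    $rows = Get-MpThreatDetection | ForEach-Object {
        $det = $_
        foreach ($res in $det.Resources) {
            if ($res -match '^file:_(.+)$') {
                [pscustomobject]@{
                    Path     = $Matches[1]
                    ThreatID = $det.ThreatID
                    Time     = $det.InitialDetectionTime
                }
            }
        }
    }

    # The same path detected repeatedly is the loop described in the thread.
    $rows | Group-Object Path | Where-Object Count -ge $MinCount | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Path         = $_.Name
            Count        = $_.Count
            FirstSeen    = $sorted[0].Time
            LastSeen     = $sorted[-1].Time
            ThreatIDs    = ($_.Group.ThreatID | Sort-Object -Unique) -join ','
            Location     = Get-PathLocation $_.Name
            StillPresent = Test-Path -LiteralPath $_.Name   # back after quarantine?
        }
    }
}

Get-RepeatedDetections | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it in the user's own session (the User Shell Folders lookup is per user) and compare the Location column against where the file keeps reappearing. A repeated path that resolves to a UNC share, a mapped drive or a redirected folder, and that shows StillPresent as True after the most recent detection, is the case where the endpoint quarantine alone is not the whole story and the server-side copy has to be dealt with separately.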
