Windows Server Posted December 18, 2024 Posted December 18, 2024 Security team have been often receiving alert that during the installation of Symantec Encryption Desktop, Windows is using bcdedit.exec to modify the boot configuration, where its disabling windows default system recovery. It might be an expected behavior to ensure no one can bypass the encryption at boot time and It could be a Defense Mechanism. As we're receiving lots of alerts on this, we want to get to the root cause and ensure this is an expected behavior. That way we can have it documented and fine tune our detection.Does any one know if it it would interact with system boot configuration and any mention of bcdedit tasks being used during installation. Command Line: "cmd.exe" /c schtasks.exe /Create /RU %USERNAME% /SC DAILY /TN runBCDEDIT /RL HIGHEST /TR "bcdedit.exe /set recoveryenabled No " & schtasks.exe /run /TN runBCDEDIT & schtasks.exe /Delete /TN runBCDEDIT /F & schtasks.exe /Delete /TN "runBCDEDIT" /FView the full article Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.