topic Re: another FP on MPAVDTLA.VDM from Windows Defender in Endpoint Security

another FP on MPAVDTLA.VDM from Windows Defender

Ken Stieers — Thu, 13 Apr 2023 16:46:26 GMT

Talos reputation ticket created...

And resolved before I finished this post...

Detection: W32.1C27878DDF.RET.SBX.TG
File: mpavdlta.vdm
File path: \\?\C:\Windows\Temp\D3A7A9B3-EF42-4962-BED8-953AD7FE65811330.1d96d3272ec45c5\mpavdlta.vdm
Detection SHA-256: 1c27878ddf28aa426f8daac8def7e897d85f8bd026af0d2873fada2497c86ae4

Detection: W32.224742194C.RET.SBX.TG
File: mpavdlta.vdm
File path: \\?\C:\Windows\Temp\A56C8674-9F74-46B2-8134-2B0D2AAD350D888.1d96d8e153f0f3d\mpavdlta.vdm
Detection SHA-256: 224742194cda7d4157636f514c069da910ed53c32aa5bf324586f6d486a716fd

Detection: W32.63002A1C7C.RET.SBX.TG
File: mpavdlta.vdm
File path: \\?\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{55774125-9101-4640-8BEF-F8435CF0A64A}\mpavdlta.vdm
Detection SHA-256: 63002a1c7c87736270f2cea1b03a0b6d58f226eeb8ff8b73c9fc59fbd2d302c5

Re: another FP on MPAVDTLA.VDM from Windows Defender

lucky1378 — Thu, 13 Apr 2023 20:06:14 GMT

Nothing from Cisco official on this potential FP yet? 100's of notifications and isolated machines today on this one.

Glad this post was here so I could see we weren't the only one, TAC response to a potential FP does not move at the speed of incident response.

Re: another FP on MPAVDTLA.VDM from Windows Defender

cisco2020 — Wed, 26 Apr 2023 05:18:22 GMT

Team, what was the fix. These only showed up today for us.

Re: another FP on MPAVDTLA.VDM from Windows Defender

Ken Stieers — Wed, 26 Apr 2023 11:37:05 GMT

I opened a file reputation ticket with TalosIntelligence.com and at some point they cleared it.
Looking it up now on Talos, it still shows that its not malicious, so I'm not sure what's going on in your tenant...
You can add it to your whitelist for the moment... but you may want to open a TAC case.

Re: another FP on MPAVDTLA.VDM from Windows Defender

Josh Meischner — Fri, 28 Apr 2023 15:34:00 GMT

We had this false positive as well. I opened a TALOS reputation ticket, it is marked resolved but still in AMP we have hundreds of "compromised" machines.

Re: another FP on MPAVDTLA.VDM from Windows Defender

Ken Stieers — Fri, 28 Apr 2023 16:11:39 GMT

You have to clear that yourself.
The hash is now marked "not bad", if you click in, you'll see that under the "related compromise events".
But it doesn't clear the inbox, you have to mark those as resolved and move the machines to their old group if you have an automated action enabled to move them to Triage.

Re: another FP on MPAVDTLA.VDM from Windows Defender

Josh Meischner — Fri, 28 Apr 2023 16:13:17 GMT

Thank you Ken, appreciate your direction.