topic Re: AMSI Deleted for Windows Defender/Security in Endpoint Security

AMSI Deleted for Windows Defender/Security

vendeville_lj — Thu, 20 Apr 2023 20:55:36 GMT

We've had a handful of machines get flagged for the AMSI provider being deleted from the registry, and haven't been able to put a finger on the cause. The registry key being deleted looks like it's the one for Windows' built-in AV ( {2781761E-28E0-4109-99FE-B9D127C57AFE} ). All the flagged machines have their AMSI keys pointing set correctly for Secure Endpoint, and testing of uninstalling Secure Endpoint to go back to Windows Security has had the deleted key (listed above) be restored, and then get replaced once Secure Endpoint is reinstalled.

All the detected machines have had their connector versions upgraded recently, but for some the AMSI key deletion was detected within minutes of the upgrade, while several hours pass on other machines before getting flagged.

All scans have come back clean, and the vast majority of clients that had their connectors upgraded haven't triggered this, so we're trying to figure out if this is just a bug, or if there's actual suspicious activity going on.

If anyone's run into this before, or has advice for further investigation, it would be much appreciated.

Re: AMSI Deleted for Windows Defender/Security

ventaran — Tue, 25 Apr 2023 15:47:04 GMT

Re: AMSI Deleted for Windows Defender/Security

ventaran — Mon, 24 Apr 2023 11:06:27 GMT

I put in a TAC case. If anything of value comes back, I will comment back.

Re: AMSI Deleted for Windows Defender/Security

ventaran — Tue, 25 Apr 2023 15:47:28 GMT

Still waiting on a TAC response. Not leaving anyone hanging.

Re: AMSI Deleted for Windows Defender/Security

ventaran — Tue, 25 Apr 2023 16:32:50 GMT

TAC response

"We have confirmed through Talos that there is a new BP feature introduced which can now delete "Registry" values if a BP Signature with that specific action gets triggered and that is essentially why we see this causing issues only with 8.1.7.

As most of these are actions taken against known and trusted AV solutions, much like in this case “MsMpEng.exe”, we can conclude these are false positives. There is an ongoing investigation with Talos to address these BP Engine false positives but as of right now, the known workaround that has worked for other customers is setting a BP engine exclusion:"

Re: AMSI Deleted for Windows Defender/Security

vendeville_lj — Tue, 25 Apr 2023 16:44:43 GMT

Thanks for checking this out and providing the information, it's much appreciated.

Re: AMSI Deleted for Windows Defender/Security

ventaran — Tue, 25 Apr 2023 16:52:57 GMT

If you want, email me for the future - ventaran@uhnj.org or anyone who uses AMP and updates regularly. It would be great to have a group of folks who use the tool we can bounce issues/ideas off of.

Re: AMSI Deleted for Windows Defender/Security

Ken Stieers — Tue, 25 Apr 2023 19:05:59 GMT

That's what this space is for...

There is also a public WebEx space here:
Https://eurl.io/#TmrReXaEj

Re: AMSI Deleted for Windows Defender/Security

Systema Support — Mon, 22 May 2023 13:14:43 GMT

Hello, thanks for sharing this. But i still don't know how to set up this "BP engine exclusion" Can someone help with this?

Re: AMSI Deleted for Windows Defender/Security

Roman Valenta — Mon, 22 May 2023 14:14:00 GMT

Hi,

As you already know the MsMPEng is a defender, and it is a trusted application the reasoning why this is getting triggered is because defender is modifying its registry keys and that is being flagged by the BP engine as potential thread.

You can do two things here:

#1: You can add an custom exclusion for this. This will be done under exclusion there is an option to select Engine option where you should select Behavior Protection and chose either SHA256 or Path. Also verify that Cisco Maintained exclusions are in place as well

#2: Ensure that the APDE signature is up to date.

Hope this helped...

Regards,

Roman