Solved: Re: AMSI Deleted for Windows Defender/Security

vendeville_lj · ‎04-20-2023

We've had a handful of machines get flagged for the AMSI provider being deleted from the registry, and haven't been able to put a finger on the cause. The registry key being deleted looks like it's the one for Windows' built-in AV ( {2781761E-28E0-4109-99FE-B9D127C57AFE} ). All the flagged machines have their AMSI keys pointing set correctly for Secure Endpoint, and testing of uninstalling Secure Endpoint to go back to Windows Security has had the deleted key (listed above) be restored, and then get replaced once Secure Endpoint is reinstalled.

All the detected machines have had their connector versions upgraded recently, but for some the AMSI key deletion was detected within minutes of the upgrade, while several hours pass on other machines before getting flagged.

All scans have come back clean, and the vast majority of clients that had their connectors upgraded haven't triggered this, so we're trying to figure out if this is just a bug, or if there's actual suspicious activity going on.

If anyone's run into this before, or has advice for further investigation, it would be much appreciated.

ventaran · ‎04-25-2023

TAC response

"We have confirmed through Talos that there is a new BP feature introduced which can now delete "Registry" values if a BP Signature with that specific action gets triggered and that is essentially why we see this causing issues only with 8.1.7.

As most of these are actions taken against known and trusted AV solutions, much like in this case “MsMpEng.exe”, we can conclude these are false positives. There is an ongoing investigation with Talos to address these BP Engine false positives but as of right now, the known workaround that has worked for other customers is setting a BP engine exclusion:"

View solution in original post

ventaran · ‎04-24-2023

_

ventaran · ‎04-24-2023

I put in a TAC case. If anything of value comes back, I will comment back.

ventaran · ‎04-25-2023

Still waiting on a TAC response. Not leaving anyone hanging.

ventaran · ‎04-25-2023

TAC response

"We have confirmed through Talos that there is a new BP feature introduced which can now delete "Registry" values if a BP Signature with that specific action gets triggered and that is essentially why we see this causing issues only with 8.1.7.

As most of these are actions taken against known and trusted AV solutions, much like in this case “MsMpEng.exe”, we can conclude these are false positives. There is an ongoing investigation with Talos to address these BP Engine false positives but as of right now, the known workaround that has worked for other customers is setting a BP engine exclusion:"

vendeville_lj · ‎04-25-2023

Thanks for checking this out and providing the information, it's much appreciated.

ventaran · ‎04-25-2023

If you want, email me for the future - ventaran@uhnj.org or anyone who uses AMP and updates regularly. It would be great to have a group of folks who use the tool we can bounce issues/ideas off of.

Ken Stieers · ‎04-25-2023

That's what this space is for...

There is also a public WebEx space here:
Https://eurl.io/#TmrReXaEj

Systema Support · ‎05-22-2023

Hello, thanks for sharing this. But i still don't know how to set up this "BP engine exclusion" Can someone help with this?

Roman Valenta · ‎05-22-2023

Hi,

As you already know the MsMPEng is a defender, and it is a trusted application the reasoning why this is getting triggered is because defender is modifying its registry keys and that is being flagged by the BP engine as potential thread.

You can do two things here:

#1: You can add an custom exclusion for this. This will be done under exclusion there is an option to select Engine option where you should select Behavior Protection and chose either SHA256 or Path. Also verify that Cisco Maintained exclusions are in place as well

#2: Ensure that the APDE signature is up to date.

Hope this helped...

Regards,

Roman