AMSI Deleted for Windows Defender/Security

vendeville_lj
Level 1

We've had a handful of machines get flagged for the AMSI provider being deleted from the registry, and haven't been able to put a finger on the cause. The registry key being deleted looks like it's the one for Windows' built-in AV ( {2781761E-28E0-4109-99FE-B9D127C57AFE} ). All the flagged machines have their AMSI keys set correctly to point to Secure Endpoint, and in testing, uninstalling Secure Endpoint to go back to Windows Security restored the deleted key (listed above), which was then replaced again once Secure Endpoint was reinstalled.

All the detected machines have had their connector versions upgraded recently, but for some the AMSI key deletion was detected within minutes of the upgrade, while on others several hours passed before they were flagged.

All scans have come back clean, and the vast majority of clients that had their connectors upgraded haven't triggered this, so we're trying to figure out if this is just a bug, or if there's actual suspicious activity going on.

If anyone's run into this before, or has advice for further investigation, it would be much appreciated.
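As a starting point for the "further investigation" asked about above, here is an added PowerShell example (not code from the original post or from Cisco): it enumerates every AMSI provider registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers, resolves each CLSID to its DLL through HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32, checks the DLL's Authenticode signature, and reports whether the Windows Defender provider CLSID quoted in the post is present. A second function pulls registry-access events from the Security log so you can see which process touched the key; that only returns anything if a SACL with Delete access is set on the Providers key and object-access auditing is enabled, which is an assumption, not something the post confirms.

```powershell
# Added example, not from the original post. Enumerates AMSI providers and,
# optionally, who deleted the key (requires a SACL on the key + audit policy).

$DefenderClsid = '{2781761E-28E0-4109-99FE-B9D127C57AFE}'   # CLSID quoted in the post
$ProvidersKey  = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

function Get-AmsiProvider {
    # One object per registered provider: CLSID, backing DLL, signature status.
    if (-not (Test-Path $ProvidersKey)) {
        Write-Warning "AMSI Providers key is missing entirely: $ProvidersKey"
        return
    }
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null; $status = 'n/a'; $signer = 'n/a'

        if (Test-Path $clsKey) {
            # (default) value of InprocServer32 is the provider DLL path
            $dll = (Get-ItemProperty -Path $clsKey).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
            }
        }

        [pscustomobject]@{
            CLSID           = $clsid
            IsDefender      = ($clsid -ieq $DefenderClsid)
            ClsidKeyPresent = (Test-Path $clsKey)
            Dll             = $dll
            Signature       = $status
            Signer          = $signer
        }
    }
}

function Get-AmsiProviderKeyAccess {
    # Security-log events that name the AMSI Providers key. 4656 = handle requested,
    # 4663 = access performed, 4660 = object deleted. Object Name appears only in
    # 4656/4663, so those are filtered on the key path; the Process Name tells you
    # which binary (installer, script host, etc.) did it. Empty output means no
    # SACL / auditing was in place when the deletion happened.
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match 'AMSI\\Providers') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Process = (($e.Message -split "`n") | Where-Object { $_ -match 'Process Name:' }) -replace '.*Process Name:\s*', ''
                Access  = (($e.Message -split "`n") | Where-Object { $_ -match 'Accesses:' })     -replace '.*Accesses:\s*', ''
            }
        }
    }
}

# Usage: what is registered right now, and is the Defender provider among it?
$providers = Get-AmsiProvider
$providers | Format-Table -AutoSize
if (-not ($providers | Where-Object IsDefender)) {
    Write-Host "Defender AMSI provider $DefenderClsid is NOT registered on this host."
}
Get-AmsiProviderKeyAccess -Days 7 | Format-Table -AutoSize
```

Run the first function on a flagged host and on an unflagged host with the same connector version and diff the output: if the only difference is the missing Defender CLSID while the remaining provider is signed and resolves to the expected DLL, that points toward an uninstall/registration side effect rather than tampering. If you want the process name behind the deletion on the next machine that upgrades, set the SACL (Delete and Set Value, Everyone, Failure and Success) on the Providers key before the connector upgrade and enable "Audit Registry" under Object Access; without that, the second function has nothing to report.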
