Is EDR blockin legimate Azure Arc functions?
We have got now few alerts where EDR is warning/blocking GC
_Service.exe (Azure Policy Guest Configuration – Client) using powershell. It seems to decrypt certificate data and check if the host cert is valid using ocps.digicert.com.
We had one medium alert and the process was completed but then we got 2 high level alerts where powershell.exe was blocked by EPP and it was fagged as Exploit:W32/PowerShellStager.B!DeepGuard
Has anyone else Azure Arc users had these alerts and can we just close these as false positives and unblock from EPP
I have attached few pics about the process tree:
Here is end of the similar non blocked medium alert where you can see that the next step was to connect to ocsp.digicert.com