
Is EDR blocking legitimate Azure Arc functions?

IT_Guy81 (Member, Posts: 4, Security Scout)

We have now got a few alerts where EDR is warning about/blocking GC_Service.exe (Azure Policy Guest Configuration – Client) using PowerShell. It seems to decrypt certificate data and check whether the host cert is valid using ocsp.digicert.com.

We had one medium alert where the process completed, but then we got 2 high-level alerts where powershell.exe was blocked by EPP and flagged as Exploit:W32/PowerShellStager.B!DeepGuard.

Have any other Azure Arc users had these alerts, and can we just close these as false positives and unblock them in EPP?

I have attached a few pictures of the process tree:

Here is the end of a similar, non-blocked medium alert, where you can see that the next step was to connect to ocsp.digicert.com.

Answers

  • Sethu Laks (Partner, Staff, Moderator; Posts: 245)

    Hi @IT_Guy81

    Thank you for reaching out to the WithSecure Community.

    It's challenging to provide a definitive assessment without conducting a thorough examination of the issue. Usually, we recommend submitting the fsdiag logs and samples to our virus lab to secure a confirmation. However, in order to address this security concern, we would advise trying to execute the script without employing base64 encoding, if that is feasible. Eliminating base64 encoding can serve as a precautionary measure to reduce the potential risks associated with malicious activities.

    If the issue persists even without base64 encoding, please don't hesitate to contact our WithSecure support team for assistance. Alternatively, you can submit a sample of the script to our virus lab by visiting here for a more comprehensive analysis. They can conduct an in-depth examination to determine whether the script's behavior is genuinely malicious or possibly a false positive.

    Feel free to reach out if you have any other questions or concerns.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home
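Before deciding whether an alert like the one in the question is a false positive, a practitioner will usually want to read the blocked PowerShell command in clear text and confirm who signed the parent process. The moderator's suggestion above is to run the script without base64 encoding; since the poster cannot change Microsoft's service, the practical equivalent is to decode the `-EncodedCommand` argument from the alert's process tree and look at the script that way. The following triage helper is an added example written for this thread; it is not code from WithSecure, Microsoft or the original posters. It decodes the encoded command, checks the parent binary's Authenticode signature, and lists the OCSP/AIA URLs in the signer's certificate chain, which is where an outbound connection to an OCSP responder such as ocsp.digicert.com originates during revocation checking. The alert record at the bottom is constructed sample input, and the parent image path in it is a stand-in (powershell.exe itself) so the example runs on any Windows host; replace it with the GC_Service.exe path shown in your own alert.

```powershell
# Added triage helper for EDR alerts of the form "<parent>.exe -> powershell.exe -EncodedCommand ...".
# Not part of the original thread and not WithSecure or Microsoft code.

function ConvertFrom-EncodedCommand {
    # -EncodedCommand (also accepted as -enc / -ec / -e) carries base64 of UTF-16LE script text.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)') {
        $bytes = [Convert]::FromBase64String($Matches[1])
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return $null   # no encoded command on this command line
}

function Get-ParentSignatureInfo {
    # Verify the parent image's Authenticode signature and collect the OCSP / CA-issuer URLs
    # (Authority Information Access, OID 1.3.6.1.5.5.7.1.1) from its signing chain.
    param([Parameter(Mandatory)][string]$ImagePath)

    if (-not (Test-Path -LiteralPath $ImagePath)) {
        return [pscustomobject]@{ Path = $ImagePath; Status = 'FileNotFound'; Signer = $null; AiaUrls = @() }
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $ImagePath
    $urls = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # build the chain offline; we only want the URLs
        $null = $chain.Build($sig.SignerCertificate)
        foreach ($element in $chain.ChainElements) {
            $aia = $element.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
            if ($aia) {
                $urls += ($aia.Format($true) -split "`r?`n" |
                          Where-Object { $_ -match 'http' } |
                          ForEach-Object { $_.Trim() })
            }
        }
    }

    [pscustomobject]@{
        Path    = $ImagePath
        Status  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer  = $sig.SignerCertificate.Subject   # expect a Microsoft subject for GC_Service.exe
        AiaUrls = $urls | Select-Object -Unique    # e.g. an OCSP responder the OS will contact
    }
}

function Invoke-AlertTriage {
    # Combine both checks for one alert record with ParentImage and CommandLine properties.
    param([Parameter(Mandatory)]$Alert)
    [pscustomobject]@{
        Parent        = Get-ParentSignatureInfo -ImagePath $Alert.ParentImage
        DecodedScript = ConvertFrom-EncodedCommand -CommandLine $Alert.CommandLine
    }
}

# --- Constructed sample alert (not real alert data) ---------------------------------------
# The script body is an assumed placeholder for "read certificate data"; the parent path uses
# powershell.exe as a stand-in so the signature check has a real file to inspect.
$sampleScript = 'Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, NotAfter'
$sampleB64    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sampleScript))
$sampleAlert  = [pscustomobject]@{
    ParentImage = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"   # stand-in for GC_Service.exe
    CommandLine = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $sampleB64"
}

$result = Invoke-AlertTriage -Alert $sampleAlert
$result.Parent | Format-List
"Decoded script:`n$($result.DecodedScript)"
```

A Microsoft-signed parent with status `Valid`, a decoded script that only reads or validates certificates, and OCSP URLs in the chain that match the destination seen in the alert all support the false-positive reading. If you then add an exclusion, scope it to the signed parent binary and the specific command rather than to powershell.exe as a whole, since an `-EncodedCommand` launched from a different parent is exactly what the PowerShellStager detection exists to catch.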

  • IT_Guy81 (Member, Posts: 4, Security Scout)

    Hello Sethu and thanks for your response.

    I really cannot do that, because this is Microsoft's service and code. I just realised that this started to happen only on our three 2012 R2 servers, immediately after enabling ESU (Extended Software Updates) through Azure Arc on these three servers.

    I am going to ask Microsoft about this too.

  • Sethu Laks (Partner, Staff, Moderator; Posts: 245)

    Hi @IT_Guy81

    For some challenging situations, WithSecure Elements Endpoint Detection and Response (EDR) offers a distinctive built-in "Elevate to WithSecure" service, providing expert incident analysis and prompt guidance for rapid response during security threats.

    You can refer to this page to know more about the feature. Upon request, our threat analysts will do complete analysis and provide response suggestion.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home