ConnorPoort-8302 asked azure-cxp-api edited

How to allow development exe files to be run in an environment?

Looking to find an answer regarding how to allow a .exe that is marked as malicious to be run within our development subscription, for testing auto-deployment of known-good software. The .exe file is being marked as malicious and blocked within our Azure environment.

azure-security-center

@ConnorPoort-8302
Thank you for your post and I apologize for the delayed response!

  • When it comes to your .exe, is this something you/your company created and just dragged/copied into an Azure VM? Or?

  • What happens when you try to run this .exe? Is there a firewall that could potentially be blocking the software from running?


Any additional information or screenshots would be greatly appreciated!
Thank you for your time and patience throughout this issue.



The .exe is a locally developed auto-deploy file that will be deployed via SCCM. This file was downloaded/dragged onto an Azure VM and attempted to execute via "Run as Admin" with a user account that had global admin rights at the time.

When the .exe file is run it does not open, instead we are given an alert on Azure Security Center that "Malicious software was blocked"

There are no firewall rules which affect the program or any components on the development machine that we are using.
@JamesTran-MSFT


@ConnorPoort-8302
Thank you for the quick follow up on this!

Can you share a screenshot of the message you're seeing within ASC? Based on your scenario, there might be something blocking the .exe from running from within the VM, not related to ASC. However, a screenshot would help me gain a better understanding of your issue, and I can pass this info along to our ASC team as well.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

JamesTran-MSFT answered JamesTran-MSFT edited

@ConnorPoort-8302
Thank you for the quick response on this!

I reached out to our Azure Security Center team and was told that ASC is working as expected when it comes to the alerts. However, as for the "Block" action taken by Antimalware or Windows Defender, this would be better handled by our Microsoft Defender for Endpoint Community.


However, I did do some research, and it looks like you might have to modify your default antimalware policy or create a new policy, configure exclusions for files opened by processes, and exclude the .exe file. When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.


If you have any other questions or would like to work closer with our support team on this, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

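Added example (editor's note, not from the original thread): the exclusion route the answer above describes, typed into an elevated PowerShell session on the VM. It assumes the binary has been copied out of the IE INetCache folder to a fixed staging path (C:\Deploy\, an assumed location) so that the exclusion covers one known file rather than a browser cache directory. It adds both a process exclusion (files the deployer opens are not scanned) and a path exclusion (the deployer image itself is not scanned), which is the distinction the answer draws, then re-scans the file to check whether the detection still fires, and removes the exclusions again when testing is done.

```powershell
# Added example, not part of the original post.
# Assumption: the deployer has been staged at this path (not the INetCache folder).
$DeployExe = 'C:\Deploy\AutoDeployDownloader.exe'

# Defender preferences can only be changed from an elevated session.
# 1. Process exclusion: files OPENED by this process are not scanned,
#    wherever they live. The process image itself is still scanned.
Add-MpPreference -ExclusionProcess $DeployExe

# 2. Path exclusion: the binary itself is no longer scanned either.
#    Without this, the "Malicious software was blocked" action still applies
#    to the .exe even though its child files are excluded.
Add-MpPreference -ExclusionPath $DeployExe

# Confirm both lists now carry the entry (policy from Intune/SCCM/GPO can
# overwrite local preferences on the next policy refresh, so re-check later).
$pref = Get-MpPreference
$pref.ExclusionProcess
$pref.ExclusionPath

# Re-scan just this file and list any detection that references it.
Start-MpScan -ScanType CustomScan -ScanPath $DeployExe
Get-MpThreatDetection |
    Where-Object { $_.Resources -like '*AutoDeployDownloader.exe*' } |
    Select-Object ThreatID, InitialDetectionTime, ActionSuccess

# Remove the exclusions once the deployment test is finished.
Remove-MpPreference -ExclusionProcess $DeployExe
Remove-MpPreference -ExclusionPath $DeployExe
```

A path exclusion is keyed on the path, not on the file content, so anything later dropped at C:\Deploy\AutoDeployDownloader.exe is also unscanned; keep the staging directory writable by administrators only, and prefer a hash-based allow (covered later in the thread) where the build is reproducible.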

ConnorPoort-8302 answered JamesTran-MSFT edited

@JamesTran-MSFT

In our internal investigation, we noticed that by allowing the file hash through Defender ATP, it stopped flagging it in Azure Security Center alerts. Can you elaborate on why that may have happened?

TenantId [ID]
TimeGenerated 2021-04-29T16:37:56
DisplayName Antimalware Action Taken
AlertName Antimalware Action Taken
AlertSeverity Low
Description Microsoft Antimalware has taken an action to protect this machine from malware or other potentially unwanted software.
VendorName Microsoft Antimalware
SystemAlertId 2517825874909999999_8da7e78b-f45b-45a7-a05d-d9e4ae3a88db
ResourceId /subscriptions/<removed>/resourceGroups/[PATH]/[MACHINE]
SourceComputerId <removed>
AlertType AntimalwareActionTaken
IsIncident False
StartTime 2021-04-29T16:21:49
EndTime 2021-04-29T16:21:49
ProcessingEndTime 2021-04-29T16:37:56
RemediationSteps [ "No user action is necessary" ]
ExtendedProperties { "ActionTaken": "Blocked", "Threat Status": "Remediated", "Protection Type": "Windows Defender", "ThreatName": "Trojan:Win32/Spursint.F!cl", "Category": "Trojan", "Threat ID": "2147717281", "File Path": "C:\\Users\[super-user]\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\EG486XOM\\AutoDeployDownloader.exe", "Webfile": "C:\\Users\[super-user]\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\EG486XOM\\AutoDeployDownloader.exe https://tsg-dev.cherwellondemand.com/cherwellautodeploy/AutoDeployDownloader.exe pid:8160,ProcessStart:132641821123301244", "resourceType": "Virtual Machine" }
Entities [ { "$id": "4", "DnsDomain": "tsg.theshyftgroup.com", "HostName": "[MACHINE]", "AzureID": "/subscriptions/<removed>/resourceGroups/dev-winupdates-rg/providers/Microsoft.Compute/virtualMachines/AZNC-WD10-D01", "OMSAgentID": "59a78e9e-dcad-4b2c-aac6-cf9cc2b32116", "Type": "host" }, { "$id": "5", "Directory": "c:\\users\[super-user]\\appdata\\local\\microsoft\\windows\\inetcache\\ie\\eg486xom", "Name": "autodeploydownloader.exe", "Type": "file" }, { "$id": "6", "Name": "Trojan:Win32/Spursint.F!cl", "Category": "Trojan", "Files": [ { "$ref": "5" } ], "Type": "malware" } ]
SourceSystem Detection
WorkspaceSubscriptionId <removed>
WorkspaceResourceGroup dev-management-rg
ExtendedLinks [ { "Href": "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan:Win32/Spursint.F!cl", "Category": "Threat Information", "Label": "Trojan:Win32/Spursint.F!cl", "Type": "webLink" } ]
ProductName Microsoft Antimalware
AlertLink https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2517825874909999999_8da7e78b-f45b-45a7-a05d-d9e4ae3a88db/subscriptionId/<removed>/resourceGroup/dev-winupdates-rg/referencedFrom/alertDeepLink/location/centralus

Status New
CompromisedEntity [MACHINE.DOMAIN]
Tactics Unknown
Type SecurityAlert

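Added example (editor's note, not from the original thread): the hash-based allow that the last post reports as effective, done through the Microsoft Defender for Endpoint indicators API rather than the portal. The alert above shows a Microsoft Defender block of AutoDeployDownloader.exe under the detection name Trojan:Win32/Spursint.F!cl, and an "Allowed" file indicator for the file's SHA-256 tells Defender for Endpoint not to block that exact content, which is consistent with the ASC alert (generated from the Antimalware "Blocked" action) going away. Assumptions: the binary is staged at C:\Deploy\AutoDeployDownloader.exe, and $env:MDE_TOKEN holds an OAuth2 bearer token for https://api.securitycenter.microsoft.com obtained from an app registration with the Ti.ReadWrite application permission. Neither the path nor the token handling comes from the thread.

```powershell
# Added example, not part of the original post.
# Assumptions: staged binary path, and an MDE API token in an environment variable.
$DeployExe = 'C:\Deploy\AutoDeployDownloader.exe'
$Token     = $env:MDE_TOKEN
$ApiBase   = 'https://api.securitycenter.microsoft.com/api'

# Hash the exact bytes that were tested. The allow applies to this content only,
# so a rebuilt deployer gets a new hash and needs a new indicator (a deliberate
# property: a swapped binary at the same path is still subject to detection).
$Sha256 = (Get-FileHash -Path $DeployExe -Algorithm SHA256).Hash

# Worth recording alongside the allow: an unsigned downloader is exactly the
# shape a generic Trojan detection is tuned for. Signing the build is the
# longer-term fix; the allow covers the test window.
Get-AuthenticodeSignature -FilePath $DeployExe |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# Time-boxed "Allowed" file indicator for the SHA-256.
$Body = @{
    indicatorValue = $Sha256
    indicatorType  = 'FileSha256'
    action         = 'Allowed'
    title          = 'AutoDeployDownloader test build'
    description    = 'Internally built SCCM auto-deploy helper; allowed for dev-subscription testing'
    expirationTime = (Get-Date).ToUniversalTime().AddDays(30).ToString('yyyy-MM-ddTHH:mm:ssZ')
    severity       = 'Informational'
} | ConvertTo-Json

$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
Invoke-RestMethod -Method Post -Uri "$ApiBase/indicators" -Headers $Headers -Body $Body

# Confirm the indicator exists and carries the expiry we set.
(Invoke-RestMethod -Method Get -Uri "$ApiBase/indicators" -Headers $Headers).value |
    Where-Object { $_.indicatorValue -eq $Sha256 } |
    Select-Object id, action, expirationTime
```

Compared with the path and process exclusions discussed earlier, the hash allow is narrower (one file's content, tenant-wide, with an expiry) and leaves an audit record in the indicators list, which is what you want when the point of the test is to exercise deployment of a known-good build rather than to switch scanning off for a directory.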