KS-Soft. Network Management Solutions

Active RMA quarantined as Trojan by Windows Defender

KS-Soft Forum Index -> Bug reports

Author: Ben
Joined: 04 Dec 2018
Posts: 15

Posted: Tue Dec 14, 2021 11:03 am    Post subject: Active RMA quarantined as Trojan by Windows Defender

Title says it all; RMA is 7.64.

Event Viewer says:

Microsoft Defender Antivirus has detected malware or potentially unwanted software.
For more information, see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Injector.RPZ!MTB&threatid=2147807732&enterprise=0
Name: Trojan:Win32/Injector.RPZ!MTB
ID: 2147807732
Severity: Severe
Category: Trojan
Path: process:_pid:4796,ProcessStart:132839746935600679
Detection origin: Unknown
Detection type: Concrete
Detection source: System
User: NT AUTHORITY\SYSTEM
Process name: C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe
Security intelligence version: AV: 1.355.247.0, AS: 1.355.247.0, NIS: 1.355.247.0
Engine version: AM: 1.1.18800.4, NIS: 1.1.18800.4

We think it's since the server got update KB2267602.
Author: KS-Soft
Joined: 03 Apr 2002
Posts: 12606
Location: USA

Posted: Tue Dec 14, 2021 1:19 pm

We cannot reproduce the problem on our systems and we cannot fix Defender.
We checked using the same Defender definition version: 1.355.247.0

What Windows do you use?

Regards
Alex
Author: Ben
Joined: 04 Dec 2018
Posts: 15

Posted: Wed Dec 15, 2021 2:52 am

I have yet to consolidate the event data, but it seems to be happening only on 2016 and 2019 servers.

I'm checking the 2012 ones right now.
Author: itelio
Joined: 06 Nov 2014
Posts: 99

Posted: Wed Dec 15, 2021 3:21 am    Post subject: Problems with Defender and RMA Process

Hi there,

I also had the same problem with a customer. Here, the Windows Defender update classified the rma_active.exe process as a threat and terminated it repeatedly. Putting the process on the exception list helped.

System: Windows 10 Pro 21H1

It has occurred since the pattern update was applied:
Installation successful: The following update has been installed. Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.355.269.0)
Author: bmekler
Joined: 17 Apr 2012
Posts: 38

Posted: Wed Dec 15, 2021 3:47 am

I also have it happening on numerous machines; Windows Defender is identifying RMA as 'Trojan:Win32/Injector.RPZ!MTB'.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aWin32%2fInjector.RPZ!MTB&threatid=2147807732

Author: Ben
Joined: 04 Dec 2018
Posts: 15

Posted: Wed Dec 15, 2021 4:35 am

We temporarily worked around the issue by running these commands on each affected server:

Code:
powershell.exe -command Set-MpPreference -ExclusionPath 'C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe'
net start ActiveRMAService


It just adds the RMA exe to the Windows Defender exclusions, then starts the service again.
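As an added example (not code from the thread or from KS-Soft), here is the same workaround with the checks a practitioner would want around it: confirm the detection in Defender's own history, verify the binary's hash before whitelisting its path, append the exclusion instead of overwriting the list, and restart the service. The install path and service name are the ones posted in the thread; the reference hash is an assumption you fill in from your own deployment record, since the page gives none.

```powershell
#Requires -RunAsAdministrator
# Added example; not from the thread or from KS-Soft.
# Paths and service name: as posted in the thread. $ExpectedSha256: assumption, fill in
# from your own record of the rma_active.exe you deployed (the page gives no hash).

$RmaExe         = 'C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe'
$ServiceName    = 'ActiveRMAService'
$ExpectedSha256 = ''   # assumption: 64 hex chars from your deployment record, or leave empty

# 1. Tie the exclusion to a concrete detection: show what Defender flagged, and as what.
$detections = @(Get-MpThreatDetection |
    Where-Object { "$($_.ProcessName) $($_.Resources)" -match 'rma_active\.exe' })
if ($detections.Count -eq 0) {
    Write-Warning 'No Defender detection involving rma_active.exe in history on this host.'
} else {
    $detections | Select-Object InitialDetectionTime, ThreatID, ProcessName |
        Format-Table -AutoSize | Out-String | Write-Host
    # Map the ThreatID (2147807732 in the thread) back to its name.
    Get-MpThreat | Where-Object { $_.ThreatID -in $detections.ThreatID } |
        Select-Object ThreatID, ThreatName | Format-Table -AutoSize | Out-String | Write-Host
}

# 2. Verify the file before whitelisting its path. A path exclusion exempts whatever sits
#    at that path from scanning, so make sure it is the binary you installed.
if (-not (Test-Path -LiteralPath $RmaExe)) {
    throw "$RmaExe is missing (quarantined or removed). Restore it from quarantine first."
}
$actual = (Get-FileHash -LiteralPath $RmaExe -Algorithm SHA256).Hash
if ($ExpectedSha256 -match '^[0-9A-Fa-f]{64}$') {
    if ($actual -ne $ExpectedSha256) {
        throw "SHA-256 mismatch for $RmaExe (got $actual). Do not exclude it; investigate."
    }
} else {
    Write-Warning "No reference hash configured. Record this one for next time: $actual"
}
$sig = Get-AuthenticodeSignature -LiteralPath $RmaExe
Write-Host "Authenticode: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"

# 3. Append the exclusion. Add-MpPreference adds to the existing list; Set-MpPreference
#    -ExclusionPath (as in the one-liner above) replaces the whole list.
Add-MpPreference -ExclusionPath $RmaExe
Write-Host 'Path exclusions now:'
(Get-MpPreference).ExclusionPath | ForEach-Object { Write-Host "  $_" }

# 4. Defender terminated the service on detection; bring it back and confirm.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Start-Service -Name $ServiceName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}
Get-Service -Name $ServiceName | Select-Object Name, Status
```

Two points worth keeping in mind with the one-liner above: Set-MpPreference -ExclusionPath replaces the entire exclusion list with the value given, so any exclusions already configured on the host are silently dropped (Add-MpPreference appends), and a path exclusion also exempts anything later written to that path, which is why the hash check is there and why the exclusion should be removed again once fixed definitions arrive.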
Author: KS-Soft
Joined: 03 Apr 2002
Posts: 12606
Location: USA

Posted: Wed Dec 15, 2021 7:11 am

Today Microsoft updated the Defender definitions; it should work fine after the update.
Open a command prompt as administrator and run:
---------
cd c:\Program Files\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
---------

Regards
Alex
Author: Ben
Joined: 04 Dec 2018
Posts: 15

Posted: Wed Dec 15, 2021 7:53 am

Thanks for your reply.

I applied it on two servers and it works, but if RMA was quarantined you still have to authorize it. I did it manually.

RMA is not flagged by Windows Defender anymore.
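An added example (not from the thread or from KS-Soft) that chains the definition refresh from the post above with the quarantine restore that had to be done by hand, re-tests the file against the new definitions, and removes the stop-gap exclusion when the file is now clean. Paths and the service name are the ones posted in the thread, and MpCmdRun.exe is taken from the location the thread uses. It assumes the exclusion from the earlier workaround is still in place while the file is restored; without it, real-time protection will quarantine the file again immediately if the definitions on the host are still the bad ones.

```powershell
#Requires -RunAsAdministrator
# Added example; not from the thread or from KS-Soft.
# Paths and service name are as posted in the thread; MpCmdRun.exe is taken from the
# location the thread uses (C:\Program Files\Windows Defender).

$RmaExe      = 'C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe'
$ServiceName = 'ActiveRMAService'
$MpCmdRun    = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. The two commands from the post above: drop cached dynamic signatures, pull current ones.
& $MpCmdRun -RemoveDefinitions -DynamicSignatures
& $MpCmdRun -SignatureUpdate
$status = Get-MpComputerStatus
Write-Host ('Now on AV signatures {0}, engine {1}' -f
    $status.AntivirusSignatureVersion, $status.AMEngineVersion)

# 2. Fresh definitions do not un-quarantine anything. List what is in quarantine and, if
#    the exe is gone from disk, restore it by path.
& $MpCmdRun -Restore -ListAll
if (-not (Test-Path -LiteralPath $RmaExe)) {
    & $MpCmdRun -Restore -FilePath $RmaExe
    if (-not (Test-Path -LiteralPath $RmaExe)) {
        throw 'rma_active.exe is still missing after the restore; reinstall RMA from your KS-Soft download.'
    }
}

# 3. Re-test the file against the definitions now on this host. -DisableRemediation makes
#    the custom scan report only (nothing is quarantined). MpCmdRun exits 0 when nothing
#    was found and 2 when a threat was detected.
& $MpCmdRun -Scan -ScanType 3 -File $RmaExe -DisableRemediation
$scanExit = $LASTEXITCODE

if ($scanExit -eq 0) {
    # 4. Clean under the new definitions, so the stop-gap exclusion can go. Left in place,
    #    it would exempt anything later written to that path from scanning.
    if ((Get-MpPreference).ExclusionPath -contains $RmaExe) {
        Remove-MpPreference -ExclusionPath $RmaExe
        Write-Host "Removed temporary exclusion for $RmaExe"
    }
} elseif ($scanExit -eq 2) {
    Write-Warning 'The definitions on this host still flag rma_active.exe; keeping the exclusion.'
} else {
    Write-Warning "MpCmdRun scan exited with $scanExit (error); exclusion left unchanged."
}

# 5. Start the RMA service again either way and confirm.
if ((Get-Service -Name $ServiceName).Status -ne 'Running') {
    Start-Service -Name $ServiceName
}
Get-Service -Name $ServiceName | Select-Object Name, Status
```

Run it once per affected host after the definitions that correct the false positive are published; the scan step is what decides whether the exclusion is still needed, so a host whose update failed keeps it rather than losing the service again.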
Author: KS-Soft
Joined: 03 Apr 2002
Posts: 12606
Location: USA

Posted: Wed Dec 15, 2021 8:26 am

Also make sure Defender does not scan HostMonitor log and report files; sometimes it uses a lot of system resources.

Regards
Alex
All times are GMT - 6 Hours