Active RMA quarantined as Trojan by Windows Defender

Ben
Posts: 18
Joined: Tue Dec 04, 2018 2:15 am

Active RMA quarantined as Trojan by Windows Defender

Post by Ben »

Title says it all, RMA is 7.64.

Event viewer says:

Antivirus Microsoft Defender a détecté un logiciel malveillant ou potentiellement indésirable.
Pour plus d’informations, reportez-vous aux éléments suivants :
https://go.microsoft.com/fwlink/?linkid ... terprise=0
Nom : Trojan:Win32/Injector.RPZ!MTB
ID : 2147807732
Gravité : Grave
Catégorie : Cheval de Troie
Chemin : process:_pid:4796,ProcessStart:132839746935600679
Origine de la détection : Inconnu
Type de détection : Concret
Source de détection : Système
Utilisateur : AUTORITE NT\Système
Nom du processus : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe
Version de la veille de sécurité : AV: 1.355.247.0, AS: 1.355.247.0, NIS: 1.355.247.0
Version du moteur : AM: 1.1.18800.4, NIS: 1.1.18800.4

We think it started when the server got update KB2267602.
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

We cannot reproduce the problem on our systems and we cannot fix Defender.
We checked using the same Defender definition version: 1.355.247.0

What Windows do you use?

Regards
Alex
Ben
Posts: 18
Joined: Tue Dec 04, 2018 2:15 am

Post by Ben »

I have yet to consolidate the event data, but it seems to be happening only on 2016 and 2019 servers.

I'm checking the 2012 ones right now.
itelio
Posts: 129
Joined: Thu Nov 06, 2014 11:37 am

Problems with Defender and RMA Process

Post by itelio »

Hi there,

I also had the same problem with a customer. Here the Windows Defender update has classified the rma_active.exe process as a threat and terminated it continuously. Putting the process on the exception list helped.

System: Windows10 Pro 21H1

It has occurred since the signature update was applied:
Installation successful: The following update has been installed. Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.355.269.0)
bmekler
Posts: 38
Joined: Tue Apr 17, 2012 4:51 am

Post by bmekler »

I also have it happening on numerous machines, Windows Defender is identifying RMA as 'Trojan:Win32/Injector.RPZ!MTB'

https://www.microsoft.com/en-us/wdsi/th ... 2147807732

Ben
Posts: 18
Joined: Tue Dec 04, 2018 2:15 am

Post by Ben »

We temporarily worked around the issue by running this command on each affected server:

---------
powershell.exe -command Set-MpPreference -ExclusionPath 'C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe'
net start ActiveRMAService
---------

It just adds the RMA exe to the Windows Defender exclusions and then starts the service again.
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Today Microsoft updated the Defender definitions; it should work fine after the system updates.
Open a command prompt as administrator and run:
---------
cd c:\Program Files\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
---------

Regards
Alex
Ben
Posts: 18
Joined: Tue Dec 04, 2018 2:15 am

Post by Ben »

Thanks for your reply.

I applied it on two servers and it works, but if RMA was quarantined you still have to authorize it. I did that manually.

Rma is not flagged by windows defender anymore.
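The two manual steps above (the exclusion command from the earlier post, and re-authorizing a binary Defender already quarantined) combined into one script, as an added example that is not from this thread or from KS-Soft. It assumes the install path and service name used in the thread; the $KnownGoodSha256 value is a placeholder to replace with the hash of rma_active.exe taken from a clean HostMonitor install, so that a path exclusion is only granted to the file you expect.

```powershell
# Added example (not from this thread or KS-Soft): handle a Defender false positive
# on rma_active.exe without excluding whatever happens to sit at that path.
# Assumptions: install path and service name as in the thread; $KnownGoodSha256 is a
# placeholder for the hash of rma_active.exe from a clean HostMonitor install.
$RmaPath         = 'C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe'
$ServiceName     = 'ActiveRMAService'
$KnownGoodSha256 = 'REPLACE_WITH_SHA256_FROM_CLEAN_INSTALL'

# 1. Has Defender acted on this file? A quarantine leaves a detection record.
$hit = Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($RmaPath) }
if ($hit) {
    $ids = ($hit | Select-Object -ExpandProperty ThreatID -Unique) -join ', '
    Write-Host "Defender flagged $RmaPath (ThreatID $ids)"
}

# 2. If the file is gone it was quarantined; restore it by path before excluding it.
if (-not (Test-Path -Path $RmaPath)) {
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -FilePath $RmaPath
}

# 3. A path exclusion covers anything later written to that path, so only grant it
#    to a binary whose hash matches the known-good copy.
$actual = (Get-FileHash -Algorithm SHA256 -Path $RmaPath).Hash
if ($actual -ne $KnownGoodSha256) {
    throw "Hash mismatch for $RmaPath ($actual); not adding an exclusion."
}

# 4. Add-MpPreference appends to the exclusion list. Set-MpPreference -ExclusionPath
#    replaces the list, which would silently drop exclusions already configured.
Add-MpPreference -ExclusionPath $RmaPath

# 5. Bring the service back only if Defender's termination left it stopped.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Start-Service -Name $ServiceName
}
```

Run it from an elevated PowerShell session; once the corrected definitions are installed, the exclusion can be removed again with Remove-MpPreference -ExclusionPath.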
KS-Soft
Posts: 12869
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Also make sure Defender does not check HostMonitor log and report files, sometimes it uses a lot of system resources.

Regards
Alex