Ben
Joined: 04 Dec 2018 Posts: 18
Posted: Tue Dec 14, 2021 11:03 am Post subject: Active RMA quarantined as Trojan by Windows Defender
Title says it all, RMA is 7.64.
Event viewer says:
Antivirus Microsoft Defender a détecté un logiciel malveillant ou potentiellement indésirable.
Pour plus d’informations, reportez-vous aux éléments suivants :
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Injector.RPZ!MTB&threatid=2147807732&enterprise=0
Nom : Trojan:Win32/Injector.RPZ!MTB
ID : 2147807732
Gravité : Grave
Catégorie : Cheval de Troie
Chemin : process:_pid:4796,ProcessStart:132839746935600679
Origine de la détection : Inconnu
Type de détection : Concret
Source de détection : Système
Utilisateur : AUTORITE NT\Système
Nom du processus : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe
Version de la veille de sécurité : AV: 1.355.247.0, AS: 1.355.247.0, NIS: 1.355.247.0
Version du moteur : AM: 1.1.18800.4, NIS: 1.1.18800.4
We think it's since the server got update KB2267602.
KS-Soft
Joined: 03 Apr 2002 Posts: 12801 Location: USA
Posted: Tue Dec 14, 2021 1:19 pm Post subject:
We cannot reproduce the problem on our systems and we cannot fix Defender.
We checked using the same Defender definition version: 1.355.247.0
What Windows do you use?
Regards
Alex
Ben
Joined: 04 Dec 2018 Posts: 18
Posted: Wed Dec 15, 2021 2:52 am Post subject:
I have yet to consolidate the event data, but it seems to be happening only on 2016 and 2019 servers.
I'm checking the 2012 ones right now.
itelio
Joined: 06 Nov 2014 Posts: 120
Posted: Wed Dec 15, 2021 3:21 am Post subject: Problems with Defender and RMA Process
Hi there,
I also had the same problem with a customer. Here the Windows Defender update classified the rma_active.exe process as a threat and terminated it continuously. Putting the process on the exception list helped.
System: Windows 10 Pro 21H1
It has occurred since the pattern update was installed.
Installation successful: The following update has been installed. Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.355.269.0)
Ben
Joined: 04 Dec 2018 Posts: 18
Posted: Wed Dec 15, 2021 4:35 am Post subject:
We temporarily treated the issue by launching this command on each affected server:
Code:
powershell.exe -command Set-MpPreference -ExclusionPath 'C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe'
net start ActiveRMAService
It just adds the rma exe to the exclusions in Windows Defender, then starts the service again.
KS-Soft
Joined: 03 Apr 2002 Posts: 12801 Location: USA
Posted: Wed Dec 15, 2021 7:11 am Post subject:
Today Microsoft updated the Defender definitions; it should work fine after a system update:
Open a command prompt as administrator and run
---------
cd c:\Program Files\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate
---------
Regards
Alex
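Pulling the thread's two fixes together (the exclusion plus service restart from Ben's post, and the definition refresh from Alex's), here is an added PowerShell script that is not part of the thread or of KS-Soft's software. It assumes the binary path and service name quoted above, uses a placeholder for the file's known-good SHA-256, and uses Add-MpPreference rather than Set-MpPreference so that existing exclusions are kept.

```powershell
# Added example; not code from this thread or from KS-Soft. The path and service
# name are the ones quoted in the thread. The known-good hash is a PLACEHOLDER:
# fill it in from a copy of rma_active.exe taken from the vendor package, never
# from the host that raised the alert.
$RmaExe          = 'C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe'
$Service         = 'ActiveRMAService'
$MpCmdRun        = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
$KnownGoodSha256 = 'REPLACE_WITH_SHA256_FROM_VENDOR_PACKAGE'

# 1. Refresh definitions first. A false positive is normally fixed upstream
#    (as happened here), so stale signatures are the cheapest thing to rule out.
& $MpCmdRun -removedefinitions -dynamicsignatures | Out-Null
Update-MpSignature -ErrorAction Stop
Write-Host "Signature version now: $((Get-MpComputerStatus).AntivirusSignatureVersion)"

# 2. Confirm Defender actually acted on this binary. Match on the process path
#    from the Event Viewer entry rather than on the threat name, which Microsoft
#    can rename between definition releases.
$hits = Get-MpThreatDetection | Where-Object {
    $_.ProcessName -eq $RmaExe -or (($_.Resources -join ' ') -like "*$RmaExe*")
}
if (-not $hits) {
    Write-Host 'No Defender detection recorded for rma_active.exe; no exclusion needed.'
    Start-Service $Service
    return
}

# 3. Never exclude a file you have not verified. If quarantine removed it,
#    restore it, then compare its hash with the vendor copy so a genuinely
#    tampered binary is not waved through.
if (-not (Test-Path $RmaExe)) {
    & $MpCmdRun -Restore -FilePath $RmaExe | Out-Null
}
$actual = (Get-FileHash -Algorithm SHA256 -Path $RmaExe).Hash
if ($actual -ne $KnownGoodSha256) {
    throw "SHA-256 of $RmaExe is $actual, not the known-good value; refusing to exclude it."
}

# 4. Add-MpPreference appends to the exclusion list. Set-MpPreference, as used
#    earlier in the thread, replaces the whole list and drops existing entries.
Add-MpPreference -ExclusionPath $RmaExe
Start-Service $Service
Write-Host "Excluded $RmaExe and started $Service."
```

Run it from an elevated PowerShell session; if step 2 finds no detection after the signature refresh, the script only restarts the service and adds no exclusion.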
Ben
Joined: 04 Dec 2018 Posts: 18
Posted: Wed Dec 15, 2021 7:53 am Post subject:
Thanks for your reply.
I applied it on two servers and it works, but if RMA was quarantined you still have to authorize it. I did it manually.
RMA is not flagged by Windows Defender anymore.
KS-Soft
Joined: 03 Apr 2002 Posts: 12801 Location: USA
Posted: Wed Dec 15, 2021 8:26 am Post subject:
Also make sure Defender does not check HostMonitor log and report files; sometimes it uses a lot of system resources.
Regards
Alex