r/DefenderATP

Used live response/secure score to catch a laptop thief

This was kind of an interesting/fun case, so I thought I'd share the story here:

We've been using secure score as a gross metric to make our overall security efforts more translatable to management. We had a couple of items that had just one machine holding us up from capturing full points. When we looked at the workstation in question, it didn't follow our standard naming convention despite having a bunch of markers that clearly identified it as one of ours. When we checked its serial number in Intune, it was definitely ours and still under warranty.

I opened a live response session and was browsing the user folders. When I went to one set of user folders, they contained several identifying documents, including a FL driver's license. I used Live Response's "get" function to DL those files. My org is in a middle Atlantic state. I went to the guy's FB profile, and it contained Cyrillic characters that Google identified as Ukrainian.

I then remembered that we had a contractor (who was also Ukrainian) whom we had identified as potentially engaging in activities that my infosec team had identified as shady previously. I checked that contractor's FB profile, and he and this FL guy are FB friends; gotcha, fucker.

I turned all this over to our legal dept and our infrastructure director. Good times are going to ensue next week.

This whole thing was super fun in a "figuring out a puzzle" kind of way. Our findings are going to have an impact on this guy, and on the agency that sponsored this contractor into our org, but that's not my problem; my team and I are just the ones who figured out that this guy was stealing from us.

Edit/update: turned all info over to our police. They are now going to do police-y stuff

u/hubbyofhoarder — 3 days ago

Yo dawg, I heard you liked menus, so I added a menu to your menu and made it so neither can be collapsed. You're welcome.

Edit: reseph was kind enough to let me know that if you click the "all solutions" button on the first menu, it collapses the second one. They're the real Microsoft MVP.

u/starla79 — 6 days ago

MDE is causing headache to our C++ devs

Trying to unblock one of our C++ devs. They are on VS 2022 building native projects, and Defender (MsMpEng) was sitting at ~70% CPU during links.

What we've done so far:

Ran MDAV Performance Analyzer, confirmed link.exe scanning .lib files in Windows Kits\10\Lib was the hot path.

Added Intune AV exclusions for link.exe (wildcarded across VS year/edition/MSVC version) plus the Windows Kits Lib/Include folders and the MSVC toolset's own lib folder.

Enabled Dev Drive on L:, they moved the work there, Defender now async-scans it.

But they complained again. We ran the Performance Analyzer again, and the new top offender is the VS Installer package cache (C:\ProgramData\Microsoft\VisualStudio\Packages) eating ~900s of scan time on .vsix payloads whenever VS updates.

What do you think is the right approach here? Should we keep chasing whatever clogs resources in MDE and add it to the exclusions?

I am trying to be as minimal with exclusions as possible.

Is my exclusions approach correct? Or will it come back to bite me in the future?

Current exclusions:

Excluded paths:

  • C:\Program Files (x86)\Windows Kits\10\Lib
  • C:\Program Files (x86)\Windows Kits\10\Include
  • C:\Program Files\Microsoft Visual Studio\*\*\VC\Tools\MSVC\*\lib
  • C:\ProgramData\Microsoft\VisualStudio\Packages

Excluded processes:

  • C:\Program Files\Microsoft Visual Studio\*\*\VC\Tools\MSVC\*\bin\Hostx64\x64\link.exe
  • C:\Program Files\Microsoft Visual Studio\*\*\VC\Tools\MSVC\*\bin\Hostx64\arm64\link.exe
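The exclusions above are the poster's own list. As an added example (not part of the post, and not Microsoft guidance), the PowerShell below reads the exclusions that are effective on a device through Get-MpPreference and flags the kinds that widen the unscanned surface the most: wildcard entries, process-scoped entries (which skip every file the process opens, not just its image), and paths under roots that non-admin users or installers can write to. The list of "risky roots" and the flag names are this example's assumptions.

```powershell
# Added example (not from the original post). Audits the Defender AV exclusions that are
# effective on the local device and flags the riskier kinds. Run in an elevated PowerShell
# on a device where the Defender cmdlets (Get-MpPreference) are available.

function Get-ExclusionRisk {
    param(
        [Parameter(Mandatory)][string]$Entry,
        [Parameter(Mandatory)][ValidateSet('Path', 'Process', 'Extension')][string]$Kind
    )
    $flags = @()
    if ($Entry -match '[\*\?]') { $flags += 'wildcard' }   # matches many locations, including future ones
    # Roots that standard users or installers can write to: anything dropped there is never scanned.
    # Which roots count as "risky" is an assumption of this example, not an official list.
    if ($Entry -match '^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)(\\|$)' -or
        $Entry -match '\\(Temp|Downloads)(\\|$)') { $flags += 'user-writable-root' }
    if ($Kind -eq 'Process') {
        # A process exclusion skips every file that process opens, not only the image itself.
        $flags += 'process-scope'
        if ($Entry -notmatch '\\') { $flags += 'image-name-only' }   # any file with that name, anywhere
    }
    if ($Kind -eq 'Extension') { $flags += 'extension-scope' }   # applies to the whole disk
    [pscustomobject]@{ Kind = $Kind; Entry = $Entry; Flags = ($flags -join ', ') }
}

function Get-DefenderExclusionReport {
    # Get-MpPreference reports the exclusions as they are in effect on the device,
    # whichever channel (Intune, GPO, local) set them.
    $pref = Get-MpPreference
    $rows = @()
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { $rows += Get-ExclusionRisk -Entry $p -Kind Path } }
    foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $rows += Get-ExclusionRisk -Entry $p -Kind Process } }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $rows += Get-ExclusionRisk -Entry $e -Kind Extension } }
    $rows
}

# Most-flagged entries first, so the ones worth revisiting are at the top.
Get-DefenderExclusionReport |
    Sort-Object { $_.Flags.Length } -Descending |
    Format-Table Kind, Flags, Entry -AutoSize
```

Run against the list in the post, the ProgramData package cache would come out flagged as a user-writable root and the two link.exe entries as wildcard plus process-scope, which is exactly the trade-off the poster is asking about: the Performance Analyzer tells you where scan time goes, and a check like this tells you what each exclusion gives up in return.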

u/EW_IO — 1 day ago

Announcing Crow-Eye v0.10.0: The AI forensics assistance

I am proud to announce the release of Crow-Eye v0.10.0. This milestone marks the official launch of The Eye, a robust intelligence layer designed to integrate your own AI agents directly into Crow-Eye. This isn't just a regular update; it's a massive milestone for us. My goal from day one has been to build an ecosystem that doesn't just chase known signatures, but actually gives investigators the power to hunt zero-days.

But as we celebrate this release and introduce our new AI layer, we need to talk about the elephant in the room.

The Problem with AI in Forensics

There’s a huge rush right now to slap AI onto cybersecurity tools, and honestly, a lot of it is dangerous. We are seeing "black box" solutions where investigators feed raw data into an LLM and just trust the answers it spits out.

In DFIR, an AI hallucination can ruin a case. An answer without mathematical, binary proof is worthless. If an AI agent cannot anchor its reasoning to exact offsets, hashes, and unmanipulated timestamps, we cannot trust it. To fix this, I realized we had to architect a system where the AI is bound by the exact same strict evidentiary rules as a human analyst.

The Starting Line: Automated Triage

Before the AI even wakes up, Crow-Eye does the heavy lifting. When you launch The Eye, the platform immediately runs a high-speed Automated Triage phase.

It queries the underlying SQLite databases to map out the ground truth: active users, execution histories, accessed files, USB devices, and Auto Run configs. This builds a comprehensive Initial Report. This report isn't the final investigation; it's the baseline. It's the verified starting line before we let the AI touch the data.

The Brain of "The Eye"

I believe you should have total control over your data and your analytical "brain." That’s why The Eye is completely modular. You can plug in whatever intelligence fits your environment:

  • Cloud AI Models: Hook up your public API keys for high-performance reasoning.
  • Offline Servers & Local Inference: For air-gapped labs where privacy is non-negotiable.
    • Dev Note: A lot of my testing and development for The Eye was actually done using LM Studio and Google’s open-weights models (like the Gemma family). If you're a solo investigator, running Gemma locally on your own machine is incredibly powerful. Just a tip: push your context window as high as possible to handle the dense forensic payloads!
  • CLI Agents: If you are a developer or researcher, you can hook up your own custom-built local agents, or seamlessly pipe in tools like Claude Code and the Gemini CLI.

https://preview.redd.it/zdg32192ic0h1.png?width=2023&format=png&auto=webp&s=a1458500b3765ccb1a7fb4018a9dcd2203bd7a1a

Keeping the AI Honest: The Ghassan Elsman Protocol (GEP)

Triage gives us the data, but the Ghassan Elsman Protocol (GEP) ensures the AI doesn't mess it up. The GEP is a strict set of rules hardcoded into the workflow to maintain a perfect chain of custody:

  1. Case Awareness: The Initial Report is injected directly into the prompt to ground the AI in reality.
  2. Pre-Flight Ping: Validates backend connectivity to stop silent failures.
  3. Evidence Anchoring: Automatically tags and preserves raw hashes, IPs, and timestamps in the chat history.
  4. Chain of Custody: Every truncation or data preservation event is meticulously logged.
  5. Non-Repudiation: Messages are assigned deterministic, hash-linked IDs so records can't be altered.
  6. Context Pinning: Critical evidence is locked and excluded from automated AI summarization.
  7. Tool Traceability: Every tool the AI uses (like querying LOLBAS) is logged with exact execution counts.
  8. Machine-Readable Synthesis: You get a clean JSON audit trail at the end to prove compliance.

What's Next: Bridging Analysis and Anatomy

While The Eye handles the high-speed analysis, our educational hub is Eye Describe. In upcoming updates, we are going to start building a bridge between these two tools. The goal is to gradually integrate visual references alongside the AI's findings. We want to reach a point where the AI doesn't just give you an answer, but helps point you toward the structural anatomy of the artifact it analyzed. It's an iterative, ongoing project, but we believe it is an important step toward total forensic transparency.

This is the very first release of The Eye. You might hit a few bumps connecting to certain local backends or managing specific CLI tools, but we are actively squashing bugs and refining the experience over the next few weeks. Please submit any issues you find!

The latest source code and release are available right now on our GitHub. For those waiting for the compiled .exe version, it will be dropping very soon on our official website.

GitHub : https://github.com/Ghassan-elsman/Crow-Eye

good hunting
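The "deterministic, hash-linked IDs" item in the GEP list above describes a hash chain. As an added illustration of that mechanism (this is not Crow-Eye's code, and its field layout is this example's own choice), the PowerShell below derives each message ID from the previous ID plus the message's role and content, then shows that editing an earlier record in place is caught by re-walking the chain.

```powershell
# Added example (not Crow-Eye's code). Each record's ID is SHA-256 over
# (previous ID | role | content), so altering or dropping any earlier record changes
# every ID after it. Field layout and separators are this example's assumptions.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
    } finally { $sha.Dispose() }
}

$GenesisId = ('0' * 64)   # fixed anchor for the first record in a chain

function New-ChainedRecord {
    param(
        [Parameter(Mandatory)][string]$PreviousId,
        [Parameter(Mandatory)][string]$Role,       # e.g. 'analyst', 'agent', 'tool'
        [Parameter(Mandatory)][string]$Content
    )
    # Length-prefix the variable fields so a '|' inside content cannot shift field boundaries.
    $material = "$PreviousId|$($Role.Length):$Role|$($Content.Length):$Content"
    [pscustomobject]@{
        Id         = Get-Sha256Hex $material
        PreviousId = $PreviousId
        Role       = $Role
        Content    = $Content
    }
}

function Test-ChainIntegrity {
    param([Parameter(Mandatory)][object[]]$Chain)
    $expectedPrev = $GenesisId
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $rec = $Chain[$i]
        if ($rec.PreviousId -ne $expectedPrev) { return "break at record $i (previous-ID mismatch)" }
        $recomputed = (New-ChainedRecord -PreviousId $rec.PreviousId -Role $rec.Role -Content $rec.Content).Id
        if ($recomputed -ne $rec.Id) { return "break at record $i (content does not match its ID)" }
        $expectedPrev = $rec.Id
    }
    return 'intact'
}

# Constructed sample conversation (placeholder values, not real case data).
$chain = @()
$chain += New-ChainedRecord -PreviousId $GenesisId    -Role 'analyst' -Content 'Which user ran the binary at offset 0x1F40?'
$chain += New-ChainedRecord -PreviousId $chain[-1].Id -Role 'agent'   -Content 'Prefetch attributes it to user jdoe; hash SHA256=<placeholder>'
$chain += New-ChainedRecord -PreviousId $chain[-1].Id -Role 'tool'    -Content 'LOLBAS lookup: 0 hits'

"Fresh chain: $(Test-ChainIntegrity $chain)"
$chain[1].Content = 'Prefetch attributes it to user admin'   # alter an earlier answer in place
"Edited chain: $(Test-ChainIntegrity $chain)"
```

The first check passes and the second reports a break at record 1. One caveat worth keeping in mind when evaluating any tool that makes this claim: a hash chain proves internal consistency, not authorship. Whoever holds the whole log can rewrite a record and re-link everything after it, so non-repudiation only follows if the head ID is anchored somewhere the writer cannot change (a signature, an external timestamp, or a copy held by another party).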

u/Ghassan_- — 3 days ago

Blocking Future Discovered AI

Hi, we are blocking most AI already in our environment (some are allowed), but the question is how to automatically block newly discovered AI.

I tried to make an app discovery policy that unsanctions Generative AI, but it seems to also take in those we want to allow. Is there a way to make sure it only blocks NEW discovered AI and does not touch those we do not allow?

Thanks

u/neko_whippet — 2 days ago

How are you documenting Defender XDR playbooks / recurring alerts / lessons learned?

Hi everyone,

Curious how other teams are handling the “knowledge management” side of Defender XDR / MDE.

At the moment we have so many notes in OneNote, but it's starting to get messy and not very useful during actual triage. We're trying to find a better way to document things like:

  • Playbooks for custom detections / recurring KQL-based alerts
  • Notes for alerts that keep coming back on the same assets or same type of activity (that we for some reason cannot filter)
  • Known benign / expected behaviour for specific devices, users, apps, etc.
  • Working incidents with multiple analysts without stepping on each other. I really don't like the comment experience in the security portal. And Teams, for example, doesn't archive the comments in the context of the incident.
  • Lessons learned after bigger incidents, so we don’t repeat the same investigation every time
  • Finding related incidents, with notes on those incidents, so you're not figuring it out all over again when a similar incident has already been handled.

Defender incident comments exist, but in practice I don’t find the user experience good enough for proper investigation notes, handover, or building any kind of useful knowledge base. OneNote works okay for storing information, but searching, ownership, versioning and linking it back to alerts/incidents is not great.

For those of you running Defender XDR day to day:

  1. Where do you keep your internal playbooks and investigation notes?
  2. Do you use SharePoint, Confluence, ServiceNow, something else?
  3. Do you document recurring alerts per alert title, per detection rule, per asset, or in some other way?
  4. How do you handle handover when multiple people work the same incident?
  5. How do you communicate with each other? And do you save that communication in the context of the incident?

Not looking for a “perfect SOC platform” answer, more interested in what actually works in practice without becoming another admin burden.

Thanks!

u/DucthBaldie — 2 days ago

We often see Defender being installed on non-corporate devices. In some cases, users access corporate services from their personal computers (Teams, desktop Outlook), or simply connect their work profile to Windows, which then triggers automatic antivirus enrollment on that device.

What I currently don’t understand is how these devices should be properly removed afterwards. What is considered the best practice for offboarding Defender from non-corporate devices? So far, I haven’t found a reliable way to remove it remotely.

Also, how can we prevent Defender from being automatically installed on personal/non-corporate devices in the first place?

u/athanielx — 6 days ago

Did I fuck up by deleting this? I saw defender flag a threat, went onto it and immediately deleted it

This was before I learnt it was just from an update. So did I mess up by deleting it?

u/unodostres123- — 6 days ago

Basically I got a notification from MS Defender not even 50 minutes ago at the time of writing, and I was really shocked since I haven't downloaded anything suspicious recently. I've looked around on here and saw other people also had this.

Is this a false positive? Or something more dangerous?

I've also scanned it with Malwarebytes and it didn't find anything.

Please help me, I'm really scared of getting hacked!

u/Pale_Anywhere4783 — 10 days ago

Windows Secure Boot 2011 certificates will expire in June 2026, and devices need to move to the 2023 Secure Boot certificates and newer boot manager.

Microsoft Defender XDR now provides visibility into devices that still need this update, making it easier to track readiness and reduce exposure across the environment.

Exposure Management → Recommendations → Devices → Misconfigurations (a good addition, too, if you also have Windows Servers onboarded to Defender for Endpoint P2)

https://preview.redd.it/0zmvahs01g0h1.png?width=1903&format=png&auto=webp&s=a04983627c933f6ad2ddeca62445ccc40a85e1cd

https://preview.redd.it/liu81hs01g0h1.png?width=1901&format=png&auto=webp&s=45ac528a844e4c5bac2af9344705953e14be4122

u/EduardsGrebezs — 3 days ago

The company that I work in has an E5 license and there is still quota left for the E5 license. I have also created RBAC in both Intune and Entra, yet I cannot connect Intune with Defender for Endpoint. PS: Yes, I know you need a separate license for servers, but I want to use it for employee laptops/Macs. And my account is added to the Security Admin role as well.

u/DIPRESSED_MOFO — 6 days ago

ASR Rule “Block Win32 API calls from Office macros” – False positives in Content.MSO / Temp Files

Hi all,
Running into issues with the ASR rule "Block Win32 API calls from Office macros" and would love to hear your experiences.
In audit mode, I keep seeing hits on randomly named .tmp files (sometimes without any extension) in:
%LocalAppData%\Microsoft\Windows\INetCache\Content.MSO\

Since the filenames change every time, targeted exclusions aren’t really possible, and I’d rather not exclude the whole Content.MSO folder.

There's a similar post here (https://www.asap-utilities.com/faq-questions-answers-detail.php?m=340&srsltid=AfmBOop9lqsHC16B9xMZNjuckbhuUet9QCaBmnzdn8DUPC934jMNLqdX) describing the same behavior (we don't use the utility mentioned there; the audit hits are most likely because of legitimate Office macro files). But even when we exclude the original locations of the macro files, there are still many hits on the temp files. I'm not sure if this will have an effect on the end users if we switch to block mode instead of audit.

How do you handle this or have you observed the same behavior in your environment?

Thanks in advance!

u/failx96 — 3 days ago

I turned off the internet and ran the Microsoft defender scan. Nothing was found except the Trojan virus everyone has been talking about today. I use Windows 11

u/ProtectionClean6717 — 10 days ago

Running scan status

SOC team needs to know the current status of the scan they initiated on the machine from the portal. The AMRunningQuickScan remains blank even if the machine is running a quick scan.

    Get-MpComputerStatus | Select-Object `
        AntivirusEnabled,
        RealTimeProtectionEnabled,
        IsTamperProtected,
        AMRunningFullScan,
        AMRunningQuickScan,
        FullScanAge,
        QuickScanAge,
        QuickScanEndTime,
        LastFullScanSource,
        LastQuickScanSource,
        AntivirusSignatureAge,
        AntivirusSignatureVersion

Is there a better way to get the status info please?
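As an added example (not from the poster, and not an official Microsoft answer), one way to get a scan state that does not depend on the AMRunningQuickScan property is to pair scan-started events with their terminating events in the Defender operational log. Event IDs 1000 (scan started), 1001 (scan completed), 1002 (scan cancelled) and 1005 (scan failed) are the documented Defender Antivirus scan events; the regexes that pull "Scan ID:" and "Scan Parameters:" out of the event text are this example's assumption about the message format. A 1000 event with no later terminating event for the same scan means a scan is still in progress.

```powershell
# Added example (not from the original post). Reports whether a Defender AV scan is in
# progress by pairing scan-started events with their terminating events in the Defender
# operational log. Works locally or when dropped into a live response session as a script.

function Get-DefenderScanState {
    param([int]$MaxEvents = 500)   # how far back to look; raise if scans are rare on the device
    $log = 'Microsoft-Windows-Windows Defender/Operational'
    # 1000 = scan started, 1001 = completed, 1002 = cancelled, 1005 = failed
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = @(1000, 1001, 1002, 1005) } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        return [pscustomobject]@{ Running = $false; Type = $null; Started = $null; Note = 'no scan events in the window' }
    }
    $open = @{}   # scan key -> start info for scans that have no terminating event yet
    foreach ($ev in ($events | Sort-Object TimeCreated)) {   # oldest first, so state resolves in order
        $type = if ($ev.Message -match 'Scan Parameters:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'Unknown' }
        # Key on the Scan ID when the message carries one (assumed format), else on the scan type.
        $key  = if ($ev.Message -match 'Scan ID:\s*(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $type }
        if ($ev.Id -eq 1000) {
            $open[$key] = [pscustomobject]@{ Type = $type; Started = $ev.TimeCreated }
        } else {
            $open.Remove($key)
        }
    }
    if ($open.Count -eq 0) {
        return [pscustomobject]@{ Running = $false; Type = $null; Started = $null; Note = 'every started scan has an end event' }
    }
    # Normally only one scan is open at a time; report the most recently started one.
    $latest = $open.Values | Sort-Object Started -Descending | Select-Object -First 1
    [pscustomobject]@{
        Running = $true
        Type    = $latest.Type
        Started = $latest.Started
        Note    = 'started event without a matching end event'
    }
}

Get-DefenderScanState | Format-List
```

Two limitations to be aware of: a scan whose engine process died without writing 1001/1002/1005 will look "running" until the next scan of the same type closes it, so for a SOC-facing check it is worth cross-checking against the start/end timestamps that Get-MpComputerStatus does populate; and if the operational log has rolled past the 1000 event, the function reports no scan even though one may be active, which is what the MaxEvents parameter is for.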

u/True-Agency-3111 — 5 days ago

I'm currently getting into the Microsoft Defender Suite – Defender for Endpoint, Defender for Office, the whole thing. I'm an admin, not a security specialist by trade, and I'm realizing I've fallen into a pretty deep rabbit hole here.

The problem: ask 20 people how to configure it properly and you get 30 different answers. One guy swears by the preset security policies in EOP/MDO, the next one says custom is the only way to go, and the third has copied something from a 3-year-old blog post.

I just want a solid, stable baseline config that I actually understand and can defend – not maximum overkill that triggers an alert on every normal attachment.

What do you base your configs on? Microsoft Secure Score? CIS Benchmarks? Any community resources you'd recommend? Or just trial and error until it works?

Open to any input, real world experience especially welcome.

u/StillProbablyDNS — 9 days ago

Turning MDE live response into a near real-time interactive shell: beta version out

Features:

- Internal (thanks to Fabian Bader, Nathan McNulty and the xdrinternals research) vs. external API authentication
- Arbitrary command execution via pre-uploaded base64 wrapper script
- Cross-OS support

PS: Two MSRC bugs reported for direct command execution bypass; waiting for Microsoft's response in order to publish them

Coming SOON TM

Full LaraC2 post-exploitation OST framework over MDE as a C2/C3 channel: we are the EDR / no external infra / onboarding to your controlled tenant, silencing MDE

Happy testing 🥳 🎉

u/akefallonitis — 9 days ago