About EddieRowe

Ah, I see now... I overlooked the first picture!  Thanks!  I was not the original poster, but we appear to have a conflict with an encryption product. ... View more

My interpretation of the setting for exclusion for files in the Malware profile is only for dormant files when you use the weekly/monthly scan.  How do you exclude an entire folder completely? ... View more

It does appear the setting disappeared from my tenant as well!  The online documentation no longer makes no mention of it, but I have the PDF version from last week so I have PROOF. 8-)  Here is what the PDF copy of the manual had for the feature which was not mentioned anywhere in last week's release notes. ... View more

I appreciate the info - Pro was way outside of our budget.  I thought for a moment I had overlooked something (and the Palo Alto person who helped with the PoC didn't share this) so it nice to get confirmation I should not see the BIOC options on the web console. ... View more

@DKasabji, No it cannot be disabled any longer unless you have an Intune subscription per MS documentation (link below).  Our GPO has had Windows Defender turned off for many years now going back to before we added Cortex XDR Prevent to our environment.  (The prior solution did not disable automatically so we have always used the GPO setting.)  The GPO setting is active and Defender has never been observed doing anything on our systems to my knowledge.  But for some reason some systems, all running Win10 v1903, some systems have the Windows Defender Antivirus Service running and others do not.  I am going to guess that this was an issue before Cortex XDR Prevent and it was just not noticed.  We have an application misbehaving and the vendor claims Windows Defender is the cause so as part of my info gathering I noticed the service running on the system.   https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection     ... View more

Yes, Cortex XDR Prevent's Restrictions profile works as you described -- I tested the setup last week.  The issue is that it is a maintenance nightmare...it was not really designed with this in mind.  You can stop all .EXE files from running from the user profile, but to allow some to run is based on the filename/hash.  AppLocker should allow me to setup things so that .EXE files signed by GotoMeeting are allowed, but not others. Oh, and Microsoft keeps stuffing Office 365 stuff under the user profile like Teams, OneDrive, etc. ... View more

I was hoping to do this with Cortex-XDR Prevent by blocking programs from running from the user profile, but the hashes change too often. I was hoping we could block everything from running and then allow some signed applications to run from the user profile.  I have had AppLocker on the list for some time to learn about.   ... View more

@tech_noob, doesn't ncat have legtimate uses so in and of itself it is not evil?  Do you have the grayware protection enabled? (Just thinking out loud...I am not experienced with Kali or ncat. ... View more

@DKasabji, I am seeing some devices where Windows Defender Antivirus still have the service running.  I disable it via GPO and surprised to see it running on my system.  With the new tamper protections I have yet to figure out how to disable the service so it is like it is "off" but still running the app behind the scenes.  We are not Intune subscribers so there does not appear to be a way to turn it off if Cortex fails to do so. ... View more

On some Win10 v1903 (x64) systems running 7.1.3 the Windows Defender Antivirus service is set to "manual" and others it is set to "automatic".  I cannot make heads or tails of it.  We setup our GPO way before Cortex XDR to turn off Windows Defender Antivirus.   GPO Setting: Location:  Computer Configuration - Administative Templates - Windows Components - Windows Defender Antivirus Setting:  Turn off Windows Defender Antivirus - Set to Enabled (Enabled = it is not supposed to run or scan) ... View more