ENS Exploit prevention - User State Migration Tool Detection - Windows EFS abuse
Our engineers use Microsoft USMT to save user state prior to upgrading a systems OS. We are seeing literally hundreds of detections as "Malware Behavior: Windows EFS abuse" Analyzer rule ID 6148. There is no hash only a target path C:\Users\*********\AppData\Roaming\Microsoft\Crypto\RSA\......... My Question is, would you white list the path as that detection is useless unless we do?
Many thanks for posting on the Community. Your query has multiple way to deal with it.
If you are facing an False positive due to the new Signature introduced exploit prevention content (9845) with the Threat name: Malware Behavior: Windows EFS Abuse. I will suggest you to refer below url to check steps mentioned by one of our engineer and see if that helps and if you are still not able to resolve issue by adding an exclusions then Please open a Service Request with us to confirm the validity of the trigger and if an exclusion can be added at the content level.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.