Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, November 23, 2017 8:41 AM
I am in the process of testing Windows Defenders periodic scan on Windows 10 1703/1709 via SCCM.
In the SCCM Antimalware Policy I configured default action "Quarantine" for all levels (severe, high, medium and low) .
But on finding malware Defender says:
Remediation action: NoAction
Action status:Succeeded
I would expect that the Remediation action would be "Quarantined".
Anyone who can explain this?
TIA
All replies (4)
Friday, November 24, 2017 7:04 AM
Hi AdminL,
Remediation action is an undertaking to correct a problem. this says noaction.
It could be that No Action is necessary because the infection is already gone. To be sure, feel free to scan the device with another tool. When I have doubts about something being cleaned, I prefer to use an offline scanner so that it’s unlikely an infection can interfere with the scan.
/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-offline
Review Windows Defender AV scan results
Hope it will be helpful to you
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, November 27, 2017 2:45 PM
Hi,
Haven't received your message a few days, was your issue resolved?
I am proposing previous helpful replies as "Answered". Please feel free to try it and let me know the result. If the reply is helpful, please remember to mark it as answer which can help other community members who have same questions and find the helpful reply quickly.
Best regards,
Carl
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, November 29, 2017 12:51 PM
Hi,
Any update?
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, September 26, 2018 10:33 AM | 1 vote
I've been using SCEP / Defender for around 5 years, and this behaviour has been one of the banes of my life. I escalated this query all the way through Premier support and never received a straight answer.
The best I have been able to come up with is that each time this occurs the SOC need to take manual action to verify what happened and what needs to be done. The scenarios I have observed causing this result include:
- The malware type was not configured to be quarantined or removed.
- The malware file or process was not found when Defender tried to remove it
- Another process (or another simultaneous Defender thread) already quarantined the file
- The file was locked or on a read-only drive.
In practice, my SOC would first check the SCCM logs to see if there was also a successful remove/quarantine at the same time. Then they would access the machine and manually check that location to see if the file existed before manually cleaning the file.
I would be keen to hear if anyone has found a clearer answer to this. Manual remediation of these alerts is a significant burden to the SOC and negatively impacts users if you don't have an EDR product to investigate and remediate remotely.
(Posted this earlier to a thread from 2014 before I noticed the date...)