Tutorial: The fastest way to report a False negative in Defender for Endpoint!

ByThomas Verheyden

Intro

Encountering a false negative during a customer engagement can be a critical issue. Recently, I faced a similar situation where a particular exploit went undetected. While I won’t delve into the specifics of the exploit, I want to highlight an efficient method to report false negatives promptly for resolution.

In my recent experience, the false negative case was addressed within just 4 days of thorough investigations.

During my writing (25/12) , Microsoft updated their docs about “how to address Address false positives/negatives in Microsoft Defender for Endpoint” (12/01). I suggest to also read it. You can find it here , it covers more use case then my blog.

Evidence

My advise is before you submit your case, get as much evidence you can provide. Here is a list I put into my case:

  • Described the steps that would allow Microsoft to reproduce the issue internally
  • A document backed with screenshots of the process and devices involved incl. Device ID where the activity was observed, the org ID , the exact date/time of the event (in UTC preferably) , the event details and observed telemetry (device timeline)
  • Clarified what was the vulnerability that was exploited and that was not alerted incl. CVE Reference.
  • Reproduced the issue with the lasted version of MDATP and confirmed if the alert is triggered in the MDE portal
  • Collected logs from the device that was exploited:

Submission

There are a couple public submission methods:

The first two didn’t fit into my category, its more if you want to report malicious files, URL’s or security research. So what I did was, I created a support case in the costumers tenant:

  1. Go to https://security.microsoft.com/
  2. On the right op click on ‘Help’

3. Choose a contact method and preferred settings

4. Fill in the additional required fields and upload the evidence you created earlier. It’s important to put the following line in your title: “EDR False Negative (FN) Detection.”

5. click on ‘Contact me’

That is! Now the waiting game can start and i hope you get your False negative resolved as soon as possible !

Similar Posts

Tool: MDE-Troubleshooter is born !

ByThomas Verheyden

Background story During my consultancy work, I have received feedback from numerous clients indicating that they consistently encountered difficulties when attempting to troubleshoot issues with Defender for Endpoint on their local endpoints. They often found it a struggle to navigate through various locations, such as PowerShell for security configuration, the event viewer for log files,…

Your isolated device stuck in Defender for Endpoint Isolation mode , not anymore !

ByThomas Verheyden

Intro When you want to investigate a endpoint that has indication of being comprised you might want to put the endpoint in Defender for Endpoint isolation mode. Isolation will disconnected the potential comprised endpoint from the network and will only allow connection to Defender for Endpoint Service. Depending on your OS level you can also…

| |

Defender for Endpoint Migration: Troubleshooting Persistent Third-Party AV Registration

ByThomas Verheyden

Intro I recently assisted a costumer with migrating to Defender for Endpoint. They had some windows 10/11 endpoints where the 3rd party Antivirus (AV) kept registered as primary Antivirus which by default put Defender for Endpoint in disable state on Windows 10/11: Together with the Internal system engineers we tested multiple uninstall packages/scripts provided by…

Leave a Reply