-
Notifications
You must be signed in to change notification settings - Fork 270
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Microsoft Defender / Antivirus detections removed in new releases #168
Comments
Hey @AnthoLaMalice Thanks for flagging this. I'll take a look next week and get back to you after I've figured out what's going on. |
Does undoing this 9e04039 change to the Chainsaw |
Awesome, okay that should not break it but now we know where to look. |
I tried to reproduce this using the same rules but only switching the Chainsaw version on Windows between v2.8.1 and v2.9.0 but I was unable to. They produced identical results apart from a few lines changing positions on the csv which is expected. 1116 and 1117 events appeared correctly using EVTX Attack Samples to test. I noticed in the screenshots you were using Linux so this may be a platform specific bug? |
@AnthoLaMalice are you able to provide the event log so that I can try and replicate this behaviour? @reece394 thank you for doing some further triage. |
Hey guys,
I have observed that the latest version of Chainsaw no longer seems to report Microsoft Defender/AV detection.
I ran both v2.9.0 and v2.8.0 on the same log set, which I know contains Microsoft Defender detection for CVE-2021-31207. The default raw output was redirected to a file for testing.
v2.9.0 vs v2.8.0 :
As you can see v2.8.0 indeed showed Microsoft Defender detection which is not the case for v2.9.0.
It also seems that with version 2.8.0, if you output your results to a csv or json file, a specific file has been created for AV detection, which is not the case with version 2.9.0.
Is there an explanation for this?
Thanks for your work!
The text was updated successfully, but these errors were encountered: