Atera agent being flagged by Windows Defender
Incident Report for Atera
Resolved
This incident has been resolved.
Posted Nov 18, 2022 - 15:09 EST
Monitoring
We’re pleased to report that Microsoft’s Windows Defender error has been resolved!

This error was caused by a change in Microsoft’s Windows Defender policy and has nothing to do with Atera specifically. We responded as quickly as possible and worked diligently to get Microsoft to fix it as soon as possible.

The fix is reflected in the security intelligence version 1.379.508.0 or above. Please update to the latest security intelligence version, which can be done here:
https://www.microsoft.com/en-us/wdsi/defenderupdates

Ideally, Windows Defender should automatically update itself when coming online or within 24 hours. In that case, Atera agents will be restored automatically and there is no need for manual intervention.

If automatic restore did not work, you can manually restore the agents using one of the following commands:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -Name "HackTool:Win32/RemoteAdmin" -All -path "C:\Program Files\ATERA Networks\AteraAgent"

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -Name HackTool:Win32/RemoteAdmin -All -path "C:\Program Files (x86)\ATERA Networks\AteraAgent"

You can also read our step-by-step guide here: https://support.atera.com/hc/en-us/articles/6658561781788

As always, we’re here 24/7, so if you need further assistance, feel free to contact us on our live chat, or at support@atera.com.
Posted Nov 17, 2022 - 14:17 EST
Update
[Windows Defender Update]
We’ve been working hard alongside Microsoft, and have been informed that Microsoft “confirms that the sample is clean. Based on that, we’ve removed detection on the file.”
The fix will be reflected in the security intelligence version 1.379.516.0 or above. The security intelligence version corresponding to these changes is currently being merged and will be released soon.

We will update you as soon as it is released, at which point this error will be resolved.

Thank you for your patience and understanding!
Posted Nov 17, 2022 - 09:52 EST
Identified
We are aware that some customers may be experiencing Windows Defender removing Atera Agents on some workstations. This change is on Microsoft’s side and not Atera-related.

Our Security Team and Development Teams are working with Microsoft to resolve this issue ASAP! We apologize for any inconvenience.
In the meantime, you can whitelist Atera Agents in Microsoft Defender until this is resolved on Microsoft’s side as described in this link:

https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-the-Atera-Agent-Windows-

You can use these commands to whitelist Atera in Windows Defender:

Add-MpPreference -ExclusionPath "C:\Program Files\Atera Networks\AteraAgent" -Force
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Atera Networks\AteraAgent" -Force
Add-MpPreference -ExclusionProcess "AteraAgent.exe" -Force

These are PowerShell commands that need to run as an Administrator. We also added this to our shared script library, for easier and more convenient mass deployment.

Please note that if the agent was already removed, you’ll have to add an exception to whitelist the download folder as well in order to allow re-download and re-installation.

As always, we’re here 24/7, so if you need further assistance, feel free to contact us on our live chat, or at support@atera.com
Posted Nov 17, 2022 - 07:56 EST
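
The exclusions from the "Identified" update were meant to last only until the fix in the "Monitoring" update arrived, so they should be removed once the endpoint has the fixed security intelligence. The script below is an added example, not Atera's or Microsoft's own code: it checks the installed version against 1.379.508.0 and removes the three exclusions only when the fix is present and the agent is running. Using a running AteraAgent process as the health check is an assumption of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: roll back the temporary Defender exclusions after the fix.
# Threshold and exclusion values are the ones quoted in the incident updates.
$FixedVersion     = [version]'1.379.508.0'
$ExclusionPaths   = @(
    'C:\Program Files\Atera Networks\AteraAgent',
    'C:\Program Files (x86)\Atera Networks\AteraAgent'
)
$ExclusionProcess = 'AteraAgent.exe'

# 1. Confirm the installed security intelligence contains the fix.
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -lt $FixedVersion) {
    Write-Host "Security intelligence $current predates $FixedVersion; updating."
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
if ($current -lt $FixedVersion) {
    Write-Warning "Still on $current. Exclusions left in place; update and rerun."
    return
}

# 2. Assumption: a running AteraAgent process means the agent survived or was
#    restored. If it is missing, restore or reinstall before removing anything.
if (-not (Get-Process -Name 'AteraAgent' -ErrorAction SilentlyContinue)) {
    Write-Warning 'AteraAgent is not running. Restore it first, then rerun.'
    return
}

# 3. Remove only the exclusions that are actually configured.
#    -contains is case-insensitive, so path casing differences do not matter.
$pref = Get-MpPreference
foreach ($path in $ExclusionPaths) {
    if ($pref.ExclusionPath -contains $path) {
        Remove-MpPreference -ExclusionPath $path
        Write-Host "Removed path exclusion: $path"
    }
}
if ($pref.ExclusionProcess -contains $ExclusionProcess) {
    Remove-MpPreference -ExclusionProcess $ExclusionProcess
    Write-Host "Removed process exclusion: $ExclusionProcess"
}

# 4. Show what remains so any download-folder exclusion added for
#    reinstallation can be reviewed and removed by hand.
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess | Format-List
```

The download-folder exclusion mentioned in the "Identified" update is not removed automatically because its path differs per machine; step 4 lists what is still configured.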