Microsoft Defender / Antivirus detections removed in new releases #168
Comments
Hey @AnthoLaMalice, thanks for flagging this. I'll take a look next week and get back to you after I've figured out what's going on.
Does undoing this 9e04039 change to the Chainsaw
Awesome, okay, that should not break it, but now we know where to look.
I tried to reproduce this using the same rules but only switching the Chainsaw version on Windows between v2.8.1 and v2.9.0, but I was unable to. They produced identical results apart from a few lines changing positions in the CSV, which is expected. 1116 and 1117 events appeared correctly using EVTX Attack Samples to test. I noticed in the screenshots you were using Linux, so this may be a platform-specific bug?
@AnthoLaMalice are you able to provide the event log so that I can try and replicate this behaviour? @reece394 thank you for doing some further triage.
Hey guys,
I have observed that the latest version of Chainsaw no longer seems to report Microsoft Defender/AV detection.
I ran both v2.9.0 and v2.8.0 on the same log set, which I know contains Microsoft Defender detection for CVE-2021-31207. The default raw output was redirected to a file for testing.
v2.9.0 vs v2.8.0:
As you can see v2.8.0 indeed showed Microsoft Defender detection which is not the case for v2.9.0.
It also seems that with version 2.8.0, if you output your results to a CSV or JSON file, a specific file is created for AV detections, which is not the case with version 2.9.0.
Is there an explanation for this?
Thanks for your work!
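A quick way to triage a report like this one is to check, independently of Chainsaw, whether the log actually contains Defender detection records (Event IDs 1116 and 1117 from the Microsoft-Windows-Windows Defender provider) and compare that against what each Chainsaw version reports. The script below is an added example, not Chainsaw code and not from anyone in the thread. It assumes the records have been rendered in the standard Windows event XML schema (the form `Get-WinEvent` records give via `.ToXml()`, or that EVTX-to-XML dump tools emit) and wrapped in a single root element; the event records embedded in it are constructed sample data, not a real log.

```python
"""Independent cross-check for Microsoft Defender detection events.

Added example (not part of Chainsaw): filters Windows event records rendered
as XML and keeps the Defender detections (Event IDs 1116 and 1117), so the
count can be compared against Chainsaw's output for the same log set.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by Windows event records rendered as XML.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"
# 1116 = malware or unwanted software detected, 1117 = action taken on it.
DEFENDER_DETECTION_IDS = {1116, 1117}

# Constructed sample records, not a real log: one 1116, one 1117, one Defender
# event that is not a detection (1000, scan started) and one Security logon.
SAMPLE_EVENTS_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender"/>
    <EventID>1116</EventID>
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Threat Name">Constructed:Sample/TestThreat.A</Data>
    <Data Name="Path">file:_C:\Users\alice\Downloads\sample.js</Data>
    <Data Name="Action Name">Not Applicable</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender"/>
    <EventID Qualifiers="0">1117</EventID>
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Threat Name">Constructed:Sample/TestThreat.A</Data>
    <Data Name="Path">file:_C:\Users\alice\Downloads\sample.js</Data>
    <Data Name="Action Name">Quarantine</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender"/>
    <EventID>1000</EventID>
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData><Data Name="Scan Type">Quick Scan</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData><Data Name="LogonType">2</Data></EventData>
</Event>
</Events>"""


def defender_detections(events_xml: str) -> List[Dict[str, object]]:
    """Return the Defender detection events (1116/1117) in an XML event dump."""
    root = ET.fromstring(events_xml)
    hits: List[Dict[str, object]] = []
    for event in root.findall("e:Event", EVENT_NS):
        provider = event.find("e:System/e:Provider", EVENT_NS)
        event_id = event.find("e:System/e:EventID", EVENT_NS)
        if provider is None or event_id is None or not event_id.text:
            continue  # malformed record: nothing to match on
        if provider.get("Name") != DEFENDER_PROVIDER:
            continue
        eid = int(event_id.text.strip())
        if eid not in DEFENDER_DETECTION_IDS:
            continue
        # EventData/Data elements are keyed by their Name attribute.
        data = {d.get("Name", ""): (d.text or "")
                for d in event.findall("e:EventData/e:Data", EVENT_NS)}
        computer = event.find("e:System/e:Computer", EVENT_NS)
        hits.append({
            "event_id": eid,
            "computer": computer.text if computer is not None else "",
            "threat": data.get("Threat Name", ""),
            "path": data.get("Path", ""),
            "action": data.get("Action Name", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in defender_detections(SAMPLE_EVENTS_XML):
        print(hit["event_id"], hit["computer"], hit["threat"], hit["action"])
```

Run against the same log set fed to both Chainsaw versions: if this reports 1116/1117 records that v2.9.0 omits while v2.8.0 lists them, the records are present and the difference lies in Chainsaw's handling rather than in the log itself.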