Forum Discussion
John_Joyner (Brass Contributor)
Feb 26, 2022
M365 Defender flags MMAExtensionHeartbeatService and GCService as potential risk
This feedback is provided for improvement of the Azure Monitor experience for customers using the M365 Defender Security Recommendations feature.
M365 Defender produces a vulnerability recommendation of "Change service executable path to a common protected location" for the default setup of MMA on Windows computers. Both the "GCService" (Azure Policy Guest Configuration) and the "MMAExtensionHeartbeatService" (Microsoft Monitoring Agent Azure VM Extension Heartbeat) are located in C:\Packages. The remediation option is "Move your service executable to a common protected path like 'C:\Windows', 'C:\Program Files', 'C:\Program Files(x86)', or 'C:\ProgramData'."
Of course, you can 'Create Exception' with "Third party control" justification that would clear the vulnerability finding; however, this exposes the computer to all threats of this type, as it is not granular to only permit the allowed exceptions. Recommend either adding C:\Packages to the common protected paths list or allowing for granular application of exceptions to this policy.
- youngec2000 (Copper Contributor): Well.. here we are, nearly 2 years later.. and Microsoft still has not tuned their recommendation to account for their own C:\Packages folder 🤦
- beewolf16 (Brass Contributor): I second this feedback. In addition to the "GCService" and "MMAExtensionHeartbeatService" that John mentioned, I'm also seeing this recommendation for "vmGuestHealthAgent" and "HybridWorkerService" as well. Both of these additions also reside in "C:\Packages." Does the security recommendation *actually* intend that I change the executable path for Microsoft services??
- jhalvorsen (Copper Contributor): I agree. This is happening for the Azure Monitor Agent. Is anyone at Microsoft going to respond or fix this?