Forum Discussion
zposz365 (Copper Contributor), Dec 29, 2020
Defender ATP Suppression Rules Still Action Files?
Hello,
We have set up numerous suppression rules for various software within our environment, but even though we no longer get an alert from ATP due to the rules, it still looks like it is preventing the file from running according to the items listed under matching alerts for the rule. I have created exceptions within SCCM for our users, but it seems like the suppression rule should be doing that for us.
- Thijs Lecomte (Bronze Contributor): Suppression rules are only to suppress alerts from popping up. They do not create exclusions for MDE to stop scanning certain processes and folders. You still need exclusions for that.
- BemmelenPatrick (Iron Contributor): If I understand correctly there are exclusions which are being pushed via SCCM: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-configuration-manager-to-configure-file-name-folder-or-file-extension-exclusions
Maybe EDR/ASR could be the root of the "problem" (blocking suspicious activity is never a problem of course 😉)?
- BemmelenPatrick (Iron Contributor): Hello zposz365,
Isn't that just monitoring of the rules that are being applied?
Do you actually have a problem with running the files?
If you aren't able to open the files then you should investigate this of course.
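
Added example, not part of any post in this thread: a PowerShell check that can be run on an affected endpoint to see whether a file is covered by a Defender Antivirus exclusion or an ASR exclusion, and which component logged an action against it. The target path is a constructed placeholder; the cmdlets, preference properties and event IDs are the standard Defender ones.

```powershell
# Added example. $Target is a constructed placeholder; pass the binary that is being blocked.
# Run elevated: exclusions can be hidden from non-administrators.
param([string]$Target = 'C:\Program Files\ExampleApp\example.exe')

$pref = Get-MpPreference

# Prefix/wildcard match of the target against a list of excluded paths.
function Test-Covered([string[]]$Entries) {
    foreach ($e in $Entries) {
        if ($e -and $Target -like ($e.TrimEnd('\') + '*')) { $e }
    }
}

# Antivirus exclusions (the kind deployed through Configuration Manager).
$leaf = Split-Path $Target -Leaf
$ext  = [IO.Path]::GetExtension($Target).TrimStart('.')
$av   = @(Test-Covered $pref.ExclusionPath)
$av  += @($pref.ExclusionProcess   | Where-Object { $_ -and ($_ -ieq $Target -or $_ -ieq $leaf) })
$av  += @($pref.ExclusionExtension | Where-Object { $_ -and $_.TrimStart('.') -ieq $ext })

# ASR exclusions are a separate list; an antivirus exclusion does not imply one here.
$asr = @(Test-Covered $pref.AttackSurfaceReductionOnlyExclusions)

# Local evidence of what acted on the file during the last 7 days:
# 1116/1117 = antivirus detection / action taken, 1121 = ASR block, 1122 = ASR audit.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 1121, 1122
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue | Where-Object {
        $_.Message -and
        $_.Message.IndexOf($Target, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })

[pscustomobject]@{
    Target              = $Target
    AntivirusExclusions = $av -join '; '
    AsrExclusions       = $asr -join '; '
    AntivirusEvents     = @($events | Where-Object { $_.Id -in 1116, 1117 }).Count
    AsrBlockEvents      = @($events | Where-Object { $_.Id -eq 1121 }).Count
    AsrAuditEvents      = @($events | Where-Object { $_.Id -eq 1122 }).Count
}
```

Empty exclusion columns alongside non-zero event counts mean the file is still being actioned on the endpoint, whatever the alert suppression rule hides from the alert queue.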