
Hi all, 

 

Does anyone know if Automox has any recommended Microsoft Defender exclusions, please? We use Microsoft Defender for Endpoint and want to ensure we’re not impeding Automox performance or usability at all. Further, does anyone know of any local client firewall rules (other than 7844 for Cloudflare Tunnels) that might be needed?

 

I tried to search but I can’t seem to see anything, so thought I’d best double check.

 

Thanks in advance! 

 

Hey Marshyp,

 

The Automox Agent Notifier must be added to the Windows Defender firewall allowed applications. Here are some articles detailing the EPP and Firewall allowlisting requirements for Automox!

Please don’t hesitate to reach out if you have any other questions!

Thanks Corey, 

Looks like I’ve covered everything there, so that’s great news - Thanks for confirming! 


@Marshyp 

For MDE, after observing the alert "Suspicious 'PsHiddenWindowLaunch' behavior was blocked", the following rule was added under Security Settings > Endpoints > Folder Exclusions at https://security.microsoft.com/securitysettings/endpoints/folder_exclusions

Example of the rule added: (screenshot of the folder exclusion rule; image not included in the extracted page)

Thanks Jack, 

I am eager not to exclude a folder if possible, as this feels like an unnecessary attack surface. I will be running some test Worklets later today to test the functionality, and if I get the blocks or alerts you mention then I will revisit, but I’m confident I can get away with the processes and firewall rules for now.

 

Appreciate your assistance! 


@Marshyp Agreed on just the folder exclusion alone. Add both the folder and the PS1 file extension for more security. In addition, require that the scripts be signed.

 

The culprit behind "Suspicious 'PsHiddenWindowLaunch' behavior was blocked" was having to sometimes execute code as 64-bit. If you have not run into it yet: when Automox uses PowerShell, it does so with the 32-bit binary, making access to certain cmdlets, directories and registry entries a challenge on 64-bit systems. This was the workaround, https://help.automox.com/hc/en-us/articles/31578327798548-Using-64-bit-PowerShell-Code-with-Automox, but it also introduced EDR blocking the request.

 
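An added example (not code from the thread, Automox, or Microsoft) that audits the points raised above from the defender's side: which PowerShell bitness the session runs under, what Defender currently excludes and which of those exclusions are broad, and whether the .ps1 files in a folder carry a valid Authenticode signature. It assumes a Windows host with the Defender cmdlets, an elevated session, and a placeholder folder path that you replace with the folder you were considering excluding.

```powershell
# Added example, not Automox or Microsoft code. Assumes Get-MpPreference is
# available (Microsoft Defender AV) and the session is elevated.
function Test-ScriptFolderHardening {
    param([Parameter(Mandatory)][string]$ScriptFolder)  # placeholder path supplied by caller

    # Automox runs scripts with 32-bit PowerShell on 64-bit systems; report the
    # bitness of this session so the 64-bit relaunch workaround is not guessed at.
    $bitness = if ([Environment]::Is64BitProcess) { 64 } else { 32 }
    $osBits  = if ([Environment]::Is64BitOperatingSystem) { 64 } else { 32 }

    # Current Defender exclusions. Anything listed here is skipped by scanning,
    # so whole-drive or commonly user-writable paths deserve a second look.
    $pref       = Get-MpPreference
    $paths      = @($pref.ExclusionPath | Where-Object { $_ })
    $riskyPaths = @($paths | Where-Object {
        $_ -match '^[A-Za-z]:\\?$' -or $_ -match '\\(Users|Temp|ProgramData)\\'
    })
    $ps1Excluded = @($pref.ExclusionExtension | Where-Object { $_ -match '^\.?ps1$' }).Count -gt 0

    # Scripts in the folder without a valid Authenticode signature. Under an
    # AllSigned execution policy these would be refused rather than run.
    $unsigned = @(Get-ChildItem -Path $ScriptFolder -Filter *.ps1 -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status)

    [pscustomobject]@{
        ProcessBitness       = $bitness
        OSBitness            = $osBits
        ExecutionPolicy      = (Get-ExecutionPolicy -Scope LocalMachine)
        PathExclusions       = $paths
        RiskyPathExclusions  = $riskyPaths
        Ps1ExtensionExcluded = $ps1Excluded
        ProcessExclusions    = @($pref.ExclusionProcess | Where-Object { $_ })
        UnsignedScripts      = $unsigned
    }
}

# Usage: replace the placeholder with the folder you were considering excluding.
$report = Test-ScriptFolderHardening -ScriptFolder 'C:\PLACEHOLDER\ScriptFolder'
$report | Format-List
if ($report.UnsignedScripts.Count -gt 0) {
    Write-Warning "Unsigned scripts found; sign them before relying on an AllSigned policy."
}
```

Run it before and after adding an exclusion so the change in RiskyPathExclusions and Ps1ExtensionExcluded is visible in the output.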

Ahh super! Thanks so much for the clarification, that’s very handy. 

For the most part, we use Microsoft Intune for script deployments so I suspect this might not be too much of an issue, but I’ve noted it on the Project RAID log and will assess with the gang. Appreciate your input. 
