Windows 10: Zerologon EventID 5827 false-positive?

Hi mates,


I have a lot of DC patched Sep 2020 patch to monitor events related to Zerologon. My graylog showed PCs got the EventID 5827 and I updated for those PCs and enabled 3 policies:

-Domain member: Digitally encrypt or sign secure channel data always

-Domain member: Digitally encrypt secure channel data when possible

-Domain member: Digitally sign secure channel data when possible

as Microsoft's instruction. But those PCs still logged on graylog with EventID "5827 The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account." and make lots of confuse to my team if everything work fine.

Could you please explain for me about those cases when we enabled the policies but still got the alerts?


Thanks & Regards

:)

 

False positive for desktop shortcut scanner.lnk

The 1.239.488.0 virus / spyware definition update that rolled out about 24 hours ago appears to be producing a false positive for any shortcut placed on the desktop called "Scanner.lnk". I can consistently replicate a false positive for Trojan:Win32/FakeSysdef
with the following steps.

• Create a shortcut to an exe file.
• Place the shortcut on the desktop.
• Name the shortcut "Scanner".
• Run "Quick Scan".

I don't get the same result by directly scanning the file, nor by uploading the file to www.virustotal.com, so it would appear this is as a result of a heuristic rather than a file content analysis. I also don't get the same result with a shortcut that links
to a website.

Can anyone else replicate? How can we go about getting the Windows Defender team to reconsider this heuristic? It's a bit heavy-handed.

 

defender false positive

Hi Bob,

To better assist you, kindly verify the following:

• Where did you submit the file about Windows Defender being false positive?
• Right after the recent Windows 10 update, your Zara Radio stopped working?
• Regarding the 404 error, what application were you using when you got that error?

Let us know.

 

Questioning a false positive for a Windows Defender virus scan

Anytime you suspect a possible
false positive or you want a second opinion, submit it to one of the online services that analyzes suspicious files. There are also number of web resources (URL Link Scanners) which can be used to check suspicious/unfamiliar
sites or get second opinions.

• Comprehensive List of URL analyzers & services