One of the most useful security features to arrive with the Spring 2019 release (1903) of Windows 10 Enterprise is the ability for a security operations engineer to open a remote shell on an infected machine and remove malware that might otherwise leave the machine inoperable. Within Microsoft Defender ATP the capability is called Live Response, and it lets a SOC contain malware quickly.
Defender ATP can flag a device as compromised for many reasons; when it does, the alert identifies the file that is causing the issue. When a machine is found to be infected, navigating to the machine in the ATP portal and clicking the Live Response icon
opens a command console on the remote computer, starting at C:\. Note that the engineer must be explicitly granted access to Live Response through Defender ATP's role-based access control (RBAC) settings.
At the prompt on the remote PC, the administrator can list the available commands by typing help.
Using the file name reported in the Defender ATP portal, the admin can search the disk from the Live Response prompt with findfile filename (no quotes). In the example here, the offending file is called minidump.zip, shown below in Explorer.
Executing findfile in Live Response returns the full path of the matching file.
Note that searching with a wildcard (*) returns no results; the complete file name must be entered.
Since findfile returns the complete path of the target file, the next step is to remediate (delete) the offending file. Copy and paste that path into the remediate file command:
remediate file "Filepath/name" -auto
This removes the file from the PC. Note that the quotes are required here. The admin's confirmation that the file was removed is the absence of errors in the return message.
The file no longer appears in the folder where it had been.
And to confirm it is completely gone from the user's reach, note that it does not appear in the Recycle Bin either.
For compliance and an audit trail, management should know that every action the admin takes in a Live Response session is logged.
If it turns out to be necessary, the admin can reverse the deletion with undo file <filename>, which returns the file to its original location; the remediation is reversible rather than destructive. If the file needs to be analyzed by Microsoft, it can then be submitted through the Deep Analysis option on the file's page in the portal.
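To make the findfile, remediate and undo semantics described above concrete, here is an added PowerShell example. It is not code from the original post or from Defender ATP; it runs locally on a Windows machine and models the same three steps: an exact-name search (no wildcards), a reversible removal that keeps a record of what was taken, and a restore. The quarantine folder, the audit log path and the JSON-lines log format are assumptions for illustration; where Defender ATP itself holds a remediated file so that undo can restore it is not stated on the page.

```powershell
# Added example (not code from the original post or from Microsoft Defender ATP).
# Models the findfile -> remediate -> undo workflow locally so the semantics are explicit:
# exact-name search, reversible quarantine, and an append-only audit trail.
# $QuarantineRoot, $AuditLog and the JSON-lines format are assumptions for illustration.

$QuarantineRoot = 'C:\Quarantine'
$AuditLog       = Join-Path $QuarantineRoot 'audit.jsonl'

function Write-Audit {
    # Append one JSON object per action, with timestamp and operator identity.
    param([Parameter(Mandatory)][string]$Action, [hashtable]$Details = @{})
    $entry = [ordered]@{
        time     = (Get-Date).ToString('o')
        operator = "$env:USERDOMAIN\$env:USERNAME"
        action   = $Action
    }
    foreach ($k in $Details.Keys) { $entry[$k] = $Details[$k] }
    New-Item -ItemType Directory -Force -Path $QuarantineRoot | Out-Null
    Add-Content -LiteralPath $AuditLog -Value ($entry | ConvertTo-Json -Compress)
}

function Find-FileExact {
    # Exact file-name match across all local file-system drives, like findfile on the page.
    # The name is compared literally, so '*' or '?' in $Name match nothing rather than acting as wildcards.
    param([Parameter(Mandatory)][string]$Name)
    $roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -and (Test-Path $_.Root) }).Root
    Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty FullName
}

function Invoke-Remediation {
    # Move the file into quarantine under a random name and record its hash and origin,
    # so the action is reversible and leaves a record of exactly what was removed.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "File not found: $Path" }
    New-Item -ItemType Directory -Force -Path $QuarantineRoot | Out-Null
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $dest   = Join-Path $QuarantineRoot ("{0}.quarantined" -f [guid]::NewGuid())
    Move-Item -LiteralPath $Path -Destination $dest -Force
    Write-Audit -Action 'remediate' -Details @{ path = $Path; sha256 = $sha256; quarantine = $dest }
    return $dest
}

function Undo-Remediation {
    # Restore the most recently quarantined copy of $Path to its original location,
    # after checking that the quarantined copy still matches the hash recorded at removal time.
    param([Parameter(Mandatory)][string]$Path)
    $record = Get-Content -LiteralPath $AuditLog -ErrorAction Stop |
        ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.action -eq 'remediate' -and $_.path -eq $Path } |
        Select-Object -Last 1
    if (-not $record) { throw "No remediation recorded for $Path" }
    if (-not (Test-Path -LiteralPath $record.quarantine -PathType Leaf)) {
        throw "Quarantined copy missing: $($record.quarantine)"
    }
    $hashNow = (Get-FileHash -LiteralPath $record.quarantine -Algorithm SHA256).Hash
    if ($hashNow -ne $record.sha256) { throw "Quarantined copy hash mismatch for $Path" }
    Move-Item -LiteralPath $record.quarantine -Destination $Path
    Write-Audit -Action 'undo' -Details @{ path = $Path; quarantine = $record.quarantine }
    return $Path
}

# Usage mirroring the page's walkthrough (minidump.zip is the name used on the page):
#   $hits = @(Find-FileExact -Name 'minidump.zip')   # full paths; 'mini*' would return nothing
#   $hits | ForEach-Object { Invoke-Remediation -Path $_ }
#   Undo-Remediation -Path $hits[0]
```

The design point worth noticing is that "remove" here is a move plus a log entry, not a delete: that is what makes an undo possible and gives the compliance trail mentioned below something to point at. Running this as the user who owns the machine is enough for files under their profile; system locations need an elevated session.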
This is a quick way to remediate a malware situation. Consider the alternative: a SOC engineer contacts the desktop support team, who remote into the machine via GoToAssist, Skype or helpdesk remote-control software and manually navigate to the file to remove it. That is, if the OS and applications are working well enough that a remote-control app can even be started. If not, it is time to walk to the user's cubicle.
This is another example of Microsoft's protect, detect, and respond vision. No environment is safe from malware, but Defender ATP's Live Response feature lets SOC personnel contain an incident by quickly treating patient one, reducing the risk of infection for patients two, three, and beyond.