Applies to: Veriato Windows Agent 10.0.47385 or later
Article No: 21490635621655
Antivirus
If you use Microsoft Endpoint Protection or Microsoft Defender for Endpoint for EDR (Endpoint Detection & Response), you must provide the agent file/folder and process exclusions before attempting to deploy agents. A complete exclusion set is currently necessary to avoid detection by Microsoft's updated protection.
Microsoft provides antivirus protection for endpoints enrolled in Microsoft Intune. To exclude the Cerebral agent, you will need to create a policy in Intune and apply it to the Windows devices you plan to monitor. If you have not yet created groups in Microsoft Endpoint Manager, follow the instructions at the end of this article before creating the exclusion policies.
What to do if the agent has already been detected
If the agent has been deployed to devices joined to Microsoft Endpoint Manager before you had a chance to set up exclusions, Windows Defender may have already found and blocked or cleaned the agent files. These devices would appear in Endpoint security | Antivirus | Active Malware. Create exclusion policies as instructed below and then re-install the agent.
1. Create a group in Endpoint Manager (if necessary)
If you haven't created Groups in Intune/Endpoint Manager, follow these instructions or those provided with your product.
- Create a New Group.
  From the left sidebar of Microsoft Endpoint Manager Admin Center, select Groups.
  Press New Group.
- Set up a Security group.
  For Group type, select Security.
  Enter a Group name and description.
  For Membership type, select Assigned.
- Select group members.
  Press the No members selected link and type a device name in the Search input box. Continue to search for and add devices that belong to this group.
- Press Create to create the group.
You can now assign your Cerebral exclusion policy to the group.
2. Create a .CSV exclusions list and import your list(s)
Not all files will be detected, but to avoid future detection, use the list below to populate a single .csv file. This list applies to Windows Agent version 10.0.47385 and greater.
Paths to Exclude
For installation
VisionInstaller.exe
C:\Windows\winipbin-install\SPSetupWin.exe
C:\Windows\winipbin-install\Config.txt
C:\Windows\winipbin-install\spsetup.exe
C:\Windows\winipbin-install\SR_TmpRun.ini
C:\Windows\winipbin-install\spsetup.log
C:\Windows\winipbin-install\SPSetup64.exe
C:\Windows\winipbin-install\Admin.exe
C:\Windows\winipbin-install\MSVxRsc.dll
C:\Windows\winipbin-install\SPSetup64.log
C:\Windows\winipbin-install\ra.dll
C:\Windows\winipbin-install\crbundl\crx618031\icons\icon16.png
C:\Windows\winipbin-install\crbundl\crx618031\manifest.json
C:\Windows\winipbin-install\crbundl\crx618031\src\bg\spbackground.js
C:\Windows\winipbin-install\crbundl\crx618031\src\content\spcontent.js
C:\Windows\winipbin-install\crbundl\crx618031\src\content\splocal.js
C:\Windows\winipbin-install\crbundl\crxsource.zip
C:\Windows\winipbin\dosudweb32.dll
C:\Windows\winipbin\support.crx
C:\Windows\winipbin\support.xml
For Windows x86 devices, add the following:
C:\Windows\winipbin-install\UUU4BAA.tmp
C:\Windows\winipbin-install\UUU5551.tmp
C:\Windows\winipbin-install\UUU5530.tmp
C:\Windows\winipbin-install\crbundl\crx89312\icons\icon16.png
C:\Windows\winipbin-install\crbundl\crx89312\manifest.json
C:\Windows\winipbin-install\crbundl\crx89312\src\bg\spbackground.js
C:\Windows\winipbin-install\crbundl\crx89312\src\content\spcontent.js
C:\Windows\winipbin-install\crbundl\crx89312\src\content\splocal.js
Installed files:
C:\Windows\winipbin\bissima.dll
C:\Windows\winipbin\bissimo.dll
C:\Windows\winipbin\cmproxfr.dll
C:\Windows\winipbin\eanipw.dll
C:\Windows\winipbin\hdaocogema.dll
C:\Windows\winipbin\jlyfftin.dll
C:\Windows\winipbin\lrdfcndr.dll
C:\Windows\winipbin\mossimo.dll
C:\Windows\winipbin\mrstch.exe
C:\Windows\winipbin\mxcrsc32.exe
C:\Windows\winipbin\prsthasn.exe
C:\Windows\winipbin\quasima.dll
C:\Windows\winipbin\quasimo.dll
C:\Windows\winipbin\rcxaemap.dll
C:\Windows\winipbin\supportch.crx
C:\Windows\winipbin\supportch.xml
C:\Windows\winipbin\supported.appx
C:\Windows\winipbin\supportf.xpi
C:\Windows\winipbin\svrltmgr.dll
C:\Windows\winipbin\svrltmgr64.dll
C:\Windows\winipbin\svrltwp.dll
C:\Windows\winipbin\svrltwp64.dll
C:\Windows\winipbin\vdorctrl.dll
C:\Windows\winipbin\wdwwsm.dll
C:\Windows\winipbin\wesnthelf.dll
C:\Windows\winipbin\wlcnthr.exe
C:\Windows\winipbin\wzodlg32.dll
C:\Windows\winipbin\wzodlg32_*.dll
C:\Windows\winipbin\yamjrd.dll
C:\Windows\winipbin\zrgrshwin.dll
Files added during agent updates have .1 appended to their names (or use a wildcard):
C:\Windows\winipbin\bissimo.dll.1
C:\Windows\winipbin\cmproxfr.dll.1
C:\Windows\winipbin\eanipw.dll.1
C:\Windows\winipbin\mossimo.dll.1
C:\Windows\winipbin\mrstch.exe.1
C:\Windows\winipbin\mxcrsc32.exe.1
C:\Windows\winipbin\ntbsvr.dll.1
C:\Windows\winipbin\quasima.dll.1
C:\Windows\winipbin\quasimo.dll.1
C:\Windows\winipbin\rcxaemap.dll.1
C:\Windows\winipbin\svrltmgr.dll.1
C:\Windows\winipbin\svrltmgr64.dll.1
C:\Windows\winipbin\svrltwp.dll.1
C:\Windows\winipbin\svrltwp64.dll.1
C:\Windows\winipbin\vdorctrl.dll.1
C:\Windows\winipbin\vdorctrl.sys.1
C:\Windows\winipbin\wzodlg32.dll.1
Processes to Exclude
C:\Windows\winipbin\mrstch.exe
C:\Windows\winipbin\mxcrsc32.exe
C:\Windows\winipbin\wlcnthr.exe
C:\Windows\winipbin-install\Admin.exe
C:\Windows\winipbin-install\SPSetupWin.exe
C:\Windows\winipbin-install\Preinstaller.exe
C:\Windows\winipbin-install\spsetup.exe
C:\Windows\winipbin-install\spsetup64.exe
C:\Windows\winipbin-install\SDFMigrator.exe
C:\Windows\winipbin\SDFMigrator.exe
C:\Windows\winipbin-install\bootstrap.exe
C:\Users\*\Downloads\VisionInstaller.exe
C:\Users\*\Downloads\uninstall64.exe
C:\Windows\SysWOW64\Uninstaller.exe
C:\Windows\winipbin-install\Uninstaller.exe
3. Create an exclusion policy
- Log in to the Microsoft Office Home page.
  You will need an Administrator account at https://www.office.com.
- Select the Admin Center from the left toolbar.
  This loads the Microsoft 365 Admin Center.
- Select Endpoint Manager.
  Press the … Show All menu on the sidebar. Under "Admin centers" select Endpoint Manager. A new Windows Endpoint Manager admin center loads.
- Select Endpoint Security.
  The Endpoint Security | Antivirus page loads.
- Under Manage, select Antivirus.
  In the Summary section on the right pane, find the Antivirus Policies section. You will create a new policy to configure the exclusions for Veriato Client and Server files.
- Press + Create Policy to create a policy.
  You are prompted to create a profile for the new policy.
- Set up the policy's profile.
  Select the Windows endpoint Platform for this policy and choose a Profile. The Microsoft Defender Antivirus exclusions profile targets only Microsoft Defender exclusions.
  The Microsoft Defender Antivirus profile allows you to configure additional features for Microsoft Defender for Endpoint. Use this profile for an EDR.
- Proceed to the Basics section.
  Give your Veriato Windows Agent policy a Name and Description.
- Choose Configuration options.
  - If you chose the Microsoft Defender Antivirus exclusions profile, you go directly to Excluded Paths and Processes.
  - If you chose the Microsoft Defender Antivirus profile, review and enable options before entering exclusions.
- Select +Import to import your list of Excluded Paths.
  Navigate to and select your agent .csv file to populate the Excluded Paths list. (The paths in the illustration below are not correct.)
- For Excluded Processes, select +Import and import the same list.
  To prevent detections, select the same Client .csv file to populate the Excluded Processes list.
- Save your changes.
  When both lists are loaded, press Review + save, and then press Save and Next.
- Add Scope Tags, if applicable.
  If you have no tags to add, choose Default and press Next.
- Assign the policy to Groups of endpoint devices.
  Under Assignments, select a Group to assign this policy to. Each Group includes devices enrolled in Intune and already added to an Endpoint Manager group. Once the policy is assigned to the Group where Veriato Agents will be installed, you should be ready to deploy.
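Before deploying, you can confirm on a target device that the assigned policy has actually arrived. The PowerShell check below is an added example, not part of the original article or Veriato's tooling; it uses the built-in Get-MpPreference cmdlet, a shortened copy of the lists above, and a hypothetical helper named Test-ExclusionList, and it assumes an elevated session.

```powershell
# Added example (not from the original article): verify that the Intune
# exclusion policy has reached this device before installing the agent.
# Run in an elevated PowerShell session on a target device.

# Shortened copies of the article's lists; use your full lists in practice.
$expectedPaths = @(
    'C:\Windows\winipbin\mrstch.exe'
    'C:\Windows\winipbin\mxcrsc32.exe'
    'C:\Windows\winipbin\wlcnthr.exe'
    'C:\Windows\winipbin-install\SPSetupWin.exe'
)
$expectedProcesses = @(
    'C:\Windows\winipbin\mrstch.exe'
    'C:\Windows\winipbin-install\spsetup.exe'
    'C:\Users\*\Downloads\VisionInstaller.exe'
)

# Hypothetical helper: returns $true only if every expected entry is present.
function Test-ExclusionList {
    param(
        [string]$Name,
        [string[]]$Expected,
        [string[]]$Actual
    )
    # Defender returns a single "N/A: ..." placeholder instead of the list
    # when the caller is not allowed to view exclusions.
    if ($Actual.Count -eq 1 -and $Actual[0] -like 'N/A*') {
        Write-Warning "${Name}: exclusions are hidden from this session ($($Actual[0]))"
        return $false
    }
    # -notin compares case-insensitively, which matches Windows path semantics.
    $missing = @($Expected | Where-Object { $_ -notin $Actual })
    foreach ($entry in $missing) {
        Write-Warning "${Name}: missing $entry"
    }
    return ($missing.Count -eq 0)
}

$pref    = Get-MpPreference
$pathsOk = Test-ExclusionList -Name 'ExclusionPath' -Expected $expectedPaths -Actual $pref.ExclusionPath
$procsOk = Test-ExclusionList -Name 'ExclusionProcess' -Expected $expectedProcesses -Actual $pref.ExclusionProcess

if ($pathsOk -and $procsOk) {
    Write-Host 'All expected exclusions are present on this device.'
} else {
    Write-Host 'Exclusion policy not fully applied; sync the device with Intune and re-check before deploying.'
}
```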