Windows Defender Advanced Threat Protection and ThreatLocker
Windows Defender Advanced Threat Protection (ATP) runs files in a sandbox environment to determine whether they are malicious.
- First, Windows Defender ATP creates a VDI sandbox environment in Azure.
- Windows Defender ATP then executes the file it is investigating in this sandbox.
- Once completed, Windows Defender ATP deletes the sandbox.
When Windows Defender ATP investigates the ThreatLocker Stub or MSI installer in this way, the installer runs and ThreatLocker is installed on the VDI in Azure. As a result, the VDI is unintentionally added as a computer under the organization whose installer file is being investigated. When Windows Defender ATP then deletes the VDI, the ThreatLocker Agent is never uninstalled, so the sandbox computer remains listed as a computer in the organization even though it no longer exists.
These sandbox machines that have been created and deleted by Windows Defender ATP will share the following characteristics:
- They will show as offline.
- They will show as having checked in for about 2 minutes after installation time.
- They will have generic names that can repeat over time (e.g. ANAUSTI, DAZHILONG).
- They will have an IP address that points to Microsoft Azure (e.g. 18.104.22.168).
- The Make and Model of the sandbox, as viewed from the 'Edit' window on the Computers page, will be nonsensical, showing a word and a 4-digit number (e.g. GIGABYTE 3021).
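The characteristics above can be checked mechanically against a computer inventory export rather than by eye. The following is an added example, not ThreatLocker's or Microsoft's code: it assumes a hypothetical CSV export with name, status, install time, last check-in, IP, make and model columns (ThreatLocker's real export layout may differ), uses constructed sample rows, and treats a /24 built around the IP quoted above as a placeholder for whatever Azure address ranges an operator chooses to list. An entry is flagged only when several indicators agree, so a single offline workstation is not mistaken for a phantom sandbox.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample export. Column layout is an assumption for this example,
# not ThreatLocker's actual export format. First two rows mimic the sandbox
# entries described above; the last two are ordinary endpoints.
SAMPLE_CSV = """name,status,install_time,last_checkin,ip,make,model
ANAUSTI,Offline,2024-03-01T10:00:00,2024-03-01T10:02:00,18.104.22.168,GIGABYTE,3021
DAZHILONG,Offline,2024-03-02T11:00:00,2024-03-02T11:01:30,18.104.22.170,GIGABYTE,3021
LAPTOP-FIN01,Online,2023-11-20T09:00:00,2024-03-05T08:59:00,10.0.4.21,Dell Inc.,Latitude 5540
DESK-HR02,Offline,2023-12-01T14:00:00,2024-02-28T17:30:00,10.0.4.55,LENOVO,ThinkPad T14
"""

# Placeholder list of cloud sandbox prefixes. Derived from the example IP in
# the article for illustration only; an operator should supply real ranges.
CLOUD_SANDBOX_PREFIXES = [ipaddress.ip_network("18.104.22.0/24")]

# A sandbox checks in for roughly two minutes after install; allow some slack.
MAX_CHECKIN_WINDOW = timedelta(minutes=5)

# "Word plus 4-digit number", e.g. GIGABYTE 3021.
MAKE_PATTERN = re.compile(r"[A-Za-z]+")
MODEL_PATTERN = re.compile(r"\d{4}")

# Require this many independent indicators before flagging an entry.
MIN_INDICATORS = 3


def rows_from_csv(text):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def sandbox_indicators(row):
    """Return the list of sandbox characteristics a row exhibits."""
    reasons = []

    if row["status"].strip().lower() == "offline":
        reasons.append("offline")

    install = datetime.fromisoformat(row["install_time"])
    last = datetime.fromisoformat(row["last_checkin"])
    if timedelta(0) <= last - install <= MAX_CHECKIN_WINDOW:
        reasons.append("last check-in within minutes of install")

    if MAKE_PATTERN.fullmatch(row["make"].strip()) and MODEL_PATTERN.fullmatch(row["model"].strip()):
        reasons.append("nonsensical make/model (word + 4 digits)")

    try:
        addr = ipaddress.ip_address(row["ip"].strip())
        if any(addr in net for net in CLOUD_SANDBOX_PREFIXES):
            reasons.append("IP in listed cloud sandbox range")
    except ValueError:
        pass  # malformed IP: treat as no evidence either way

    return reasons


def is_likely_sandbox(row):
    """True when enough indicators agree to call the entry a phantom sandbox."""
    return len(sandbox_indicators(row)) >= MIN_INDICATORS


def find_sandbox_entries(csv_text):
    """Names of inventory entries that look like deleted Defender ATP sandboxes."""
    return [row["name"] for row in rows_from_csv(csv_text) if is_likely_sandbox(row)]


if __name__ == "__main__":
    for row in rows_from_csv(SAMPLE_CSV):
        print(row["name"], is_likely_sandbox(row), sandbox_indicators(row))
```

Review the flagged names before deleting anything from the Computers page; the name-repetition characteristic is deliberately not scored here, since a legitimate machine can share a short hostname with a previous sandbox.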
If you find these sandbox computers listed in your organization, you can safely delete them from the list. They should not reappear unless Windows Defender ATP scans the ThreatLocker Stub or MSI installers again. No charges will be accrued for computers that do not check in for 7 days.
To prevent these sandbox computer entries from reoccurring, delete the ThreatLocker Stub or MSI after installation so that Windows Defender ATP cannot scan it again.
If you need further assistance, please reach out to the Cyber Heroes.