Microsoft Defender Exploit Guard audit events for Vision Pro

Block credential stealing from the Windows local security authority subsystem

There are three processes that generate 1121/1122 messages in Defender events:

   Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

   For more information please contact your IT administrator.

   ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2

   User: NT AUTHORITY\SYSTEM

   Path: C:\Windows\System32\lsass.exe

   Process Name:

  • C:\Program Files (x86)\Netop\Vision\XL\MeSuAx.exe
  • C:\Program Files (x86)\Netop\Vision\XL\MeCfgVrf.exe
  • C:\Program Files (x86)\Netop\Vision\XL\mesuwts.exe   

None of the above applications are trying to steal credentials. Instead, they are procedures that verify if different Vision applications are running, by searching in the active processes page. For enumerating processes, there are two methods used in these applications: EnumProcesses(...) and WTSEnumerateProcesses(...), both of them generating the exception messages from above:

"In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat."

For more information about the Microsoft Defender security messages and audit events, refer to the following Microsoft article

Posted - Tue, Mar 23, 2021 11:07 AM.
Online URL: https://kb.netop.com/article/microsoft-defender-exploit-guard-audit-events-for-vision-pro-537.html