Windows Defender – Suspicious command launched from remote location

Last updated on: November 18th, 2021

Background

To inventory Windows operating systems, vScope uses WMI or WinRM (depending on your preferences). This is called a Discovery. Both WMI and WinRM run scripts from the vScope server to fetch information from a remote (target) server, which can cause antivirus products to raise alerts about remote scripting. Windows Defender has a built-in alert, “Suspicious command launched from a remote location”, that can be triggered by vScope’s Discovery.

How to mitigate

If you use Discovery in vScope and find this incident in your Windows Defender, first verify that the incident originates from the vScope server and that the account involved is the credential configured for WMI. Only then can you safely classify the alert as “False alert”, since commands launched from a remote location are normal behavior for any network discovery. If you do not recognize the server or the credential used, the alert is not related to vScope’s Discovery and should be investigated as usual.
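The check above, that both the originating server and the account match vScope's Discovery configuration before an alert is dismissed, can be encoded as a small triage helper. The following is an added example, not vScope's or Microsoft's own code; the alert field names, host names, and account names are constructed assumptions, and the allowlist values must be replaced with your own vScope server and WMI/WinRM credential.

```python
"""Triage helper for Defender's "Suspicious command launched from a remote
location" alerts in an environment inventoried by vScope.

Added example, not vScope's code. Alert fields, host names and account
names below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed allowlist: the vScope server and the account configured as the
# WMI/WinRM Discovery credential. Replace both with your own values.
VSCOPE_SERVERS = {"VSCOPE01"}
DISCOVERY_ACCOUNTS = {"CORP\\svc-vscope"}


@dataclass(frozen=True)
class RemoteCommandAlert:
    alert_id: str
    target_host: str      # machine on which the alert was raised
    source_host: str      # machine the remote command was launched from
    account: str          # account that launched the command
    command_line: str     # command observed by Defender


def triage(alert: RemoteCommandAlert) -> str:
    """Classify one alert.

    Returns "false_alert" only when BOTH the originating server and the account
    match vScope's Discovery configuration. A match on just one of the two is
    not enough: a different account on the vScope host, or the Discovery
    credential used from an unknown host, are exactly the cases that deserve
    a closer look, so they return "investigate".
    """
    server_ok = alert.source_host.upper() in {s.upper() for s in VSCOPE_SERVERS}
    account_ok = alert.account.lower() in {a.lower() for a in DISCOVERY_ACCOUNTS}
    return "false_alert" if server_ok and account_ok else "investigate"


def triage_all(alerts: Iterable[RemoteCommandAlert]) -> Dict[str, str]:
    """Classify a batch of alerts, keyed by alert id."""
    return {alert.alert_id: triage(alert) for alert in alerts}


# Constructed sample alerts covering the four combinations of server/account.
SAMPLE_ALERTS = [
    RemoteCommandAlert("A1", "FILESRV01", "VSCOPE01", "CORP\\svc-vscope",
                       "wmiprvse.exe (remote WMI query from vScope Discovery)"),
    RemoteCommandAlert("A2", "FILESRV01", "VSCOPE01", "CORP\\jdoe",
                       "powershell.exe -enc ..."),
    RemoteCommandAlert("A3", "DC01", "WORKSTATION42", "CORP\\svc-vscope",
                       "cmd.exe /c whoami"),
    RemoteCommandAlert("A4", "DC01", "WORKSTATION42", "CORP\\jdoe",
                       "cmd.exe /c whoami"),
]


if __name__ == "__main__":
    for alert_id, verdict in triage_all(SAMPLE_ALERTS).items():
        print(f"{alert_id}: {verdict}")
```

Only A1 is dismissed as a false alert; A2 and A3 each match on one attribute only and are kept for investigation, as is A4. The comparison is case-insensitive because Windows host and account names are not case-sensitive, while the allowlist itself is kept deliberately short so that every entry is a known, documented Discovery source.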

If you don’t want to run network discoveries, you can disable your WMI/WinRM credential in Discovery Manager. Please be aware that this lowers the overall data quality in vScope, because vScope will then rely only on secondary data sources.