GCIH, GCFE | Sr. Security Consultant | Digital Forensics, Incident Response & SOC | @CuratedIntel Contributing DFIR Member
Jun 10, 2022 • 4 tweets • 2 min read
Ever wondered what happens when #MicrosoftDefender quarantines a PUP, but then you go into the notification and select to "Allow" the application in the future? Well, a Registry value with the name of the ThreatId (the detected threat) is set in the Registry with a Data of 6 for Ignore.
It seems that this Regkey is regularly cleaned, however, since the application gets flagged every few days and I need to restart the process.
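The thread does not name the key, so here is an added audit script (mine, not the author's) that lists every per-threat default-action override Defender has recorded and flags the ones set to 6. It assumes the override lives under `HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction` (with a Group Policy twin under `HKLM\SOFTWARE\Policies\...`), which is the registry backing of `Set-MpPreference -ThreatIDDefaultAction_Ids / -ThreatIDDefaultAction_Actions`, and that the DWORD data uses Microsoft's documented action codes (1 Clean, 2 Quarantine, 3 Remove, 6 Allow, 8 UserDefined, 9 NoAction, 10 Block). The function name and the hashtable are my own.

```powershell
# Added example, not code from the original thread.
# Assumption: per-threat overrides are REG_DWORD values named by decimal threat ID
# under these two keys; data 6 is the "Allow"/"Ignore" the thread describes.
$ActionNames = @{
    1  = 'Clean'
    2  = 'Quarantine'
    3  = 'Remove'
    6  = 'Allow'        # user clicked "Allow on device"
    8  = 'UserDefined'
    9  = 'NoAction'
    10 = 'Block'
}

$ThreatActionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction'          # local override
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction' # pushed by GPO / MDM
)

function Get-DefenderThreatOverride {
    <#
    .SYNOPSIS
    Enumerates Defender's per-threat default-action overrides and, with -AllowedOnly,
    returns just the entries set to 6 (Allow), which silence future detections.
    #>
    [CmdletBinding()]
    param(
        [string[]]$KeyPath = $ThreatActionKeys,
        [switch]$AllowedOnly
    )

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path

        foreach ($name in $key.GetValueNames()) {
            # Value names are expected to be numeric threat IDs; skip anything else.
            if ($name -notmatch '^\d+$') { continue }
            $data = [int]$key.GetValue($name)
            if ($AllowedOnly -and $data -ne 6) { continue }

            # Resolve the ID to a name from Defender's own detection history, if still present.
            $threatName = $null
            try {
                $threatName = (Get-MpThreat -ThreatID ([int64]$name) -ErrorAction Stop).ThreatName
            } catch { }

            [pscustomobject]@{
                Source     = if ($path -like '*\Policies\*') { 'Policy' } else { 'Local' }
                ThreatID   = [int64]$name
                ThreatName = $threatName
                ActionCode = $data
                Action     = if ($ActionNames.ContainsKey($data)) { $ActionNames[$data] } else { "Unknown($data)" }
                Key        = $path
            }
        }
    }
}

# Usage (run elevated; Defender's registry keys are ACL-protected):
Get-DefenderThreatOverride -AllowedOnly | Format-Table -AutoSize

# Cross-check against the supported view; the ID/action pairs should match the registry.
Get-MpPreference | Select-Object ThreatIDDefaultAction_Ids, ThreatIDDefaultAction_Actions
```

For IR work, an entry with Action = Allow under the Local key is worth a second look whenever the threat name is not something the user plausibly clicked through themselves; an entry under the Policy key was set by an administrator channel rather than the notification dialog. Reverting a single override is `Remove-ItemProperty` on that value name (or `Set-MpPreference -ThreatIDDefaultAction_Ids <id> -ThreatIDDefaultAction_Actions Quarantine`), after which the next scan will act on the threat again.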