I've noticed the file 'c:windowssystem32rasmsense.exe' appearing for all users on my RDS (terminal server). My allowlisting software has flagged it and stopped it from running. When I searched the hash online, it seems to be related to PowerShell. This file just started showing up this week, and there have been no recent updates or new software installations on the server. I've checked the server thoroughly, but I can't find this executable anywhere. Interestingly, my allowlisting software indicates some access from users in the USA and India, and we have a few users logging in from India. Has anyone experienced this issue before?
2 Answers
I wouldn’t worry too much, it sounds like a common issue with new Microsoft processes like this one. If it’s being blocked, your system is working correctly. Just keep monitoring your logs for any unusual activity!
True, and if you're really concerned, you might want to reach out to Microsoft support for clarification.
I checked on VirusTotal, and it seems like there isn’t a file in that path, which is strange. It might be generated during logins, and your allowlisting software is just stopping it. Monitoring that folder while logging in from another session could help catch it if it shows up. Definitely keep an eye on it!
Yeah, I read that it's part of the new Microsoft Sense EDR process, so it could be legit. But it does make sense that it could be flagged because it handles network tasks.
Exactly, it's a legitimate Microsoft process. Sometimes they get flagged due to the nature of what they do.

Yeah, especially if you have users connecting from those regions. Just make sure everything else is secure.
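
The monitoring suggested in the second answer (watch the folder while a user logs in from another session), as an added example that is not from any poster in this thread: a PowerShell watcher that copies a matching file as soon as it appears and records its SHA-256 and Authenticode signer. The path in the question has lost its separators, so the `*msense.exe` filter with subfolder matching and the `C:\Triage` output folder are assumptions.

```powershell
# Added example. Run in an elevated session and leave it open while a test user logs in.
$root   = Join-Path $env:SystemRoot 'System32'   # assumed parent folder
$filter = '*msense.exe'                          # assumed: matches the name in any subfolder
$outDir = 'C:\Triage'                            # hypothetical evidence folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher $root, $filter
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter          = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.InternalBufferSize    = 65536           # System32 is busy; reduce dropped events

$action = {
    $path = $Event.SourceEventArgs.FullPath
    $rec  = [ordered]@{
        TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
        Change  = $Event.SourceEventArgs.ChangeType.ToString()
        Path    = $path
    }
    try {
        # The file may be short-lived: copy it first, then inspect the copy.
        $name = '{0}_{1}' -f (Get-Date -Format 'yyyyMMddHHmmssfff'), (Split-Path $path -Leaf)
        $copy = Join-Path $Event.MessageData $name
        Copy-Item -LiteralPath $path -Destination $copy -ErrorAction Stop
        $sig  = Get-AuthenticodeSignature -LiteralPath $copy
        $rec.Sha256    = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        $rec.SigStatus = $sig.Status.ToString()
        $rec.Signer    = $sig.SignerCertificate.Subject   # empty when the file is unsigned
    } catch {
        $rec.Error = $_.Exception.Message                 # e.g. file already gone or locked
    }
    [pscustomobject]$rec | ConvertTo-Json -Compress |
        Add-Content -Path (Join-Path $Event.MessageData 'hits.jsonl')
}

# Created and Renamed cover both a direct drop and a temp-file-then-rename pattern.
foreach ($evt in 'Created', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt `
        -SourceIdentifier "SenseWatch.$evt" -Action $action -MessageData $outDir | Out-Null
}
$watcher.EnableRaisingEvents = $true

# Stop watching: Get-EventSubscriber -SourceIdentifier 'SenseWatch.*' | Unregister-Event
```

Each hit is appended to `hits.jsonl` in the output folder; compare the recorded signer and hash with what the allowlisting product reported before deciding whether to allow the file.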