Hey everyone, I've been trying to install an RMM agent, but I'm getting hit with a Malware warning from Windows Defender, specifically a Trojan:Win32/Kepavll!rfn warning. Has anyone else faced this issue? I also found that one of my servers disconnected from the RMM after a recent Defender update, which makes me think that Defender might be throwing false positives and disrupting agent installations. I shared an image of the warning here: [link to image](https://imgur.com/G4fnSDf). I also noticed it's flagged on VirusTotal, so I'm wondering if there's a common fix for this?
4 Answers
We had a similar situation with an AutoDesk code-signed file that set off Defender and triggered several VirusTotal alerts. We took precautionary measures by isolating the user's computer, and later Microsoft determined it wasn't a threat. It's always good to be cautious in these situations.
You can also file a report with Microsoft about this being a false detection. They have a submission page specifically for this: [link to submission](https://www.microsoft.com/wdsi/filesubmission).
For anyone who might be new to this process, here’s what I did:
1. I informed the software vendor about the issue, and they reached out to Microsoft.
2. I submitted the false positive report to Microsoft as well.
3. I created an exclusion rule in Active Directory to keep the application safe from being removed in the future.
If I had access to Defender for Endpoint, I would have added a Certification Exclusion for the RMM app, but unfortunately, my version doesn't support that.
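A way to triage the flagged installer before excluding it, as an added PowerShell example that is not part of the answer above: it records the SHA256 hash for the Microsoft submission, checks the Authenticode signer, shows what Defender detected for that file, and only then adds a single-file exclusion locally (the AD/GPO route in the answer distributes the same exclusion setting domain-wide). The installer path and the expected signer CN are placeholders you must set.

```powershell
# Added example (not from the thread): triage a Defender-flagged RMM installer before excluding it.
# Assumes the installer path below; replace it with the actual flagged file (placeholder).
$Installer = 'C:\Temp\rmm-agent-setup.exe'

# 1. Record the hash first: this is what the Microsoft file-submission portal and
#    VirusTotal key on, so capture it before anything else touches the file.
$Hash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
Write-Host "SHA256           : $Hash"

# 2. Check the Authenticode signature. A valid chain to the vendor's certificate is the
#    main evidence that this is the vendor's build and not a tampered copy.
$Sig = Get-AuthenticodeSignature -FilePath $Installer
Write-Host "Signature status : $($Sig.Status)"
Write-Host "Signer subject   : $($Sig.SignerCertificate.Subject)"
Write-Host "Signer thumbprint: $($Sig.SignerCertificate.Thumbprint)"

# 3. Show what Defender actually recorded for this file (detection time, threat id, action).
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($Installer) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# 4. Only if the signature is valid AND the signer is the expected vendor, add a narrow
#    exclusion for this one file (not the whole folder). Otherwise keep it quarantined
#    and send the hash to Microsoft and the vendor as described in the thread.
$ExpectedSigner = 'CN=Example RMM Vendor'   # placeholder (assumption): set to the vendor's real CN
if ($Sig.Status -eq 'Valid' -and $Sig.SignerCertificate.Subject -like "$ExpectedSigner*") {
    Add-MpPreference -ExclusionPath $Installer
    Write-Host "Exclusion added for $Installer"
} else {
    Write-Warning "Signature check failed or signer mismatch; not excluding $Installer"
}

# 5. List current path exclusions so the change is auditable.
(Get-MpPreference).ExclusionPath
```

Run it in an elevated PowerShell session; Add-MpPreference and Get-MpThreatDetection require administrator rights.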
It sounds like a false positive to me, especially since you only have two detections on VirusTotal. I'd recommend reporting it to your RMM vendor so they can confirm and address it if necessary.
Thanks for the advice! I'm waiting to hear back from them.
I actually just found that site earlier, thanks for the tip!