
Understanding Recent Microsoft Defender Alerts on Automox Windows Endpoints

Microsoft Defender false positives on Automox Windows scripts: What you need to know


Over the past few days, customers have reported Microsoft Defender flagging the contents of a core Automox script as malware. This script is central to the device scanning process. The directory and file names are randomly generated, but the script always runs from the C:\Program Files (x86)\Automox\ directory. Defender's alert identifies the script as containing "SmokeLoader" malware and prevents its execution via the Antimalware Scan Interface (AMSI).

What to know:

  • This issue affects only Windows endpoints running Microsoft Defender.

  • The Automox agent runs PowerShell scripts as part of its normal operations.

  • The alert is a false positive triggered by a recent update to Microsoft Defender’s detection rules.

  • Automox has not introduced any changes or bugs that would cause this alert.

  • A recent Defender update flagged a script pattern as suspicious, resulting in the false alert.

Why is Microsoft Defender flagging Automox scripts?

Microsoft Defender recently updated its detection logic and now mistakenly flags certain Automox PowerShell scripts as malicious. Defender’s AMSI technology intercepts script execution and triggers the alert:

An active 'SmokeLoader' malware in a PowerShell script was prevented from executing via AMSI.

Again, this is a false positive. This Automox script is legitimate, and no changes to the Automox agent code triggered this behavior.

What should you do?

If your environment uses Microsoft Defender on Windows endpoints, follow these recommended mitigation steps:

  1. Allowlist Automox agent paths in Defender to prevent detection and blocking of Automox scripts.

  2. Specifically, allowlist the folder: C:\Program Files (x86)\Automox\

  3. Refer to the Automox best practice guide on Defender allowlisting in the Automox console documentation.

  4. Keep monitoring for updates: Automox is working on updates to the Automox Agent to reduce false positives.
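The mitigation above, as an added PowerShell example (not Automox's own tooling): it first lists Defender detections that match the SmokeLoader name so you can confirm the flagged resource sits under the Automox folder, then adds that folder as a Defender path exclusion only if it is not already present, and verifies the change. It assumes the folder named in this post; the Automox agent requirements may list additional paths.

```powershell
# Added example, not Automox-provided code. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$AutomoxDir = 'C:\Program Files (x86)\Automox'   # folder named in the Automox guidance

# 1. Triage: show recent Defender detections for the SmokeLoader name and whether
#    any flagged resource string points under the Automox folder (a heuristic on
#    the resource strings, which for AMSI events may not be a plain file path).
$threatIds = @((Get-MpThreat | Where-Object { $_.ThreatName -like '*SmokeLoader*' }).ThreatID)
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $threatIds } |
    ForEach-Object {
        [pscustomobject]@{
            Detected        = $_.InitialDetectionTime
            Process         = $_.ProcessName
            Resources       = ($_.Resources -join '; ')
            UnderAutomoxDir = [bool]($_.Resources | Where-Object { $_ -like "*$AutomoxDir*" })
        }
    } | Format-Table -AutoSize

# 2. Mitigate: add the path exclusion idempotently so re-running the script is safe.
$current = @((Get-MpPreference).ExclusionPath)
if ($current -contains $AutomoxDir) {
    Write-Host "Exclusion already present: $AutomoxDir"
} else {
    Add-MpPreference -ExclusionPath $AutomoxDir
    Write-Host "Added exclusion: $AutomoxDir"
}

# 3. Verify: re-read the preferences and fail loudly if the exclusion did not apply
#    (for example when Defender settings on this endpoint are managed by policy).
$after = @((Get-MpPreference).ExclusionPath)
if ($after -notcontains $AutomoxDir) {
    throw "Exclusion for $AutomoxDir was not applied; check whether Defender settings are policy-managed."
}
```

Keep the exclusion limited to the documented Automox paths; Defender continues to scan everything outside them.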

NOTE: This does not indicate a real threat or Automox malfunction, and was not brought on by an Automox update.

The Automox best practice allowlisting documentation is available in the Automox console documentation.

Automox commitment to your security and operations

Automox takes endpoint security seriously. This situation highlights the complexities of endpoint protection software interacting with automation tools. Automox continues to work with Microsoft and refine scripts to maintain compatibility with Defender’s evolving detection logic.

If you follow the recommended allowlisting steps, you can expect uninterrupted Automox agent functionality without Defender interference.


Frequently asked questions

Microsoft Defender's Antimalware Scan Interface (AMSI) sometimes flags legitimate PowerShell scripts as malicious when signature updates include overly broad detection patterns. The Automox agent executes PowerShell scripts for patching and remediation, which can trigger false positive alerts like the SmokeLoader detection.

No. This is a false positive caused by Defender's heuristic detection matching patterns in legitimate Automox scripts. Automox scripts are signed and verified. The alert does not indicate that your endpoints are compromised.

Add the Automox installation directory to Microsoft Defender's exclusion list. The specific paths to exclude are documented in the Automox agent requirements. This prevents Defender from scanning legitimate Automox operations while maintaining protection against actual threats.

No. Excluding the Automox directory from Defender scanning only prevents false positives on known-good Automox scripts. Defender continues to protect all other files, processes, and network activity on the endpoint.

Proactively add Automox's installation directories to your antivirus exclusion list as part of your deployment process. This is a best practice for any endpoint management agent and is documented in Automox's agent requirements.
