
Understanding Recent Microsoft Defender Alerts on Automox Windows Endpoints

Microsoft Defender false positives on Automox Windows scripts: What you need to know


Over the past few days, customers have reported Microsoft Defender flagging the contents of a core Automox script as malware. This script is central to the device scanning process. Its directory and file names are randomly generated, but it always runs from beneath the C:\Program Files (x86)\Automox\ directory. Defender's alert identifies the script as containing "SmokeLoader" malware and blocks its execution through the Antimalware Scan Interface (AMSI), the Windows component that hands script content to the installed antimalware engine at run time.

What to know:

  • This issue affects only Windows endpoints running Microsoft Defender.

  • The Automox agent runs PowerShell scripts as part of its normal operations.

  • The alert is a false positive: a recent update to Microsoft Defender's detection rules matches a pattern in one of these scripts as suspicious.

  • Automox has not introduced any changes or bugs that would cause this alert.

Why is Microsoft Defender flagging Automox scripts?

Microsoft Defender recently updated its detection logic and now mistakenly flags certain Automox PowerShell scripts as malicious. When the agent starts one of these scripts, AMSI passes the script's content to Defender, Defender matches it against the updated signature, and the script is blocked with this alert:

An active 'SmokeLoader' malware in a PowerShell script was prevented from executing via AMSI.

Again, this is a false positive. This Automox script is legitimate, and no changes to the Automox agent code triggered this behavior.

What should you do?

If your environment uses Microsoft Defender on Windows endpoints, follow these recommended mitigation steps:

  1. Add a Defender exclusion for the Automox agent folder, C:\Program Files (x86)\Automox\, so Defender stops blocking the agent's scripts. Scope the exclusion to that folder only: anything placed inside an excluded folder is no longer scanned, so a broader exclusion weakens the endpoint more than this issue requires.

  2. Refer to the Automox best practice guide on Defender allowlisting in the Automox console documentation.

  3. Keep monitoring for updates. Automox is working on updates to the Automox Agent to reduce false positives, and the exclusion can be reviewed once the detection no longer fires.

NOTE: The alert does not indicate a real threat or an Automox malfunction, and it was not caused by an Automox update.
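The following PowerShell is an added example, not Automox's own code or guidance. It uses Defender's built-in cmdlets (Get-MpThreat, Get-MpPreference, Add-MpPreference) to confirm that a SmokeLoader detection on the endpoint actually points at a resource under C:\Program Files (x86)\Automox\, and only then adds the folder exclusion described above and verifies it. The path, the threat-name match and the seven-day look-back window are assumptions taken from this article; the script must run in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not Automox's code): triage the Defender detection described in
# this article and, only if it matches the Automox agent folder, add and verify
# the narrow folder exclusion recommended above.
#
# Assumptions (from the article, not verified by this script):
#   - the Automox agent runs from C:\Program Files (x86)\Automox\
#   - the false positive is reported with a threat name containing "SmokeLoader"

$AutomoxRoot = 'C:\Program Files (x86)\Automox\'
$LookBack    = (Get-Date).AddDays(-7)

# 1. Pull Defender's threat history and keep SmokeLoader entries seen recently.
#    Each entry's Resources array names what was flagged; AMSI detections carry
#    an "amsi:" prefix in front of the script path, file detections a "file:" one.
$smokeLoader = @(Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -match 'SmokeLoader' })

if ($smokeLoader.Count -eq 0) {
    Write-Host 'No SmokeLoader detections in Defender threat history; nothing to do.'
    return
}

$automoxHits = @()
$otherHits   = @()
foreach ($t in $smokeLoader) {
    $resources = @($t.Resources)
    if ($resources | Where-Object { $_ -like "*$AutomoxRoot*" }) {
        $automoxHits += $t
    } else {
        # A SmokeLoader hit outside the Automox folder is NOT covered by this
        # article and must be investigated as a potential real infection.
        $otherHits += $t
    }
}

# 2. Report what was found before touching any configuration.
foreach ($t in $automoxHits) {
    Write-Host ('Automox-path detection: {0} -> {1}' -f $t.ThreatName, ($t.Resources -join '; '))
}
foreach ($t in $otherHits) {
    Write-Warning ('SmokeLoader detection OUTSIDE the Automox folder, investigate: {0}' -f ($t.Resources -join '; '))
}

if ($automoxHits.Count -eq 0) {
    Write-Host 'No detection matched the Automox folder; no exclusion added.'
    return
}

# 3. Add the folder exclusion once, scoped to the Automox root only.
#    In a fleet managed by Intune or Group Policy, set the same exclusion through
#    that channel instead; a local change may be overwritten by policy.
$current = @((Get-MpPreference).ExclusionPath)
$already = $current | Where-Object {
    $_.TrimEnd('\') -ieq $AutomoxRoot.TrimEnd('\')
}
if (-not $already) {
    Add-MpPreference -ExclusionPath $AutomoxRoot.TrimEnd('\')
    Write-Host "Added Defender path exclusion for $AutomoxRoot"
} else {
    Write-Host "Defender path exclusion for $AutomoxRoot already present"
}

# 4. Verify the effective configuration. If the path is missing here, a policy
#    (GPO/Intune) or tamper protection is overriding the local change.
$effective = @((Get-MpPreference).ExclusionPath)
if ($effective | Where-Object { $_.TrimEnd('\') -ieq $AutomoxRoot.TrimEnd('\') }) {
    Write-Host 'Verified: Automox folder is in the effective exclusion list.'
} else {
    Write-Warning 'Exclusion not present in effective preferences; check managed policy.'
}
```

The deliberate split between "Automox-path" and "other" detections is the point of the triage: the article only tells you that a SmokeLoader detection on a script under the Automox folder is a false positive, so a SmokeLoader hit anywhere else should be handled as a real alert rather than suppressed. Because a path exclusion turns off scanning for everything written into that folder, keep it limited to the Automox root and revisit it after Microsoft or Automox ships a fix.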

Automox best practice allowlisting documentation can be found here.

Automox commitment to your security and operations

Automox takes endpoint security seriously. This situation highlights the complexities of endpoint protection software interacting with automation tools. Automox continues to work with Microsoft and refine scripts to maintain compatibility with Defender’s evolving detection logic.

If you follow the recommended allowlisting steps, you can expect uninterrupted Automox agent functionality without Defender interference.
