evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0

Threat Detection #33

Closed sebastien5342 closed 6 months ago

sebastien5342 commented 7 months ago

During the script procedure, Microsoft Defender detected: Backdoor:ASP/Webshell.X. Every time I ran the procedure, I got the same detection, but the detection disappeared almost instantly after. I was wondering what was generating this alert?

evild3ad commented 6 months ago

It is better to disable Microsoft Defender AntiVirus temporarily or, better, exclude the MemProcFS-Analyzer directory from scanning. Microsoft Defender AntiVirus would slow down the analysis process and probably conflict with the ClamAV scan.

In my environment I manually disable tamper protection for the duration of memory analysis, so that MemProcFS-Analyzer.ps1 can disable Microsoft Defender AntiVirus temporarily (which also includes AMSI). That works best for me.

I expect it is a generic detection which I cannot avoid.
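The steps in the reply above (exclude the analyzer directory from Defender scanning, or turn real-time protection off after tamper protection has been switched off by hand) together with a way to answer the original question of which file a detection was attributed to, as an added PowerShell example that is not part of this issue or of the MemProcFS-Analyzer project. It assumes the analyzer lives in C:\Tools\MemProcFS-Analyzer and an elevated session on the analysis host; the cmdlets used (Get-MpComputerStatus, Get-MpPreference, Add-MpPreference, Remove-MpPreference, Set-MpPreference, Get-MpThreat, Get-MpThreatDetection) come from the built-in Defender module.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from MemProcFS-Analyzer.
# Assumption: the analyzer and everything it writes live under this directory.
$AnalyzerDir = 'C:\Tools\MemProcFS-Analyzer'

# 1. Preferred option from the reply: exclude the analyzer directory (tools,
#    extracted artifacts, ClamAV output) rather than switching Defender off.
Add-MpPreference -ExclusionPath $AnalyzerDir
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -notcontains $AnalyzerDir) {
    throw "Exclusion for $AnalyzerDir was not applied"
}
Write-Host "Excluded from Defender scanning: $AnalyzerDir"

# 2. Stronger option from the reply: disable real-time monitoring (which also
#    takes AMSI scanning with it) for the duration of the analysis. Tamper
#    Protection blocks this change and cannot be turned off from PowerShell;
#    it has to be switched off in the Windows Security app first.
$status = Get-MpComputerStatus
if ($status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is on; real-time monitoring cannot be disabled from here.'
} else {
    Set-MpPreference -DisableRealtimeMonitoring $true
    Write-Host "Real-time monitoring enabled: $((Get-MpComputerStatus).RealTimeProtectionEnabled)"
}

# 3. Which file did the detection hit? Get-MpThreatDetection lists detection
#    events with the affected resources; Get-MpThreat maps ThreatID to a name.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $threatNames[$_.ThreatID] -like '*Webshell*' } |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime,
                  @{ n = 'ThreatName'; e = { $threatNames[$_.ThreatID] } },
                  ProcessName,
                  @{ n = 'Resources';  e = { $_.Resources -join '; ' } } |
    Format-List

# 4. When the analysis is finished, put the host back the way it was.
#    Uncomment to run:
# Remove-MpPreference -ExclusionPath $AnalyzerDir
# Set-MpPreference -DisableRealtimeMonitoring $false
```

The Resources field (entries of the form `file:_<path>`) and ProcessName show which extracted file or script a generic detection such as the ASP webshell signature was raised against, which is usually enough to tell a carved artifact from the analyzer's own code. Step 4 matters: a permanently excluded directory on a DFIR workstation is a blind spot, and an exclusion or disabled real-time monitoring left behind after the case is a finding in its own right.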