Many Adaptive Protection / Behavioral Analysis detections are being received.
search cancel

Many Adaptive Protection / Behavioral Analysis detections are being received.


Article ID: 252356


Updated On:


Endpoint Security Complete


"Suspicious Threat Detected" emails are inundating email inboxes with notification emails, typically related to behavioral analysis for valid Windows scripts. The activities being flagged look normal.


Release : 14.3 RU5


This is working as designed.


These alerts are generated from the Adaptive Protection policy. These will show up as ACM detections, such as ACM.Rd32-InjSvc!g1, ACM.Curl-Lnch!g1, ACM.Ps-InjSvc!g1, or many others. This policy monitors a series of known "Living off the Land" methods of attack. The policies themselves are not detecting malicious code execution, only the known methods. Many OS processes and applications will use these same methods as part of normal operation. The purpose of Adaptive Protection is to be aware of unusual executions and be able to take action on them. If a known method is being exploited in the environment, you can change that method to block until the threat can be neutralized.

To limit the number of received emails, change the alert settings to send only 1 daily email. This is done by selecting the Incidents and Alerts tab to the left of the console, selecting the Alert Rules tab, selecting "Suspicious Threat Detected" from the list of Alerts, and changing the frequency of alerts, as shown: