Depending on the endpoint detection and response (EDR) or extended detection and response (XDR) software in an environment, DeepSurface may be inadvertently prevented from scanning hosts due to a false positive. While DeepSurface takes extensive steps to protect our software build chain, including signing the DeepSurface agents with code signing certificates, most EDR/XDR products simply ignore signatures and use basic heuristics to flag unknown software.
For example, on a Windows host, EDR may prevent the WMI protocol from creating a DeepSurface scheduled task needed to scan the host. An example message from the EDR solution Sophos may look something like this:
'"C:\Windows\system32\schtasks.exe" /create /tn DeepSurface_agentless_scan_qvlsxm72 /xml \\127.0.0.1\ADMIN$\TEMP\DeepSurface_vqfbrrkx2u\ds37-xdiboxns_task.kchl/f'
A simple solution is to configure the EDR rules to allow commands run from the C:\Windows\TEMP\DeepSurface_* directory to run on that host, and on any other affected hosts. Note that the temporary directories used vary slightly by operating system (see above for details).
Here is another example where Microsoft Defender for Endpoint flags a DeepSurface scan as a suspicious scheduled task:
schtasks.exe modified task DeepSurface_agentless_scan_73fk13lq to execute powershell.exe
The false alert can be re-classified or suppressed by following Microsoft's guide on addressing false positives in Microsoft Defender for Endpoint. In this example it makes sense to suppress the alert and allow DeepSurface_agentless_scan_* to execute powershell.exe.
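Before committing an allow rule in the EDR console, it helps to check that the rule's criteria match only the alerts you intend to suppress. The script below is an added example, not DeepSurface's or any EDR vendor's code: it applies the two criteria this page gives (a task named DeepSurface_agentless_scan_* and task XML under C:\Windows\TEMP\DeepSurface_*) to alert lines modelled on the Sophos and Defender messages above, and flags anything that only partly matches. The sample alert strings are constructed; the rewrite of \\host\ADMIN$ to C:\Windows assumes the default ADMIN$ share mapping.

```python
r"""Classify EDR/XDR scheduled-task alerts as expected DeepSurface scan activity.

Added example, not DeepSurface's or an EDR vendor's code. Allowlist criteria
are the ones stated on the page; the sample alerts are constructed and
modelled on the Sophos and Microsoft Defender messages quoted there.
"""
import fnmatch
import re

# Allowlist criteria from the page (lowercased; Windows paths/names are case-insensitive).
ALLOWED_TASK_GLOB = "deepsurface_agentless_scan_*"
ALLOWED_DIR_GLOB = r"c:\windows\temp\deepsurface_*"

# Assumption: the ADMIN$ share maps to C:\Windows, the Windows default.
_ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$", re.IGNORECASE)
_TASK_NAME = re.compile(r"(?:/tn\s+|modified task\s+)(\S+)", re.IGNORECASE)
_XML_PATH = re.compile(r"/xml\s+(\S+)", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Rewrite \\host\ADMIN$\... to c:\windows\... and lowercase for matching."""
    return _ADMIN_SHARE.sub(r"c:\\windows", path).lower()


def parent_dir(path: str) -> str:
    """Directory part of a backslash-separated Windows path."""
    return path.rsplit("\\", 1)[0]


def classify_alert(alert: str) -> str:
    """Return 'expected-deepsurface' if the alert fits the page's allow rule,
    otherwise 'investigate'."""
    m = _TASK_NAME.search(alert)
    if not m:
        return "investigate"
    task = m.group(1).lower()
    if not fnmatch.fnmatchcase(task, ALLOWED_TASK_GLOB):
        return "investigate"

    x = _XML_PATH.search(alert)
    if x:
        # The Sophos-style message on the page shows the /f flag glued to the
        # XML path, so drop a trailing "/f" before checking the directory.
        xml = re.sub(r"/f$", "", x.group(1), flags=re.IGNORECASE)
        directory = parent_dir(normalize_path(xml))
        if fnmatch.fnmatchcase(directory, ALLOWED_DIR_GLOB):
            return "expected-deepsurface"
        # Right task-name prefix but task XML outside DeepSurface's temp dir:
        # the page's rule does not cover this, so it should still be reviewed.
        return "investigate"

    # Defender-style message with no path: the page's rule allows the task
    # name pattern to execute powershell.exe, nothing else.
    if "powershell.exe" in alert.lower():
        return "expected-deepsurface"
    return "investigate"


# Constructed sample alerts, modelled on the two messages quoted on the page.
SAMPLE_ALERTS = [
    r'"C:\Windows\system32\schtasks.exe" /create /tn DeepSurface_agentless_scan_qvlsxm72 /xml \\127.0.0.1\ADMIN$\TEMP\DeepSurface_vqfbrrkx2u\ds37-xdiboxns_task.kchl /f',
    "schtasks.exe modified task DeepSurface_agentless_scan_73fk13lq to execute powershell.exe",
    # Same name prefix, but the task XML lives outside the allowed directory.
    r'"C:\Windows\system32\schtasks.exe" /create /tn DeepSurface_agentless_scan_zzzz /xml C:\Users\Public\task.xml /f',
    # Unrelated scheduled task.
    "schtasks.exe modified task Updater_91 to execute powershell.exe",
]


def classify_all(alerts=SAMPLE_ALERTS):
    """Classify every sample alert; used by the usage example below."""
    return [classify_alert(a) for a in alerts]


if __name__ == "__main__":
    for alert, verdict in zip(SAMPLE_ALERTS, classify_all()):
        print(f"{verdict:22s} {alert}")
```

The third sample is the case worth keeping in mind when writing the rule: a task name that matches DeepSurface_agentless_scan_* but whose XML is not under C:\Windows\TEMP\DeepSurface_* is outside what this page says to allow, so an exclusion keyed on the task name alone would be broader than necessary; keying it on the directory as well keeps the suppression narrow.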