
Summary
This detection rule monitors for the deletion of the Windows registry key that adds the 'Scan with Defender' option to the context menu of files and folders. Attackers may delete this key as a defense evasion technique, making it harder for users to scan files for malware with Windows Defender. The rule specifically looks for deletions under the registry path for shell extension context menu handlers, particularly the 'EPP' (Endpoint Protection) handler. Because Windows Defender is a key component of user-level malware protection, tampering with it can be a red flag for suspicious activity. The rule is categorized under registry deletion, reflecting its focus on changes to the Windows registry that can weaken endpoint security. Since this behavior is uncommon in legitimate scenarios, the rule is assigned a medium severity level; false positives are considered unlikely, because deleting the key typically diminishes a system's defenses against threats.
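The matching logic described above, written out as an added example rather than the rule's own definition: it runs the "EPP context menu handler key deleted" check over a few constructed registry events. The event shape (Sysmon-style EventID 12 with EventType DeleteKey, Image and TargetObject fields) and the sample key paths under HKLM\SOFTWARE\Classes are assumptions made for this example, not details taken from the page.

```python
"""Toy matcher for a 'Scan with Defender context menu key deleted' rule.

Added example, not the rule's own code. Field names follow Sysmon-style
registry events (an assumption); sample values are constructed.
"""
import json
import re

# The EPP handler key sits under a shell class such as "*", "Directory" or
# "Drive", so match on the tail of the path. Registry paths are
# case-insensitive on Windows, hence IGNORECASE.
EPP_HANDLER_KEY = re.compile(r"\\shellex\\ContextMenuHandlers\\EPP$", re.IGNORECASE)

# Sysmon registry event 12 covers key create and delete; EventType says which.
REGISTRY_KEY_EVENT_ID = 12
DELETE_KEY = "DeleteKey"

# Constructed sample telemetry, one JSON object per line (not real data).
SAMPLE_EVENTS = r"""
{"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\EPP"}
{"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\Directory\\shellex\\ContextMenuHandlers\\epp"}
{"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\EPP"}
{"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Program Files\\ExampleApp\\uninstall.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\ExampleAppMenu"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\*\\shellex\\ContextMenuHandlers\\EPP\\(Default)"}
"""


def is_epp_handler_deletion(event: dict) -> bool:
    """True when the event is a key deletion of an EPP context menu handler."""
    if event.get("EventID") != REGISTRY_KEY_EVENT_ID:
        return False
    if event.get("EventType") != DELETE_KEY:
        return False
    return EPP_HANDLER_KEY.search(event.get("TargetObject", "")) is not None


def detect(json_lines):
    """Run the rule over JSON-per-line events and return one alert per match."""
    alerts = []
    for raw in json_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than stop the pipeline
        if is_epp_handler_deletion(event):
            alerts.append({
                "level": "medium",  # severity stated by the rule summary
                "title": "Scan with Defender context menu handler deleted",
                "image": event.get("Image"),
                "key": event["TargetObject"],
            })
    return alerts


def run_sample():
    """Apply the rule to the constructed sample events."""
    return detect(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['level']}] {alert['title']}: {alert['key']} by {alert['image']}")
```

Only the two DeleteKey events whose path ends in the EPP handler fire; the CreateKey event (an installer re-registering the handler), the deletion of an unrelated handler, and the value-set event under the EPP key are left alone, which is the precision the summary relies on when it calls false positives unlikely.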
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Windows Registry
Created: 2025-07-11