Hi Team, We’ve observed the following script being executed on several servers: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8795.12576079.0.12576079-309b4e8361ee7020fd7fd8bf26c7c6d27dbe6a99\e42f96b8-39ab-482c-86c3-db42380f8e06.ps1 C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8795.12776012.0.12776012-ea4638610e3d754942a7d3936a46012d82c88e4f\e42f96b8-39ab-482c-86c3-db42380f8e06.ps1 Can anyone please confirm if this is a legitimate Microsoft Defender for Endpoint (ATP) diagnostic or investigation script? Also, is there any official documentation or article that explains its purpose and usage? We’re considering whitelisting it to reduce false positives but need validation first. Regards, Hitesh Sungar

Legitimacy and Documentation of PowerShell Script in Windows Defender ATP Data Collection Path

Hitesh Sungar 0

Hi Team,

We’ve observed the following script being executed on several servers:

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8795.12576079.0.12576079-309b4e8361ee7020fd7fd8bf26c7c6d27dbe6a99\e42f96b8-39ab-482c-86c3-db42380f8e06.ps1
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8795.12776012.0.12776012-ea4638610e3d754942a7d3936a46012d82c88e4f\e42f96b8-39ab-482c-86c3-db42380f8e06.ps1

Can anyone please confirm if this is a legitimate Microsoft Defender for Endpoint (ATP) diagnostic or investigation script? Also, is there any official documentation or article that explains its purpose and usage?

We’re considering whitelisting it to reduce false positives but need validation first.

Regards,

Hitesh Sungar

Share via

Legitimacy and Documentation of PowerShell Script in Windows Defender ATP Data Collection Path

Your answer