M365 Defender flags MMAExtensionHeartbeatService and GCService as potential risk


This feedback is provided for improvement of Azure Monitor experience in customers using the M365 Defender Security Recommendations feature.

M365 Defender produces a vulnerability recommendation of "Change service executable path to a common protected location" for the default setup of MMA on Windows computers. Both the "GCService" (Azure Policy Guest Configuration) and the "MMAExtensionHeartbeatService" (Microsoft Monitoring Agent Azure VM Extension Heartbeat) are located in C:\Packages. The remediation option is "Move your service executable to a common protected path like 'C:\Windows', 'C:\Program Files', 'C:\Program Files(x86)', or 'C:\ProgramData'."

Of course, you can 'Create Exception' with the "Third party control" justification, which would clear the vulnerability finding; however, this exposes the computer to all threats of this type, since it is not granular enough to only permit the allowed exceptions. I recommend either adding C:\Packages to the common protected paths list or allowing for granular application of exceptions to this policy.

1 Reply
I second this feedback. In addition to the "GCService" and "MMAExtensionHeartbeatService" that John mentioned, I'm also seeing this recommendation for "vmGuestHealthAgent" and "HybridWorkerService". Both of these additions also reside in "C:\Packages". Does the security recommendation *actually* intend that I change the executable path for Microsoft services?
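A way to reproduce and triage the finding from both posts on a given VM, as an added PowerShell example that is not from the thread or from Microsoft: it lists every service whose executable sits outside the four protected roots named in the recommendation, marks the Azure agent services the posts mention, and checks whether the executable's directory is writable by low-privileged principals, which is the hijack risk the recommendation is meant to address. The service names and protected roots come from the posts; the function names and the ACL heuristic are assumptions.

```powershell
# Added example, not from the original thread. Lists services whose executable
# sits outside the four protected locations named in the Defender finding and
# checks whether the executable's directory is writable by ordinary users.
$ProtectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Azure agent services named in the thread that ship under C:\Packages.
$KnownAzureAgents = 'GCService', 'MMAExtensionHeartbeatService',
                    'vmGuestHealthAgent', 'HybridWorkerService'

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments, e.g. "C:\dir\svc.exe" -flag
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }   # unquoted form
    return ($PathName -split '\s+')[0]
}

function Test-ProtectedPath {
    param([string]$Path)
    foreach ($root in $ProtectedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Test-UserWritableDirectory {
    # $true if Users/Everyone/Authenticated Users hold any write bit on the directory.
    param([string]$ExePath)
    $dir = Split-Path -Parent $ExePath
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return $null }
    $lowPrivileged = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPrivileged -contains $ace.IdentityReference.Value -and
            ([int]($ace.FileSystemRights -band $writeBits)) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if (-not $_.PathName) { return }                     # skip entries without a path
    $exe = Get-ServiceExecutablePath $_.PathName
    if (-not (Test-ProtectedPath $exe)) {
        [pscustomobject]@{
            Service         = $_.Name
            Executable      = $exe
            KnownAzureAgent = $KnownAzureAgents -contains $_.Name
            DirUserWritable = Test-UserWritableDirectory $exe
        }
    }
}
```

A row with KnownAzureAgent = True and DirUserWritable = False is the case the posts describe: flagged only because of the path, with the directory ACL giving no practical exposure, so it is a candidate for a narrow per-service exception rather than a blanket "Third party control" one.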