Feb 26 2022 - last edited on Apr 08 2022
This feedback is provided for improvement of the Azure Monitor experience for customers using the M365 Defender Security Recommendations feature.
M365 Defender produces a vulnerability recommendation of "Change service executable path to a common protected location" for the default setup of MMA on Windows computers. Both the "GCService" (Azure Policy Guest Configuration) and the "MMAExtensionHeartbeatService" (Microsoft Monitoring Agent Azure VM Extension Heartbeat) are located in C:\Packages. The remediation option is "Move your service executable to a common protected path like 'C:\Windows', 'C:\Program Files', 'C:\Program Files(x86)', or 'C:\ProgramData'."
Of course, you can 'Create Exception' with the "Third party control" justification, which would clear the vulnerability finding; however, this exposes the computer to all threats of this type, as it is not granular enough to permit only the allowed exceptions. Recommend either adding C:\Packages to the common protected paths list or allowing granular application of exceptions to this policy.
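
A local audit of the condition this recommendation describes, as an added example that is not part of the original post and not Microsoft's detection logic: it lists services whose executable sits outside the four paths named in the remediation text and shows which non-administrative principals hold write access to the executable's folder. The `$trusted` list and the `$writeMask` rights are assumptions to adjust to local policy and OS language.

```powershell
# Added example (assumptions: $trusted and $writeMask below; English principal names).
# Roots taken from the remediation text quoted in the post.
$protectedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Principals expected to hold write access (assumption).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that allow replacing or planting a binary (assumption).
# ACEs that use generic rights (shown by Get-Acl as raw numbers) are not decoded here.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    # PathName holds the executable plus arguments, quoted or unquoted.
    $raw = [Environment]::ExpandEnvironmentVariables($_.PathName)
    if     ($raw -match '^\s*"([^"]+)"')    { $exe = $Matches[1] }
    elseif ($raw -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
    else                                    { $exe = ($raw.Trim() -split '\s+')[0] }

    # Skip services already under a protected root.
    foreach ($root in $protectedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return }
    }

    # Collect Allow ACEs on the folder that grant write-type rights to untrusted principals.
    $dir = Split-Path -Path $exe -Parent
    $writers = @()
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        $writers = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            $_.IdentityReference.Value -notin $trusted
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    }

    [pscustomobject]@{
        Service         = $_.Name
        Executable      = $exe
        NonAdminWriters = ($writers -join '; ')
    }
} | Sort-Object Executable | Format-Table -AutoSize -Wrap
```

An empty `NonAdminWriters` column for a service means the folder's explicit ACEs grant write-type rights only to the listed trusted principals, which is the evidence to attach to a per-service exception.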