Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
1. Validate the alert, collect artifacts, and determine scope
- Inspect the file or driver for suspicious characteristics:
  - Which process created and installed the driver?
  - Is it expected on this device or in the organization?
  - Is the driver in its common location?
  If it is not a valid tool used by a network administrator or other expected user, remove the tool and isolate the device from the network.
- Review the device timeline for suspicious activities that might have occurred before and after the time of the alert.
- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.
- Submit relevant files for deep analysis and review resulting detailed behavioral information.
- If alert characteristics and device behavioral evidence constitute a true positive, consider some of the initial mitigation actions below. Then, contact your incident response team for potential forensic analysis and remediation. If you don't have one, contact Microsoft support.
2. Initiate containment & mitigation
- Record all relevant artifacts to be used in mitigation rules and as new threat intelligence.
- Contact the user to check if the observed behavior was intended.
- Update AV signatures and run a full scan. The scan might reveal and remove previously undetected malware components.
- Ensure that the device has the latest security updates. In particular, ensure that you have installed the latest version of the driver and accompanying software.
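As an added example that is not part of this page, the PowerShell triage script below supports the driver questions in step 1: it lists running kernel drivers, flags any that are unsigned, tampered, missing on disk, or loaded from outside the assumed driver directories, and pulls recent System log event 7045 entries (new service or driver installations) to correlate with the device timeline. The expected-directory list and the seven-day window are assumptions to adjust for your environment.

```powershell
# Added triage helper (not from the original page): enumerates running kernel drivers,
# checks their Authenticode signature and on-disk location, then lists recent
# service/driver installation events (System log, event ID 7045).
# The directories and the lookback window below are assumptions; adjust as needed.

$expectedDirs = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\DriverStore\FileRepository"
)

function Get-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName may use \??\ or \SystemRoot\ prefixes, or be relative
    # to the Windows directory; normalise them to a plain file system path.
    $p = $RawPath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }
    return $p
}

$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
    $path = Get-DriverPath $drv.PathName
    if (-not (Test-Path $path)) {
        # A running driver whose image is gone from disk is itself worth investigating.
        [pscustomobject]@{ Name = $drv.Name; Path = $path; Signature = 'FILE MISSING'; Signer = ''; InExpectedDir = $false }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $inExpected = $expectedDirs | Where-Object { $path -like "$_\*" } | Select-Object -First 1
    [pscustomobject]@{
        Name          = $drv.Name
        Path          = $path
        Signature     = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
        Signer        = $sig.SignerCertificate.Subject
        InExpectedDir = [bool]$inExpected
    }
}

# Unsigned, tampered, or unusually located drivers deserve a closer look ("is it in its common location?").
$findings | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InExpectedDir } | Format-Table -AutoSize

# Event ID 7045 is written when a new service (including a kernel driver) is installed; its message
# names the service, its image path and the account used, which helps reconstruct who installed it.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\r?\n', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated session on the affected device and keep the output with the other collected artifacts; a valid signature alone does not clear a driver, so compare the signer and path against what is expected in your environment.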