Microsoft's recommendations regarding the SolarWinds compromise
Background
Please note that Microsoft is detecting a sophisticated security attack that involves compromised third-party software (SolarWinds). On Sunday, December 13, Microsoft Defender released updated detections that alert customers to the presence of these malicious files and recommend that you isolate and investigate the affected devices.
Starting Wednesday, December 16 at 11:00 PM Pacific Standard Time / 11:00 AM Eastern Standard Time, Microsoft changed the malware detection action from alert-only to blocking the malicious files, as shared in the recent Threat Analytics report in Microsoft Defender for Endpoint (windows.com). The malicious files are quarantined even if the malicious process is still running.
To address this, we strongly recommend that you isolate and investigate any device that raises this alert. If special circumstances require the device to stay in use, perform the following steps to exclude the SolarWinds files and avoid a service interruption. Once your investigation is complete, you can restore the original settings.
Steps to exclude the SolarWinds files in Microsoft Defender
For MDAV via GPO Instructions:
PATH: Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus (or Windows Defender Antivirus) -> Threats -> Specify threat alert levels at which default action should not be taken when detected.
Value name: 2147771206
Value: 6
For SCEP via GPO Instructions:
PATH: Computer Configuration -> Administrative Templates -> Windows Components -> Endpoint Protection -> Threats -> Specify threat alert levels at which default action should not be taken when detected.
Value name: 2147771206
Value: 6
Note: If you do not see "Endpoint Protection", refer to: Manage Endpoint Protection using Group Policies - Configuration Manager | Microsoft Docs
For MDAV and SCEP via SCCM Instructions:
PATH: Assets and Compliance, Endpoint Protection -> Antimalware Policies -> <Select relevant policy> -> Threat overrides -> Enter Threat name: Trojan:MSIL/Solorigate.BR!dha
Override action: Allow
For MDAV via MEM using PowerShell Instructions:
Create a PowerShell script with the following content:
Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6
Name it: Allow_SolarWinds.ps1
Save it to e.g. c:\temp
Browse to https://endpoint.microsoft.com
Devices -> Windows -> Powershell scripts
Click on “+Add”
Name: Allow SolarWinds temporarily
Description: Allow SolarWinds temporarily while patching.
Click on “Next”
Script location: Browse to e.g. c:\temp\Allow_SolarWinds.ps1
Run this script using the logged on credentials: No
Enforce script signature check: No
Run script in 64 bit Powershell Host: Yes
Click on Next
Scope tag: < default >
Click on Next
Assignments:
Click on “+Select groups to include”
Select the "Security Group" that has your Windows 10 based systems.
Click on Select
Click on Next
< Review >
Click on Add
Note: For MEM (Intune) PowerShell script troubleshooting, check: C:\ProgramData\Microsoft Intune Management Extension\Logs\IntuneManagementExtension.log
For manual MDAV via PowerShell Instructions:
Launch PowerShell as Admin
Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6
For manual SCEP via PowerShell Instructions:
Launch PowerShell as Admin
Import-Module "$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1"
Set-MProtPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6
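The following is an added example (not part of the Microsoft guidance) that wraps the manual MDAV PowerShell step above so that the override is applied only where the Solorigate detection actually fired, is written to an audit log, and can be reverted once the investigation is complete. The function names and the audit-log path are assumptions; the ThreatID 2147771206 and action value 6 (Allow) come from the guidance.

```powershell
# Added example, not Microsoft's own script. Assumes Windows PowerShell running
# as Administrator with the built-in Defender module (Get-/Set-/Remove-MpPreference).
$SolorigateThreatId = 2147771206   # ThreatID from the guidance above
$AllowAction        = 6            # 6 = Allow, as used in the guidance
$AuditLog           = 'C:\temp\SolarWinds_override_audit.log'   # assumed path

function Write-OverrideAudit([string]$Message) {
    New-Item -ItemType Directory -Force -Path (Split-Path $AuditLog) | Out-Null
    "$(Get-Date -Format o) $env:COMPUTERNAME $env:USERNAME $Message" | Add-Content -Path $AuditLog
}

function Show-SolorigateDetections {
    # List Defender detections for this ThreatID, so the override is only
    # applied on devices where the alert described in the guidance has fired.
    Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $SolorigateThreatId } |
        Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources
}

function Test-SolorigateOverride {
    # Returns $true when the Allow override for the ThreatID is currently set.
    $p = Get-MpPreference
    if ($null -eq $p.ThreatIDDefaultAction_Ids) { return $false }
    for ($i = 0; $i -lt $p.ThreatIDDefaultAction_Ids.Count; $i++) {
        if ([long]$p.ThreatIDDefaultAction_Ids[$i] -eq $SolorigateThreatId) {
            return ([int]$p.ThreatIDDefaultAction_Actions[$i] -eq $AllowAction)
        }
    }
    return $false
}

function Enable-SolorigateOverride {
    # Record the pre-change state, then apply the same override as the guidance.
    $before = Get-MpPreference
    Write-OverrideAudit ("BEFORE Ids=" + ($before.ThreatIDDefaultAction_Ids -join ',') +
                         " Actions=" + ($before.ThreatIDDefaultAction_Actions -join ','))
    Set-MpPreference -ThreatIDDefaultAction_Ids $SolorigateThreatId -ThreatIDDefaultAction_Actions $AllowAction
    Write-OverrideAudit "OVERRIDE applied: ThreatID $SolorigateThreatId action=Allow"
}

function Disable-SolorigateOverride {
    # Remove the per-ThreatID entry so Defender returns to its default
    # (block/quarantine) handling of the file once the investigation is done.
    Remove-MpPreference -ThreatIDDefaultAction_Ids $SolorigateThreatId
    Write-OverrideAudit "OVERRIDE removed: ThreatID $SolorigateThreatId"
}
```

Run Show-SolorigateDetections first, then Enable-SolorigateOverride only on the device that must stay in service, and Disable-SolorigateOverride (verified with Test-SolorigateOverride) when the investigation is complete.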
For updates to the guidance above, refer to https://aka.ms/detect_solorigate.