Microsoft Defender for Endpoint ASR Rule Flagging SyncroLive.Agent.Runner.exe

Hi all,

Has anyone come across Microsoft Defender for Endpoint, when using ASR rules, picking up the SyncroLive.Agent.Runner.exe service for this rule:
Rule: Block abuse of in-the-wild exploited vulnerable signed driver?

I have included a screenshot below.

We would prefer not to exclude this software if it is in fact abusing the rule; however, has anyone else seen this, and what was the fix?

I'm guessing one of the fixes will be for Syncro \ RepairTech to update the OpenHardwareMonitorLib.sys file in the software package.

Does anyone have any other thoughts?

Cheers.

3 Likes

I have had the same issue with both the SyncroLive.Agent.Runner.exe and the Choco.exe file. It is definitely concerning because it did not flag those 2 files in the past. Curious if there is any explanation from Syncro on this because if there is any validity to their 2 main files being a threat…needs to be addressed ASAP.
[Screenshot: Choco 2, 2024-03-07 224211]

Seeing the same issue when the ASR rule is enabled

Hello. This is what I was told when I reached out to Syncro on this issue. Hope this helps; according to Syncro, nothing to worry about. I assume the error comes because of the depth of functionality Syncro operates with.

From Syncro:
These happen every once in a while with all RMM agents.
Going to pass this on so we can reach out to them.