
We are often getting incidents from Microsoft Defender about malicious activity detected on user devices. For example, lately we had an incident that said there was a defense evasion; however, at the crux of the issue is that the user simply had McAfee installed, and y'all know how two antiviruses can hate each other, which also meant Defender was disabled on the user machine. We uninstalled McAfee and that took care of the problem.

We are trying to cut down on the incident occurrence by implementing some sort of policy that restricts which software is allowed to be installed.

The problem with that is that many developers would probably face issues, and they could complain that the software they want is getting blocked. From personal experience, I would agree; I can't tell you how annoying it is to have to get approval for something as simple as Notepad++ or SSMS, etc.

So for now we are considering just having a sort of alert system for any discovered applications, so that if such an app gets installed and discovered by Endpoint, it alerts us and we can approve it right away.

Can that be done in Endpoint? We are basically just trying to look for reasonable solutions to counter the frequent incident problem.

discovered apps

Cataster

0 Answers
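One way to get the "alert, don't block" behaviour the question asks about, as an added example that is not part of the original post: an Advanced Hunting query for Microsoft Defender for Endpoint that surfaces newly installed applications by watching for new entries under the Windows Uninstall registry key, which can be saved as a custom detection rule that raises an alert for triage. The schema names are the Advanced Hunting tables and columns as I know them; the approved-software list is a constructed placeholder to replace with your own allowlist.

```kql
// Added example (not from the original post). Alert on newly registered
// applications so they can be reviewed and approved rather than blocked.
// ApprovedSoftware is a constructed placeholder; fill it with the tools
// your developers are already allowed to use.
let ApprovedSoftware = dynamic(["Notepad++", "Microsoft SQL Server Management Studio"]);
DeviceRegistryEvents
| where Timestamp > ago(1h)
// Installers write the product's DisplayName under ...\CurrentVersion\Uninstall\<product>
// (HKLM, the WOW6432Node view, and per-user HKCU installs all share that suffix)
| where ActionType == "RegistryValueSet" and RegistryValueName == "DisplayName"
| where RegistryKey contains @"\CurrentVersion\Uninstall\"
| extend SoftwareName = tostring(RegistryValueData)
// Skip anything already on the approved list
| where not(SoftwareName has_any (ApprovedSoftware))
// Timestamp, DeviceId and ReportId are required for a custom detection rule;
// the initiating-process columns show who ran the installer and how
| project Timestamp, DeviceId, DeviceName, ReportId, SoftwareName, RegistryKey,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
```

Run it first as a plain hunting query to size the noise, then save it as a custom detection rule with a low severity and a run frequency that matches the `ago()` window so the same install is not reported twice.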