Why does AppCheck trigger alerts from EDR/AV platforms such as Windows Defender?
Our scanner is designed to perform in-depth inspections of your systems and networks, which often involves behaviours that mimic those of malicious actors:
- Port scanning (probing many network ports rapidly)
- Service fingerprinting (sending crafted packets to identify services)
- Vulnerability probing (sending known malicious patterns to test system responses)
Modern antivirus software and EDR platforms (including Microsoft Defender) are designed to detect suspicious patterns of activity, not just known malware. As a result, security scanners frequently trigger antivirus detections or generate event log entries even though no malicious intent is present.
This is normal and expected for any advanced security scanning activity.
What kind of alerts or events should I expect?
Depending on your environment and security configuration, you might observe*:
- Antivirus detections under the categories of:
  - Virus/Trojan
  - Hacking tools
  - Exploits
  - Behaviour
- Event log entries under categories such as:
  - Windows Defender: threat detection, exploit attempt detected
  - Azure Security Center / Microsoft Defender for Cloud: alerts about unusual port activity, lateral movement attempts or brute-force patterns
- SIEM/SOAR platform alerts about:
  - Network scanning
  - Potential lateral movement
  - Enumeration attempts
- Windows Event Log entries:
  - AppCheck services started/stopped
*Other alerts concerning the AppCheck service that are not listed above may also be noted; this list is not exhaustive.
My alert from my EDR platform is for malware. Does the scan hub contain malware?
No.
Our scan hubs host legitimate security tooling used to identify vulnerabilities and risks within your environment before malicious actors do. However, they do host security tooling, scripts and files that automated antivirus or monitoring systems often interpret as malicious.
In cloud environments, tooling such as Microsoft Defender for Cloud/Endpoint will be in a position to scan the contents of the scan hub directly. This can often trigger a large number of alerts and detections around malicious tooling, trojans, batch scripts, viruses, etc.
Customers are assured that our scan hubs are:
- Developed and maintained according to security best practices
- Used exclusively under customer authorisation
- Free of malicious files used in a destructive or harmful way against customer networks/devices
How do I resolve these issues, or prevent the alerts from occurring?
We recommend:
- Adding the scanner’s IP addresses or hostname(s) to your allowlists (firewalls, antivirus exclusions, monitoring systems).
- Whitelisting specific scanner binaries if used locally.
- Documenting scheduled scans internally so SOC (Security Operations Center) and IT teams recognise expected scanning events.
- Communicating the scan window(s) to internal security teams/staff and familiarising them with the details outlined in this FAQ.
Whitelisting should be scoped narrowly to the scanning activity only, to avoid introducing broader security risks.
Please note that AppCheck do not maintain documentation on how to achieve this in any given system, due to the number of possible solutions our customer base may be using; AppCheck recommend checking this with the specific vendor in question.
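As an added example of the narrow scoping recommended above (this is not AppCheck's code and does not describe any particular SIEM's suppression feature), the following Python sketch tags an event as expected scanner activity only when three conditions all hold: the source address is in the allowlisted scanner ranges, the timestamp falls inside a documented scan window, and the alert category is one a vulnerability scan plausibly produces. The IP ranges, scan window, log format and log lines are constructed placeholders; substitute the ranges and schedule agreed with your vendor and SOC.

```python
# Added example (not AppCheck's code): tune out SIEM events that match an
# authorised scanner source, a documented scan window AND a scan-like category.
# Everything else keeps its normal analyst handling.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed scanner source ranges (RFC 5737 documentation addresses, not real
# AppCheck addresses): replace with the ranges your vendor supplies.
SCANNER_SOURCES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.10/32")]

# Assumed scan windows agreed with the SOC in advance, in UTC.
SCAN_WINDOWS = [
    (datetime(2024, 5, 1, 22, 0, tzinfo=timezone.utc),
     datetime(2024, 5, 2, 4, 0, tzinfo=timezone.utc)),
]

# Only categories a vulnerability scan plausibly produces are eligible for
# tuning; a scanner-sourced alert in any other category still goes to an analyst.
SCAN_LIKE_CATEGORIES = {"network_scan", "enumeration", "exploit_attempt",
                        "hacking_tool", "lateral_movement"}


@dataclass
class Event:
    ts: datetime
    src_ip: str
    category: str
    message: str


def parse_line(line):
    """Parse a constructed log line: '<ISO-8601 timestamp> <src_ip> <category> <message>'."""
    ts_text, src_ip, category, message = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts_text), src_ip, category, message)


def from_scanner(src_ip):
    """True when the source address lies inside an allowlisted scanner range."""
    addr = ip_address(src_ip)
    return any(addr in net for net in SCANNER_SOURCES)


def in_scan_window(ts):
    """True when the timestamp falls inside a documented scan window."""
    return any(start <= ts <= end for start, end in SCAN_WINDOWS)


def classify(event):
    """Return ('expected-scan', reason) only when category, source and time all
    match; otherwise ('investigate', reason) explaining which check failed."""
    if event.category not in SCAN_LIKE_CATEGORIES:
        return "investigate", "category is not typical scanner activity"
    if not from_scanner(event.src_ip):
        return "investigate", "source is not an allowlisted scanner address"
    if not in_scan_window(event.ts):
        return "investigate", "outside the documented scan window"
    return "expected-scan", "allowlisted scanner, in window, scan-like category"


def triage(lines):
    """Classify every line; returns a list of (src_ip, category, verdict, reason)."""
    results = []
    for line in lines:
        ev = parse_line(line)
        verdict, reason = classify(ev)
        results.append((ev.src_ip, ev.category, verdict, reason))
    return results


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "2024-05-01T23:15:00+00:00 198.51.100.7 network_scan tcp ports 1-1024 probed",
    "2024-05-01T23:20:00+00:00 198.51.100.7 data_exfiltration 40MB sent to external host",
    "2024-05-02T09:00:00+00:00 198.51.100.7 network_scan tcp ports 1-1024 probed",
    "2024-05-01T23:30:00+00:00 10.0.0.55 enumeration SMB share enumeration",
]

if __name__ == "__main__":
    for src, cat, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict:14} {src:15} {cat:18} {reason}")
```

Of the four sample lines, only the first is tagged as expected: the second comes from the scanner but in a category a scan does not produce, the third is the scanner outside its window, and the fourth is scan-like traffic from a non-scanner address. Keeping the three checks separate, and recording which one failed, is what stops an allowlist from quietly becoming a blind spot.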