Defender for Endpoint Alerts with v2.0.0 - Headless ConHost Process Executed/Suspicious Conhost Child Process #754
bbaird-psb started this conversation in General
Replies: 1 comment
It is not about the code itself, but how it is launched. The method will stay like that for some time.
Hi all,
We have been happy users of 1.X for about 6 months now. We have it pushed to all of our Windows 10 & 11 systems, and it is working well. Thank you to everyone that has contributed to this project!
I started testing 2.0.0 a few weeks ago and Microsoft Defender for Endpoint keeps generating alerts like this:
These are the commands that usually trigger it with winget-notify.ps1, although I saw it triggered once by winget-upgrade.ps1:
If I revert back to 1.21.7, we don't get the alerts at all.
I'm curious if anyone else is seeing this with Defender or other AV/EDR, if anyone has any suggestions on how to handle it, or if the changes that are triggering this were made on purpose. We can probably put these files on an allow list, but I always prefer not to do that whenever possible.
Thanks!