Excluding Checkmk Agent and Robotmk Binaries from Microsoft Defender
Guidance on handling Microsoft Defender detections for Checkmk and Robotmk, including log collection, diagnostics, and safe exclusion practices.
LAST TESTED ON CHECKMK 2.4.0
Overview
This article shows you how to deal with Microsoft Defender alerts that sometimes affect the Checkmk Windows agent and the Robotmk client. So far, every reported finding we analyzed has turned out to be a false positive. These false positives can block the agent, interrupt monitoring, or get in the way of Robotmk jobs. By gathering the right diagnostics first and then setting up narrow exclusions, you can keep Defender satisfied while making sure Checkmk keeps running.
Problem
In some environments, Microsoft Defender flags Checkmk or Robotmk binaries as suspicious or malicious. The most common triggers are:
The binaries are not code-signed (for example, a custom build or an older release).
Robotmk spawns short-lived browser processes that behavioral antivirus engines mistake for malicious activity.
As a result, Defender blocks or quarantines the Checkmk agent or Robotmk binaries, which leads to monitoring gaps or agent failures. Monitoring stops reporting correctly until the detection is resolved or an exclusion is added.
Diagnostic steps before exclusions
Before adding exclusions, gather information to confirm the detection is a false positive and to prepare for escalation if needed:
Check code signing
Use signed binaries whenever possible. If you encounter unsigned binaries, verify why they are unsigned (for example, a custom build or an older version).
Review typical false alarms
Defender’s behavioral and heuristic scanners often cause these detections. Example detection names include:
BScope.Trojan.Alien
Win32/SuspServiceBin
These usually indicate false positives rather than real malware.
Cross-check with VirusTotal
Look up the flagged file on VirusTotal and compare the results. Files you upload are shared with other VirusTotal users and partners, so if the binary carries site-specific configuration, look up its SHA-256 hash first and upload only if the hash is unknown.
If most scanners report the file as clean and only Defender flags it (especially as “Behavior” or “Heuristic”), it is very likely a false positive.
Collect Defender diagnostics
Microsoft provides a supported way to collect a diagnostic bundle for Defender. This is especially important if the issue needs to be escalated to Microsoft.
Collect event logs
Extract Defender’s operational log to identify what exactly was blocked. Events with ID 1116 (threat detected) and 1117 (action taken) name the file, the detection, and the process involved:
```powershell
# Newest first; events 1116 (detected) and 1117 (action taken) name the file and the threat
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -MaxEvents 1000 | Sort-Object TimeCreated -Descending
```
Report unproblematic files to Microsoft
If the file is confirmed safe, submit it to Microsoft for reclassification. If you do not have the rights to do this, contact your IT or security administrator.
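The diagnostic steps above, combined into one script as an added example that is not part of the Checkmk documentation or the Checkmk project’s own tooling. It pulls the 1116/1117 detection events, cross-references them with Get-MpThreatDetection, and for every file Defender named records the Authenticode signature status and the SHA-256 hash you would look up on VirusTotal. It assumes an elevated PowerShell session and the default install paths named in this article; adjust $watchPaths to your host.

```powershell
# Added example: triage Defender detections against Checkmk/Robotmk files
# before touching the exclusion list. Run as administrator.
# Assumption: default install paths from this article; adjust as needed.
$watchPaths = @(
    'C:\Program Files (x86)\checkmk\',
    'C:\ProgramData\checkmk\',
    'C:\ProgramData\robocorp\ht\',
    'C:\robotmk\'
)

# 1. Detection (1116) and action-taken (1117) events that mention our paths
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $watchPaths | Where-Object { $m -like "*$_*" } }

foreach ($e in $events) {
    '{0}  Event {1}' -f $e.TimeCreated, $e.Id
    # Only the lines that identify the threat, the file and the process
    $e.Message -split "`r?`n" | Where-Object { $_ -match '^\s*(Name|Path|Process Name|Action):' }
}

# 2. The same detections from the Defender cmdlets (these survive log rotation)
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { $r = $_.Resources -join ' '; $watchPaths | Where-Object { $r -like "*$_*" } } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources

# 3. Signature status and SHA-256 of every file Defender named.
#    Defender writes the file as "Path: file:_C:\...\name.exe" in the message.
#    Look the hash up on VirusTotal instead of uploading a binary that may
#    contain site-specific configuration.
$files = $events | ForEach-Object {
    if ($_.Message -match 'Path:\s*file:_(?<p>[^\r\n;]+)') { $Matches.p.Trim() }
} | Sort-Object -Unique

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "$f : no longer present (quarantined?)"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    [pscustomobject]@{
        File      = $f
        Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject   # empty when NotSigned
        SHA256    = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    }
}
```

A Signature of NotSigned on a file that should be a signed release, or HashMismatch on any file, is a reason to stop and verify the download rather than add an exclusion; the SHA256 column is what you paste into the VirusTotal search box and into a Microsoft submission.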
Workarounds and temporary exclusions
When monitoring is disrupted, you can quickly exclude flagged Checkmk binaries or folders to restore functionality. This is not a substitute for long-term fixes but ensures that monitoring remains operational.
You can find a detailed listing of relevant directories and files in our official documentation.
Common Checkmk paths to exclude
C:\Program Files (x86)\checkmk\
C:\ProgramData\checkmk\
Robotmk-related exclusions
C:\ProgramData\robocorp\ht\*
C:\robotmk\*
Adding exclusions in PowerShell
Run as administrator:
```powershell
# Exclude folders
Add-MpPreference -ExclusionPath "C:\ProgramData\checkmk\"
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\checkmk\"
Add-MpPreference -ExclusionPath "C:\ProgramData\robocorp\ht\"
Add-MpPreference -ExclusionPath "C:\robotmk\"
# Exclude processes (adjust the paths to where the binaries live on your host)
Add-MpPreference -ExclusionProcess "C:\ProgramData\checkmk\agent\check_mk_agent.exe"
Add-MpPreference -ExclusionProcess "C:\robotmk\robotmk.exe"
```
Verify with:
```powershell
Get-MpPreference | Select-Object ExclusionPath,ExclusionProcess
```
Best practices
Prefer narrow exclusions
Exclude only the specific agent or Robotmk process instead of broad folders whenever possible. Keep in mind that a process exclusion tells Defender not to scan files that the named process opens; it does not exempt the executable itself from being scanned, so a detection on the binary still needs a path exclusion or a Microsoft reclassification.
Monitor after exclusions
Re-run your monitoring and check Defender’s logs again to confirm that the exclusions are working and that no unrelated threats are being ignored.
Remove outdated exclusions
Use Remove-MpPreference to keep your exclusion list lean and secure, for example once a signed build is installed or Microsoft has reclassified the file.
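The exclusion workflow from “Adding exclusions in PowerShell” and the cleanup from “Remove outdated exclusions”, written as one reusable script. This is an added example and not part of the Checkmk documentation or the Checkmk project; the function names, the log file location and the default paths are assumptions, so adjust them to your host. It adds only the exclusions that are missing, records what was added, verifies the result, and provides the matching removal for when the detection has been resolved.

```powershell
# Added example: idempotent add / verify / remove of the Defender exclusions
# named in this article. Run as administrator.
# Assumptions: default install paths from this article; log file path is arbitrary.
$folderExclusions = @(
    'C:\Program Files (x86)\checkmk\',
    'C:\ProgramData\checkmk\',
    'C:\ProgramData\robocorp\ht\',
    'C:\robotmk\'
)
$processExclusions = @(
    'C:\ProgramData\checkmk\agent\check_mk_agent.exe',
    'C:\robotmk\robotmk.exe'
)
$changeLog = 'C:\ProgramData\checkmk\defender-exclusions.log'   # assumed location

# Defender may store a path with or without the trailing backslash; compare normalized
function Test-InList([string[]]$list, [string]$item) {
    $norm = $item.TrimEnd('\')
    return [bool]($list | Where-Object { $_.TrimEnd('\') -eq $norm })
}

function Add-CheckmkExclusions {
    $pref  = Get-MpPreference
    $added = @()
    foreach ($p in $folderExclusions) {
        if (-not (Test-InList $pref.ExclusionPath $p)) {
            Add-MpPreference -ExclusionPath $p
            $added += "path:$p"
        }
    }
    foreach ($p in $processExclusions) {
        # A process exclusion skips scanning of files opened BY this process;
        # it does not stop Defender from scanning the executable itself.
        if (-not (Test-InList $pref.ExclusionProcess $p)) {
            Add-MpPreference -ExclusionProcess $p
            $added += "process:$p"
        }
    }
    return $added
}

function Test-CheckmkExclusions {
    $pref    = Get-MpPreference
    $missing = @($folderExclusions  | Where-Object { -not (Test-InList $pref.ExclusionPath    $_) }) +
               @($processExclusions | Where-Object { -not (Test-InList $pref.ExclusionProcess $_) })
    if ($missing.Count -gt 0) { Write-Warning ('Not active: ' + ($missing -join ', ')) }
    return ($missing.Count -eq 0)
}

function Remove-CheckmkExclusions {
    foreach ($p in $folderExclusions)  { Remove-MpPreference -ExclusionPath    $p -ErrorAction SilentlyContinue }
    foreach ($p in $processExclusions) { Remove-MpPreference -ExclusionProcess $p -ErrorAction SilentlyContinue }
    Add-Content -Path $changeLog -Value ('{0:s} removed all Checkmk/Robotmk exclusions' -f (Get-Date))
}

# Usage: add what is missing, record it with a timestamp, then verify
$added = Add-CheckmkExclusions
Add-Content -Path $changeLog -Value ('{0:s} added: {1}' -f (Get-Date), ($added -join '; '))
if (Test-CheckmkExclusions) {
    'Exclusions active. Restart the Checkmk agent service and re-check the Defender log for new 1116/1117 events.'
}
# Later, once a signed build is installed or Microsoft has reclassified the file:
# Remove-CheckmkExclusions
```

The change log gives you a dated record of which exclusions exist and why, which is what an auditor or your security team will ask for when a broad folder exclusion is found on a host months later.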
Related articles