ATP identified "[email protected]"

Good morning,

Our customer’s ATP (Advanced Threat Protection) identified the function “[email protected]”. What is this function doing?

He wants to isolate this function.

Thank you

It’s a core function used by our virtual file system engine. The NtQueryDirectoryFile routine returns various kinds of information about files in the directory specified by a given file handle. There is no special reason why an antivirus would not allow applications to use that Windows API.
Did you code sign your EXE file?

It is not a normal antivirus, it is ATP (Advanced Threat Protection). The name of this ATP is “MITRE ATT&CK”.
Yes, I code signed my EXE file (Dual SHA1-SHA256) and my certificate is valid.

This problem is not urgent anymore, but it may be helpful for you.

Thank you
