Defender for Endpoint Alert?

Support level: Free or trial
See uploaded images.

"A new process was suspiciously created with a duplicated access token for the SYSTEM account. This activity, often referred to as _token impersonation_, is used to elevate privileges for existing processes or start processes with elevated privileges."
Hello,

Remote Utilities Host runs as a Windows SYSTEM service. When the Host needs to “enter” a different Windows session, Windows uses the standard token duplication mechanism to create a session-appropriate process under the SYSTEM account.

This isn’t privilege escalation — the Host already runs with SYSTEM privileges as a service. Microsoft Defender sometimes flags this pattern generically because it can also appear in malware, but in this context it is part of normal, documented Windows functionality for remote-access and RMM tools.

Hope that helps.
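The reply above draws the line that matters for triage: a process started from a duplicated SYSTEM token is only an escalation if the parent was not already SYSTEM. The following is an added example, not code from Remote Utilities or Microsoft, of how a defender might encode that distinction when reviewing such alerts. The event field names, the sample events and the binary name RMMHost.exe are all constructed for illustration; the only value taken from the thread is the Host's documented install folder, C:\Program Files (x86)\Remote Utilities - Host\.

```python
"""Triage helper for "process created with a duplicated SYSTEM token" alerts.

Added example (not Remote Utilities or Microsoft code). Field names below are
constructed; map them onto your EDR's own schema before using this logic.
"""
from dataclasses import dataclass
import ntpath

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Install folder documented in the thread. Other RMM products would need their
# own entries; keep this list tight, it is effectively an allow-list.
KNOWN_RMM_HOST_DIRS = (
    r"C:\Program Files (x86)\Remote Utilities - Host",
)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str       # full path of the process that created the child
    parent_account: str     # account the parent runs as
    parent_session: int     # Windows session ID (services live in session 0)
    child_image: str
    child_account: str
    child_session: int
    token_duplicated: bool  # EDR-reported: child started from a duplicated token


def _under_dir(path: str, directory: str) -> bool:
    """Case-insensitive 'is path inside directory' check on Windows paths.

    Normalising and appending a trailing backslash prevents a look-alike
    folder such as '...\\Remote Utilities - Host Evil\\' from matching.
    """
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower().rstrip("\\") + "\\"
    return p.startswith(d)


def triage(ev: ProcessEvent) -> str:
    """Classify one alert-worthy process-creation event."""
    if not ev.token_duplicated or ev.child_account.upper() != SYSTEM:
        return "not-applicable"
    # Real escalation indicator: a non-SYSTEM parent ends up with a SYSTEM child.
    if ev.parent_account.upper() != SYSTEM:
        return "privilege-escalation-suspect"
    rmm_parent = any(_under_dir(ev.parent_image, d) for d in KNOWN_RMM_HOST_DIRS)
    # Benign pattern from the thread: a SYSTEM service (session 0) duplicates
    # its own token to place a SYSTEM process into another, interactive session.
    if rmm_parent and ev.parent_session == 0 and ev.child_session != 0:
        return "expected-rmm-behaviour"
    return "investigate"


def triage_all(events) -> dict:
    """Return a verdict per event, keyed by the child image path."""
    return {ev.child_image: triage(ev) for ev in events}


# Constructed sample events (not real telemetry).
BENIGN_RMM = ProcessEvent(
    parent_image=r"C:\Program Files (x86)\Remote Utilities - Host\RMMHost.exe",
    parent_account=SYSTEM, parent_session=0,
    child_image=r"C:\Program Files (x86)\Remote Utilities - Host\RMMHost.exe",
    child_account=SYSTEM, child_session=1, token_duplicated=True,
)
LOOKALIKE_DIR = ProcessEvent(
    parent_image=r"C:\Program Files (x86)\Remote Utilities - Host Evil\RMMHost.exe",
    parent_account=SYSTEM, parent_session=0,
    child_image=r"C:\Windows\Temp\x.exe",
    child_account=SYSTEM, child_session=1, token_duplicated=True,
)
ESCALATION = ProcessEvent(
    parent_image=r"C:\Users\alice\Downloads\tool.exe",
    parent_account="DESKTOP\\alice", parent_session=1,
    child_image=r"C:\Windows\System32\cmd.exe",
    child_account=SYSTEM, child_session=1, token_duplicated=True,
)
NO_DUP = ProcessEvent(
    parent_image=r"C:\Windows\System32\services.exe",
    parent_account=SYSTEM, parent_session=0,
    child_image=r"C:\Windows\System32\svchost.exe",
    child_account=SYSTEM, child_session=0, token_duplicated=False,
)

if __name__ == "__main__":
    for image, verdict in triage_all([BENIGN_RMM, LOOKALIKE_DIR, ESCALATION, NO_DUP]).items():
        print(f"{verdict:32} {image}")
```

The "expected-rmm-behaviour" verdict is a reason to close the alert only after the parent binary's path and signature have been confirmed; a path allow-list alone is what the look-alike case above is meant to show you should not trust.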
Support level: Free or trial
Thank you for the feedback.
What is the recommended method to prevent an antivirus scanner from deleting the agent file and moving it to quarantine?
Hello,

You can simply add the folder from which you run the Agent (after downloading it) to your antivirus exceptions.

If you're using the Host (the persistent module), make sure to whitelist the following folder:
C:\Program Files (x86)\Remote Utilities - Host\
