Windows Defender Antivirus & Windows Defender Exploit Guard


Windows Defender Antivirus & Windows Defender Exploit Guard: Protection evaluation guide

Windows Defender Antivirus evaluation guide

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

Copyright 2018 Microsoft Corporation. All rights reserved.

Please refer to Microsoft Trademarks (https://aka.ms/MSTrademarks) for a list of trademarked products. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Evaluate Windows Defender Antivirus and Windows Defender Exploit Guard in Windows 10

In Windows 10 you can use next-generation protection features offered by Windows Defender Antivirus (Windows Defender AV) and Windows Defender Exploit Guard (Windows Defender EG).

This topic explains how to enable and test the key protection features in Windows Defender AV and Windows Defender EG, and provides you with guidance and links to more information.

We recommend you use this evaluation PowerShell script to configure these features, but you can individually enable each feature with the cmdlets described in the rest of this document.

See the following product documentation libraries for more information about our EPP products:
- Windows Defender Antivirus
- Windows Defender Exploit Guard

Note: This topic describes configuration options in Windows 10, version 1803. Some options may also be available in earlier versions of Windows 10, and may have slightly different names or titles.

If you have any questions about a detection that Windows Defender AV makes, or you discover a missed detection, you can submit a file to us at our sample submission help site.

Use PowerShell to enable the features

This guide provides the Windows Defender cmdlets that configure the features you should use to evaluate our protection.

To use these cmdlets:
1. Open an elevated instance of PowerShell (choose Run as administrator).
2. Enter the command listed in this guide and press Enter.

You can check the status of all settings before you begin, or during your evaluation, by using the Get-MpPreference PowerShell cmdlet.

Windows Defender AV will indicate a detection through standard Windows notifications. You can also review detections in the Windows Defender AV app. The Windows event log also records detection and engine events. See the Windows Defender Antivirus events topic for a list of event IDs and their corresponding actions.

Cloud protection features

Standard definition updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds. More details are available in Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection.

Enable the Windows Defender Cloud for near-instant protection and increased protection:
    Set-MpPreference -MAPSReporting Advanced

Automatically submit samples to increase group protection:
    Set-MpPreference -SubmitSamplesConsent Always

Use the cloud to block new malware within seconds:
    Set-MpPreference -DisableBlockAtFirstSeen 0

Scan all downloaded files and attachments (note: this setting is not honored in Mozilla Firefox):
    Set-MpPreference -DisableIOAVProtection 0

Set cloud block level to 'High':
    Set-MpPreference -CloudBlockLevel High

Set cloud block timeout to 1 minute (the value is the number of seconds added to the default 10-second cloud check timeout):
    Set-MpPreference -CloudExtendedTimeout 50

Always-on protection (real-time scanning)

Windows Defender AV scans files as soon as they are seen by Windows, and will monitor running processes for known or suspected malicious behaviors. If the antivirus engine discovers malicious modification, it will immediately block the process or file from running.

See Configure behavioral, heuristic, and real-time protection for more details on these options.

Constantly monitor files and processes for known malware modifications:
    Set-MpPreference -DisableRealtimeMonitoring 0

Constantly monitor for known malware behaviors – even in ‘clean’ files and running programs:
    Set-MpPreference -DisableBehaviorMonitoring 0

Scan scripts as soon as they are seen or run:
    Set-MpPreference -DisableScriptScanning 0

Scan removable drives as soon as they are inserted or mounted:
    Set-MpPreference -DisableRemovableDriveScanning 0

Potentially Unwanted Application protection

Potentially unwanted applications are files and apps that are not traditionally classified as malicious. These include third-party installers for common software, ad-injection and certain types of toolbars in your browser.

Prevent grayware, adware, and other potentially unwanted apps from installing:
    Set-MpPreference -PUAProtection Enabled

Email and archive scanning

You can set Windows Defender Antivirus to automatically scan certain types of email files and archive files (such as .zip files) when they are seen by Windows. More information about this feature can be found under the Manage email scans in Windows Defender topic.

Scan email files and archives:
    Set-MpPreference -DisableArchiveScanning 0
    Set-MpPreference -DisableEmailScanning 0

Manage product and protection updates

Typically, you receive Windows Defender AV updates from Windows Update once per day. However, you can increase the frequency of those updates by setting the following options, and ensuring that your updates are managed either in System Center Configuration Manager, with Group Policy, or in Intune.

Update signatures every day:
    Set-MpPreference -SignatureUpdateInterval 8

Check to update signatures before running a scheduled scan:
    Set-MpPreference -CheckForSignaturesBeforeRunningScan 1

Advanced threat and exploit mitigation and prevention

Windows Defender Exploit Guard provides features that help protect devices from known malicious behaviors and attacks on vulnerable technologies.

Controlled folder access

Prevent malicious and suspicious apps (such as ransomware) from making changes to protected folders with Controlled folder access:
    Set-MpPreference -EnableControlledFolderAccess Enabled

Network protection

Block connections to known bad IP addresses and other network connections with Network protection:
    Set-MpPreference -EnableNetworkProtection Enabled

Exploit protection

Apply a standard set of mitigations with Exploit protection (the first part of the download command, including the full URL, is cut off in this transcription and only the following fragment survives):
    ft.com/Content/ProcessMitigation.xml -OutFile ProcessMitigation.xml
    Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml
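As an added check that is not part of the Microsoft guide, the following script compares the Set-MpPreference settings listed so far against the values this guide recommends and prints any that still differ, together with the cmdlet that restores each one. It assumes an elevated PowerShell session with the Defender module available; Get-MpPreference reports enumerated settings as numbers, so the expected values are written in that numeric form (the mapping in the comments is an assumption about the enum values, e.g. 2 = Advanced for MAPSReporting).

```powershell
# Added example, not from the Microsoft guide: report which of the guide's
# Set-MpPreference settings still differ from the recommended values.
# Assumes an elevated PowerShell session with the Defender module loaded.
# Get-MpPreference reports enum settings numerically, so expected values are numeric.
$Desired = [ordered]@{
    MAPSReporting                       = 2        # Advanced
    SubmitSamplesConsent                = 3        # send all samples (guide's "Always")
    DisableBlockAtFirstSeen             = $false
    DisableIOAVProtection               = $false
    CloudBlockLevel                     = 2        # High
    CloudExtendedTimeout                = 50
    DisableRealtimeMonitoring           = $false
    DisableBehaviorMonitoring           = $false
    DisableScriptScanning               = $false
    DisableRemovableDriveScanning       = $false
    PUAProtection                       = 1        # Enabled
    DisableArchiveScanning              = $false
    DisableEmailScanning                = $false
    SignatureUpdateInterval             = 8
    CheckForSignaturesBeforeRunningScan = $true
    EnableControlledFolderAccess        = 1        # Enabled
    EnableNetworkProtection             = 1        # Enabled
}
function Get-DefenderDrift {
    param([System.Collections.IDictionary]$Expected = $Desired)
    $Current = Get-MpPreference
    foreach ($Name in $Expected.Keys) {
        $Actual = $Current.$Name
        $Want   = $Expected[$Name]
        # Compare as strings so $false/"False" and 2/"2" line up whatever the type.
        if ("$Actual" -ne "$Want") {
            # The guide passes 0/1 for boolean switches, so render the fix that way.
            $Arg = if ($Want -is [bool]) { [int]$Want } else { $Want }
            [pscustomobject]@{
                Setting  = $Name
                Expected = $Want
                Actual   = $Actual
                Fix      = "Set-MpPreference -$Name $Arg"
            }
        }
    }
}
$Drift = @(Get-DefenderDrift)
if ($Drift.Count -eq 0) {
    Write-Output 'All evaluated settings match the guide.'
} else {
    $Drift | Format-Table -AutoSize
}
```

Run it once before applying the guide's cmdlets to record the baseline, and again afterwards to confirm nothing was silently rejected or overridden by policy.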

Attack surface reduction

Block known malicious attack vectors with Attack surface reduction. Each rule is enabled with its own Add-MpPreference call; in this transcription only the trailing segment of most rule GUIDs survives, so the IDs below are shown as they appear and cannot be used as-is, except for the last rule, whose GUID is complete:
    Add-MpPreference -AttackSurfaceReductionRules_Ids 3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 57927947596D -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled

Some rules may block behavior you find acceptable in your organization. In these cases, change the rule from Enabled to Audit to prevent unwanted blocks. For more information about audit mode, see Use audit mode to evaluate Windows Defender Exploit Guard features.

One-click Windows Defender Offline

Windows Defender Offline is a specialized tool that comes with Windows 10, and allows you to boot a machine into a dedicated environment outside of the normal operating system. It’s especially useful for potent malware, such as rootkits. See Windows Defender Offline in Windows 10 for more information on how this feature works.

Ensure notifications allow you to boot the PC into a specialized malware removal environment:
    Set-MpPreference -UILockdown 0
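As an added example that is not part of the Microsoft guide, the following script pulls the detection events mentioned earlier together with the Exploit Guard audit and block events from the Defender Operational log, so that during an evaluation you can see what Attack surface reduction, Controlled folder access and Network protection blocked, or would have blocked in audit mode, before moving a rule from Audit to Enabled. It assumes an elevated PowerShell session; the event IDs and their meanings are the ones documented for the Microsoft-Windows-Windows Defender/Operational log.

```powershell
# Added example, not from the Microsoft guide: summarise recent Defender AV
# detections and Exploit Guard audit/block events for an evaluation.
# Assumes an elevated PowerShell session on the evaluated Windows 10 machine.
$EventMeaning = @{
    1116 = 'AV: malware or unwanted software detected'
    1117 = 'AV: action taken on detected item'
    1121 = 'ASR rule fired (block mode)'
    1122 = 'ASR rule fired (audit mode)'
    1123 = 'Controlled folder access blocked a write'
    1124 = 'Controlled folder access would have blocked (audit mode)'
    1125 = 'Network protection would have blocked (audit mode)'
    1126 = 'Network protection blocked a connection'
    5007 = 'Defender configuration changed'
}

function Get-DefenderEvaluationEvents {
    param([int]$Hours = 24)
    $Filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($EventMeaning.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $EventMeaning[$_.Id]
                # First line of the message is the summary; the full Message
                # carries the rule GUID, file path or URL involved.
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

$Events = @(Get-DefenderEvaluationEvents -Hours 24)
# Per-ID counts: many 1122/1124/1125 (audit) events for a feature is the signal to
# review what it would block before switching it from Audit to Enabled.
$Events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{n='Id';e={[int]$_.Name}}, Count, @{n='Meaning';e={$EventMeaning[[int]$_.Name]}} |
    Format-Table -AutoSize
# Most recent entries with their summary line.
$Events | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize -Wrap
```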

Resources

This section lists a number of resources that can assist you with evaluating Windows Defender Antivirus.
- Windows Defender in Windows 10 library
- Windows Defender for Windows Server 2016 library
- Windows 10 security library
- Windows 10 security overview
- Microsoft Malware Protection Center website – threat research and response
- Microsoft Malware Protection Center blog – threat research
- Ransomware protection in Windows 10 – whitepaper (PDF download)
- Microsoft Secure website
- Microsoft Secure blog
