{
  "format_version": 3,
  "policy": {
    "external_id": "59cb097fe9d08c661178d1da4ddbf7b8",
    "name": "CIS Microsoft Defender Antivirus Benchmark v1.0.0 - Level 1",
    "version": "1.0.0",
    "description": "CIS Level 1 hardening profile for Microsoft Defender Antivirus. Registry-backed settings for cloud protection, real-time protection, exploit guard, attack surface reduction, and tamper protection. Applies to any Windows host with Defender enabled.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "f216b477ec6b53dab87b22b82696b846",
      "name": "1.4.1 \u2014 Ensure 'Enable EDR in block mode' is set to 'Enabled'",
      "description": "Ensure 'Enable EDR in block mode' is set to 'Enabled'",
      "rational": "When Microsoft Defender Antivirus is not the primary antivirus product and is running in \npassive mode, EDR in block mode provides added protection against malicious \nartifacts.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Features\\Enable EDR in block mode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer). \n\nPage 19",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features|PassiveRemediation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "9e6e2f34a4cea4c245e337a9526e6b9d",
      "name": "1.5.1 \u2014 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is ...",
      "description": "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'",
      "rational": "The decision on whether to participate in Microsoft MAPS / Microsoft Defender Antivirus \nCloud Protection Service for malicious software reporting should be made centrally in \nan enterprise managed environment, so that all computers within it behave consistently \nin that regard. Configuring this setting to Disabled ensures that the decision remains \ncentrally managed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MAPS\\Configure local setting override \nfor reporting to Microsoft MAPS \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer). \n\nPage 22",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet|LocalSettingOverrideSpynetReporting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "e725ef6e6557362de52fcdbef68e724e",
      "name": "1.5.2 \u2014 Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'",
      "description": "Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'",
      "rational": "Enabling the Block at First Sight feature enhances threat protection by using \nnext-generation protection to detect new malware and block it within seconds.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MAPS\\Configure the 'Block at First \nSight' feature \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet|DisableBlockAtFirstSeen",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "ee6dd2d329651934070a8bc860755847",
      "name": "1.5.3 \u2014 Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced'",
      "description": "Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced'",
      "rational": "Cloud protection works with Microsoft Defender Antivirus to provide intelligent, real-time \nthreat detection. Microsoft strongly recommends enabling cloud protection, as several \nadvanced security features in Microsoft Defender for Endpoint rely on it to function \nproperly. To fully take advantage of these protections, including several ASR rules, this \nsetting must be enabled to allow for MAPS...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Advanced: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MAPS\\Join Microsoft MAPS \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet|SpynetReporting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "ff3a805517dfd3391757ad694f4f7c53",
      "name": "1.5.4 \u2014 Ensure 'Send file samples when further analysis is required' is set to 'Enabl...",
      "description": "Ensure 'Send file samples when further analysis is required' is set to 'Enabled: Send safe samples automatically' or higher",
      "rational": "For the Block at First Sight feature to function properly, the Send file samples when \nfurther analysis is required setting must be configured as prescribed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Send safe samples or Enabled: Send all samples: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MAPS\\Send file samples when further \nanalysis is required \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet|SubmitSamplesConsent",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "9a4c8ec9e89f54e8bcaff41b69d497fb",
      "name": "1.6.1.1 \u2014 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'",
      "description": "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR|ExploitGuard_ASR_Rules",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "e29507d540b37fc838eecc77e596d28f",
      "name": "1.6.1.2 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '56a863a9-875e-4185-98a7-b882c64b5ce5:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect systems. \n\nVulnerable signed drivers can be exploited by local applications that have sufficient \nprivileges to gain access to the kernel. This enables threat actors to disable or \ncircumvent security solutions, eventually leading to system compromise.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n56a863a9-875e-4185-98a7-b882c64b5ce5 with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|56a863a9",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "12fac8354b4467e18e6fd8be1c0da8ab",
      "name": "1.6.1.3 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nMalware can download and launch payloads and break out of Adobe Reader through \nsocial engineering or exploits. By blocking child processes from being generated by \nAdobe Reader, malware attempting to use Adobe Reader as an attack vector are \nprevented from spreading.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|7674ba52",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "afe5b9898316a131b328de8cfaab495a",
      "name": "1.6.1.4 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to 'd4f940ab-401b-4efc-aadc-ad5f3c50688a:2' or higher",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nCreating malicious child processes is a common malware strategy. Malware that \nabuses Office as a vector often runs VBA macros and exploit code to download and \nattempt to run more payloads. However, some legitimate line-of-business applications \nmight also generate...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nd4f940ab-401b-4efc-aadc-ad5f3c50688a with a value of 2 or 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is includ...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|d4f940ab",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "ad4cb22d4d5e5fa5baaa48d543632ffd",
      "name": "1.6.1.5 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nLSASS authenticates users who sign in on a Windows computer. Microsoft Defender \nCredential Guard in Windows normally prevents attempts to extract credentials from \nLSASS. Some organizations can't enable Credential Guard on all of their computers \nbecause of compatib...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|9e6c4e1f",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "8525c6b6d561b39c36388003a1cb5aaa",
      "name": "1.6.1.6 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nbe9ba2d9-53ea-4cdc-84e5-9b1eeee46550 with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|be9ba2d9",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "07e028fead9292394db5963c4f87e5d2",
      "name": "1.6.1.7 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '01443614-cd74-433a-b99e-2ecdc07bfc25:2' or higher",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nLaunching untrusted or unknown executable files can be risky, as it might not be initially \nclear if the files are malicious. \n\nOrganizations may find implementing Block to be too strict, however in Audit mode \nthere is still valuable information that can be logged f...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n01443614-cd74-433a-b99e-2ecdc07bfc25 with a value of 2 or 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is includ...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|01443614",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "6f1bae703208ebab9c8ee6af490cf84c",
      "name": "1.6.1.8 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '5beb7efe-fd9a-4556-801d-275e5ffc04cc:2' or higher",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nScript obfuscation is a common technique that both malware authors and legitimate \napplications use to hide intellectual property or decrease script loading times. Malware \nauthors also use obfuscation to make malicious code harder to read, which hampers \nclose scrut...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n5beb7efe-fd9a-4556-801d-275e5ffc04cc with a value of 2 or 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is includ...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|5beb7efe",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "def025a5af3e73a342375a0a1bb4771d",
      "name": "1.6.1.9 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to 'd3e037e1-3eb8-44c8-a917-57927947596d:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nMalware written in JavaScript or VBScript often acts as a downloader to fetch and \nlaunch other malware from the Internet. Although not common, line-of-business \napplications sometimes use scripts to download and launch installers.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nd3e037e1-3eb8-44c8-a917-57927947596d with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|d3e037e1",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "06afe63a798fd5fef24967330677ce14",
      "name": "1.6.1.10 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '3b576869-a4ec-4529-8536-b80a7769e899:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nMalware that abuses Office as a vector might attempt to save malicious components to \ndisk that would survive a computer reboot and persist on the system. This rule defends \nagainst this persistence technique by blocking access (open/execute) to the code \nwritten to...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n3b576869-a4ec-4529-8536-b80a7769e899 with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|3b576869",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "2c4d7db23dbf66895d5c41b6306e8769",
      "name": "1.6.1.11 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nAttackers might attempt to use Office apps to migrate malicious code into other \nprocesses through code injection, so the code can masquerade as a clean process. \nThere are no known legitimate business purposes for using code injection.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|75668c1f",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "dcfc20b709d9f58739a826ad00ade519",
      "name": "1.6.1.12 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '26190899-1602-49e8-8b27-eb1d0a1ce869:2' or higher",
      "rational": "This ASR rule protects against social engineering attacks and prevents exploiting code \nfrom abusing vulnerabilities in Outlook. It also protects against Outlook rules and forms \nexploits that attackers can use when a user's credentials are compromised.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n26190899-1602-49e8-8b27-eb1d0a1ce869 with a value of 2 or 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is includ...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|26190899",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "6753a70f92231f5c342b8f42e3e3648b",
      "name": "1.6.1.13 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to 'e6db77e5-3df2-4cf1-b95a-636979351e5b:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nFileless threats employ various tactics to stay hidden, to avoid being seen in the file \nsystem, and to gain periodic execution control. Some threats can abuse the WMI \nrepository and event model to stay hidden.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \ne6db77e5-3df2-4cf1-b95a-636979351e5b with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|e6db77e5",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "838bff986ef565191feeb36646fb91fb",
      "name": "1.6.1.14 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '33ddedf1-c6e0-47cb-833e-de6133960387:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nWhen a system is in Safe Mode, many security controls are disabled or operate with \nreduced functionality, which can allow attackers to execute tampering commands or \nencrypt files. This rule mitigates that risk by blocking commonly abused commands, \nsuch as 'bcdedit...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n33ddedf1-c6e0-47cb-833e-de6133960387 with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|33ddedf1",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "46a3c240f8b807e0f2afbb4b102f5c4e",
      "name": "1.6.1.15 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nb2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|b2b3f03d",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "b5e51f950a5d029ee28b4778f51e6421",
      "name": "1.6.1.16 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b:1'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nMalware can abuse VBA macro calls with various methods, such as calling Win32 APIs \nto launch malicious shellcode without writing anything directly to disk. Most \norganizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, \neven if the...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b with a value of 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|92e97fa1",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "690e75377a004e8e5ff8925867504741",
      "name": "1.6.1.17 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to 'c1db55ab-c21a-4637-bb3f-a12568109d35:2' or higher",
      "rational": "This ASR rule can help an organization enhance its protection against ransomware by \nusing both cloud and local heuristics. \n\nPage 77",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nc1db55ab-c21a-4637-bb3f-a12568109d35 with a value of 2 or 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set \nthe state for each ASR rule \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is includ...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|c1db55ab",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "75423972b10564c433cd3d6b16fc8d6f",
      "name": "1.6.3.1 \u2014 Ensure 'Prevent users and apps from accessing dangerous websites' is set to '...",
      "description": "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'",
      "rational": "This setting can help prevent employees from using any application to access \ndangerous domains that may host phishing scams, exploit-hosting sites, and other \nmalicious content on the Internet.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network \nProtection\\Prevent users and apps from accessing dangerous websites \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\windows Defender\\Windows Defender Exploit Guard\\Network Protection|EnableNetworkProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "f1a6f1256eb701a01a2a764b996b384a",
      "name": "1.7.1 \u2014 Ensure 'Enable file hash computation feature' is set to 'Enabled'",
      "description": "Ensure 'Enable file hash computation feature' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to monitor for suspicious and known malicious activity. \nFile hashes are a reliable way of detecting changes to files, and can speed up the scan \nprocess by skipping files that have not changed since they were last scanned and \ndetermined to be safe. A changed file hash can...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MpEngine\\Enable file hash computation \nfeature \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine|EnableFileHashComputation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "3f2b129815e720831d9bc48e527cccea",
      "name": "1.7.2 \u2014 Ensure 'Select cloud protection level' is set to Enabled: Moderate blocking l...",
      "description": "Ensure 'Select cloud protection level' is set to 'Enabled: Moderate blocking level' or higher",
      "rational": "Attackers routinely deploy new malware variants that can change faster than signature \nupdates. Enabling cloud protection can close this gap with its ability to detect and block \nnew, unknown, and fast-moving threats.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Moderate blocking level, High blocking level, High+ blocking \nlevel, or Zero tolerance blocking level: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MpEngine\\Select cloud protection \nlevel \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n2...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine|MpCloudBlockLevel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "61ef7c214854803ef00241929806fb2f",
      "name": "1.10.1 \u2014 Ensure 'Configure monitoring for incoming and outgoing file and program activ...",
      "description": "Ensure 'Configure monitoring for incoming and outgoing file and program activity' is set to 'Enabled: bi-directional (full on access)'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to monitor in real-time for suspicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: bi-directional (full on access): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Configure \nmonitoring for incoming and outgoing file and program activity \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrat...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|RealtimeScanDirection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "ebf4d01cba234d87f8c322fdb35a7bed",
      "name": "1.10.2 \u2014 Ensure 'Configure real-time protection and Security Intelligence Updates duri...",
      "description": "Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled'",
      "rational": "Critical Windows zero-day patch updates should be applied during OOBE to help \nmitigate against malicious attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Configure real-\ntime protection and Security Intelligence Updates during OOBE \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|OobeEnableRtpAndSigUpdate",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "9e95141f2aab269c589b37e0677d0f74",
      "name": "1.10.3 \u2014 Ensure 'Monitor file and program activity on your computer' is set to 'Enabled'",
      "description": "Ensure 'Monitor file and program activity on your computer' is set to 'Enabled'",
      "rational": "Attackers routinely deploy new malware variants that can change faster than signature \nupdates. Enabling this setting ensures that file and program activity are continually \nmonitored.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Monitor file and \nprogram activity on your computer \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer). \n\nPage 97",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableOnAccessProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "72b95539c3e3627c7519aae8223e5f6a",
      "name": "1.10.4 \u2014 Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'",
      "description": "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Scan all \ndownloaded files and attachments \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer). \n\nPage 99",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableIOAVProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "4f13ade62b7990effce5da0c4ecd0026",
      "name": "1.10.5 \u2014 Ensure 'Turn off real-time protection' is set to 'Disabled'",
      "description": "Ensure 'Turn off real-time protection' is set to 'Disabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn off real-\ntime protection \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer). \n\nPage 101",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableRealtimeMonitoring",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "e906d2457d013eb340da04922d38a2d0",
      "name": "1.10.6 \u2014 Ensure 'Turn on behavior monitoring' is set to 'Enabled'",
      "description": "Ensure 'Turn on behavior monitoring' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on behavior \nmonitoring \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer). \n\nPage 103",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableBehaviorMonitoring",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "3613e9f51a0699b537f1cbe17474aaa9",
      "name": "1.10.7 \u2014 Ensure 'Turn on process scanning whenever real-time protection is enabled' is...",
      "description": "Ensure 'Turn on process scanning whenever real-time protection is enabled' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on process \nscanning whenever real-time protection is enabled \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableScanOnRealtimeEnable",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "e1123a41c8007e6ab7d519f325566c01",
      "name": "1.10.8 \u2014 Ensure 'Turn on script scanning' is set to 'Enabled'",
      "description": "Ensure 'Turn on script scanning' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on script \nscanning \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer). \n\nPage 107",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableScriptScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "914dc694020fe35f7a797e9b163f77c7",
      "name": "1.11.1.1.2 \u2014 Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audi...",
      "description": "Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher",
      "rational": "This feature assists with mitigating brute force attempts by detecting and blocking \nunauthorized sign-ins and sessions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Audit or Enabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Remediation\\Behavioral Network \nBlocks\\Brute-Force Protection\\Configure Remote Encryption Protection Mode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administ...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Remediation\\Behavioral Network Blocks\\Brute Force Protection|BruteForceProtectionConfiguredState",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "263fff8a3a4a6a0bc361d11ec24ef508",
      "name": "1.11.1.2.2 \u2014 Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audi...",
      "description": "Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher",
      "rational": "This feature assists with detecting and blocking malicious remote encryption behavior, \nsuch as when a threat actor attempts to remotely encrypt files on a victim machine \nusing compromised credentials, network channels, or lateral movement techniques.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Audit or Enabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Remediation\\Behavioral Network \nBlocks\\Remote Encryption Protection\\Configure Remote Encryption Protection \nMode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 A...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Remediation\\Behavioral Network Blocks\\Remote Encryption Protection|RemoteEncryptionProtectionConfiguredState",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "92b71f83487a94df88346ebd67fd2ab2",
      "name": "1.12.2 \u2014 Ensure 'Configure whether to report Dynamic Signature dropped events' is set ...",
      "description": "Ensure 'Configure whether to report Dynamic Signature dropped events' is set to 'Enabled'",
      "rational": "Microsoft Defender Antivirus logs Dynamic Signature dropped events when it blocks or \nremoves a file using a dynamically delivered signature, but the signature is not fully \nprocessed or applied and is subsequently discarded. This may indicate an issue with \nsignature updates or with the system\u2019s ability to properly receive or handle dynamic \nsignatures.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Reporting\\Configure whether to report \nDynamic Signature dropped events \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting|EnableDynamicSignatureDroppedEventReporting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "389660d1975c078fd522a07ec172c6fc",
      "name": "1.13.1 \u2014 Ensure 'Check for the latest virus and spyware security intelligence before r...",
      "description": "Ensure 'Check for the latest virus and spyware security intelligence before running a scheduled scan' is set to 'Enabled'",
      "rational": "A malware scan is only as effective as the threat definitions it uses. Running a scan with \noutdated intelligence significantly reduces detection accuracy and can create a false \nsense of security.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Check for the latest virus and \nspyware security intelligence before running a scheduled scan \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|CheckForSignaturesBeforeRunningScan",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "5731fbd27ee8484be0373aee1d93e03d",
      "name": "1.13.2 \u2014 Ensure 'Scan archive files' is set to 'Enabled'",
      "description": "Ensure 'Scan archive files' is set to 'Enabled'",
      "rational": "Archive files such as .zip, .rar, .7z, and .iso are a common and effective way threat \nactors hide malware, bypass basic defenses, and delay detection.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan archive files \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisableArchiveScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "3f5af1ebc57a2809aa5180ab3e1aaad7",
      "name": "1.13.3 \u2014 Ensure 'Scan excluded files and directories during quick scans' is set to 'En...",
      "description": "Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1'",
      "rational": "The Real-time Protection feature excludes some files and directories for contextual \nreasons. This setting ensures that these are scanned during a Quick Scan.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan excluded files and \ndirectories during quick scans \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|QuickScanIncludeExclusions",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "a6549d9716b983257c5b47deb1e63ce0",
      "name": "1.13.4 \u2014 Ensure 'Scan packed executables' is set to 'Enabled'",
      "description": "Ensure 'Scan packed executables' is set to 'Enabled'",
      "rational": "Packing executables is a way to compress and create smaller files and can make it \ndifficult to access and analyze the code associated with the executable. This is a \ncommon method to obfuscate malicious executables by bad actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan packed executables \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 and \nServer 2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisablePackedExeScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "3d2ed71b9aeed1e6d8a3a8b7df6d6845",
      "name": "1.13.5 \u2014 Ensure 'Scan removable drives' is set to 'Enabled'",
      "description": "Ensure 'Scan removable drives' is set to 'Enabled'",
      "rational": "It is important to ensure that any present removable drives are always included in any \ntype of scan, as removable drives are more likely to contain malicious software brought \ninto the managed environment from an external, unmanaged computer.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan removable drives \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisableRemovableDriveScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "0657c204bfc76f27ada7f4d147eda66a",
      "name": "1.13.6 \u2014 Ensure 'Specify the day of the week to run a scheduled scan' is set to 'Enabl...",
      "description": "Ensure 'Specify the day of the week to run a scheduled scan' is set to 'Enabled: 0' or higher, but not '8'",
      "rational": "Performing a scheduled scan at least once a week is a consistent way to verify that \ncritical parts of the system remain clean.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 0 or higher, but not 8: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Specify the day of the week to \nrun a scheduled scan \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 and \nServer 2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|ScheduleDay",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "63f980d9455fe8f3fb546f736a99033e",
      "name": "1.13.7 \u2014 Ensure 'Specify the scan type to use for a scheduled scan' is set to 'Enabled...",
      "description": "Ensure 'Specify the scan type to use for a scheduled scan' is set to 'Enabled: Quick Scan (default)' or higher",
      "rational": "Performing antivirus scans helps protect systems, data, and users from a wide range of \nsecurity threats.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Specify the scan type to use for \na scheduled scan \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates. \n\nPage 137",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|ScanParameters",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "b801058cb2a5bd69c8353528499360e5",
      "name": "1.13.8 \u2014 Ensure 'Specify the time for a daily quick scan' is set to 'Enabled: 1' or hi...",
      "description": "Ensure 'Specify the time for a daily quick scan' is set to 'Enabled: 1' or higher",
      "rational": "Performing a daily quick scan is a consistent, low-impact way to verify that critical parts \nof the system remain clean.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1 or higher: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Specify the time for a daily \nquick scan \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 and \nServer 2012 R2 Administrative Templates (or newer). \n\nPage 139",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|ScheduleQuickScanTime",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "c91a7a5a3a6c4d4da3471550b6b6bfed",
      "name": "1.13.9 \u2014 Ensure 'Specify the time of day to run a scheduled scan' is set to 'Enabled: ...",
      "description": "Ensure 'Specify the time of day to run a scheduled scan' is set to 'Enabled: 1' or higher",
      "rational": "Performing a daily quick scan is a consistent, low-impact way to verify that critical parts \nof the system remain clean.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1 or higher: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Specify the time of day to run a \nscheduled scan \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 and \nServer 2012 R2 Administrative Templates (or newer). \n\nPage 141",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|ScheduleTime",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "e1470b2ea6507824420096d52bdc6c95",
      "name": "1.13.10 \u2014 Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabl...",
      "description": "Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7'",
      "rational": "Antivirus scans should be performed on a regular basis so that malicious software can \nbe detected and remediated before malicious activity occurs.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 7 days: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Trigger a quick scan after X \ndays without any scans \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DaysUntilAggressiveCatchupQuickScan",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "7"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "c849988dfb5a8475c09c1d8fb3d895c1",
      "name": "1.13.11 \u2014 Ensure 'Turn on e-mail scanning' is set to 'Enabled'",
      "description": "Ensure 'Turn on e-mail scanning' is set to 'Enabled'",
      "rational": "All emails should be scanned by an antivirus solution such as Microsoft Defender \nAntivirus, as email attachments are a commonly used attack vector to infiltrate \ncomputers with malicious software.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Turn on e-mail scanning \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer). \n\nPage 145",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisableEmailScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "6a6aea7910f621761c2087df5198ad85",
      "name": "1.14.1 \u2014 Ensure 'Specify the interval to check for security intelligence updates' is s...",
      "description": "Ensure 'Specify the interval to check for security intelligence updates' is set to 'Enabled: 4' or fewer, but not '0'",
      "rational": "A malware scan is only as effective as the threat definitions it uses. Running a scan with \noutdated intelligence significantly reduces detection accuracy and can create a false \nsense of security.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 4 or fewer, but not 0: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Security Intelligence Updates\\Specify \nthe interval to check for security intelligence updates \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 and \nServer 2012 R2 Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates|SignatureUpdateInterval",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "8f2f79f5ec73f540d80794f9ce57cc09",
      "name": "1.15.1 \u2014 Ensure 'Specify threat alert levels at which default action should not be tak...",
      "description": "Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled'",
      "rational": "By default, Defender uses the action embedded in each threat\u2019s malware signature \n(clean, quarantine, remove, etc.). Configuring this setting ensures the same action is \nalways taken, regardless of how Microsoft classifies a specific threat.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Threats\\Specify threat alert levels \nat which default action should not be taken when detected \n\nNote: This Group Policy section is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates. \n\nPage 151",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats|Threats_ThreatSeverityDefaultAction",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "7a8936e16f7c005d50e518981ac149b9",
      "name": "1.15.2 \u2014 Ensure 'Specify threat alert levels at which default action should not be tak...",
      "description": "Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: Medium: 2 or 3'",
      "rational": "By default, Defender uses the action embedded in each threat\u2019s malware signature \n(clean, quarantine, remove, etc.). Configuring this setting ensures the same action is \nalways taken, regardless of how Microsoft classifies a specific threat.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled with (value name) 2 and (value) 2 or Enabled with (value name) 2 and (value) \n3: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Threats\\Specify threat alert levels \nat which default action should not be taken when detected \n\nNote: This Group Policy section is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction|2",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "25ee9ce53dd388108f3449b54d2d99cb",
      "name": "1.15.3 \u2014 Ensure 'Specify threat alert levels at which default action should not be tak...",
      "description": "Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: High: 2 or 3'",
      "rational": "By default, Defender uses the action embedded in each threat\u2019s malware signature \n(clean, quarantine, remove, etc.). Configuring this setting ensures the same action is \nalways taken, regardless of how Microsoft classifies a specific threat.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled with (value name) 4 and (value) 2 or Enabled with (value name) 4 and (value) \n3: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Threats\\Specify threat alert levels \nat which default action should not be taken when detected \n\nNote: This Group Policy section is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction|4",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "6e33fb2d4eddc233829d3c522445a287",
      "name": "1.15.4 \u2014 Ensure 'Specify threat alert levels at which default action should not be tak...",
      "description": "Ensure 'Specify threat alert levels at which default action should not be taken when detected' is set to 'Enabled: Severe: 2 or 3'",
      "rational": "By default, Defender uses the action embedded in each threat\u2019s malware signature \n(clean, quarantine, remove, etc.). Configuring this setting ensures the same action is \nalways taken, regardless of how Microsoft classifies a specific threat.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled with (value name) 5 and (value) 2 or Enabled with (value name) 5 and (value) \n3: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Threats\\Specify threat alert levels \nat which default action should not be taken when detected \n\nNote: This Group Policy section is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction|5",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "9f34fc063346133e01808cea1e5fb61d",
      "name": "1.16 \u2014 Ensure 'Configure detection for potentially unwanted applications' is set to ...",
      "description": "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'",
      "rational": "Potentially unwanted applications can increase the risk of your network being infected \nwith malware, cause malware infections to be harder to identify, and can waste IT \nresources in cleaning up the applications. They should be blocked from installation.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Configure detection for potentially \nunwanted applications \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1809 & Server 2019 Administrative Templates (or newer). \n\nPage 159",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender|PUAProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "b1e4f4dcf8d245c73d8981ca4e42587b",
      "name": "1.17 \u2014 Ensure 'Control whether exclusions are visible to local users' is set to 'Ena...",
      "description": "Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled'",
      "rational": "Only administrators should be able to view and manage Microsoft Defender Antivirus \nexclusions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Control whether exclusions are \nvisible to local users \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer). \n\nPage 161",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender|HideExclusionsFromLocalUsers",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    },
    {
      "external_id": "1ca73a7385c48ed4a192fa5af2124295",
      "name": "1.18 \u2014 Ensure 'Turn off routine remediation' is set to 'Disabled'",
      "description": "Ensure 'Turn off routine remediation' is set to 'Disabled'",
      "rational": "If this setting is enabled, Microsoft Defender prompts the user to take action on detected \nthreats. Allowing users to choose threat remediation actions is not considered a best \npractice, as it can lead to inconsistent or unsafe responses.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Turn off routine remediation \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates. \n\nPage 163",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender|DisableRoutinelyTakingAction",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows"
        }
      ]
    }
  ]
}