Forum Discussion
Varying results for "Actions on detected malware threats"
edit: we found that below was due to testing against the file generated in BAFS at demo.wd.microsoft.com which is scenario specific.
I am currently doing a PoC on Windows Defender ATP, and we are currently looking closer into how the various options for "Actions on detected malware threats" (Intune EP Profile setting), clean, quarantine and block (the only options we are considering). I am hoping someone with more experience can grant some insight into how these are supposed to work.
Some light details on the setup:
Using Windows 10 1809.
We have all options in SmartScreen enabled (Intune profiles).
We use Get-MpPreference to confirm the setting.
Below the following abbreviation is used.
WDSC = Windows Defender Security Center
WD = Windows Defender
Testing against file from BAFS at demo.wd.microsoft.com.
Expected behavior is in italic.
In all cases: Can execute file if fast enough (ie. Within 1-2 seconds, longer if set to block). This can be done by a non-priv user in Chrome, but a priv. user is required when downloading in Edge (ex. Admin. Cmd prompt). In both cases only able to run it once after which it is blocked.
We would expect, no matter the source, that he file is locked until WD is done scanning, ie. User unable to execute until scan is completed.
Clean: An attempt at cleaning the file is made. No log trace (not in event log nor WDSC timelines) if successfully cleaned or not. No alerts raised in WDSC.
We would expect a log trace (at least local event log), no matter the outcome, and an alert raised in WDSC if not able to clean the file.
Block: If using Edge then SmartScreen blocks the file. No alert raised in WDSC. If downloading using Chrome then the file is not blocked if trying to execute the first time (most of the time). Still no alert raised in WDSC.
If priv. user then able to run once even after scan is done from Edge.
We would expect an alert raised in WDSC when a file is blocked (first time blocked).
Quarantine: Does not always quarantine the file. Sometimes blocks the file and leaves it where it is. Consistently raises alert in WDSC.
We would expect more consistency in the quarantining of files, ie. Always put into quarantine, and not just most of the time.
The lack of alerts makes quarantine the only viable option. Drawback is the poor support for removing the file from quarantine (must be done on the local machine).
Also inconsistent what is blocking the execution. It varies between being SmartScreen and WD that blocks the execution.