John Barbare and Tan Tran
Dear IT Pros,
In this article we discuss Microsoft Defender for Endpoint antivirus configuration, policies and exclusion lists in detail, so that you can avoid the common mistakes and apply best practice.
Best Practices for AV Policy Settings:
Example of AV Policies for different Servers and Workstation types:
- In Windows 10 version 1910 and earlier, the default setting (not configured) is equivalent to disabling PUA detection. In Windows 10 version 2004 and later, PUA detection is enabled by default.
Example: GPO setting for PUA.
- Potentially unwanted applications (PUA) are not considered viruses or malware, but they might perform actions on endpoints that adversely affect endpoint performance or use. PUA detection can be configured by GPO, Endpoint Manager (Intune) or Endpoint Configuration Manager (MECM).
- You should have a policy to enable Microsoft Defender for Endpoint (MDE) with EDR in block mode.
- The EDR onboarding policies can be created and enforced by MEM (Intune) or by MECM (SCCM), as described in the linked documentation.
- To enable EDR block mode, go to the related cloud EDR service. For example, if you use MDE, you can enable it under Settings\Advanced Features, as shown here:
- EDR block mode is a critical feature for preventing and monitoring ransomware and similar attacks.
DisableCpuThrottleOnIdleScans (Feature available on Windows 10 20H2)
This setting indicates whether the CPU will be throttled for scheduled scans while the device is idle.
An example of CPU throttling controlled by MECM or by MEM:
On the test device (Windows 10 version 20H2) with the setting DisableCpuThrottleOnIdleScans turned on:
> Set-MpPreference -DisableCpuThrottleOnIdleScans $False
> Run an on-demand full scan: Start-MpScan -ScanType FullScan
With the setting that allows CPU use without throttling, my computer did have a CPU spike: from 11% before, it grew to more than 70%, 80% and 95% within a short period of 1-2 minutes.
To turn the setting off, we just need to change the related registry key under Windows Defender\Scan, or run the PowerShell command on the device.
Registry key for the setting:
Antivirus exclusions can be helpful, but also harmful, because they tell the antivirus to skip threats in the excluded files and processes. A few common misconceptions are worth naming.
Grey Area of Exclusion:
Image files: You can choose to exclude file types such as .gif, .jpg, .jpeg and .png if your environment runs modern, up-to-date software with a strict update policy to handle any vulnerabilities in the image-processing stack.
Example of Defender for Endpoint (MDE) exclusions from investigation scans:
> Settings\Automation folder exclusions
> New folder exclusion
> Add multiple folder exclusions as needed
On Server 2016 and 2019, automatic exclusions help prevent unwanted CPU spikes during real-time scanning. They are applied in addition to your custom exclusion list and act as a kind of smart scan, with exclusions based on the server role, such as DNS, AD DS, Hyper-V host, File Server, Print Server, Web Server, etc.
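As an added example (not the authors' code), the following PowerShell audits the settings discussed above by reading Get-MpPreference: PUA protection, extension and path exclusions, and DisableCpuThrottleOnIdleScans. The grey-area extension list, the user-writable path patterns and the -Fix switch are assumptions made here for illustration.

```powershell
# Added example, not from the article: audit Defender AV preferences for the
# settings discussed above. Requires the Defender module; run elevated.
function Test-DefenderAvPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)   # -Fix applies the hardened value for PUA only

    $pref = Get-MpPreference
    $findings = @()

    # 1. PUA detection: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
    #    "Not configured" on older builds behaves like Disabled.
    if ($pref.PUAProtection -ne 1) {
        $findings += "PUAProtection is $($pref.PUAProtection); expected Enabled (1)."
        if ($Fix -and $PSCmdlet.ShouldProcess('PUAProtection', 'Set to Enabled')) {
            Set-MpPreference -PUAProtection Enabled
        }
    }

    # 2. Extension exclusions: the article's grey-area image types are
    #    acceptable only with a strict update policy; anything else needs review.
    $greyArea = @('gif', 'jpg', 'jpeg', 'png')   # assumed list, from the article
    foreach ($ext in $pref.ExclusionExtension) {
        $clean = $ext.TrimStart('.').ToLower()
        $note = if ($greyArea -contains $clean) {
            'grey area: acceptable only with an up-to-date image stack'
        } else { 'review: not an image type' }
        $findings += "Extension exclusion '.$clean' ($note)."
    }

    # 3. Path exclusions: drive roots and user-writable folders make real-time
    #    protection skip exactly the places where untrusted files land.
    $broad = '^[A-Za-z]:\\?$|\\Users\\|\\Temp\\|\\AppData\\|\\Downloads\\'
    foreach ($path in $pref.ExclusionPath) {
        if ($path -match $broad) {
            $findings += "Path exclusion '$path' is broad or user-writable; review or remove."
        }
    }

    # 4. Idle-scan CPU throttling (Windows 10 20H2+): True means scheduled scans
    #    on an idle device are not throttled, the spike scenario described above.
    if ($pref.DisableCpuThrottleOnIdleScans) {
        $findings += 'DisableCpuThrottleOnIdleScans is True; set $False if idle scans must stay throttled.'
    }

    return $findings
}

Test-DefenderAvPolicy -WhatIf
```

Run without -Fix to get a report only; with -Fix and -WhatIf it shows which change would be applied before you commit to it.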
The discussion about antivirus configuration best practice cannot end here; it needs our ongoing attention and practice. I will continue updating this article based on your feedback.
Until next time.