MDE Antivirus Configuration Common Mistakes and Best Practice
Published Feb 12 2021 03:33 AM 35.3K Views

John Barbare and Tan Tran

 

Dear IT Pros, 

In this article we discuss Microsoft Defender for Endpoint Antivirus configuration, policies and exclusion lists in detail, so that you can avoid the common mistakes and apply the best practices.

 

Best Practices for AV Policy Settings:

  • You may wonder what the best scan type is for the daily scheduled scan on all systems. The full scan is for investigating a suspected infection on a system; for the weekly or daily scheduled scan, a quick scan is good and sufficient, because it covers the locations where malware commonly registers itself to start (startup folders, registry run keys, memory), while real-time protection scans files as they are opened or written.
  • Create different Endpoint Configuration Manager AV policies for different device types and deploy each policy to the corresponding collection: SQL Server collection, IIS Server collection, Restricted Workstation collection, Standard Workstation collection.

         Example of AV policies for different server and workstation types:

[Figure: Example of AV policies for different server and workstation types]

 

  • To prevent cryptojacking, where an attacker hijacks a victim's computer to mine cryptocurrency without the owner's permission, configure the Defender AV policy with "detection for Potentially Unwanted Applications" (PUA) set to block mode; many coin miners are classified as PUA rather than as malware, so they are not blocked unless PUA protection is on.

           - In Windows 10 version 1909 and earlier, the default setting (not configured) is equivalent to disabling PUA detection. In Windows 10 version 2004 and later, PUA detection is enabled by default.

              Example, GPO setting for PUA:

[Figure: GPO setting "Configure detection for potentially unwanted applications"]

        - Potentially unwanted applications (PUA) are not considered viruses or malware, but they may perform actions on endpoints that adversely affect endpoint performance or use.

        - The policy applies to Windows 10, Windows Server 2016 and 2019, and the setting can be deployed by GPO, Endpoint Manager (Intune) or Endpoint Configuration Manager (MECM/SCCM).

  • You should periodically and randomly test whether your company's systems pass the security tests offered by the security industry. One example of such a system security test list is here.
  • Antivirus exclusion recommendations from the Microsoft Defender team:

[Figure: Antivirus exclusion recommendations from the Microsoft Defender team]

  • Once malware has infiltrated a system without being detected by antivirus, the cloud Endpoint Detection and Response (EDR) capability is needed to keep detecting it from its activities, lateral movement and behavior. Microsoft Defender for Endpoint (MDE) is one EDR product; EDR from other vendors is also an option.

               - Have a policy that onboards devices to Microsoft Defender for Endpoint (MDE) and enables EDR in block mode.

               - The EDR onboarding policies can be created and enforced by MEM (Intune) or by MECM (SCCM), as per the link here.

               - To enable EDR in block mode, go to the related cloud EDR service; for MDE it is enabled under Settings > Advanced features, as shown here:

[Figure: MDE Settings > Advanced features, "Enable EDR in block mode"]

               - EDR in block mode remediates the malicious artifacts that post-breach behavioral detections find, even when Microsoft Defender Antivirus is running in passive mode beside a third-party antivirus. That makes it a critical feature for stopping ransomware and similar attacks.
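The policy settings recommended above, applied locally with the Defender PowerShell module and then verified, as an added example that is not part of the original post. The schedule (daily quick scan at 02:00) and the cloud block level are illustrative choices. On a device managed by GPO, Intune or MECM the managed value wins over anything set with Set-MpPreference, so on such devices use only the verification half to confirm what the policy actually delivered.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# Windows 10 / Windows Server 2016+ with the Defender module available.
# Schedule and cloud-level values are illustrative assumptions; settings pushed
# by GPO, Intune or MECM override whatever Set-MpPreference writes locally.

# 1. Scheduled scan: quick scan every day at 02:00. Full scans stay on-demand,
#    for investigating a suspected infection (ScanParameters: QuickScan = 1, FullScan = 2).
Set-MpPreference -ScanParameters QuickScan
Set-MpPreference -ScanScheduleDay Everyday
Set-MpPreference -ScanScheduleTime 02:00:00

# 2. PUA detection in block mode. 'AuditMode' only logs, which leaves coin miners running.
Set-MpPreference -PUAProtection Enabled

# 3. Cloud-delivered protection, which PUA cloud lookups and EDR in block mode rely on.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel High

# 4. Verify the effective preferences and the engine's running mode.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    ScanParameters     = $pref.ScanParameters        # 1 = QuickScan, 2 = FullScan
    ScanScheduleDay    = $pref.ScanScheduleDay       # 0 = Everyday
    ScanScheduleTime   = $pref.ScanScheduleTime
    PUAProtection      = $pref.PUAProtection         # 0 Disabled, 1 Enabled (block), 2 AuditMode
    MAPSReporting      = $pref.MAPSReporting         # 2 = Advanced
    AMRunningMode      = $status.AMRunningMode       # 'Normal', 'Passive Mode', 'EDR Block Mode', ...
    RealTimeProtection = $status.RealTimeProtectionEnabled
} | Format-List

# Fail loudly if PUA did not end up in block mode, e.g. because a policy set audit mode.
if ($pref.PUAProtection -ne 1) {
    Write-Warning "PUAProtection is $($pref.PUAProtection); expected 1 (block mode)."
}
```

AMRunningMode is the quickest way to confirm that a device onboarded to MDE with a third-party antivirus is actually in "EDR Block Mode" rather than plain "Passive Mode", which is the state the EDR-in-block-mode policy above is meant to produce.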

 

Common Mistakes:

DisableCpuThrottleOnIdleScans (available on Windows 10 20H2)

This setting indicates whether the CPU will be throttled for scheduled scans while the device is idle.

  • The parameter is enabled ($True) by default, so the CPU is not throttled for scheduled scans performed while the device is idle, regardless of what ScanAvgCPULoadFactor is set to.
  • When enabled, DisableCpuThrottleOnIdleScans overrides the value (5-100% CPU time) set by ScanAvgCPULoadFactor; set it to $False to make idle-time scans honor that limit again.

An example of CPU throttling controlled by MECM or by MEM:

[Figure: CPU throttling settings in MECM / MEM]

 

  • In my lab, the on-demand full scan was also impacted by the non-throttling status.

         On the test device (Windows 10 version 20H2) with the setting DisableCpuThrottleOnIdleScans turned on:

          > Set-MpPreference -DisableCpuThrottleOnIdleScans $False

[Figure: Set-MpPreference -DisableCpuThrottleOnIdleScans in PowerShell]

           > Run an on-demand full scan: Start-MpScan -ScanType FullScan

[Figure: Start-MpScan -ScanType FullScan in PowerShell]

 

With the setting allowing CPU use without throttling, my computer had a CPU spike: from 11% before, it grew to more than 70%, 80% and 95% within a short period of 1-2 minutes.

[Figure: Task Manager CPU usage during the unthrottled full scan]

 

To restore throttling, set DisableCpuThrottleOnIdleScans to false, either in the related registry key of Windows Defender Scan or with the Set-MpPreference PowerShell command shown above on the device.

[Figure: Set-MpPreference output after changing DisableCpuThrottleOnIdleScans]

 

Registry key for the setting:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan

[Figure: DisableCpuThrottleOnIdleScans value under HKLM\SOFTWARE\Microsoft\Windows Defender\Scan]
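A way to reproduce the lab measurement above on your own device, as an added example that is not part of the original post: it samples the Defender engine's CPU use (the MsMpEng process) for the duration of an on-demand scan, first with DisableCpuThrottleOnIdleScans at its default ($True) and then with throttling restored. The 30% load factor and the quick-scan default are my assumptions to keep the run short; pass -ScanType FullScan to match the post.

```powershell
# Added example (not from the original post). Run elevated. Counter names are the
# English ones, so on a localized Windows adjust '\Process(MsMpEng)\% Processor Time'.
# ScanAvgCPULoadFactor = 30 and QuickScan are illustrative assumptions.

function Measure-ScanCpu {
    param(
        [ValidateSet('QuickScan', 'FullScan')] [string]$ScanType = 'QuickScan',
        [int]$IntervalSeconds = 2
    )
    # Run the scan in a background job so this session is free to sample the engine.
    $job = Start-Job -ScriptBlock { param($t) Start-MpScan -ScanType $t } -ArgumentList $ScanType

    $counter  = '\Process(MsMpEng)\% Processor Time'
    $cores    = [int]$env:NUMBER_OF_PROCESSORS
    $readings = @()
    while ($job.State -eq 'Running') {
        $s = Get-Counter -Counter $counter -SampleInterval $IntervalSeconds -MaxSamples 1
        # A process' % Processor Time sums all cores, so normalise to a 0-100 scale.
        $readings += [math]::Round($s.CounterSamples[0].CookedValue / $cores, 1)
    }
    Receive-Job $job -ErrorAction SilentlyContinue | Out-Null
    Remove-Job $job -Force

    if ($readings.Count -eq 0) { $readings = @(0) }   # scan finished before the first sample
    [pscustomobject]@{
        ScanType = $ScanType
        Samples  = $readings.Count
        MaxCpu   = ($readings | Measure-Object -Maximum).Maximum
        AvgCpu   = [math]::Round(($readings | Measure-Object -Average).Average, 1)
    }
}

# Before: the default. Throttling is disabled for idle-time scans, and the post's lab
# shows the on-demand scan running unthrottled as well.
Set-MpPreference -DisableCpuThrottleOnIdleScans $true
$unthrottled = Measure-ScanCpu

# After: honour ScanAvgCPULoadFactor again (range 5-100; 30% is an assumption).
Set-MpPreference -DisableCpuThrottleOnIdleScans $false -ScanAvgCPULoadFactor 30
$throttled = Measure-ScanCpu

$unthrottled, $throttled | Format-Table -AutoSize
```

ScanAvgCPULoadFactor is an average target rather than a hard cap, so expect short spikes above 30% in the throttled run; the average and the duration of the spikes are what should change between the two rows.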

Antivirus Exclusion mistakes

Antivirus exclusions can be helpful or harmful, because they tell the antivirus to skip threats in the excluded files and processes. A few common mistakes:

  1. Excluding the processes that are the front line against malicious content, such as MS Word, MS Outlook, the Java engine or Acrobat Reader.
  2. Excluding cabinet and compressed files (.zip, .tar, .cab, .7z) from AV scanning; they can carry the threat's payload.
  3. Excluding the user profile temp folder, the system temp folder and similar locations where a malicious file may set up its base:
    • C:\Users\<UserProfileName>\AppData\Local\Temp\
    • C:\Users\<UserProfileName>\AppData\LocalLow\Temp\
    • C:\Users\<UserProfileName>\AppData\Roaming\Temp\
    • %Windir%\Prefetch
    • %Windir%\System32\Spool
    • C:\Windows\System32\CatRoot2
    • %Windir%\Temp
  4. Using user environment variables in exclusions. The use of environment variables as a wildcard in exclusion lists is limited to system variables only; do not use user environment variables when adding Microsoft Defender Antivirus folder and process exclusions.
  5. Forgetting what a process exclusion means: any file opened by that process is excluded from real-time scanning. Those files are still scanned by on-demand or scheduled scans, unless a file or folder exclusion has also been created that exempts them.

Grey Area of Exclusion:

Image files: You can choose to exclude file types such as .gif, .jpg, .jpeg and .png if your environment runs modern, up-to-date software with a strict update policy to handle any vulnerabilities in the image parsers; otherwise keep them scanned, since a crafted image file is a well-known delivery vector against unpatched viewers.
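An audit script for the exclusion mistakes listed above, as an added example that is not part of the original post. It reads the effective Defender exclusions with Get-MpPreference and flags front-line application processes, archive extensions, temp and staging folders, and user environment variables. The pattern lists are my own heuristics built from the post's list, not a Microsoft-maintained list, so extend them for your environment.

```powershell
# Added example (not from the original post). Reads the effective exclusion lists and
# flags entries matching the mistakes described in the post. The lists below are
# heuristics assumed for this example, not an official Microsoft list.

$pref = Get-MpPreference

# Processes that are the front line against malicious documents and content.
$riskyProcesses = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe',
                  'java.exe','javaw.exe','acrord32.exe','acrobat.exe'
# Archive formats that can carry a payload past the scanner.
$riskyExtensions = 'zip','tar','cab','7z','rar','gz'
# Folders malware commonly uses as a staging area (from the post's list).
$riskyFolders = '\AppData\Local\Temp','\AppData\LocalLow\Temp','\AppData\Roaming\Temp',
                '\Windows\Temp','\Windows\Prefetch','\System32\Spool','\System32\CatRoot2'
# User environment variables are not expanded in exclusions; only system variables are.
$userVars = '%USERPROFILE%','%APPDATA%','%LOCALAPPDATA%','%HOMEPATH%'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Value, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value; Issue = $Issue })
}

foreach ($p in @($pref.ExclusionProcess | Where-Object { $_ })) {
    $leaf = ([System.IO.Path]::GetFileName($p)).ToLower()
    if ($riskyProcesses -contains $leaf) {
        Add-Finding 'Process' $p 'Front-line application excluded; every file it opens skips real-time scanning'
    }
}

foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
    if ($riskyExtensions -contains $e.TrimStart('.').ToLower()) {
        Add-Finding 'Extension' $e 'Archive type excluded; archives can carry the payload'
    }
}

foreach ($path in @($pref.ExclusionPath | Where-Object { $_ })) {
    foreach ($f in $riskyFolders) {
        if ($path -like "*$f*") { Add-Finding 'Path' $path "Temp/staging folder excluded: $f" }
    }
    foreach ($v in $userVars) {
        if ($path -like "*$v*") { Add-Finding 'Path' $path "User environment variable is not expanded in exclusions: $v" }
    }
}

if ($findings.Count -gt 0) {
    $findings | Sort-Object Type, Value | Format-Table -AutoSize -Wrap
} else {
    'No risky exclusions found in the effective Defender Antivirus exclusion lists.'
}
```

Get-MpPreference shows the merged result of local and policy-delivered exclusions, so the same script works on a GPO- or Intune-managed device; run it after each policy change, since a new exclusion can silently widen what real-time protection skips.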

Missing MDE (Microsoft Defender for Endpoint) exclusions

  • If you need an exclusion for a threat detected by the Defender for Endpoint cloud service, use that service's own exclusion mechanism (an indicator or an automation folder exclusion) rather than a Defender Antivirus exclusion.
  • Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including endpoint detection and response (EDR), attack surface reduction (ASR) rules, and controlled folder access.
  • To exclude files broadly, add them to the Microsoft Defender for Endpoint custom indicators ("allow" indicators).

[Figure: Note from Microsoft Docs that Defender Antivirus exclusions do not apply to EDR, ASR rules and controlled folder access]

 

  • To exclude files and folders in MDE:

[Figure: MDE Settings > Indicators, file hash indicators]

 

Example of Defender for Endpoint (MDE) exclusion from automated investigation scans:

   > Settings > Automation folder exclusions

   > New folder exclusion

[Figure: MDE Settings > Automation folder exclusions > New folder exclusion]

        > Add multiple folder exclusions as needed:

[Figure: Multiple automation folder exclusions configured]
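The "custom indicators" route for excluding a file broadly, driven through the Defender for Endpoint indicators API instead of the portal, as an added example that is not part of the original post. It assumes a bearer token for the WindowsDefenderATP API with the Ti.ReadWrite permission has already been obtained through your own app registration and placed in the MDE_TOKEN environment variable, and the file path, title and 90-day expiry are example values. An "Allowed" file indicator overrides antivirus detections for that hash tenant-wide, which is exactly why the post calls it a broad exclusion, so treat it with the same review as a code-signing exception.

```powershell
# Added example (not from the original post). Submits an "Allowed" SHA-256 file
# indicator to the Defender for Endpoint indicators API. Assumptions: $env:MDE_TOKEN
# holds a valid bearer token (obtained separately); the file path is an example.

$token = $env:MDE_TOKEN
if (-not $token) { throw 'Set MDE_TOKEN to a bearer token for the WindowsDefenderATP API first.' }

$file = 'C:\Tools\internal-scanner.exe'   # example path, replace with the reviewed file
$hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash

$headers = @{
    Authorization  = "Bearer $token"
    'Content-Type' = 'application/json'
}
$base = 'https://api.securitycenter.microsoft.com/api/indicators'

# Show any indicator already defined for this hash, so an existing Block is not
# silently turned into an Allow (POST to this endpoint submits or updates).
$existing = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri ($base + "?`$filter=indicatorValue eq '$hash'")
if ($existing.value) {
    $existing.value | Select-Object id, action, title, expirationTime | Format-Table -AutoSize
}

$body = @{
    indicatorType      = 'FileSha256'
    indicatorValue     = $hash
    action             = 'Allowed'
    title              = "Allow $(Split-Path $file -Leaf)"
    description        = 'Internal tool; allowed after security review (reference your change ticket here)'
    severity           = 'Informational'
    recommendedActions = 'None'
    # Time-box the allow so it is re-reviewed instead of living forever (90 days is an assumption).
    expirationTime     = (Get-Date).AddDays(90).ToUniversalTime().ToString('o')
} | ConvertTo-Json

$created = Invoke-RestMethod -Method Post -Uri $base -Headers $headers -Body $body
$created | Select-Object id, indicatorType, indicatorValue, action, expirationTime
```

Using a hash rather than a path or process means the allow follows the reviewed binary only; a rebuilt or tampered copy gets a new hash and goes back to normal detection, which a path-based antivirus exclusion would never catch.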

 

Default Exclusions on Newer Server Versions (2016 and 2019)

Automatic exclusions are available on Server 2016 and 2019

On Server 2016 and 2019, automatic exclusions help prevent unwanted CPU spikes during real-time scanning. They are in addition to your custom exclusion list and are applied based on the installed server roles, such as DNS, AD DS, Hyper-V host, File Server, Print Server, Web Server, etc.

  • Your custom exclusions take precedence over automatic exclusions.
  • Automatic exclusions only apply to real-time protection (RTP) scanning. They are not honored during a full, quick or on-demand scan.
  • Custom and duplicate exclusions do not conflict with automatic exclusions.
  • Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on the computer and applies the appropriate automatic exclusions.

The discussion about antivirus configuration best practice cannot end here; it needs our ongoing attention and practice. I will continue updating this article based on your feedback.

Until next time.

 

 

Reference:

- Common mistakes to avoid when defining exclusions - Windows security | Microsoft Docs

- Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019 - Windows security | Microsoft Docs

- Configure and validate exclusions based on extension, name, or location - Windows security | Microsoft Docs

- Manage automation folder exclusions - Windows security | Microsoft Docs

- Coin miners - Windows security | Microsoft Docs

- Block potentially unwanted applications with Microsoft Defender Antivirus - Windows security | Microsoft Docs

- Endpoint detection and response in block mode - Windows security | Microsoft Docs

- Manage Microsoft Defender for Endpoint using Group Policy Objects - Windows security | Microsoft Docs

- Deploy, manage, and report on Microsoft Defender Antivirus - Windows security | Microsoft Docs

- Manage antivirus settings with endpoint security policies in Microsoft Intune | Microsoft Docs

- Exclude Process applied to real-time scan only

 

 

 

Last update: May 13 2021