Option to block adding exclusions by (local) administrator on (managed) endpoint

Occasional Visitor

Lately we've seen on blogposts that hackers add exclusions to a compromised system to circumvent Endpoint protection and to further penetrate networks and-or other systems.

 

With Microsoft Defender a local administrator can add exclusions without any issues on a managed endpoint.  Even the registry option "HideExclusionsFromLocalAdmins" isn't an option considering exclusions can still be added using the Add-MpPreference command within PowerShell. Nor is there an alert in the Security Dashboard raised when a local administrator adds an exclusion.

 

The only workaround is to use Advanced Hunting (which is only part of P2) - with an hourly schedule to raise alerts - or to use external monitoring and alerting based upon event id 5007 using the source Windows Defender.

 

Most managed endpoint protection solutions from other vendors have an option to block this using policies, Microsoft Defender for Endpoint/Business/Cloud doesn't have a setting to block this even though this is considered a standard option on most managed protection solutions from other vendors and we request this feature to be added and to be configured using Intune, GPO, etc.

 

0 Replies