Defender for Endpoint "EDR in Block Mode" useful when using Windows Defender as primary AV

Hi, we're currently looking for pros / cons of enabling the "EDR in Block Mode" feature. All of our clients are using only Windows Defender as the primary antivirus solution.

We already found these "great" articles and quotes:

1. "EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device)."

quote source 

Got it, it is PRIMARILY recommended. Is it useful to enable this while using only Defender AV as primary, as well?

2. "There is little benefit to enabling EDR in block mode when Microsoft Defender Antivirus is the primary antivirus solution on devices."

quote source 

Ok, but WHAT is the little benefit? Little benefits are okay, too. :>

3. "Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?"

quote source 

Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ) | Microsoft Lea...

Any idea is highly appreciated!

Regards,

Patrick

In addition: in this YouTube video (timestamp included) from MS they clearly say: "Therefore, EDR in block mode is only beneficial when using a third-party antivirus solution and Microsoft Defender Antivirus is in passive mode."

@PatrickF11 we ran into this situation recently when it would have been beneficial to have EDR Block Mode On. We have Defender and Crowdstrike and a change was made that forced Crowdstrike as primary resulting in Defender basically shutting down. After this happened, all our devices stopped responding to ASR rules. If we were to have had EDR Block Mode On, our machines would still have been able to respond to ASR rules.

@ThomasGillespie Thanks for your reply.

So you mean it would be good to activate it, so that in case Defender AV gets into passive mode (for whatever reason), we've got a little bit of extra protection. Okay, got it.

But is there any benefit when there is absolutely no chance that a 3rd-party AV solution is in place? :>

Absolutely. If your real-time protection is turned off and you do have EDR on, Microsoft can still do some remediation. If your real-time protection goes off and you are in a passive state, there is no clean-up done and the device is no longer protected by ASR rules.
I also ran the question through ChatGPT for a better explanation.

Enabling EDR (Endpoint Detection and Response) Block Mode in Microsoft Defender offers several benefits:

1. Enhanced threat prevention: EDR Block Mode provides real-time blocking capabilities to prevent known and suspicious threats from executing on your system. It complements traditional antivirus and anti-malware solutions by adding an extra layer of proactive defense.

2. Rapid response to emerging threats: By leveraging cloud-based threat intelligence and machine learning, EDR Block Mode can quickly identify and block new and evolving threats. This helps prevent the spread of malware and other malicious activities before they can cause harm.

3. Improved incident response: EDR Block Mode enables security teams to respond swiftly to potential security incidents. It provides detailed insights and telemetry data, allowing analysts to investigate and remediate threats effectively.

4. Increased visibility and control: With EDR Block Mode, you gain greater visibility into endpoint activities and can proactively manage security events. It offers rich telemetry data, allowing you to monitor and analyze system behavior, identify patterns, and detect anomalies.

5. Centralized management and reporting: EDR Block Mode can be managed centrally through Microsoft Defender Security Center or other security management tools. This provides a unified view of security events, simplifying the monitoring and reporting processes.

It's worth noting that while EDR Block Mode is a powerful security feature, it should be used alongside other security measures to ensure comprehensive protection for your systems and data.
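
The replies above turn on one question: is Defender AV still the active, real-time engine on the device, or has it dropped into passive mode, and is EDR in block mode picking up the slack? The following script is an added example (not code from the thread or from Microsoft) that reports exactly that state with the documented `Get-MpComputerStatus` / `Get-MpPreference` cmdlets. It assumes an elevated PowerShell session on a Windows 10/11 or Windows Server device with the Defender module present; the mode strings it matches are the values Microsoft documents for `AMRunningMode` ("Normal", "Passive Mode", "EDR Block Mode", "SxS Passive Mode"). The EDR-in-block-mode switch itself is set in the Defender portal (Settings > Endpoints > Advanced features), not by these cmdlets; the script only shows whether it is in effect on this device.

```powershell
# Added example, not part of the original thread.
# Reports whether Microsoft Defender Antivirus is active, passive, or passive
# with EDR in block mode, and which configured ASR rules are affected.
# Assumes: elevated PowerShell on a device with the Defender module
# (Get-MpComputerStatus / Get-MpPreference).

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Documented AMRunningMode values:
#   "Normal", "Passive Mode", "EDR Block Mode", "SxS Passive Mode"
$mode = $status.AMRunningMode

# ASR rule ids and their actions are parallel arrays in Get-MpPreference.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$asrIds     = @($prefs.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$asrActions = @($prefs.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })

[pscustomobject]@{
    AMRunningMode             = $mode
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    AsrRulesConfigured        = $asrIds.Count
} | Format-List

# Interpretation of the mode, as argued in the thread:
#  - Normal: Defender AV is primary with real-time protection; ASR rules are
#    enforced; EDR in block mode is only a safety net here.
#  - EDR Block Mode: AV is passive, but MDE can still remediate what the EDR
#    sensor detects. Per Microsoft's ASR documentation, ASR rules still need
#    Defender AV in active mode, so they are not enforced in this state.
#  - Passive Mode / SxS Passive Mode: no Defender remediation and no ASR
#    enforcement; protection depends entirely on the third-party product.
switch -Regex ($mode) {
    '^Normal$' {
        'Defender AV is active with real-time protection: ASR rules apply; EDR in block mode would only be a fallback.'
    }
    '^EDR Block Mode$' {
        'Defender AV is passive, EDR in block mode is active: MDE can still remediate, but ASR rules are not enforced.'
    }
    '^(SxS )?Passive Mode$' {
        'Defender AV is passive and EDR in block mode is NOT active: no Defender remediation, no ASR enforcement.'
    }
    default {
        "Unrecognised AMRunningMode value '$mode'; check the device manually."
    }
}

# If AV is not active, list the rules that are configured to Block but
# cannot be enforced on this device in its current mode.
if ($mode -ne 'Normal' -and $asrIds.Count -gt 0) {
    for ($i = 0; $i -lt $asrIds.Count; $i++) {
        if ($asrActions[$i] -eq 1) {
            "ASR rule $($asrIds[$i]) is set to Block but is not enforced while Defender AV is passive."
        }
    }
}
```

Running this across a fleet (for example through Intune remediation scripts or a Live Response session) gives a quick inventory of devices that have silently dropped into passive mode, which is the scenario the replies describe: the value of EDR in block mode shows up only on the devices where `AMRunningMode` is not "Normal".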

@ThomasGillespie Thanks for your thoughts.

Got it. But let me ask a last "critical question" ;)

Is there any benefit when Defender is the primary AV AND real-time protection is on?

(I already know that I'm going to activate EDR in block mode, just in case someone turns off real-time protection or a 3rd-party AV kicks Defender into passive mode. Just to have this one asked. ;)

If Defender is turned off, it will turn off real-time protection, so you have a device with no AV. With EDR, your device has some form of coverage.

I already understood this and I understood the benefits in this case.
But, as I mentioned, the only thing I want to know in addition: are there any benefits as long as Defender IS the primary AV and real-time protection IS on (assuming no one switches it off)?

(Yes, I will enable EDR in block mode anyway, because in the real world it could happen that AV gets disabled, but just assuming ...)

From my experience and from what I know about the MS documentation on MDE, there is no benefit to turning block mode on in your scenario. The "little" or "minimal" benefit is not explained anywhere, but one could assume it's more about the potential rather than actual benefits.