May 22 2020 11:51 AM
Just wanted to share some information on how to fine-tune Defender to block ransomware.
We used an open source ransomware simulator from GitHub against three configurations of Defender:
RESULTS
Defender (Free) blocked 39% of ransomware activities
MDATP with defaults blocked 50% of ransomware activities
MDATP with Hardened Configuration blocked the ransomware executable at first sight.
The MDATP hardened configuration consisted of 7 components:
- Attack Surface Reduction Rules
- Block at First Sight
- Tamper Protection
- Automatic Sample Sharing
- SmartScreen
- Network Protection
- Automatic Investigation and Remediation
To help the community, I documented the exact steps to enable these configurations on my blog site here:
https://www.thecloudtechnologist.com/mdatp-best-practices/
Stay safe!
-Joe
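As an added example (not code from Joe's post or his blog), the PowerShell below applies the parts of that hardened profile that can be set locally with the built-in Defender cmdlets and then reads the state back. It assumes an elevated session on Windows 10 with Microsoft Defender Antivirus active; the ASR rule GUID is Microsoft's published id for the "advanced protection against ransomware" rule.

```powershell
# Added example: apply the locally configurable parts of the hardened profile
# with the built-in Defender cmdlets, then read the state back.
# Run from an elevated PowerShell on Windows 10 with Defender Antivirus active.
#Requires -RunAsAdministrator

# Cloud-delivered protection is the prerequisite for Block at First Sight.
Set-MpPreference -MAPSReporting Advanced                # join MAPS (cloud protection)
Set-MpPreference -SubmitSamplesConsent SendAllSamples   # Automatic Sample Sharing
Set-MpPreference -CloudBlockLevel High                  # more aggressive cloud verdicts
Set-MpPreference -CloudExtendedTimeout 50               # seconds to wait for a verdict

# Network Protection (blocks outbound connections to known-bad hosts).
Set-MpPreference -EnableNetworkProtection Enabled

# Attack Surface Reduction rules. Pilot in AuditMode first and review
# Event Viewer, log "Microsoft-Windows-Windows Defender/Operational"
# (event 1121 = blocked, 1122 = audited), then switch to Enabled.
$asrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Enabled'  # advanced protection against ransomware
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $asrRules[$id]
}

# SmartScreen for Explorer is a policy registry value, not an MpPreference setting.
$ssKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item -Path $ssKey -Force | Out-Null
Set-ItemProperty -Path $ssKey -Name EnableSmartScreen -Value 1 -Type DWord
Set-ItemProperty -Path $ssKey -Name ShellSmartScreenLevel -Value 'Block' -Type String

# Tamper Protection and Automated Investigation & Remediation are not exposed to
# Set-MpPreference: the first is turned on in Windows Security / Intune, the
# second in the MDATP portal. We can only read Tamper Protection state here.

function Test-DefenderHardening {
    $p = Get-MpPreference
    [PSCustomObject]@{
        MAPSReporting     = $p.MAPSReporting            # expect 2 (Advanced)
        SubmitSamples     = $p.SubmitSamplesConsent     # expect 3 (SendAllSamples)
        CloudBlockLevel   = $p.CloudBlockLevel          # expect 2 (High)
        NetworkProtection = $p.EnableNetworkProtection  # expect 1 (Enabled)
        ASRRuleCount      = @($p.AttackSurfaceReductionRules_Ids).Count
        TamperProtected   = (Get-MpComputerStatus).IsTamperProtected
    }
}
Test-DefenderHardening | Format-List
```

The readback at the end is what you would compare across the three configurations before re-running a simulator; a `TamperProtected` of `False` means that component still has to be enabled from the portal.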
Jun 02 2020 08:40 PM
@Joe Stocker just checking as at the bottom of your article it's stated that
(ASR is not available in the free edition of Defender)
So while that is true, my understanding is that you can run ASR on any Windows 10 Enterprise; it's just that you don't get the advanced tools until you have the E5 license:
To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in Microsoft Defender Advanced Threat Protection, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
Jun 03 2020 04:05 PM
Jun 07 2020 09:11 PM
@Joe Stocker Thanks for the gift, as it's sometimes difficult to navigate on our own.
I was just calling out that those who might not be able to stretch to E5 can still use some parts of this protection if they are prepared to do some of the manual work/scripting, etc.