"Disable Windows Firewall notifications..." detection/remediation steps are incorrect


The following three security detections/recommendations are incorrect --

  • Disable Windows Firewall notifications when programs are blocked for Domain profile
  • Disable Windows Firewall notifications when programs are blocked for Private profile
  • Disable Windows Firewall notifications when programs are blocked for Public profile

The stated (although debatable) goal is to disable the notifications so as not to confuse the user since they wouldn't be able to address it properly anyway. The remediation options indicate that Windows Defender ATP is verifying that the HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications REG_DWORD value is set to 0. Instead, it should be checking to make sure it is set to 1 since that is what would disable the notifications.

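An added audit script, not part of the original post and not Microsoft's own check, that reads the DisableNotifications policy value the post discusses for all three firewall profiles and compares it against the value the post argues the recommendation should require (1 = notifications disabled). It assumes it is run elevated on a Windows host with the NetSecurity module available; the function name, the -ExpectedValue parameter and the "NotConfigured" handling for a key that no GPO has ever written are this example's own choices.

```powershell
# Added example, not from the original post. Audits the DisableNotifications
# policy value for the Domain, Private and Public firewall profiles and flags
# whether it matches the value the post argues the check should require.
# Assumptions: run as Administrator; when no GPO has ever written the key the
# value is absent and is reported as NotConfigured rather than as 0.

function Test-FirewallNotificationPolicy {
    [CmdletBinding()]
    param(
        # Value a compliant host should carry. The post argues this is 1
        # (notifications disabled), not the 0 the recommendation checks for.
        [int]$ExpectedValue = 1
    )

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

    foreach ($profile in 'Domain', 'Private', 'Public') {
        # Policy key per profile, e.g. ...\WindowsFirewall\DomainProfile
        $keyPath = Join-Path $base "${profile}Profile"

        $policyValue = $null
        if (Test-Path $keyPath) {
            $policyValue = (Get-ItemProperty -Path $keyPath -Name 'DisableNotifications' `
                            -ErrorAction SilentlyContinue).DisableNotifications
        }

        # Effective state as the firewall service reports it, used as a
        # cross-check of the policy key (NotifyOnListen False = notifications off).
        $effective = (Get-NetFirewallProfile -Name $profile -ErrorAction SilentlyContinue).NotifyOnListen

        if ($null -eq $policyValue) {
            $state = 'NotConfigured'
        } elseif ($policyValue -eq $ExpectedValue) {
            $state = 'Compliant'
        } else {
            $state = 'NonCompliant'
        }

        [pscustomobject]@{
            Profile        = $profile
            PolicyValue    = $policyValue
            NotifyOnListen = $effective
            State          = $state
        }
    }
}

# Run with the post's interpretation (1 = disabled); pass -ExpectedValue 0 to
# reproduce what the post says the current recommendation is checking for.
Test-FirewallNotificationPolicy | Format-Table -AutoSize
```

Comparing the PolicyValue column with NotifyOnListen on a host where the GPO is applied shows which reading of the value is correct: a profile with PolicyValue 1 should report NotifyOnListen False.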