When you ask someone what antivirus software they use, you can almost hear religious claims about their products. In fact, the choice of antivirus often involves trust or distrust of the operating system. Some Windows users want to protect their computers with third-party products. But for people like me these days, it's more important that the antivirus vendor handles Windows updates properly and doesn't cause problems, rather than the antivirus software itself.
Among these, many still use Microsoft Defender. The defender has existed in operating systems in several forms since Windows XP. Recently, Defender had a zero-day problem that was automatically fixed. As a result, I have asked many people to check the installed version of Defender. To check, click Start> Settings> Update & Security> Windows Security> Open Voin, look for the gear-shaped 'Settings' icon and select 'About'.
Here you can find 4 lines of information. The first is the Antimalware Client Version number, and the second is the engine version. The third is the antivirus version number, and the last is the antispyware version number.
What does this mean if Defender's engine version, antivirus version, and antispyware version are 0.0.0.0? This could mean you have a third-party antivirus installed. Defender is over as a third-party vaccine takes over. Some people thought that the 'on-demand' antivirus vendor they were using only provided scan-only tools, and Defender was still the main antivirus tool, but if the third-party scanning tool is listed as a real-time antivirus, the software running on the system is not done.
The defender doesn't just check for bad files and downloads. It offers a variety of settings that most users don't check regularly or don't know about. Some are displayed in the GUI. Other products rely on third-party developers to provide additional guidance and understanding. One of these options is the ConfigureDefender tool on the GitHub download site, which displays all settings available via PowerShell or the registry).
As stated on the Configurator site, different versions of Windows 10 have different Defender tools. All Windows 10 versions include Real-time Monitoring, Behavior Monitoring, scanning all downloaded files and attachments, reporting level (MAPS member level), average CPU load during scanning, automatic sample submission, user It includes scanning for apps installed without consent (called PUA protection), default cloud protection level (default), and default cloud scanning timeout.
New features were added for each version of Windows. In the 1607 version of Windows 10, the 'Immediate Blocking' setting was introduced, and in version 1703, a more granular layer of cloud protection level and cloud inspection timeout was added. Starting in 1709, Attack Surface Reduction (ASR), cloud protection levels (including Windows Pro and Enterprise extension levels), controlled folder access, and network protection were supported.
As you scroll through the tools, you'll see a section dealing with controls over Microsoft's attack surface reduction rules. Many features are disabled by default and are among the most overlooked settings in Microsoft Defender. Enterprise licenses are required to fully display monitoring across the network, but standalone computers and small businesses can also take advantage of these settings and protections. As stated in a recent article, Microsoft Defender Attack Surface Reduction Recommendation, there are several settings that improve security in most environments. The recommended settings to enable are:
- Blocks untrusted or unsigned processes running on USB.
- Block Adobe Reader from spawning child processes.
- Block executable content in email clients and webmail.
- Block JavaScript or VBScript from launching downloaded executable content.
- Blocks credential theft in Windows local security authority subsystem (lsass.exe).
- Block Office applications from creating executable content.
By 'activating' these settings, i.e. blocking tasks, there is usually little effect on standalone computers. You can use the tool to set values and review their impact on the system. You probably won't even realize that these settings are enhancing your protection. Next, there are settings that need to be reviewed according to the environment so as not to damage business or computing requirements.
- Blocks office applications from injecting code into other processes.
- Block Win32API calls from Office macros.
- Block all office applications from creating subprocesses.
- Block execution of potentially obfuscated scripts.
In particular, in an environment that includes Outlook and Teams, many events are registered if the “Block subprocessor creation in all office applications” setting is turned on. Again, after activating these settings, you should check if they are actually affected. The settings to be aware of are as follows.
- Block executables from running unless they meet the criteria for penetration, distribution year, or trusted list.
- Use advanced protection against ransomware.
- Blocks process creation from PSExec and WMI commands.
- Block all office communication applications from creating subprocesses.
You should review these settings to ensure that they do not interfere with your Line of Business (LOB) apps and business processes. For example, 'Enable advanced protection against ransomware' sounds like a setting everyone wants, but in companies where the team developed software for internal use, the developer workflow was problematic (this setting is specifically If the file is similar to ransomware, this security rule blocks execution).
According to the recommendation, the setting 'Block process creation from PSExec and WMI commands' was particularly problematic. Not only do many events occur in the audit log, but the Configuration Manager client requires WMI commands to function properly, so it is not compatible with Microsoft Endpoint Configuration Manager.
If Microsoft Defender can't find additional settings, download the zip file from GitHub, unzip it, and run ConfigureDefender.exe to see how these settings affect your computing. You will be surprised to learn that you can add more protection without affecting your computing experience.
0 Comments