Levelling up Windows Defender

Enhancing detection and blocking capabilities with the default Windows anti-virus.

Introduction

Windows Defender is commonplace in smaller organisations without AV centralisation, or those that may not wish to purchase enterprise AV subscriptions. However, what is not commonplace is moving beyond the default configuration to provide enhanced protection for endpoints.

Microsoft provides a variety of configuration options via Group Policy, InTune, PowerShell or SCCM which enhance Defender’s detection capabilities; pushing Defender to the forefront of modern threat detection. This article serves to summarise information provided through Microsoft’s latest security baseline for Windows 10 and Windows Server 2016, along with collating information from other security professionals and official Microsoft documentation in an easily digestible format.

We will cover delivering cloud protection, enhancing cloud-based protection, blocking potentially unwanted programs, and will take a look at Defender’s attack surface reduction rules. This post will cover Group Policy-based deployment, as well as the available PowerShell commandlets, though as mentioned above, InTune and SCCM deployments are available.

Enable and enhance cloud-based protection

Windows Defender’s cloud-based protection “uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates“. This ensures that endpoints take advantage of stronger protection in addition to standard real-time protection.

Group Policy

As with all enhancements discussed herein, Group Policy can be configured to enable/enhance cloud protection. This is achieved through the following path – Computer configuration -> Administrative templates -> Windows Components -> Windows Defender Antivirus -> MAPS.

The “Join Microsoft MAPS” setting should be configured as Enabled with either Basic or Advanced membership (the distinction does not matter on Windows 10 systems). The “Send file samples when further analysis is required” setting should be set to either Send safe samples or Send all samples, depending on your individual requirements.

In summary, the MAPS settings should be configured like so –

These settings can also be defined on local instances, via SCCM or through Microsoft InTune as described in the documentation available at this link.

PowerShell

Cloud-based protection can be enabled through PowerShell on either a standalone machine, or potentially on many machines through remoting or otherwise. Thankfully, Microsoft has made Defender’s PowerShell commandlets incredibly easy to use, with only two commands required to enable cloud-based protection –

Note: These commands must all be ran as an Administrator.

Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent AlwaysPrompt

Once enabled, you can confirm whether or not MAPS is enabled on a device by extracting the MAPSReporting setting from the malware protection preferences like so –

$(Get-MpPreference).MAPSReporting

A result of 0 indicates that MAPS reporting is not enabled, and either 1 or 2 means that cloud-based protection should be enabled.

Enhancing cloud-based protection

So now we’ve enabled cloud-based protection along with sample submission, but what else can we configure? Well, we can also enable real-time cloud-based detection for suspicious activities, define the cloud protection blocking level and cloud-based scanning for suspicious files.

Group Policy

Real-time cloud-based detection can be enabled through Computer configuration -> Administrative templates -> Windows Components -> Windows Defender Antivirus -> MAPS, by setting the “Configure the ‘Block at First Sight’ feature” setting to Enabled. This requires the following prerequisites –

  • MAPS -> “Join Microsoft MAPS” set to Enabled
  • MAPS -> “Send file samples when further analysis is required” set to Send safe samples or Send all samples
  • Real-time Protection -> “Scan all downloaded files and attachments” must be enabled
  • Real-time Protection -> Do not enable “Turn off real-time protection”

The other two settings are configurable through Computer configuration -> Administrative templates -> Windows Components -> Windows Defender Antivirus -> MpEngine. The current Microsoft security baseline does not recommend adjusting the cloud protection level, and the Microsoft docs warn against setting a higher protection level as it may lead to increased false positives. If desired, you can adjust this setting to either High, High+ or Zero Tolerance (with the risk of false positives naturally increasing at each step change).

As described in the “Configure extended cloud check” help section, the default cloud check timeout is 10 seconds. This can be increased to allow for extended checking – for example, adjusting the setting to 50 seconds will result in an addition 50 seconds of checks alongside the default 10 seconds, i.e. 60 seconds in total.

PowerShell

Note: These commands must all be ran as an Administrator.

Microsoft’s docs on Set-MpPreference seem a little outdated, so at first glance, it does not appear to be possible to adjust either the extended cloud check duration through PowerShell commandlets. But by reviewing the output of Get-MpPreference, extended cloud check and adjusting the cloud protection level is possible like so –

Set-MpPreference -CloudBlockLevel High

High can be substituted with either HighPlus or ZeroTolerance to match the potential options mentioned above.

Block at First Sight can be enabled via the Set-MpPreference commandlet like so –

Set-MpPreference -DisableBlockAtFirstSeen $False

Finally, the cloud-based extended check can be adjusted through the CloudExtendedCheck property –

Set-MpPreference -CloudExtendedTimeout 50

Troubleshooting cloud-based protection

With all these settings enabled, it’s important that we confirm we’re actually receiving the requested protection. Thankfully, Microsoft has well-documented information around confirming and troubleshooting connectivity issues.

Once you’ve deployed the Group Policy changes and allowed them to refresh on a test PC, launch Command Prompt as an administrator (must be an elevated prompt or else you’ll receive a 80070005 error).

From Command Prompt, run the following – "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -validatemapsconnection. You should receive a successful response like so –

If you do receive an error when running the above command, check out Microsoft’s docs page on troubleshooting cloud-based protection – it includes required URLs, and a sample file which should be detected if cloud-based settings are enabled.

Blocking potentially unwanted programs

Group Policy

For whatever reason, Windows Defender doesn’t enable PUP protection by default – a feature offered by most other anti-virus applications. This feature can be enabled through Group Policy via the following path – Computer configuration -> Administrative templates -> Windows Components -> Windows Defender Antivirus through the setting “Configure detection for potentially unwanted applications“.

This setting can be set to either Audit or Block. Block will naturally block potentially unwanted programs, whereas Audit will log an event to the event log under event ID 1160 through Application and Services Logs\Microsoft\Windows\Windows Defender\Operational.

This setting can also be set up through InTune, and is enabled by default through SCCM.

PowerShell

Note: These commands must all be ran as an Administrator.

Potentially Unwanted Programs can be blocked through PowerShell through the following commandlet –

Set-MpPreference -PUAProtection 1

Again, you can easily verify whether or not this setting is enabled by checking the result from Get-MpPreference for the PUAProtection property

$(Get-MpPreference).PUAProtection

Attack surface reductions

Group Policy

Microsoft offers several attack surface reduction rules to prevent common malware behaviours. Unfortunately, these are not the most user-friendly in their naming convention as they use GUIDs (though a mapping from GUID to a friendly description is available here). It is not exactly clear if all of these reduction rules will continue to remain available to users without Defender ATP, however I will include them below anyway.

Attack surface reduction rules can be enabled via Computer configuration -> Administrative templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction.

Microsoft’s security baseline recommends the following GUIDs set to Block (I have included friendly description mappings from the link above) –

GUIDFriendly description
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 Block executable content from email client and webmail
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe)
d4f940ab-401b-4efc-aadc-ad5f3c50688a Block all Office applications from creating child processes
d3e037e1-3eb8-44c8-a917-57927947596d Block JavaScript or VBScript from launching downloaded executable content
5beb7efe-fd9a-4556-801d-275e5ffc04cc Block execution of potentially obfuscated scripts
3b576869-a4ec-4529-8536-b80a7769e899 Block Office applications from creating executable content
26190899-1602-49e8-8b27-eb1d0a1ce869 Block Office communication application from creating child processes
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macro
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c Block Adobe Reader from creating child processes
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Block Office applications from injecting code into other processes

PowerShell

Note: These commands must all be ran as an Administrator.

Again, we can use the Set-MpPreference commandlet to add attack surface reduction rules. This can be achieved like so –

Set-MpPreference -AttackSurfaceReductionRules_Ids RULE_GUID(S) -AttackSurfaceReductionRules_Actions Enabled

As with Group Policy, the action can either be enabled (i.e. the friendly description for the given rule will be enforced), or AuditMode, which will generate an event.

Therefore, to make adding the above rules easier, I have included the above command with each GUID to assist with copying and pasting (hopefully on a test machine!)

Set-MpPreference -AttackSurfaceReductionRules_Idsbe9ba2d9-53ea-4cdc-84e5-9b1eeee46550,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,d4f940ab-401b-4efc-aadc-ad5f3c50688a,d3e037e1-3eb8-44c8-a917-57927947596d, 5beb7efe-fd9a-4556-801d-275e5ffc04cc,3b576869-a4ec-4529-8536-b80a7769e899,26190899-1602-49e8-8b27-eb1d0a1ce869,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 -AttackSurfaceReductionRules_Actions Enabled

Summary

Hopefully this article has given you some further insight into what Windows Defender can offer your environment. Personally, I never really considered Windows Defender to be much of a contender in the anti-virus market, but uncovering all of this information has really changed my mind.

I must include a massive shoutout to SwiftOnSecurity on Twitter – they gave me the inspiration to look more into Defender and its defence capabilities, and of course a shoutout to the Microsoft Security team for their dedication to their products and their receptiveness to community feedback.