Decoding Microsoft Defender’s hidden settings
Computer World – Susan Bradley
Though many Windows 10 users opt for third-party antivirus protection, those who use Microsoft Defender may not be getting all of the protection they could. Here’s how to check your settings and what to change. Defender involves more than just checking bad files and downloads. It offers a variety of settings most users don’t check on a regular basis, or even know about. Some are exposed in the GUI. Others rely on third-party developers to deliver additional guidance and understanding. One such option is the ConfigureDefender tool on the GitHub download site. (ConfigureDefender exposes all of the settings you can use via PowerShell or the registry.)
As you scroll through the tool, you’ll notice a section that covers control for Microsoft’s Attack Surface Reduction (ASR) rules. You’ll also note that many of them are disabled. These are among the most overlooked settings in Microsoft Defender. While you will need an Enterprise license to fully expose monitoring across your network, even standalone computers and small businesses can take advantage of these settings and protections. As noted in a recent document, Microsoft Defender Attack Surface Reduction recommendations, there are several settings that should be safe for most environments.
The recommended settings to enable include:
- Block untrusted and unsigned processes that run from USB.
- Block Adobe Reader from creating child processes.
- Block executable content from email client and webmail.
- Block JavaScript or VBScript from launching downloaded executable content.
- Block credential stealing from the Windows local security authority subsystem (lsass.exe).
- Block Office applications from creating executable content.
Next, there are settings that should be reviewed for your environment to ensure they don’t interfere with your business or computing needs. These settings are:
- Block Office applications from injecting code into other processes.
- Block Win32 API calls from Office Macros.
- Block all Office applications from creating child processes.
- Block execution of potentially obfuscated scripts.
In particular, in an environment that includes Outlook and Teams, a great number of events were registered when the setting “Block all Office applications from creating child processes” was turned on. Again, you can try these and see if you are affected.
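The article notes that ConfigureDefender only exposes what PowerShell and the registry already offer, and that the second group of rules should be tried before being enforced. The following PowerShell is an added example, not from the article or the ConfigureDefender project: it turns on the first group in block mode, puts the second group in audit mode so you can measure the impact before enforcing, prints the resulting configuration, and then pulls the Defender events that record what the rules blocked or would have blocked. It assumes an elevated PowerShell session on Windows 10 with Microsoft Defender Antivirus active. The rule GUIDs are Microsoft's published ASR rule IDs as I recall them, so confirm each against Microsoft's Attack Surface Reduction rules reference before deploying.

```powershell
# Added example (not the article's or ConfigureDefender's code).
# Assumes: elevated PowerShell, Windows 10, Microsoft Defender Antivirus active.
# Rule GUIDs below are Microsoft's published ASR rule IDs as recalled by the editor;
# verify each one against the official ASR rules reference before rolling out.

# Group 1: rules the article lists as safe for most environments.
$safeRules = @{
    'Block untrusted and unsigned processes that run from USB'                 = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block Adobe Reader from creating child processes'                        = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block executable content from email client and webmail'                  = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block credential stealing from LSASS'                                    = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block Office applications from creating executable content'              = '3b576869-a4ec-4529-8536-b80a7769e899'
}

# Group 2: rules the article says to review first (Outlook/Teams generated many events).
$reviewRules = @{
    'Block Office applications from injecting code into other processes' = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Win32 API calls from Office macros'                           = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Block all Office applications from creating child processes'        = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block execution of potentially obfuscated scripts'                  = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}

function Set-AsrRules {
    # Applies one action (Enabled = block, AuditMode = log only) to every rule in the table.
    param(
        [hashtable]$Rules,
        [ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Action
    )
    foreach ($name in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules[$name] `
                         -AttackSurfaceReductionRules_Actions $Action
        Write-Output ('{0,-9} {1}' -f $Action, $name)
    }
}

# Step 1: enforce the safe set, audit the review set.
Set-AsrRules -Rules $safeRules   -Action Enabled
Set-AsrRules -Rules $reviewRules -Action AuditMode

# Step 2: show what Defender now has configured.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Step 3: after a trial period, review what the rules did.
# Event 1121 = ASR rule blocked something, 1122 = ASR rule in audit mode would have blocked.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it once, work normally for a week, then re-run only Step 3: if the 1122 events for a review rule are all benign (for example Outlook or Teams launching helpers), either accept the noise and switch that rule to Enabled, or leave it in audit mode. An audit rule changes nothing on the machine, so it is the safe way to answer the article's "see if you are affected" without interrupting users.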
If you have not looked at the additional settings in Microsoft Defender, download the zip file from GitHub, unzip it and run ConfigureDefender.exe to see how these settings might affect your computing. You might be surprised to find you can add a bit more protection with no impact to your computing experience.
Link: https://www.computerworld.com/article/3604651/decoding-windows-defender-s-hidden-settings.html#tk.rss_all