Microsoft Defender

Microsoft Defender | Harden System Security

Microsoft Defender Cloud Protection features and abilities

Extends the Cloud Security Scan time to the maximum amount of 60 seconds, by default it is 10 seconds. You need to be aware that this means actions like downloading and opening an unknown file will make Microsoft Defender send samples of it to the Cloud for more advanced analysis and it can take a maximum of 60 seconds from the time you try to open that unknown file to the time when it will be opened (if deemed safe). CSP
- Here is an example of the notification you will see in Windows 11 if that happens.

Configures the Cloud Block/Protection Level to the maximum level of Zero Tolerance and Block At First Sight. No unknown file can run on your system without first being recognized by the Microsoft's Security Graph and other globally omniscient systems. CSP

Configures the Microsoft Defender to send all samples automatically. Increasing protection by participating in the SpyNet / MAPS network. CSP

Sets the SpyNet membership to Advanced, improving Cloud Protection. CSP

Enables file hash computation; designed to allow admins to force the anti-malware solution to "compute file hashes for every executable file that is scanned if it wasn't previously computed" to "improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). CSP

Clears Quarantined items after 1 day instead of the default behavior of keeping them indefinitely. CSP
- Quarantine involves isolating potentially harmful files in a non-executable area of your system to prevent any risk of execution. To further minimize potential threats, quarantined files are automatically removed after 1 day, rather than being retained indefinitely. This precaution helps mitigate the possibility of these files exploiting unforeseen vulnerabilities in the future, ensuring a proactive approach to system security.

Allows Microsoft Defender to download security updates even on a metered connection. CSP

Enables Microsoft Defender to scan mapped network drives during full scan. CSP

Enables Microsoft Defender to scan emails. The engine will parse the mailbox and mail files. CSP

Enables Microsoft Defender to scan Removable Drives. CSP

Enables Microsoft Defender to scan Reparse Points. CSP

Forces Microsoft Defender to scan network files. CSP

Sets the Signature Update Interval to every 3 hours instead of automatically. CSP
- Change logs for security intelligence updates
- Configure and validate Microsoft Defender Antivirus network connections
- Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware
- Microsoft Safety Scanner
- Paste the following PowerShell code to retrieve the latest available online versions of the Platform, Signatures, and Engine for Microsoft Defender
- ```
$X = irm "https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info"
@{Engine = $X.versions.engine; Signatures = $X.versions.signatures.'#text'; Platform = $X.versions.platform} | ft -AutoSize
```

Forces Microsoft Defender to check for new virus and spyware definitions before it runs a scan. CSP

Makes Microsoft Defender run catch-up scans for scheduled quick scans. A computer can miss a scheduled scan, usually because the computer is off at the scheduled time, but now after the computer misses two scheduled quick scans, Microsoft Defender runs a catch-up scan the next time someone logs onto the computer. CSP

Enables Network Protection of Microsoft Defender CSP

Enables scanning of restore points CSP

Makes sure Async Inspection for Network protection of Microsoft Defender is turned on - Network protection now has a performance optimization that allows Block mode to start asynchronously inspecting long connections after they're validated and allowed by SmartScreen, which might provide a potential reduction in the cost that inspection has on bandwidth and can also help with app compatibility problems. CSP

Enables Smart App Control (if it's in Evaluation mode): adds significant protection from new and emerging threats by blocking apps that are malicious or untrusted. Smart App Control also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
- Smart App Control is User-Mode (and enforces Kernel-Mode) App Control for Business, more info in the Wiki. You can see its status in System Information and enable it manually from Microsoft Defender app's GUI. It is very important for Windows and Windows Defender intelligence updates to be always up-to-date in order for Smart App Control to work properly as it relies on live intelligence and definition data from the cloud and other sources to make a Smart decision about programs and files it encounters.
- Smart App Control uses ISG (Intelligent Security Graph). The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources and processed every 24 hours. As a result, the decision from the cloud can change.
- Smart App Control can block a program entirely from running or only some parts of it in which case your app or program will continue working just fine most of the time. It's improved a lot since it was introduced, and it continues doing so. Consider turning it on after clean installing a new OS and fully updating it.
- Smart App Control enforces the Microsoft Recommended Driver Block rules and the Microsoft Recommended Block Rules
- Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.

Enables "Send optional diagnostic data" because it is required for Smart App Control to operate when it's in evaluation mode or turned on, and for communication with Intelligent Security Graph (ISG). This setting will be automatically applied if Smart App Control is already turned on or you choose to turn it on. CSP

Enables Controlled Folder Access. It helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Due to the recent wave of global ransomware attacks, it is important to use this feature to protect your valuables files, specially OneDrive folders. CSP
- If it blocks a program from accessing one of your folders it protects, and you absolutely trust that program, then you can add it to exclusion list using Microsoft Defender GUI or PowerShell. you can also query the list of allowed apps using PowerShell (commands below). with these commands, you can backup your personalized list of allowed apps, that are relevant to your system, and restore them in case you clean install your Windows.
- The root of the OneDrive folders of all the user accounts will be added to the protected folders list of Controlled Folder Access, to provide Ransomware protection for the entire OneDrive folder. CSP
- ```
# Add multiple programs to the exclusion list of Controlled Folder Access
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\App\app.exe','C:\Program Files\App2\app2.exe'
```
- ```
# Get the list of all allowed apps
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```

Enables Mandatory ASLR, It might cause compatibility issues only for some poorly-made 3rd party programs, specially portable ones. CSP
- Automatically detects and excludes the Git executables of GitHub Desktop and Git (Standalone version) from mandatory ASLR if they are installed on the system. More info here
- You can add Mandatory ASLR override for a trusted program using the PowerShell command below or in the Program Settings section of Exploit Protection in Microsoft Defender app.
  - Set-ProcessMitigation -Name "C:\TrustedApp.exe" -Disable ForceRelocateImages

Applies Exploit Protections/Process Mitigations from this list to the following programs: CSP
- All channels of Microsoft Edge browser
- Quick Assist app
- Some System processes
- Microsoft 365 apps
- More apps and processes will be added to the list over time once they are properly validated to be fully compatible.
- Exploit Protection configurations are also accessible in XML format within this repository. When implementing exploit protections using an XML file, the existing exploit mitigations will seamlessly integrate rather than being overwritten. Should there be pre-existing exploit protections applied to an executable on the system, and the XML file specifies different mitigations for the same executable, these protections will be merged and applied collectively.

Turns on Data Execution Prevention (DEP) for all applications, including 32-bit programs. By default, the output of BCDEdit /enum "{current}" (in PowerShell) for the NX bit is OptIn but the Harden System Security app sets it to AlwaysOn

Check for the latest virus and spyware security intelligence on startup. CSP

Specifies the maximum depth to scan archive files to the maximum possible value of 4,294,967,295 CSP

Defines the maximum size of downloaded files and attachments to be scanned and set it to the maximum possible value of 10,000,000 KB or 10 GB. the default is 20480 KB or ~20MB CSP

Enables the Enhanced Phishing Protection service. CSP

Enables notifying user of malicious and phishing scenarios in Microsoft Defender Enhanced Phishing Protection. CSP

Enables the feature in Enhanced Phishing Protection in Microsoft Defender SmartScreen that warns users if they reuse their work or school password. CSP

Enables warning users if they type their work or school passwords in unsafe apps. CSP

Enables automatic data collection (formerly known as Capture Threat Window) of Enhanced Phishing Protection in Microsoft Defender SmartScreen for security analysis from a suspicious website or app. CSP

Creates scheduled task for fast weekly Microsoft recommended driver block list update.. You won't see this prompt if the task already exists and is enabled or running.

Set Microsoft Defender engine and platform update channel to beta. CSP CSP

Defines the number of days before spyware security intelligence is considered out of date to 2. The default is 7. CSP

Defines the number of days before virus security intelligence is considered out of date to 2. The default is 7. CSP

Sets the default action for Severe and High threat levels to Remove, for Medium and Low threat levels to Quarantine. CSP

Configures real-time protection and Security Intelligence Updates to be enabled during OOBE. CSP

Enables the Intel TDT (Intel® Threat Detection Technology) integration with Microsoft Defender. CSP

Disables Performance Mode - Security risks in relation to Dev Drive CSP

Enables a network protection setting that blocks malicious network traffic instead of displaying a warning. CSP

Configures the Brute-Force Protection to use cloud aggregation to block IP addresses that are over 99% likely malicious CSP

Configures the Brute-Force Protection to detect and block attempts to forcibly sign in and initiate sessions CSP

Sets the internal feature logic to determine blocking time for the Brute-Force Protections CSP

Configures the Remote Encryption Protection to use cloud intel and context, and block when confidence level is above 90%. CSP

Configures the Remote Encryption Protection to detect and block attempts to replace local files with encrypted versions from another device CSP

Sets the internal feature logic to determine blocking time for the Remote Encryption Protection CSP

Extends the brute-force protection coverage in the Microsoft Defender Antivirus to block local network addresses. CSP

Enables ECS Configurations in the Microsoft Defender. They improve product health and security by automatically fixing any possible issues/bugs that may arise, in a timely manner.

Enables Network Protection to be configured into block or audit mode on Windows Server. CSP

Uh oh!

Microsoft Defender

Microsoft Defender | Harden System Security

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!