In Windows 10 or newer and Windows Server 2016 or newer you can use next-generation protection features offered by Microsoft Defender Antivirus(MDAV) and Microsoft Defender Exploit Guard (Microsoft Defender EG).
32
32
33
-
This topic explains how to enable and test the key protection features in Microsoft Defender AV and Microsoft Defender EG, and provides you with guidance and links to more information.
33
+
This article explains how to enable and test the key protection features in Microsoft Defender AV and Microsoft Defender EG, and provides you with guidance and links to more information.
34
34
35
35
We recommend you use [this evaluation PowerShell script](https://aka.ms/wdeppscript) to configure these features, but you can individually enable each feature with the cmdlets described in the rest of this document.
36
36
37
-
See the following product documentation libraries for more information about our EPP products:
37
+
For more information about our EPP products, see the following product documentation libraries:
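Review bot: The unchanged context at the top of this hunk still reads "Microsoft Defender Antivirus(MDAV)" with no space before the parenthesis; since this pass is a wording cleanup, fix that in the same change (e.g. "Microsoft Defender Antivirus (MDAV)"). The "topic" to "article" and "See ... for more information" to "For more information ..., see" rewrites are fine and consistent with the rest of the diff.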
@@ -49,9 +49,8 @@ This guide provides the [Microsoft Defender Antivirus cmdlets](/powershell/modul
49
49
50
50
To use these cmdlets:
51
51
52
-
> 1\. Open an elevated instance of PowerShell (choose to Run as administrator).
53
-
>
54
-
> 2\. Enter the command listed in this guide and press Enter.
52
+
1. Open an elevated instance of PowerShell (choose to Run as administrator).
53
+
1. Enter the command listed in this guide and press **Enter**.
55
54
56
55
You can check the status of all settings before you begin, or during your evaluation, by using the [Get-MpPreference PowerShell cmdlet](/powershell/module/defender/get-mppreference?view=windowsserver2022-ps&preserve-view=true).
57
56
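Review bot: The second list item in the new numbered list says "Enter the command listed in this guide" while the guide lists many cmdlets; "Enter the command you want to run from this guide" (or "commands") would be clearer. The repeated "1." markers rely on Markdown auto-numbering, which renders correctly but is worth keeping consistent with the other numbered lists in this docset. Converting the blockquoted steps to a real list is a good change.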
@@ -72,32 +71,32 @@ More details are available in [Use next-gen technologies in Microsoft Defender A
72
71
|Always Use the cloud to block new malware within seconds|Set-MpPreference -DisableBlockAtFirstSeen 0|
73
72
|Scan all downloaded files and attachments|Set-MpPreference -DisableIOAVProtection 0|
74
73
|Set cloud block level to 'High'|Set-MpPreference -CloudBlockLevel High|
75
-
|High Set cloud block timeout to 1 minute|Set-MpPreference -CloudExtendedTimeout 50|
74
+
|High Set cloud block time-out to 1 minute|Set-MpPreference -CloudExtendedTimeout 50|
76
75
77
76
## Always-on protection (real-time scanning)
78
77
79
78
Microsoft Defender AV scans files as soon as they're seen by Windows, and will monitor running processes for known or suspected malicious behaviors. If the antivirus engine discovers malicious modification, it will immediately block the process or file from running.
80
79
81
-
See [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) for more details on these options.
80
+
For more details on these options, see [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md).
82
81
83
82
| Description | PowerShell Command |
84
83
|---|---|
85
84
|Constantly monitor files and processes for known malware modifications | Set-MpPreference -DisableRealtimeMonitoring 0 |
86
85
|Constantly monitor for known malware behaviors – even in 'clean' files and running programs | Set-MpPreference -DisableBehaviorMonitoring 0 |
87
-
|Scan scripts as soon as they are seen or run | Set-MpPreference -DisableScriptScanning 0 |
88
-
|Scan removable drives as soon as they are inserted or mounted | Set-MpPreference -DisableRemovableDriveScanning 0 |
86
+
|Scan scripts as soon as they're seen or run | Set-MpPreference -DisableScriptScanning 0 |
87
+
|Scan removable drives as soon as they're inserted or mounted | Set-MpPreference -DisableRemovableDriveScanning 0 |
89
88
90
89
## Potentially Unwanted Application protection
91
90
92
-
[Potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) are files and apps that are not traditionally classified as malicious. These include third-party installers for common software, ad-injection, and certain types of toolbars in your browser.
91
+
[Potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) are files and apps that aren't traditionally classified as malicious. These include non-Microsoft installers for common software, ad-injection, and certain types of toolbars in your browser.
93
92
94
93
| Description | PowerShell Command |
95
94
|---|---|
96
95
|Prevent grayware, adware, and other potentially unwanted apps from installing|Set-MpPreference -PUAProtection Enabled|
97
96
98
97
## Email and archive scanning
99
98
100
-
You can set Microsoft Defender Antivirus to automatically scan certain types of email files and archive files (such as .zip files) when they are seen by Windows. More information about this feature can be found under the [Manage email scans in Microsoft Defender](configure-advanced-scan-types-microsoft-defender-antivirus.md) article.
99
+
You can set Microsoft Defender Antivirus to automatically scan certain types of email files and archive files (such as .zip files) when they're seen by Windows. More information about this feature can be found under the [Managed email scans in Microsoft Defender](configure-advanced-scan-types-microsoft-defender-antivirus.md) article.
101
100
102
101
103
102
| Description | PowerShell Command |
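Review bot: The "+" line that changes "Manage email scans in Microsoft Defender" to "Managed email scans in Microsoft Defender" introduces a typo in the link text; the target article is "Manage email scans", so revert that word. Separately, both the "-" and "+" versions of the cloud time-out row keep a stray leading "High" copied from the previous row ("|High Set cloud block time-out to 1 minute|..."); it should read "|Set cloud block time-out to 1 minute|Set-MpPreference -CloudExtendedTimeout 50|". The value itself is right: -CloudExtendedTimeout adds up to 50 seconds to the default 10-second cloud check, which is how 50 yields one minute, and a short note to that effect would save readers from assuming the parameter is the total time-out.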
@@ -124,9 +123,29 @@ Microsoft Defender Exploit Guard provides features that help protect devices fro
124
123
|Apply a standard set of mitigations with [Exploit protection](exploit-protection.md)|Invoke-WebRequest </br> https://demo.wd.microsoft.com/Content/ProcessMitigation.xml -OutFile ProcessMitigation.xml </br >Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml|
Some rules may block behavior you find acceptable in your organization. In these cases, change the rule from Enabled to Audit to prevent unwanted blocks.
126
+
Some rules might block behavior you find acceptable in your organization. In these cases, change the rule from Enabled to Audit to prevent unwanted blocks.
128
127
129
-
## One-click Microsoft Defender Offline Scan
128
+
#### Enable Tamper Protection
129
+
130
+
In the Microsoft XDR portal (security.microsoft.com), go to **Settings** > **Endpoints** > **Advanced features** > **Tamper Protection** > **On**.
131
+
132
+
For more information, see [How do I configure or manage tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection).
133
+
134
+
#### Check the Cloud Protection network connectivity
135
+
136
+
It's important to check that the Cloud Protection network connectivity is working during your pen testing.
137
+
138
+
CMD (Run as admin)
139
+
140
+
141
+
```
142
+
cd "C:\Program Files\Windows Defender"
143
+
MpCmdRun.exe -ValidateMapsConnection
144
+
```
145
+
146
+
For more information, see [Use the cmdline tool to validate cloud-delivered protection](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus).
147
+
148
+
## One-select Microsoft Defender Offline Scan
130
149
131
150
Microsoft Defender Offline Scan is a specialized tool that comes with Windows 10 or newer, and allows you to boot a machine into a dedicated environment outside of the normal operating system. It's especially useful for potent malware, such as rootkits.
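Review bot: The two new headings "#### Enable Tamper Protection" and "#### Check the Cloud Protection network connectivity" jump from the surrounding "##" sections straight to H4; use the same "##" level as the neighbouring sections (or "###" if they are meant as subsections of Exploit Guard) so the page outline stays well formed. The heading change from "One-click Microsoft Defender Offline Scan" to "One-select Microsoft Defender Offline Scan" looks like a mechanical style-guide substitution that produced a nonsensical phrase; keep "One-click" or reword to "Start a Microsoft Defender Offline scan". In the new cloud-connectivity block, "during your pen testing" should be "during your evaluation" to match the article's framing, "Microsoft XDR portal" should be "Microsoft Defender portal", and the fence should carry a language tag (for example ```cmd) like other code blocks in this docset. Also worth a caveat next to the cd line: on devices that have received antimalware platform updates, the current MpCmdRun.exe lives under C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\, and the copy in C:\Program Files\Windows Defender may be an older build, so readers should run the Platform-folder copy when validating MAPS connectivity.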