Defender for Endpoint - Enable EDR in Block mode

Question

Defender for Endpoint - Enable EDR in Block mode

George Zerphey 181

So there is a question around the watercooler here about if we should recommend turning on Defender EDR in block mode. In case you need a reference of what I'm talking about its under Settings -> Endpoints and looks like this:

My instinct is to say yes as its general best practice to enable EDR blocking and enforcement in any EDR system. When we look at Microsoft guidance there seems to be some vague comments around if we have Defender antivirus enabled. Those can be found here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide

The paragraph in question is this:

Will EDR in block mode affect a user's antivirus protection?
EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except that EDR in block mode also blocks and remediates malicious artifacts or behaviors that are detected.

So at the end of the day I'm looking for a more pointed recommendation from Microsoft. My concern is if Defender for Endpoint isn't in block mode what will it do with non-antivirus related alerts, such as indicators of compromise loaded into Defender, and what is the harm in enabling it even if the Anti-virus system is in active mode.

I dont want to add more overhead to the system or potentially cause a conflict in the system, but I want to make sure that all aspects are covered from an anti-virus and non-anti-virus perspective.

Thanks,

2 answers

Your answer

Answer 1

Andrew Blumhardt 10,051 Microsoft Employee

I agree, the explanations around this feature could be more clearly stared in the docs and tool descriptions.

My understanding is that the primary goal of this feature is to add some level of cloud-based/post-breach response when MDAV is in passive mode (when a 3rd party AV is primary). Similar to the Automated Investigation & Response that is only available when MDAV is active.

I tell customers that this is highly recommended in both passive and active mode. Though the clear value is while in passive mode. I am not aware of any obvious benefit or disadvantage if disabled when MDAV is active (over AIR).

George Zerphey 181 Reputation points

2023-01-04T15:37:32.097+00:00

So I agree with you in principle and appreciate your answer, but I'm looking for something a bit more concrete. If the EDR is not in block mode will it still be able to take non-AV actions? A good example here is blocking an IOC loaded in Defender.

Does it offload the blocking of that to the AV system when AV is active?
Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2023-01-04T16:36:51.907+00:00

In passive mode there is no blocking unless you use EDR+Block.

In active mode the post-breach blocking is provided by AIR. I don't think it matters if EDR+Block is enabled in this case.

See the following Q&A for more information:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode
George Zerphey 181 Reputation points

2023-01-04T16:39:32.647+00:00

I'm sorry if i'm being pedantic but its that "in a post-breach" scenario thing. I'm not referring to a breach scenario, but an active prevention scenario. Can Defender still take action on IOCs while EDR block is off if the Anti-virus is in active mode? Thats the root of my question.
Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2023-01-04T16:54:07.713+00:00

Definitely. Think of this in layers:

Layer 1 is hardening through Attack Surface Reduction.
Layer 2 is MDAV on the local system. In active mode it can block malicious files. Newtork protection, web protection, and web content filtering can also block access to malicious/unwanted IP and domains. You can also add your own indicators. (no relation to EDR+Block or AIR).
Layer 3 is cloud-based file detonation. If MDAV cannot verify a file, it uploads to the cloud for analysis if allowed. If malicious the signatures are checked against all devices.
Layer 4 is post-breach or post-AV. That is where EDR+Blog or Auto Investigation blocks activities that MDAV previously allowed.

Answer 2

Hi Andrew, I've been doing some tests with George. I hope you don't mind me showing my observations here.

I'm not saying anything new here, but some people might appreciate an example of how to test what you're talking about:

Block Mode - Disabled - In security.microsoft.com > settings > endpoints > Advanced Features (no harm in enabling this, but this is 'POST-BREACH' behaviorial blocking)
Network Protection - Enabled (using powershell command: Set-MpPreference -EnableNetworkProtection Enabled
Blocked Indicators - www.amazon.com - In security.microsoft.com > settings > endpoints > indicators - I added www.amazon.com as a blocked indicator.

The above settings will block all configured 'indicators' from an endpoint, regardless of what browser they use.

ASR Rules - Microsoft AV must be in active mode for ASR rules to block. You can use powershell or Intune or GPO to enable ASR rules.
enable-attack-surface-reduction

Another important point: Microsoft Cloud Protection should be enabled (which it should be by default):

You can verify with this command:
Get-MpPreference
(MAPSReporting should be set to 2 - quarantine)
Reference: enable-cloud-protection-microsoft-defender-antivirus

Share via

Defender for Endpoint - Enable EDR in Block mode

2 answers

Your answer