Microsoft Defender Endpoint Application Control

Peter Lane 1 Reputation point
2021-10-19T12:40:45.38+00:00

Hi all,

I would like to find out if MDE application control is capable of the following (I'm not expecting all to be answered):

  • Monitoring of process launch attempts
  • Can processes be blocked
  • Can processes be defined by fingerprint/hash
  • Process exclusion based on argument regex string
  • File read/create/delete/write attempt monitoring
  • Is DLL Load monitoring possible
  • Can processes be monitored whilst allowing further rules to be analyzed (continue processing other rules)
  • Can log events including severity
  • Can notify user of policy actions
  • Can processes be monitored based on wildcard expressions

Any help is much appreciated, thank you.


1 answer

  1. Catherine Kyalo 565 Reputation points Microsoft Employee
    2024-02-01T11:01:26.68+00:00

    Yes, Microsoft Defender Endpoint Application Control (MDE AC) can do all of the above. Here are the answers to your questions:

    1. Monitoring of process launch attempts: Yes, MDE AC can monitor process launch attempts.
    2. Can processes be blocked: Yes, processes can be blocked by MDE AC.
    3. Can processes be defined by fingerprint/hash: Yes, processes can be defined by fingerprint/hash using MDE AC.
    4. Process exclusion based on argument regex string: Yes, MDE AC can exclude processes based on argument regex string.
    5. File read/create/delete/write attempt monitoring: Yes, MDE AC can monitor file read/create/delete/write attempts.
    6. Is DLL Load monitoring possible: Yes, DLL Load monitoring is possible with MDE AC.
    7. Can processes be monitored whilst allowing further rules to be analyzed (continue processing other rules): Yes, MDE AC can monitor processes while allowing further rules to be analyzed.
    8. Can log events including severity: Yes, MDE AC can log events including severity.
    9. Can notify user of policy actions: Yes, MDE AC can notify users of policy actions.
    10. Can processes be monitored based on wildcard expressions: Yes, MDE AC can monitor processes based on wildcard expressions.

    For more information and code samples, please refer to the Microsoft Defender for Endpoint documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.

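As an added illustration of three of the items in the list above (hash-based process rules, wildcard path rules, and event logging with a severity level), the following PowerShell builds a Windows Defender Application Control policy in audit mode and reads back the events it generates. This is example code written for this page, not code from the answer or from Microsoft's documentation; the folder paths are constructed placeholders, and it assumes an elevated session on a Windows 10/11 build that ships the ConfigCI cmdlets.

```powershell
# Added example: hash rules + wildcard path rule + audit logging with WDAC.
# Paths below are constructed placeholders; replace them with your own.
$ToolsDir  = 'C:\Tools'                      # assumed: binaries to trust by hash
$PolicyXml = "$env:TEMP\AppControlAudit.xml"
$PolicyBin = "$env:TEMP\AppControlAudit.bin"

# 1. Fingerprint/hash rules: one Allow rule per PE found under $ToolsDir.
New-CIPolicy -FilePath $PolicyXml -Level Hash -ScanPath $ToolsDir `
    -UserPEs -MultiplePolicyFormat

# 2. Wildcard path rule: deny anything launched from a constructed folder.
$denyRule = New-CIPolicyRule -FilePathRule 'C:\Untrusted\*' -Deny
Merge-CIPolicy -PolicyPaths $PolicyXml -Rules $denyRule -OutputFilePath $PolicyXml

# 3. Rule options: 0 = Enabled:UMCI (apply to user-mode processes),
#    3 = Enabled:Audit Mode (log what would be blocked instead of blocking),
#    so the policy can be evaluated before it is enforced.
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3

# 4. Compile to the binary form the Code Integrity engine consumes.
#    Deploying $PolicyBin (Intune, GPO, or the local CiPolicies store) is
#    a separate step not shown here.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 5. Read the resulting events together with their level (severity):
#    3076 = would have been blocked (audit mode), 3077 = blocked (enforced).
function Get-AppControlEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

Get-AppControlEvents | Format-Table -AutoSize
```

Leave the policy in audit mode until the 3076 events show only the launches you intend to block; then remove option 3 and recompile to enforce.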