Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management (Endpoint security policies)

In Windows 10 or later, and in Windows Server 2016 or later, you can use next-generation protection features offered by Microsoft Defender Antivirus (MDAV) and Microsoft Defender Exploit Guard (Microsoft Defender EG).

This article describes configuration options in Windows 10 or later, and in Windows Server 2016 or later, that guide you to activate and test the key protection features in MDAV and Microsoft Defender EG; and provides you with guidance and with links to more information.

If you have any questions about a detection that MDAV makes, or you discover a missed detection, you can submit a file to us at our sample submission help site.

Use Microsoft Defender Endpoint Security Settings Management (Endpoint security policies) to enable the features

This section describes the Microsoft Defender for Endpoint Security Settings Management (Endpoint security policies) that configure the features you should use to evaluate our protection.

MDAV indicates a detection through standard Windows notifications. You can also review detections in the MDAV app. To do this, see Review Microsoft Defender Antivirus scan results.

The Windows event log also records detection and engine events. See the Microsoft Defender Antivirus events article for a list of event IDs and their corresponding actions. For information on the list of event IDs and their corresponding actions, see Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus.

To configure the options that you must use to test the protection features, perform the following steps:

  1. Sign in to Microsoft Defender XDR.
  2. Go to Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy.
  3. Select Windows 10, Windows 11, and Windows Server from the Select Platform drop-down list.
  4. Select Microsoft Defender Antivirus from the Select Template drop-down list.
  5. Select Create policy. The Create a new policy page appears.
  6. On the Basics page, enter a name and description for the profile in the Name and Description fields, respectively.
  7. Select Next.
  8. On the Configuration settings page, expand the groups of settings.
  9. From these groups of settings, select those settings that you want to manage with this profile.
  10. Set the policies for the chosen groups of settings by configuring the settings as described in the following tables:

Real-time Protection (Always-on protection, real-time scanning)

Description Settings
Allow Realtime Monitoring Allowed
Real Time Scan Direction Monitor all files (bi-directional)
Allow Behavior Monitoring Allowed
Allow On Access Protection Allowed
PUA Protection PUA Protection on

Cloud protection features

Description Setting
Allow Cloud Protection Allowed
Cloud Block Level High
Cloud Extended Timeout Configured, 50
Submit Samples Consent Send all samples automatically

Standard security intelligence updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds. For more information, see Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection.

Scans

Description Setting
Allow Email Scanning Allowed
Allow scanning of all downloaded files and attachments Allowed
Allow Script Scanning Allowed
Allow Archive Scanning Allowed
Allow Scanning Network Files Allowed
Allow Full Scan Removable Drive Scanning Allowed

Network Protection

Description Setting
Enable Network Protection Enabled (block mode)
Allow Network Protection Down Level Network protection will be enabled downlevel.
Allow Datagram Processing On Win Server Datagram processing on Windows Server is enabled.
Disable DNS over TCP parsing DNS over TCP parsing is enabled.
Disable HTTP parsing HTTP parsing is enabled.
Disable SSH parsing SSH parsing is enabled.
Disable TLS parsing TLS parsing is enabled.
Enable DNS Sinkhole DNS Sinkhole is enabled.

Security Intelligence updates

Description Setting
Signature Update Interval Configured, 4

Description: Signature Update Fallback Order Setting: Select the checkbox for Signature Update Fallback

InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC, where 'InternalDefinitionUpdateServer' is WSUS with Microsoft Defender Antivirus updates allowed; 'MicrosoftUpdateServer' = Microsoft Update (formerly Windows Update); and MMPC = https://www.microsoft.com/en-us/wdsi/definitions.

Local administrator AV

Disable local administrator AV settings such as exclusions, and set the policies from the Microsoft Defender for Endpoint Security Settings Management as described in the following table:

Description Setting
Disable Local Admin Merge Disable Local Admin Merge

Threat severity default action

Description Setting
Remediation action for High severity threats Quarantine
Remediation action for Severe threats Quarantine
Remediation action for Low severity threats Quarantine
Remediation action for Moderate severity threats Quarantine
Description Setting
Days to Retain Cleaned Configured, 60
Allow User UI Access Allowed. Let users access UI.
  1. When you're done configuring settings, select Next.
  2. On the Assignments tab, select Device Group or User Group or All devices or All Users.
  3. Select Next.
  4. On the Review + create tab, review your policy settings, and then select Save.

Attack Surface Reduction rules

To enable Attack Surface Reduction (ASR) rules using the endpoint security policies, perform the following steps:

  1. Sign in to Microsoft Defender XDR.

  2. Go to Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy.

  3. Select Windows 10, Windows 11, and Windows Server from the Select Platform drop-down list.

  4. Select Attack Surface Reduction Rules from the Select Template drop-down list.

  5. Select Create policy.

  6. On the Basics page, enter a name and description for the profile; then, choose Next.

  7. On the Configuration settings page, expand the groups of settings and configure those settings you want to manage with this profile.

  8. Set the policies based on the following recommended settings:

    Description Setting
    Block executable content from email client and webmail Block
    Block Adobe Reader from creating child processes Block
    Block execution of potentially obfuscated scripts Block
    Block abuse of exploited vulnerable signed drivers (Device) Block
    Block Win32 API calls from Office macros Block
    Block executable files from running unless they meet a prevalence, age, or trusted list criterion Block
    Block Office communication application from creating child processes Block
    Block all Office applications from creating child processes Block
    [PREVIEW] Block use of copied or impersonated system tools Block
    Block JavaScript or VBScript from launching downloaded executable content Block
    Block credential stealing from the Windows local security authority subsystem Block
    Block Webshell creation for Servers Block
    Block Office applications from creating executable content Block
    Block untrusted and unsigned processes that run from USB Block
    Block Office applications from injecting code into other processes Block
    Block persistence through WMI event subscription Block
    Use advanced protection against ransomware Block
    Block process creations originating from PSExec and WMI commands Block
    NOTE: If you have Configuration Manager (formerly SCCM), or other management tools, that use WMI, you might need to set this to Audit instead of Block.
    [PREVIEW] Block rebooting machine in Safe Mode Block
    Enable Controlled Folder Access Enabled

Tip

Any of the rules may block behavior you find acceptable in your organization. In these cases, add the per-rule exclusions named “Attack Surface Reduction Only Exclusions”. And, change the rule from Enabled to Audit to prevent unwanted blocks.

  1. Select Next.
  2. On the Assignments tab, select Device Group or User Group or All devices or All Users.
  3. Select Next.
  4. On the Review + create tab, review your policy settings, and then select Save.

Check the platform update version

The latest "Platform Update" version Production channel (GA) is available in Microsoft Update Catalog.

To check which "Platform Update" version you have installed, run the following command in PowerShell using the privileges of an administrator:

get-mpComputerStatus | ft AMProductVersion

Check the Security Intelligence Update version

The latest “Security Intelligence Update” version is available in Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence.

To check which “Security Intelligence Update” version you have installed, run the following command in PowerShell using the privileges of an administrator:

get-mpComputerStatus | ft AntivirusSignatureVersion

Check the Engine Update version

The latest scan “engine update” version is available in Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence.

To check which “Engine Update” version you have installed, run the following command in PowerShell using the privileges of an administrator:

get-mpComputerStatus | ft AMEngineVersion

If you're finding that your settings aren't taking effect, you might have a conflict. For information on how to resolve conflicts, see Troubleshoot Microsoft Defender Antivirus settings.

For False Negatives (FNs) submissions

To information on how to make False Negatives (FNs) submissions, see: