This article explains how to enable and test the key protection features in Microsoft Defender Antivirus and Microsoft Defender Exploit Guard in current versions of Microsoft Windows and Windows Server. The features covered include real-time protection, cloud-delivered protection, scan settings, network protection, attack surface reduction rules, and controlled folder access. Use the Group Policy settings in this guide to configure these features for evaluation in domain-joined or workgroup environments.
Prerequisites
Supported operating systems
The following operating systems are supported for this evaluation:
- Windows 10 or later
- Windows Server 2016 or later
Use Group Policy to enable Microsoft Defender Antivirus features
Use a Group Policy Central Store to configure Microsoft Defender Antivirus for evaluation.
Download the latest Administrative Template files for your operating system version; see Links to download the Administrative Templates files.
Tip
Check the System Requirements section on the individual download pages:
- Most downloads support Windows clients and Windows servers.
- Get the latest available and applicable download.
Do one of the following procedures to create a Central Store to host the latest .admx and .adml templates:
Domains:
- Create a new OU to block policy inheritance.
- Open the Group Policy Management Console (gpmc.msc).
- Go to Group Policy Objects and create a new group policy.
- Right-click on the new group policy and then select Edit.
- Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
Workgroups:
- Open the Group Policy Editor (gpedit.msc).
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
For more information about creating and managing a Group Policy Central Store, see Create and manage Central Store - Windows Client.
Evaluate potentially unwanted application protection in Microsoft Defender Antivirus
Root:
| Description | Setting |
|---|---|
| Turn off Microsoft Defender Antivirus | Disabled |
| Configure detection for potentially unwanted applications | Enabled - Block |
Real-time protection (always-on protection, real-time scanning)
Real-time protection:
| Description | Setting |
|---|---|
| Turn off real-time protection | Disabled |
| Configure monitoring for incoming and outgoing file and program activity | Enabled, bi-directional (full on-access) |
| Turn on Behavior Monitoring | Enabled |
| Monitor file and program activity on your computer | Enabled |
Cloud protection features
Standard security intelligence updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds.
For more information, see Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection.
MAPS:
| Description | Setting |
|---|---|
| Join Microsoft MAPS | Enabled, Advanced MAPS |
| Configure the 'Block at First Sight' feature | Enabled |
| Send file samples when further analysis is required | Enabled, Send all samples |
MpEngine:
| Description | Setting |
|---|---|
| Select cloud protection level | Enabled, High blocking level |
| Configure extended cloud check | Enabled, 50 |
Configure and evaluate scan settings
Configure the following scan settings in Group Policy to enable comprehensive file and script scanning:
| Description | Setting |
|---|---|
| Turn on Heuristics | Enabled |
| Turn on e-mail scanning | Enabled |
| Scan all downloaded files and attachments | Enabled |
| Turn on script scanning | Enabled |
| Scan archive files | Enabled |
| Scan packed executables | Enabled |
| Configure scanning of network files (Scan Network Files) | Enabled |
| Scan removable drives | Enabled |
| Turn on reparse point scanning | Enabled |
Security Intelligence updates
Configure the following settings to manage how security intelligence updates are downloaded and applied:
| Description | Setting |
|---|---|
| Specify the interval to check for security intelligence updates | Enabled, 4 |
| Define the order of sources for downloading security intelligence updates | Enabled, under 'Define the order of sources for downloading security intelligence updates' |
Disable local administrator AV settings
Disable local administrator AV settings such as exclusions, and enforce the policies from the Microsoft Defender for Endpoint Security Settings Management.
Root:
| Description | Setting |
|---|---|
| Configure local administrator merge behavior for lists | Disabled |
| Control whether or not exclusions are visible to local admins | Enabled |
Configure threat severity default actions
Use the following settings to configure the action that Microsoft Defender Antivirus takes when it detects threats at each severity level. These settings override the default remediation action for detected threats and ensure that all threat levels are quarantined.
Threats:
| Description | Setting | Alert level | Action |
|---|---|---|---|
| Specify threat alert levels at which default action shouldn't be taken when detected | Enabled | 5 (Severe) | 2 (Quarantine) |
| | | 4 (High) | 2 (Quarantine) |
| | | 2 (Medium) | 2 (Quarantine) |
| | | 1 (Low) | 2 (Quarantine) |
Quarantine:
| Description | Setting |
|---|---|
| Configure removal of items from Quarantine folder | Enabled, 60 |
Client Interface:
| Description | Setting |
|---|---|
| Enable headless UI mode | Disabled |
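On a workgroup test machine the Group Policy values above (real-time protection, cloud protection, scan settings, security intelligence updates, local administrator merge, threat severity default actions, quarantine and client interface) can also be applied locally with Set-MpPreference. The script below is an added example, not code from this article or from Microsoft: the parameter names are those of the Defender PowerShell module, but the mapping of each policy to a parameter is my assumption, HideExclusionsFromLocalAdmins is assumed to exist only on newer platform versions, and three policies (heuristics, packed executables, reparse point scanning) are left to Group Policy because I know of no Set-MpPreference equivalent. Where a Group Policy setting is also configured, the policy wins.

```powershell
#Requires -RunAsAdministrator
# Added example: local Set-MpPreference equivalents of the Group Policy
# evaluation settings. Policy-to-parameter mapping is an assumption; read the
# preferences back afterwards. Group Policy overrides these where both exist.

$evalSettings = @{
    # Root: Configure detection for potentially unwanted applications = Enabled, Block
    PUAProtection                  = 'Enabled'
    # Real-time protection
    DisableRealtimeMonitoring      = $false   # Turn off real-time protection = Disabled
    RealTimeScanDirection          = 0        # 0 = incoming and outgoing (bi-directional)
    DisableBehaviorMonitoring      = $false   # Turn on Behavior Monitoring = Enabled
    DisableOnAccessProtection      = $false   # Monitor file and program activity = Enabled
    # Cloud protection (MAPS / MpEngine)
    MAPSReporting                  = 'Advanced'         # Join Microsoft MAPS = Advanced MAPS
    DisableBlockAtFirstSeen        = $false             # Block at First Sight = Enabled
    SubmitSamplesConsent           = 'SendAllSamples'   # Send file samples = Send all samples
    CloudBlockLevel                = 'High'             # Cloud protection level = High
    CloudExtendedTimeout           = 50                 # Extended cloud check = 50 seconds
    # Scan settings
    DisableEmailScanning           = $false
    DisableIOAVProtection          = $false   # Scan all downloaded files and attachments
    DisableScriptScanning          = $false
    DisableArchiveScanning         = $false
    DisableScanningNetworkFiles    = $false
    DisableRemovableDriveScanning  = $false
    # Security intelligence updates
    SignatureUpdateInterval        = 4                  # hours
    SignatureFallbackOrder         = 'MicrosoftUpdateServer|MMPC'  # assumed order for a lab
    # Local administrator settings
    DisableLocalAdminMerge         = $true    # local administrator merge behavior = Disabled
    # Threat severity default actions: quarantine at every level
    SevereThreatDefaultAction      = 'Quarantine'
    HighThreatDefaultAction        = 'Quarantine'
    ModerateThreatDefaultAction    = 'Quarantine'
    LowThreatDefaultAction         = 'Quarantine'
    # Quarantine and client interface
    QuarantinePurgeItemsAfterDelay = 60       # days
    UILockdown                     = $false   # Enable headless UI mode = Disabled
}

Set-MpPreference @evalSettings -ErrorAction Stop

# Assumption: HideExclusionsFromLocalAdmins is only present on newer platform
# versions, so it is applied separately and skipped when the parameter is missing.
if ((Get-Command Set-MpPreference).Parameters.ContainsKey('HideExclusionsFromLocalAdmins')) {
    Set-MpPreference -HideExclusionsFromLocalAdmins $true
}

# Read back what the engine accepted. Enum-typed settings display as integers
# (for example MAPSReporting 2 = Advanced, CloudBlockLevel 2 = High).
Get-MpPreference | Select-Object -Property ($evalSettings.Keys | Sort-Object) | Format-List
```

Run it once, then compare the Format-List output against the tables above; a value that did not change usually means a Group Policy setting already governs it, which is the conflict case described later under Troubleshoot Microsoft Defender Antivirus settings.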
Configure network protection
Microsoft Defender Exploit Guard\Network Protection:
| Description | Setting |
|---|---|
| Prevent users and apps from accessing dangerous websites | Enabled, Block |
| Allow Network Protection on Windows Server | Enabled |
To enable Network Protection for Windows Servers, for now, please use PowerShell:
| OS | PowerShell command |
|---|---|
| Windows Server 2012 R2 and later | Set-MpPreference -AllowNetworkProtectionOnWinServer $true |
| Windows Server 2016 and Windows Server 2012 R2 unified MDE client | Set-MpPreference -AllowNetworkProtectionOnWinServer $true -AllowNetworkProtectionDownLevel $true |
Configure attack surface reduction rules
In the Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.
Double-click Configure Attack Surface Reduction rules, select Enabled, and then select Show to configure each rule with the values in the following table.
* If you use Microsoft Configuration Manager (formerly known as Microsoft Endpoint Configuration Manager and Microsoft System Center Configuration Manager) or other management tools that use WMI, use the value 2 (Audit). The Configuration Manager client relies heavily on WMI.
Tip
Some rules might block behavior you find acceptable in your organization. In these cases, change the rule from 1 (Block) to 2 (Audit) to prevent unwanted blocks.

Configure Controlled Folder Access
Controlled Folder Access helps protect valuable data from malicious apps and threats such as ransomware. To enable Controlled Folder Access, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction.
| Description | Setting |
|---|---|
| Configure Controlled Folder Access | Enabled, Block |
Assign the policies to the OU where the test machines are located.
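For a test machine outside the domain, the three Exploit Guard features in the sections above (network protection, attack surface reduction rules, controlled folder access) can be set with the same cmdlet the article uses for Windows Server. This is an added example, not code from the article or from Microsoft. The rule GUIDs are taken from Microsoft's public attack surface reduction rules reference rather than from this page (which omits its rule table), so check them against that reference before use; the PSExec/WMI rule is placed in Audit because of the Configuration Manager note above.

```powershell
#Requires -RunAsAdministrator
# Added example: network protection, ASR rules and controlled folder access via
# Set-MpPreference on a test machine. GUIDs are from Microsoft's public ASR rule
# reference, not from this article; verify them there before applying.

# Network protection: Enabled = Block (AuditMode would only log)
Set-MpPreference -EnableNetworkProtection Enabled

# Windows Server also needs the two switches the article lists.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
if ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 1) {
    Set-MpPreference -AllowNetworkProtectionOnWinServer $true
    Set-MpPreference -AllowNetworkProtectionDownLevel $true
}

# ASR rules, ordered so the Ids and Actions arrays stay aligned.
# Enabled = 1 (Block), AuditMode = 2 (Audit). The PSExec/WMI rule is audited
# because the Configuration Manager client relies heavily on WMI.
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Enabled'   # Block all Office applications from creating child processes
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Enabled'   # Block credential stealing from the Windows LSASS
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'AuditMode' # Block process creations originating from PSExec and WMI commands
}
# Set-MpPreference replaces the whole rule list; use Add-MpPreference to append instead.
Set-MpPreference -AttackSurfaceReductionRules_Ids ([string[]]$asrRules.Keys) `
                 -AttackSurfaceReductionRules_Actions ([string[]]$asrRules.Values)

# Controlled folder access: Enabled = Block
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify. Get-MpPreference reports the actions as integers: 0 Disabled, 1 Block, 2 Audit.
$p = Get-MpPreference
[PSCustomObject]@{
    NetworkProtection      = $p.EnableNetworkProtection       # 1 = Block
    ControlledFolderAccess = $p.EnableControlledFolderAccess  # 1 = Block
    AsrRules               = @(for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
                                 '{0} = {1}' -f $p.AttackSurfaceReductionRules_Ids[$i],
                                                $p.AttackSurfaceReductionRules_Actions[$i]
                             })
} | Format-List
```

If a rule turns out to block something the organization needs, change its value in `$asrRules` from `Enabled` to `AuditMode` and rerun; the audit events still show what would have been blocked.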
Enable Tamper Protection
In the Microsoft Defender portal at https://security.microsoft.com, go to Settings > Endpoints > Advanced features > Tamper Protection > On.
For more information, see How do I configure or manage tamper protection?.
Check the Cloud Protection network connectivity
Verify that Microsoft Defender Antivirus cloud protection network connectivity is working before you test detections or protections.
To test connectivity to Microsoft Defender cloud protection services, change to the latest platform folder and run the MAPS validation command. In an elevated Command Prompt (a Command Prompt window you opened by selecting Run as administrator), run the following commands:
Tip
The first command changes the directory to the latest version of <antimalware platform version> in %ProgramData%\Microsoft\Windows Defender\Platform\<antimalware platform version>. If that path doesn't exist, it goes to %ProgramFiles%\Windows Defender.
(set "_done=" & if exist "%ProgramData%\Microsoft\Windows Defender\Platform\" (for /f "delims=" %d in ('dir "%ProgramData%\Microsoft\Windows Defender\Platform" /ad /b /o:-n 2^>nul') do if not defined _done (cd /d "%ProgramData%\Microsoft\Windows Defender\Platform\%d" & set _done=1)) else (cd /d "%ProgramFiles%\Windows Defender")) >nul 2>&1
MpCmdRun.exe -ValidateMapsConnection
For more information, see Configure and manage Microsoft Defender Antivirus with the MpCmdRun command-line tool.
Check the Platform Update version
The latest 'Platform Update' version Production channel (GA) is available here:
To verify the Microsoft Defender Antivirus platform version installed on the device, run the following command in an elevated PowerShell session (a PowerShell window you opened by selecting Run as administrator):
Get-MpComputerStatus | Format-Table AMProductVersion
Check the Security Intelligence Update version
The latest 'Security Intelligence Update' version is available here:
To confirm that the latest security intelligence update is installed, check the antivirus signature version by running the following command in an elevated PowerShell session:
Get-MpComputerStatus | Format-Table AntivirusSignatureVersion
Check the Engine Update version
The latest scan 'engine update' version is available here:
To determine which Microsoft Defender Antivirus engine version is running on the device, run the following command in an elevated PowerShell session:
Get-MpComputerStatus | Format-Table AMEngineVersion
If your settings don't take effect, you might have a conflict. To resolve conflicts, see Troubleshoot Microsoft Defender Antivirus settings.
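The three version checks and the MAPS connectivity test above can be folded into one readiness check that runs before any detection test. The function below is an added example, not from this article or from Microsoft: the property names are those returned by Get-MpComputerStatus, MpCmdRun.exe is located the way the article's cmd one-liner does it (newest platform folder by name, then %ProgramFiles%\Windows Defender), and matching the word "successfully" in MpCmdRun's output is my assumption about its success message, so the raw output is returned too.

```powershell
# Added example: combined platform/engine/signature version and MAPS connectivity
# check. Get-MpComputerStatus property names are real; the 'successfully' match on
# MpCmdRun output is an assumption, which is why MapsOutput is returned as well.
function Test-DefenderEvaluationReadiness {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus

    # Locate MpCmdRun.exe as the article's cmd one-liner does: newest platform
    # folder by name, falling back to %ProgramFiles%\Windows Defender.
    $platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
    $mpCmdRun = $null
    if (Test-Path $platformRoot) {
        $latest = Get-ChildItem -Path $platformRoot -Directory |
                  Sort-Object -Property Name -Descending | Select-Object -First 1
        if ($latest) { $mpCmdRun = Join-Path $latest.FullName 'MpCmdRun.exe' }
    }
    if (-not $mpCmdRun -or -not (Test-Path $mpCmdRun)) {
        $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    }

    $mapsOutput = & $mpCmdRun -ValidateMapsConnection 2>&1 | Out-String
    $mapsOk     = ($LASTEXITCODE -eq 0) -and ($mapsOutput -match 'successfully')

    [PSCustomObject]@{
        PlatformVersion      = $status.AMProductVersion           # Platform Update
        EngineVersion        = $status.AMEngineVersion            # Engine Update
        SignatureVersion     = $status.AntivirusSignatureVersion  # Security Intelligence Update
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        BehaviorMonitoring   = $status.BehaviorMonitorEnabled
        OnAccessProtection   = $status.OnAccessProtectionEnabled
        IoavProtection       = $status.IoavProtectionEnabled
        TamperProtected      = $status.IsTamperProtected
        MpCmdRunPath         = $mpCmdRun
        MapsConnectivity     = $mapsOk
        MapsOutput           = $mapsOutput.Trim()
    }
}

# Usage (elevated PowerShell): show everything, then warn on anything that
# would invalidate a detection test.
$r = Test-DefenderEvaluationReadiness
$r | Format-List
$notReady = 'RealTimeProtection', 'BehaviorMonitoring', 'OnAccessProtection',
            'IoavProtection', 'MapsConnectivity' | Where-Object { -not $r.$_ }
if ($notReady) { Write-Warning ('Not ready for evaluation: {0}' -f ($notReady -join ', ')) }
```

Compare PlatformVersion, EngineVersion and SignatureVersion against the current values published on the pages linked in the three sections above; a stale signature version with MapsConnectivity true usually points at the update source order or interval configured earlier rather than at connectivity.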
Submit files for false negative analysis
If you have any questions about a detection that Microsoft Defender AV makes, or you discover a missed detection, you can submit a file to us.
If you have Microsoft Defender, Microsoft Defender for Endpoint P2/P1, or Microsoft Defender for Business, see Submit files in Microsoft Defender for Endpoint.
If you have Microsoft Defender Antivirus, see Submit files for analysis.
Microsoft Defender AV indicates a detection through standard Windows notifications. You can also review detections in the Microsoft Defender AV app.
The Windows event log also records detection and engine events. See the Microsoft Defender Antivirus events article for a list of event IDs and their corresponding actions.
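Reviewing detections in the event log during an evaluation is easier with a small query over the Defender Operational log. The function below is an added example, not from this article or from Microsoft; the event IDs and their meanings are taken from Microsoft's Defender Antivirus events reference rather than from this page, so confirm them there before depending on the mapping.

```powershell
# Added example: recent detection, ASR and configuration events from the
# Microsoft Defender Antivirus Operational log. Event IDs come from Microsoft's
# events reference, not from this article; verify them there.
function Get-DefenderRecentEvents {
    param(
        [int]$Hours     = 24,
        [int]$MaxEvents = 200
    )

    $eventNames = @{
        1116 = 'Malware detected'
        1117 = 'Action taken on detected malware'
        1121 = 'Attack surface reduction rule blocked'
        1122 = 'Attack surface reduction rule audited'
        5001 = 'Real-time protection disabled'
        5007 = 'Configuration changed'
    }

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$eventNames.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $eventNames[$_.Id]
                # The first line of the message is the human-readable summary;
                # the remaining lines carry the threat name, path, user and action.
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Usage: detections and remediation actions first, then a count per event type.
$events = Get-DefenderRecentEvents -Hours 24
$events | Where-Object { $_.Id -in 1116, 1117 } | Format-Table Time, Id, Summary -AutoSize
$events | Group-Object -Property Meaning | Select-Object Count, Name
```

A 1116 without a matching 1117 means a detection that was not remediated, and any 5001 or 5007 during the test window shows that protection state or configuration changed underneath the evaluation, which is the conflict case the troubleshooting link above covers.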
If your settings aren't applied properly, find out if there are conflicting policies that are enabled in your environment. For more information, see Troubleshoot Microsoft Defender Antivirus settings.
If you need to open a Microsoft support case: Contact Microsoft Defender for Endpoint support.