
Microsoft Defender | Harden System Security

Microsoft Defender Cloud Protection features and abilities

  • Blue Check mark denoting Group Policy Extends the cloud security scan timeout to the maximum of 60 seconds (the default is 10 seconds; the policy value is the 50 extra seconds added on top of that default). Be aware that this means an action such as downloading and opening an unknown file causes Microsoft Defender to send a sample to the cloud for deeper analysis, and it can take up to 60 seconds from the moment you try to open that unknown file until it actually opens (if it is deemed safe). Rotating green checkmark denoting CSP CSP

  • Here is an example of the notification you will see in Windows 11 if that happens.

    Windows Security Cloud Scan Notification


  • Blue Check mark denoting Group Policy Configures the cloud block/protection level to the highest setting, Zero Tolerance, together with Block at First Sight. No unknown file can run on the system until Microsoft's Intelligent Security Graph and the rest of the cloud protection back end have classified it. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Configures Microsoft Defender to send all samples automatically, increasing protection by participating in the SpyNet / MAPS network. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Sets the SpyNet (MAPS) membership to Advanced, improving cloud protection. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Enables file hash computation. This setting is designed to let admins force the anti-malware engine to "compute file hashes for every executable file that is scanned if it wasn't previously computed" in order to "improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)", the product now called Microsoft Defender for Endpoint. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Clears quarantined items after 1 day instead of the default behavior of keeping them indefinitely. Rotating green checkmark denoting CSP CSP

  • Quarantine isolates potentially harmful files in a non-executable area of the system so they cannot run. With this setting, quarantined files are removed automatically after 1 day rather than being retained indefinitely, which removes the chance of a quarantined file being restored or abused later. The trade-off is that a false positive you want to restore has to be recovered within that day, so check the Protection history promptly if a legitimate program goes missing.


  • Blue Check mark denoting Group Policy Allows Microsoft Defender to download security updates even on a metered connection. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Enables Microsoft Defender to scan mapped network drives during full scan. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Enables Microsoft Defender to scan emails. The engine will parse the mailbox and mail files. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Enables Microsoft Defender to scan Removable Drives. Rotating green checkmark denoting CSP CSP





  • Blue Check mark denoting Group Policy Forces Microsoft Defender to check for new virus and spyware definitions before it runs a scan. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Makes Microsoft Defender run catch-up scans for scheduled quick scans. A computer can miss a scheduled scan, usually because it is off at the scheduled time; with this setting, after the computer misses two scheduled quick scans, Microsoft Defender runs a catch-up scan the next time someone logs on. Rotating green checkmark denoting CSP CSP
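A quick way to confirm that the cloud protection and scan settings listed above actually took effect on a machine is to read them back with Get-MpPreference and compare them with the intended values. The script below is an added example for this page, not code from the Harden System Security app; the expected values are assumptions taken from the Set-MpPreference documentation (for example CloudBlockLevel 6 = ZeroTolerance, CloudExtendedTimeout 50 = the 50 seconds added to the 10-second default, SubmitSamplesConsent 3 = send all samples), so adjust them to your own baseline.

```powershell
# Added example (not part of the Harden System Security project): read the
# current Microsoft Defender preferences and report which of the cloud and
# scan settings described above are not at the hardened value.
# The expected values are this example's assumptions from the Set-MpPreference
# documentation; verify them against your own baseline before relying on them.

function Get-DefenderCloudSettingDrift {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference

    # Property name => expected value. Numeric enums follow Set-MpPreference:
    # CloudBlockLevel 6 = ZeroTolerance, MAPSReporting 2 = Advanced,
    # SubmitSamplesConsent 3 = SendAllSamples, CloudExtendedTimeout is the
    # number of seconds added to the 10-second default (50 => 60 s total).
    $expected = [ordered]@{
        CloudBlockLevel                               = 6
        CloudExtendedTimeout                          = 50
        DisableBlockAtFirstSeen                       = $false
        MAPSReporting                                 = 2
        SubmitSamplesConsent                          = 3
        EnableFileHashComputation                     = $true
        QuarantinePurgeItemsAfterDelay                = 1
        MeteredConnectionUpdates                      = $true
        DisableScanningMappedNetworkDrivesForFullScan = $false
        DisableEmailScanning                          = $false
        DisableRemovableDriveScanning                 = $false
        CheckForSignaturesBeforeRunningScan           = $true
        DisableCatchupQuickScan                       = $false
    }

    foreach ($name in $expected.Keys) {
        $actual = $pref.$name
        # Compare as strings so booleans and numeric enum values line up;
        # a missing property (older platform) shows up as non-compliant.
        $compliant = ("$actual" -eq "$($expected[$name])")
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $actual
            Compliant = $compliant
        }
    }
}

# Show only the settings that drifted from the hardened baseline
Get-DefenderCloudSettingDrift | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session after applying the hardening; an empty table means every listed setting matches. If a value is managed by Group Policy or CSP, that policy value is what Defender enforces, so use this as a read-only check rather than changing the settings with Set-MpPreference.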




  • Rotating pink checkmark denoting registry or cmdlet Makes sure async inspection for Microsoft Defender Network Protection is turned on. Network Protection has a performance optimization that lets Block mode start inspecting long-lived connections asynchronously after they have been validated and allowed by SmartScreen, which can reduce the bandwidth cost of inspection and can also help with app compatibility problems. Rotating green checkmark denoting CSP CSP


  • Rotating pink checkmark denoting registry or cmdlet Rotating green checkmark denoting Subcategory Enables Smart App Control (if it's in Evaluation mode): adds significant protection from new and emerging threats by blocking apps that are malicious or untrusted. Smart App Control also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.

    • Smart App Control is built on App Control for Business: it governs user-mode applications and also enforces kernel-mode driver blocking; more info in the Wiki. You can see its status in System Information and enable it manually from the Microsoft Defender app's GUI. It is very important for Windows and Microsoft Defender intelligence updates to always be up to date in order for Smart App Control to work properly, because it relies on live intelligence and definition data from the cloud and other sources to make a decision about the programs and files it encounters.

    • Smart App Control uses ISG (Intelligent Security Graph). The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources and processed every 24 hours. As a result, the decision from the cloud can change.

    • Smart App Control can block a program from running entirely, or block only some of its components, in which case the program usually keeps working. It has improved a lot since it was introduced, and it continues to do so. Consider turning it on after clean installing a new OS and fully updating it.

    • Smart App Control enforces the Microsoft Recommended Driver Block rules and the Microsoft Recommended Block Rules

    • Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
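Because Smart App Control cannot be switched back on once it is turned off, and because it depends on fresh security intelligence, it is worth checking both before relying on it. The snippet below is an added example for this page, not the project's own code. It assumes the Smart App Control state is stored in the CI policy registry value VerifiedAndReputablePolicyState (0 = Off, 1 = On, 2 = Evaluation); confirm that against System Information on your build.

```powershell
# Added example (not from the project): report Smart App Control state and
# whether Defender's security intelligence is fresh enough for it to rely on.
# Assumption: SAC state is read from the CI policy registry value
# VerifiedAndReputablePolicyState (0 = Off, 1 = On, 2 = Evaluation).

function Get-SmartAppControlStatus {
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $value = Get-ItemProperty -Path $path -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue

    $state = switch ($value.VerifiedAndReputablePolicyState) {
        0       { 'Off (cannot be re-enabled without resetting or reinstalling Windows)' }
        1       { 'On' }
        2       { 'Evaluation (can still be turned on from the Defender app)' }
        default { 'Unknown (value not present on this build)' }
    }

    $status = Get-MpComputerStatus
    [pscustomobject]@{
        SmartAppControl         = $state
        AntivirusSignatureAge   = $status.AntivirusSignatureAge      # days
        AntispywareSignatureAge = $status.AntispywareSignatureAge    # days
        SignaturesLastUpdated   = $status.AntivirusSignatureLastUpdated
        # Same 2-day staleness threshold this page configures for definitions
        IntelligenceFresh       = ($status.AntivirusSignatureAge -le 2)
    }
}

Get-SmartAppControlStatus
```

If IntelligenceFresh is false, update definitions (Update-MpSignature) before judging any Smart App Control verdicts, since stale intelligence is the usual reason for unexpected blocks.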



  • Blue Check mark denoting Group Policy Enables Controlled Folder Access. It helps protect your valuable data from malicious apps and threats such as ransomware. Controlled Folder Access protects your data by checking apps against a list of known, trusted apps. Given the wave of global ransomware attacks, it is important to use this feature to protect your valuable files, especially OneDrive folders. Rotating green checkmark denoting CSP CSP

    • If it blocks a program from accessing one of the folders it protects, and you absolutely trust that program, you can add it to the exclusion list using the Microsoft Defender GUI or PowerShell. You can also query the list of allowed apps using PowerShell (commands below). With these commands you can back up your personalized list of allowed apps, which is specific to your system, and restore it after a clean install of Windows.

    • Rotating pink checkmark denoting registry or cmdlet The root of the OneDrive folders of all the user accounts will be added to the protected folders list of Controlled Folder Access, to provide Ransomware protection for the entire OneDrive folder. Rotating green checkmark denoting CSP CSP

```powershell
# Add multiple programs to the exclusion list of Controlled Folder Access
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\App\app.exe','C:\Program Files\App2\app2.exe'
```

```powershell
# Get the list of all allowed apps
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```
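The commands above cover adding and listing allowed apps; the script below, an added example for this page rather than code from the project, carries the same idea through to a backup file, a restore that skips executables no longer present, protection of every user's OneDrive root as described in the bullet above, and a query of what Controlled Folder Access recently blocked so you know what you are allowing. The backup path is an assumption; event IDs 1123 (blocked) and 1124 (audit) are the documented Defender operational log events for Controlled Folder Access.

```powershell
# Added example (not part of the project): back up and restore the Controlled
# Folder Access allow-list, protect every user's OneDrive root, and list what
# CFA recently blocked. $BackupFile is an assumed location; change as needed.

$BackupFile = "$env:USERPROFILE\CFA-AllowedApps.json"

function Backup-CfaAllowedApps {
    $apps = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)
    $apps | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
    "Saved $($apps.Count) allowed app(s) to $BackupFile"
}

function Restore-CfaAllowedApps {
    $apps = @(Get-Content -Path $BackupFile -Raw | ConvertFrom-Json)
    # Only re-add entries whose executable still exists on this machine
    $present = @($apps | Where-Object { Test-Path -LiteralPath $_ })
    if ($present.Count -gt 0) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $present
    }
    "Restored $($present.Count) of $($apps.Count) allowed app(s)"
}

function Protect-AllUsersOneDrive {
    # Enumerate real (non-system) profiles and find their OneDrive roots,
    # including business tenants named like "OneDrive - Contoso"
    $profiles = Get-CimInstance Win32_UserProfile |
        Where-Object { -not $_.Special -and $_.LocalPath }
    $roots = foreach ($p in $profiles) {
        Get-ChildItem -LiteralPath $p.LocalPath -Directory -Filter 'OneDrive*' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
    $already = @((Get-MpPreference).ControlledFolderAccessProtectedFolders)
    $new = @($roots | Where-Object { $_ -notin $already })
    if ($new.Count -gt 0) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $new
    }
    $new   # the folders that were newly added
}

function Get-CfaRecentBlocks {
    param([int]$Hours = 24)
    # Event 1123 = blocked by CFA, 1124 = would have been blocked (audit mode)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Typical use (elevated PowerShell):
Backup-CfaAllowedApps
Protect-AllUsersOneDrive
Get-CfaRecentBlocks -Hours 48 | Format-List
```

Review the 1123 events before allowing anything: the message names the blocked process and the folder it touched, which is enough to decide whether an allow-list entry is justified or whether the block was the feature doing its job.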


  • Rotating pink checkmark denoting registry or cmdlet Enables Mandatory ASLR. Mandatory ASLR (ForceRelocateImages) rebases images that were not linked with /DYNAMICBASE, so it can cause compatibility issues only for some poorly made third-party programs that assume a fixed load address, especially portable ones. Rotating green checkmark denoting CSP CSP

    • Automatically detects and excludes the Git executables of GitHub Desktop and Git (Standalone version) from mandatory ASLR if they are installed on the system. More info here

    • You can add a Mandatory ASLR override for a trusted program using the PowerShell command below, or in the Program Settings section of Exploit Protection in the Microsoft Defender app.

```powershell
Set-ProcessMitigation -Name "C:\TrustedApp.exe" -Disable ForceRelocateImages
```


  • Rotating pink checkmark denoting registry or cmdlet Applies Exploit Protections/Process Mitigations from this list to the following programs: Rotating green checkmark denoting CSP CSP

    • All channels of Microsoft Edge browser

    • Quick Assist app

    • Some System processes

    • Microsoft 365 apps

    • More apps and processes will be added to the list over time once they are properly validated to be fully compatible.

    • Exploit Protection configurations are also available in XML format within this repository. When exploit protections are applied from an XML file, existing mitigations are merged with it rather than overwritten: if an executable on the system already has mitigations configured and the XML file specifies different mitigations for the same executable, the two sets are combined and applied together.


  • Rotating pink checkmark denoting registry or cmdlet Turns on Data Execution Prevention (DEP) for all applications, including 32-bit programs. By default, the output of BCDEdit /enum "{current}" (in PowerShell) shows the nx entry as OptIn, but the Harden System Security app sets it to AlwaysOn, which means per-application DEP opt-outs are no longer honored.
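The three Exploit Protection items above (the per-program Mandatory ASLR override, the merged XML import, and the DEP boot setting) fit naturally into one script. The following is an added example for this page and not the project's own code; 'C:\TrustedApp.exe' and the two XML file names are placeholder paths, and the whole thing must run in an elevated session because bcdedit and Set-ProcessMitigation write system-wide state.

```powershell
# Added example (not from the project): apply Mandatory ASLR system-wide, add
# a per-program override, merge an Exploit Protection XML, export the result,
# and make sure the DEP boot policy is AlwaysOn. Paths are placeholders.

# 1. Turn on Mandatory ASLR (force relocation of images) for every process
Set-ProcessMitigation -System -Enable ForceRelocateImages

# 2. Override it for one program that breaks under forced relocation
$TrustedApp = 'C:\TrustedApp.exe'
Set-ProcessMitigation -Name $TrustedApp -Disable ForceRelocateImages

# 3. Read the effective per-program setting back
(Get-ProcessMitigation -Name $TrustedApp).ASLR.ForceRelocateImages

# 4. Merge a policy file; per-app settings already on the system are kept
$PolicyFile = '.\ExploitProtection.xml'
if (Test-Path -LiteralPath $PolicyFile) {
    Set-ProcessMitigation -PolicyFilePath $PolicyFile
}

# 5. Export the resulting configuration so it can be reviewed or re-applied
Get-ProcessMitigation -RegistryConfigFilePath '.\ExploitProtection-current.xml'

# 6. DEP: parse the boot configuration for the nx policy and enforce AlwaysOn
function Get-DepPolicy {
    $line = bcdedit /enum "{current}" | Select-String -Pattern '^nx\s+(\S+)'
    if ($line) { $line.Matches[0].Groups[1].Value } else { 'Unknown' }
}

if ((Get-DepPolicy) -ne 'AlwaysOn') {
    bcdedit /set "{current}" nx AlwaysOn
}
Get-DepPolicy
```

The DEP change only takes effect after a reboot, so a second run of Get-DepPolicy after restarting is the real confirmation; the process mitigation settings apply to new processes immediately.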


  • Blue Check mark denoting Group Policy Check for the latest virus and spyware security intelligence on startup. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Sets the maximum depth to scan archive files to the highest possible value, 4,294,967,295 (the largest 32-bit unsigned value). Rotating green checkmark denoting CSP CSP




  • Blue Check mark denoting Group Policy Enables notifying user of malicious and phishing scenarios in Microsoft Defender Enhanced Phishing Protection. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Enables the feature in Enhanced Phishing Protection in Microsoft Defender SmartScreen that warns users if they reuse their work or school password. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Enables warning users if they type their work or school passwords in unsafe apps. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Enables automatic data collection (formerly known as Capture Threat Window) of Enhanced Phishing Protection in Microsoft Defender SmartScreen for security analysis from a suspicious website or app. Rotating green checkmark denoting CSP CSP




  • Blue Check mark denoting Group Policy Defines the number of days before spyware security intelligence is considered out of date to 2. The default is 7. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Defines the number of days before virus security intelligence is considered out of date to 2. The default is 7. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Sets the default action for Severe and High threat levels to Remove, for Medium and Low threat levels to Quarantine. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Configures real-time protection and Security Intelligence Updates to be enabled during OOBE. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Enables the Intel TDT (Intel® Threat Detection Technology) integration with Microsoft Defender. Rotating green checkmark denoting CSP CSP



  • Rotating pink checkmark denoting registry or cmdlet Enables a network protection setting that blocks malicious network traffic instead of displaying a warning. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Configures the Brute-Force Protection to use cloud aggregation to block IP addresses that are over 99% likely malicious. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Configures the Brute-Force Protection to detect and block attempts to forcibly sign in and initiate sessions. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Sets the internal feature logic to determine blocking time for the Brute-Force Protection. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Configures the Remote Encryption Protection to use cloud intel and context, and block when the confidence level is above 90%. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Configures the Remote Encryption Protection to detect and block attempts to replace local files with encrypted versions from another device. Rotating green checkmark denoting CSP CSP


  • Blue Check mark denoting Group Policy Sets the internal feature logic to determine blocking time for the Remote Encryption Protection. Rotating green checkmark denoting CSP CSP


  • Rotating pink checkmark denoting registry or cmdlet Extends the brute-force protection coverage in the Microsoft Defender Antivirus to block local network addresses. Rotating green checkmark denoting CSP CSP
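For the Network Protection, Brute-Force Protection and Remote Encryption Protection items above, the practical concern is applying them without losing the ability to back out. The script below is an added example for this page, not code from the project: it snapshots the current values to a file, applies the hardened settings one at a time so an unsupported parameter on an older Defender platform does not abort the rest, reads them back, and can restore the snapshot. The numeric values are assumptions taken from the Set-MpPreference documentation (EnableNetworkProtection 1 = Enabled/block, ConfiguredState 1 = Block, MaxBlockTime 0 = let the internal feature logic decide); the aggressiveness thresholds are deliberately left out because their Low/Medium/High mapping should be confirmed against the policy text on your build.

```powershell
# Added example (not from the project): snapshot, apply, verify and optionally
# roll back the network, brute-force and remote encryption protection settings.
# Values are assumptions from the Set-MpPreference documentation:
#   EnableNetworkProtection 1 = Enabled (block), ConfiguredState 1 = Block,
#   MaxBlockTime 0 = internal feature logic decides the block duration.

$Settings = [ordered]@{
    EnableNetworkProtection                   = 1
    AllowSwitchToAsyncInspection              = $true
    BruteForceProtectionConfiguredState       = 1
    BruteForceProtectionMaxBlockTime          = 0
    BruteForceProtectionLocalNetworkBlocking  = $true
    RemoteEncryptionProtectionConfiguredState = 1
    RemoteEncryptionProtectionMaxBlockTime    = 0
}

function Save-DefenderSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $pref = Get-MpPreference
    $snap = [ordered]@{}
    foreach ($k in $Settings.Keys) { $snap[$k] = $pref.$k }
    $snap | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Set-DefenderHardenedNetworkSettings {
    foreach ($k in $Settings.Keys) {
        # Splat one parameter at a time so a single unsupported setting
        # (older Defender platform) does not stop the remaining ones.
        $param = @{ $k = $Settings[$k] }
        try   { Set-MpPreference @param -ErrorAction Stop }
        catch { Write-Warning "$k not applied: $($_.Exception.Message)" }
    }
}

function Get-DefenderHardenedNetworkSettings {
    # Read back only the properties this script manages
    Get-MpPreference | Select-Object -Property ([string[]]$Settings.Keys)
}

function Restore-DefenderSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $snap = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($p in $snap.PSObject.Properties) {
        if ($null -eq $p.Value) { continue }   # setting did not exist before
        $param = @{ $p.Name = $p.Value }
        try   { Set-MpPreference @param -ErrorAction Stop }
        catch { Write-Warning "$($p.Name) not restored: $($_.Exception.Message)" }
    }
}

$Snapshot = "$env:TEMP\defender-network-before.json"
Save-DefenderSnapshot -Path $Snapshot
Set-DefenderHardenedNetworkSettings
Get-DefenderHardenedNetworkSettings | Format-List
# To undo everything this script changed:
# Restore-DefenderSnapshot -Path $Snapshot
```

Where a setting is managed by Group Policy or CSP, the policy value wins over the local preference, so a Set-MpPreference call may appear not to take effect; in that case change the policy rather than the local preference.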


  • Rotating pink checkmark denoting registry or cmdlet Enables ECS (Experimentation and Configuration Service) configurations in Microsoft Defender, which let Microsoft deliver configuration fixes for product health and security issues to the engine between regular updates, so problems can be corrected in a timely manner.


  • Blue Check mark denoting Group Policy Enables Network Protection to be configured into block or audit mode on Windows Server. Rotating green checkmark denoting CSP CSP