Detections
Analytics

DISA Microsoft Defender Antivirus STIG v2r6

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Microsoft Defender Antivirus STIG v2r6

Updated: 3/30/2026

Authority: DISA STIG

Plugin: Windows

Revision: 1.1

Estimated Item Count: 69

File Details

Filename: DISA_STIG_Microsoft_Defender_Antivirus_v2r6.audit

Size: 119 kB

MD5: d2efeec80f7655812ce107dc7342a28f
SHA256: e813e3eba57faa69da3d9e64b8c0c67f69582a9eed92fb971e54761a4fd2b13a

Audit Items

DescriptionCategories
DISA_STIG_Microsoft_Defender_Antivirus_v2r6.audit from DISA Microsoft Defender Antivirus STIG v2r6
WNDF-AV-000001 - Microsoft Defender AV must be configured to block the Potentially Unwanted Application (PUA) feature.
WNDF-AV-000003 - Microsoft Defender AV must be configured to automatically take action on all detected tasks.
WNDF-AV-000004 - Microsoft Defender AV must be configured to run and scan for malware and other potentially unwanted software.
WNDF-AV-000005 - Microsoft Defender AV must be configured to not exclude files for scanning.
WNDF-AV-000006 - Microsoft Defender AV must be configured to not exclude files opened by specified processes.
WNDF-AV-000007 - Microsoft Defender AV must be configured to enable the Automatic Exclusions feature.
WNDF-AV-000008 - Microsoft Defender AV must be configured to disable local setting override for reporting to Microsoft MAPS.
WNDF-AV-000009 - Microsoft Defender AV must be configured to check in real time with MAPS before content is run or accessed.
WNDF-AV-000010 - Microsoft Defender AV must join Microsoft MAPS.
WNDF-AV-000011 - Microsoft Defender AV must be configured to only send safe samples for MAPS telemetry.
WNDF-AV-000012 - Microsoft Defender AV must be configured for protocol recognition for network protection.
WNDF-AV-000013 - Microsoft Defender AV must be configured to not allow local override of monitoring for file and program activity.
WNDF-AV-000014 - Microsoft Defender AV must be configured to not allow override of monitoring for incoming and outgoing file activity.
WNDF-AV-000015 - Microsoft Defender AV must be configured to not allow override of scanning for downloaded files and attachments.
WNDF-AV-000016 - Microsoft Defender AV must be configured to not allow override of behavior monitoring.
WNDF-AV-000017 - Microsoft Defender AV Group Policy settings must take priority over the local preference settings.
WNDF-AV-000018 - Microsoft Defender AV must monitor for incoming and outgoing files.
WNDF-AV-000019 - Microsoft Defender AV must be configured to monitor for file and program activity.
WNDF-AV-000020 - Microsoft Defender AV must be configured to scan all downloaded files and attachments.
WNDF-AV-000021 - Microsoft Defender AV must be configured to always enable real-time protection.
WNDF-AV-000022 - Microsoft Defender AV must be configured to enable behavior monitoring.
WNDF-AV-000023 - Microsoft Defender AV must be configured to process scanning when real-time protection is enabled.
WNDF-AV-000024 - Microsoft Defender AV must be configured to scan archive files.
WNDF-AV-000025 - Microsoft Defender AV must be configured to scan removable drives.
WNDF-AV-000026 - Microsoft Defender AV must be configured to perform a weekly scheduled scan.
WNDF-AV-000027 - Microsoft Defender AV must be configured to turn on e-mail scanning.
WNDF-AV-000028 - Microsoft Defender AV spyware definition age must not exceed 7 days.
WNDF-AV-000029 - Microsoft Defender AV virus definition age must not exceed 7 days.
WNDF-AV-000030 - Microsoft Defender AV must be configured to check for definition updates daily.
WNDF-AV-000031 - Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Severe.
WNDF-AV-000032 - Microsoft Defender AV must be configured to block executable content from email client and webmail.
WNDF-AV-000033 - Microsoft Defender AV must be configured block Office applications from creating child processes.
WNDF-AV-000034 - Microsoft Defender AV must be configured block Office applications from creating executable content.
WNDF-AV-000035 - Microsoft Defender AV must be configured to block Office applications from injecting into other processes.
WNDF-AV-000036 - Microsoft Defender AV must be configured to impede JavaScript and VBScript to launch executables.
WNDF-AV-000037 - Microsoft Defender AV must be configured to block execution of potentially obfuscated scripts.
WNDF-AV-000038 - Microsoft Defender AV must be configured to block Win32 imports from macro code in Office.
WNDF-AV-000039 - Microsoft Defender AV must be configured to prevent user and apps from accessing dangerous websites.
WNDF-AV-000040 - Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level High.
WNDF-AV-000041 - Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Medium.
WNDF-AV-000042 - Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Low.
WNDF-AV-000043 - Microsoft Defender AV must block Adobe Reader from creating child processes.
WNDF-AV-000044 - Microsoft Defender AV must block credential stealing from the Windows local security authority subsystem.
WNDF-AV-000045 - Microsoft Defender AV must block untrusted and unsigned processes that run from USB.
WNDF-AV-000046 - Microsoft Defender AV must use advanced protection against ransomware.
WNDF-AV-000047 - Microsoft Defender AV must block process creations originating from PSExec and WMI commands.
WNDF-AV-000048 - Microsoft Defender AV must block persistence through WMI event subscription.
WNDF-AV-000049 - Microsoft Defender AV must block executable files from running unless they meet a prevalence, age, or trusted list criterion.
WNDF-AV-000050 - Microsoft Defender AV must block Office communication application from creating child processes.