WNDF-AV-000018 - Microsoft Defender AV must monitor for incoming and outgoing files.


This policy setting allows the configuration of monitoring for incoming and outgoing files without having to turn off monitoring entirely. It is recommended for use on servers that have a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role. Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.

The options for this setting are mutually exclusive:
0 = Scan incoming and outgoing files (default)
1 = Scan incoming files only
2 = Scan outgoing files only

Any other value, or if the value does not exist, resolves to the default (0). If this setting is enabled, the specified type of monitoring will be enabled. If this setting is disabled or not configured, monitoring for incoming and outgoing files will be enabled.


Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> 'Configure monitoring for incoming and outgoing file and program activity' to 'Disabled' or 'Not Configured'.

See Also


Item Details


References: 800-53|SI-3c.1., CAT|II, CCI|CCI-001242, Rule-ID|SV-213442r823056_rule, STIG-ID|WNDF-AV-000018, STIG-Legacy|SV-89901, STIG-Legacy|V-75221, Vuln-ID|V-213442

Plugin: Windows

Control ID: 441e505a40dac599512ae5156fed44da938a131d893597b3aa44a52f414dbe4e