Detections
Analytics
WNDF-AV-000046 - Microsoft Defender AV must use advanced protection against ransomware.
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
This policy setting provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware.This rule doesn't block files that have one or more of the following characteristics:
- The file is found to be unharmful in the Microsoft cloud.
- The file is a valid signed file.
- The file is prevalent enough to not be considered as ransomware.
- The rule tends to err on the side of caution to prevent ransomware.
Solution
Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Microsoft Defender Exploit Guard >> Attack Surface Reduction >> Configure Attack Surface Reduction rules to 'Enabled'.Under the policy option 'Set the state for each ASR rule:', then click 'Show'.
Enter GUID 'c1db55ab-c21a-4637-bb3f-a12568109d35' in the 'Value Name' column.
Enter '1' in the 'Value' column.
Click 'OK'.
Click 'Apply'.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Defender_Antivirus_V2R7_STIG.zip
Item Details
Audit Name: DISA Microsoft Defender Antivirus STIG v2r7
References: CAT|II, CCI|CCI-001170, Rule-ID|SV-278650r1144036_rule, STIG-ID|WNDF-AV-000046, Vuln-ID|V-278650
Plugin: Windows
Control ID: e38fc466d4fb6ad9f386339773e710dba30aa71905362fe9692d4102a2389d49