WNDF-AV-000033 - Microsoft Defender AV must be configured to block Office applications from creating child processes.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Office apps, such as Word or Excel, will not be allowed to create child processes. Spawning child processes from an Office app is typical malware behavior, especially in macro-based attacks that use Office apps to launch or download malicious executables.

Solution

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Windows Defender Exploit Guard >> Attack Surface Reduction >> 'Configure Attack Surface Reduction rules' to 'Enabled'.

Click 'Show...'. Set the Value name to 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' and the Value to '1'.
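
To confirm the setting took effect on a host, the following added example (not part of the STIG or the audit itself) reads the effective Attack Surface Reduction state through the Defender PowerShell module's `Get-MpPreference`. `Test-AsrRuleBlocked` is a hypothetical helper name, and the sample input is constructed.

```powershell
# ASR rule GUID from the Solution text above.
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Meaning of the per-rule action values reported by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-AsrRuleBlocked {
    # Hypothetical helper: takes the parallel Id/Action arrays so it can be
    # run against constructed input as well as live Get-MpPreference data.
    param(
        [string[]]$Ids,
        [int[]]$Actions,
        [string]$Rule = $RuleId
    )
    $state = 'NotConfigured'
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        # String -eq is case-insensitive, so lower-case GUIDs also match.
        if ($Ids[$i].Trim() -eq $Rule -and $i -lt $Actions.Count) {
            $a = $Actions[$i]
            $state = if ($ActionNames.ContainsKey($a)) { $ActionNames[$a] } else { "Unknown($a)" }
        }
    }
    [pscustomobject]@{
        Rule      = $Rule
        State     = $state
        Compliant = ($state -eq 'Block')   # only the value '1' satisfies this audit
    }
}

# Constructed sample: rule present but set to audit (2) rather than block (1).
Test-AsrRuleBlocked -Ids @('d4f940ab-401b-4efc-aadc-ad5f3c50688a') -Actions @(2)

# Live check on a host where the Defender module is available.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $p = Get-MpPreference
    Test-AsrRuleBlocked -Ids $p.AttackSurfaceReductionRules_Ids `
                        -Actions $p.AttackSurfaceReductionRules_Actions
}
```

A rule that is listed in audit or warn mode, or not listed at all, still fails this check, because the audit requires the value '1'.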

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Defender_Antivirus_V2R7_STIG.zip