This article provides configurations you can use with Microsoft Defender for Endpoint and Red Canary. It is an adaptation of a presentation; the slides, which contain additional details and images, are linked from the original article.
As part of Microsoft's suite of integrated threat protection products, Defender for Endpoint is a key component of many customers' security plans. The following sections walk through the configuration that gets the most protection out of Defender for Endpoint:
- Validate your EDR deployment.
- Ensure Microsoft Defender Antivirus is running in active mode.
- Configure Next Generation Protection (NGAV).
- Enable tamper protection.
Red Canary's configuration suggestions can be applied to Defender for Endpoint through several management solutions, depending on your architecture, for example Endpoint Manager (Intune) or Group Policy. Apply them in one place, your primary configuration management solution, so that competing policy sources do not fight each other over the same settings.
A guided video walkthrough of these sections accompanies the original article.
Validate your EDR deployment
In this section, you'll generate a test alert in order to ensure your Defender for Endpoint deployment is fully operational.
- On an endpoint that has Defender installed, create the folder C:\test-MDATP-test.
- Open PowerShell with elevated permissions, and then execute the following command (this is Microsoft's documented detection test; the download from 127.0.0.1 fails and the error is suppressed, which is expected):
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
- Check the Defender for Endpoint dashboard in the Microsoft 365 Defender portal for your test alert. It typically appears within about 10 minutes of running the command.
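If the test alert never shows up, the usual cause is a device that was never onboarded or whose sensor service is not running, not a detection problem. The script below is an added example, not part of the original article: it checks the sensor state first and only then launches the documented test command unchanged. The Sense service name and the OnboardingState registry value are the ones Microsoft documents for verifying onboarding; run it from an elevated PowerShell prompt on the endpoint.

```powershell
# Added example: verify the Defender for Endpoint sensor, then run the detection test.
# Run from an elevated PowerShell prompt on the endpoint being validated.

function Test-MdeSensor {
    # The EDR sensor runs as the "Sense" service. OnboardingState = 1 under this key means the
    # device has accepted an onboarding package.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    $serviceState = if ($sense) { $sense.Status.ToString() } else { 'missing' }
    $onboarding   = if ($status) { $status.OnboardingState } else { $null }

    [pscustomobject]@{
        SenseServiceStatus = $serviceState     # expect 'Running'
        OnboardingState    = $onboarding       # expect 1
        Ready              = ($serviceState -eq 'Running' -and $onboarding -eq 1)
    }
}

function Invoke-MdeDetectionTest {
    $sensor = Test-MdeSensor
    if (-not $sensor.Ready) {
        throw "Sensor not ready (service: $($sensor.SenseServiceStatus), OnboardingState: $($sensor.OnboardingState)). Fix onboarding before testing."
    }

    # Step 1 of the article: the test folder.
    New-Item -ItemType Directory -Path 'C:\test-MDATP-test' -Force | Out-Null

    # Step 2: the documented test command, passed through unchanged. The download from
    # 127.0.0.1 fails and the error is suppressed; the hidden PowerShell window stays open
    # because of -NoExit, exactly as when the command is typed by hand.
    $testCommand = @'
$ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
'@
    Start-Process -FilePath powershell.exe -ArgumentList "-NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $testCommand"

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        LaunchedAt = Get-Date
        Note       = 'Check the Microsoft 365 Defender portal for the test alert on this device within about 10 minutes.'
    }
}

Invoke-MdeDetectionTest
```

Keep the hostname and launch time from the output; they are what you will search for in the portal, and the gap between LaunchedAt and the alert timestamp is a useful baseline for how quickly this tenant surfaces alerts.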
Ensure Microsoft Defender Antivirus is running in active mode
For Defender for Endpoint's prevention features (next-generation protection, attack surface reduction, network protection) to function, Defender Antivirus must be the active antivirus solution on the system. When a non-Microsoft antivirus product is registered, Defender Antivirus falls into passive mode: it still receives security intelligence updates and can run scheduled or on-demand scans, but real-time protection is off and the NGAV settings in the next section have no effect.
To check whether Defender Antivirus is running in active mode, open PowerShell and run:
Get-MpComputerStatus | Select AMRunningMode
The output should look like this:
> Get-MPComputerStatus | Select AMRunningMode
AMRunningMode
-------------
Normal
Other values you may see are Passive Mode, SxS Passive Mode (side by side with a non-Microsoft product, with Limited Periodic Scanning) and EDR Block Mode.
For more information about why Defender Antivirus might switch to passive mode, see Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions.
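Knowing the mode is only half the job; the next question is why the device is not in Normal mode. The following added example (not from the original article) interprets the AMRunningMode value and gathers the two usual causes: another antivirus product registered with Windows Security Center, and the ForceDefenderPassiveMode policy value that puts Windows Server into passive mode. The root/SecurityCenter2 WMI namespace exists only on client editions of Windows, so that part reports nothing on servers.

```powershell
# Added example: interpret AMRunningMode and collect the likely reasons for passive mode.

function Get-DefenderAvMode {
    $status = Get-MpComputerStatus
    $mode   = $status.AMRunningMode

    # Client OS only: products registered with Windows Security Center. Defender itself is
    # listed too, so filter it out to see what is competing with it.
    $otherAv = @()
    $sc2 = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if ($sc2) {
        $otherAv = $sc2 | Where-Object { $_.displayName -notlike '*Defender*' } |
                   ForEach-Object { $_.displayName }
    }

    # Windows Server: this policy value forces passive mode regardless of other products.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forcedPassive = (Get-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    $explanation = switch ($mode) {
        'Normal'           { 'Defender Antivirus is the primary AV; the NGAV policies below apply.' }
        'Passive Mode'     { 'A non-Microsoft AV is primary; real-time protection is off.' }
        'SxS Passive Mode' { 'Side by side with a non-Microsoft AV, with Limited Periodic Scanning.' }
        'EDR Block Mode'   { 'Passive for prevention, but EDR in block mode can remediate detections.' }
        default            { 'Unexpected value; confirm the Defender Antivirus service is running.' }
    }

    [pscustomobject]@{
        AMRunningMode            = $mode
        Explanation              = $explanation
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        OtherRegisteredAv        = ($otherAv -join ', ')
        ForceDefenderPassiveMode = $forcedPassive   # 1 forces passive mode on Windows Server
    }
}

Get-DefenderAvMode | Format-List
```

If OtherRegisteredAv lists a product you thought was uninstalled, a stale Security Center registration is enough to keep Defender passive; remove the product cleanly (or its registration) and the mode returns to Normal without any Defender change.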
Configure Next Generation Protection (NGAV)
In this section, you'll configure the core NGAV features by using either the Local Group Policy Editor or Endpoint Manager. The core NGAV features are cloud-delivered protection, which uses the Microsoft Active Protection Service (MAPS) to assess suspicious binaries in real time, and real-time protection, which covers always-on monitoring of file and process activity plus behavioral heuristics to identify threats.
Option 1: Configure NGAV using Group Policy
- Open the Local Group Policy Editor.
- Click Computer Configuration, Administrative Templates, Windows Components, then select Microsoft Defender Antivirus.
- Enable Allow antimalware service to start up with normal priority.
- Click Real-time Protection, and configure your settings to match the following (Setting: State):
  Turn off real-time protection: Disabled
  Turn on behavior monitoring: Enabled
  Scan all downloaded files and attachments: Enabled
  Monitor file and program activity on your computer: Enabled
  Turn on raw volume write notifications: Enabled
  Turn on process scanning whenever real-time protection is enabled: Enabled
  Define the maximum size of downloaded files and attachments: Enabled
  Configure local setting override for turn on behavior monitoring: Disabled
  Configure local setting override for scanning all downloaded files and attachments: Disabled
  Configure local setting override for monitoring file and program activity on your computer: Disabled
  Configure local setting override to turn on real-time protection: Disabled
  Configure local setting override for monitoring for incoming and outgoing file activity: Disabled
  Configure monitoring for incoming and outgoing file and program activity: Disabled
- Click MAPS.
- Click Join Microsoft MAPS, select Enabled, select Basic MAPS, and then click Ok.
- Click Send file samples when further analysis is required, select Enabled, select Send all samples, and then click Ok.
Option 2: Configure NGAV using Endpoint Manager
- Log in to https://endpoint.microsoft.com/.
- Click Endpoint Security, Antivirus, and then click Create Policy.
- Under Platform, select Windows 10 and later.
- Under Profile, select Windows Defender Antivirus.
- Click Create, enter a name and description, and then click Next.
- Under Cloud protection, configure the following settings (Setting: State):
  Turn on cloud-delivered protection: Yes
  Cloud-delivered protection level: High plus
- Under Real-time protection, configure the following settings (Setting: State):
  Turn on real-time protection: Yes
  Enable on access protection: Yes
  Monitoring for incoming and outgoing files: Monitor all files
  Turn on behavior monitoring: Yes
  Turn on intrusion protection: Yes
  Enable network protection: Enable
  Scan all downloaded files and attachments: Yes
  Scan scripts that are used in Microsoft browsers: Yes, if using Microsoft browsers
  Scan network files: No
  Scan emails: Yes
- Click Next three times, and then click Create.
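Whichever of the two options you use, the effective state on the endpoint can be read back with the Defender PowerShell module. The script below is an added example, not Red Canary's or Microsoft's code: it expresses the settings from Option 1 and Option 2 as Get-/Set-MpPreference property names, audits a device against them, and can optionally push the same values locally. The numeric values are the enum values the cmdlets return (for example CloudBlockLevel 4 is High plus, MAPSReporting 2 is Advanced and 1 is Basic). Treat remediation as a lab convenience: per the note at the top of this article the settings belong in Intune or Group Policy, and tamper protection deliberately blocks local changes to several of them.

```powershell
# Added example: audit (and optionally remediate) the NGAV settings from this section.
# Desired state constructed from the article's two option tables; values are the numeric
# enum values that Get-MpPreference returns. A setting may list several acceptable values.

$DesiredNgavState = @{
    DisableRealtimeMonitoring        = $false      # Turn on real-time protection
    DisableBehaviorMonitoring        = $false      # Turn on behavior monitoring
    DisableIOAVProtection            = $false      # Scan all downloaded files and attachments
    RealTimeScanDirection            = 0           # 0 = monitor incoming and outgoing files
    DisableIntrusionPreventionSystem = $false      # Turn on intrusion protection
    EnableNetworkProtection          = 1           # 1 = Enabled (0 Disabled, 2 Audit mode)
    DisableScriptScanning            = $false      # Scan scripts used in Microsoft browsers
    DisableScanningNetworkFiles      = $true       # Scan network files: No
    DisableEmailScanning             = $false      # Scan emails: Yes
    MAPSReporting                    = @(2, 1)     # 2 = Advanced (Intune "Yes"), 1 = Basic (GP step)
    SubmitSamplesConsent             = 3           # 3 = Send all samples
    CloudBlockLevel                  = 4           # 4 = High plus
}

function Get-NgavDrift {
    param([hashtable]$Desired = $DesiredNgavState)
    $pref = Get-MpPreference
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $want    = $Desired[$name]
        $current = $pref.$name                      # $null on builds that lack the setting
        [pscustomobject]@{
            Setting   = $name
            Current   = $current
            Expected  = ($want -join ' or ')
            Compliant = [bool]($want -contains $current)
        }
    }
}

function Invoke-NgavRemediation {
    param([hashtable]$Desired = $DesiredNgavState)
    $drift = Get-NgavDrift -Desired $Desired | Where-Object { -not $_.Compliant }
    foreach ($item in $drift) {
        $value = @($Desired[$item.Setting])[0]      # first acceptable value
        $splat = @{ $item.Setting = $value }
        try {
            Set-MpPreference @splat -ErrorAction Stop
            Write-Host ("Set {0} = {1}" -f $item.Setting, $value)
        } catch {
            Write-Warning ("Could not set {0}: {1}" -f $item.Setting, $_.Exception.Message)
        }
    }
    # Anything still drifting after this is being held by tamper protection, Group Policy or Intune,
    # which is where the fix belongs.
    Get-NgavDrift -Desired $Desired | Where-Object { -not $_.Compliant }
}

Get-NgavDrift | Format-Table -AutoSize
```

Running Get-NgavDrift across a fleet (for example through Intune proactive remediation or a remote session) gives you a direct check that the policy you pushed actually landed, which the portal's policy assignment status does not tell you.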
Enable tamper protection
Tamper protection locks the key Defender Antivirus settings (real-time protection, cloud-delivered protection, behavior monitoring, scanning of downloaded files, security intelligence updates) so that malware, or an attacker with local administrator rights, cannot switch them off through the registry, PowerShell, the Windows Security app or local policy. In this section, you'll enable tamper protection using either the Microsoft 365 Defender portal or Endpoint Manager.
Tip: Red Canary recommends that you enable tamper protection using the Microsoft 365 Defender portal. If you use Windows Server 2016 or Windows 10 versions 1709, 1803, or 1809, the Windows Security app may not show the toggle, and you might need to use PowerShell (Get-MpComputerStatus, IsTamperProtected) to determine the tamper protection status.
Option 1: Enable tamper protection using 365 Defender
- Log in to https://security.microsoft.com/.
- Click Settings, Endpoints, then select Advanced features.
- Turn on Tamper protection.
- Click Save preferences.
Option 2: Enable tamper protection using Endpoint Manager
- Log in to https://endpoint.microsoft.com/.
- Click Devices, Configuration profiles, and then click Create profile.
- Under Platform, select Windows 10 or later.
- Under Profile type, select Endpoint protection.
- Click Create, enter a name and description, and then click Next.
- Select Microsoft Defender Security Center.
- From the Tamper Protection dropdown, select Enabled.
- Click Next three times, and then click Create.
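For the hosts the tip above calls out, and for spot checks after either option has been applied, the following added example (not from the original article) reads tamper protection state from PowerShell and cross-checks it against the registry. IsTamperProtected and, on recent builds, TamperProtectionSource come from Get-MpComputerStatus; the TamperProtection value under the Windows Defender Features key is 5 when on and 4 when off, per Microsoft's documentation. Older Defender builds lack the PowerShell properties, which is why the script tolerates their absence.

```powershell
# Added example: determine tamper protection status from PowerShell, with a registry cross-check.

function Test-TamperProtection {
    $status     = Get-MpComputerStatus
    $featureKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $features   = Get-ItemProperty -Path $featureKey -ErrorAction SilentlyContinue

    # Property lookup through PSObject returns $null instead of throwing when the build is too
    # old to expose the property.
    $isProtected = $status.PSObject.Properties['IsTamperProtected'].Value
    $source      = $status.PSObject.Properties['TamperProtectionSource'].Value

    # Documented registry values: 5 = on, 4 = off.
    $regState = switch ($features.TamperProtection) {
        5       { 'On' }
        4       { 'Off' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        IsTamperProtected      = $isProtected      # $true expected after this section
        TamperProtectionSource = $source           # e.g. Intune or ATP (portal); $null on older builds
        RegistryValue          = $features.TamperProtection
        RegistryState          = $regState
        # If the cmdlet exposes the flag, it should agree with the registry.
        Consistent             = ($null -eq $isProtected) -or (($isProtected -eq $true) -eq ($regState -eq 'On'))
    }
}

Test-TamperProtection | Format-List
```

A device that reports IsTamperProtected as False hours after the portal toggle was turned on usually has not checked in yet or is not onboarded to Defender for Endpoint; the portal setting only reaches devices that the Sense sensor reports for.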
Comments
Extremely helpful - job well done. Really enjoyed the video and found it more engaging than just looking through the slide deck. I appreciate the "Turn this setting on" direct approach rather than all the wishy-washy "you may find this to be of benefit blah blah". RC is my trusted advisor = give it to me straight. And JC and ZF rock it.