Microsoft Windows Defender Antivirus STIG: WNDF-AV-000004

Check: WNDF-AV-000004 (in version v2 r2)

Title

Windows Defender AV must be configured to run and scan for malware and other potentially unwanted software. (Cat I impact)

Discussion

This policy setting turns off Windows Defender Antivirus. If you enable this policy setting Windows Defender Antivirus does not run and computers are not scanned for malware or other potentially unwanted software. When the setting is Disabled and a third-party antivirus solution is installed, the two applications can both simultaneously try to protect the system. The two AV solutions both attempt to quarantine the same threat and will fight for access to delete the file. Users will see conflicts and the system may lock up until the two solutions finish processing. When the setting is Not Configured and a third-party antivirus solution is installed, both applications co-exist on the system without conflicts. Defender Antivirus will automatically disable itself and will enable if the third-party solution stops functioning. When the setting is Not Configured and Defender Antivirus is the only AV solution, Defender AV will run (default state) and receive definition updates. An administrator account is needed to turn off the service. A standard user cannot disable the service.

Check Content

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus >> "Turn off Windows Defender Antivirus" is set to “Not Configured”. For Windows 10: Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender Criteria: If the value "DisableAntiSpyware" does not exist, this is not a finding.

Fix Text

For Windows 10: Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus set "Turn off Windows Defender Antivirus" to "Not Configured".

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001242

The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SI-3

Malicious Code Protection