Microsoft Windows Defender Antivirus STIG: WNDF-AV-000011

Check: WNDF-AV-000011 (in versions v2 r2 through v1 r2)

Title

Windows Defender AV must be configured to only send safe samples for MAPS telemetry. (Cat II impact)

Discussion

This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x3) Send all samples automatically.

Check Content

This is applicable to unclassified systems, for other systems this is NA. Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Send file samples when further analysis is required" is set to "Enabled" and "Send safe samples" selected from the drop down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Spynet Criteria: If the value "SubmitSamplesConsent" is REG_DWORD = 1, this is not a finding.

Fix Text

This is applicable to unclassified systems, for other systems this is NA. Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Send file samples when further analysis is required" to "Enabled" and select "Send safe samples" from the drop down box.

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001170

The information system prevents the automatic execution of mobile code in organization-defined software applications.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-18 (4)

Prevent Automatic Execution