An error occurred:

Check: WNDF-AV-000004

Microsoft Defender Antivirus STIG: WNDF-AV-000004 (in version v2 r4)

Title

Microsoft Defender AV must be configured to run and scan for malware and other potentially unwanted software. (Cat I impact)

Discussion

This policy setting turns off Microsoft Defender Antivirus. If this policy setting is enabled, Microsoft Defender Antivirus does not run and computers are not scanned for malware or other potentially unwanted software. When the setting is disabled and a third-party antivirus solution is installed, the two applications can both simultaneously try to protect the system. The two AV solutions both attempt to quarantine the same threat and will fight for access to delete the file. Users will see conflicts and the system may lock up until the two solutions finish processing. When the setting is not configured and a third-party antivirus solution is installed, both applications coexist on the system without conflicts. Defender Antivirus will automatically disable itself and will enable if the third-party solution stops functioning. When the setting is not configured and Defender Antivirus is the only AV solution, Defender AV will run (default state) and receive definition updates. An administrator account is needed to turn off the service. A standard user cannot disable the service.

Check Content

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> "Turn off Windows Defender Antivirus" is set to “Not Configured”. For Windows 10: Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender Criteria: If the value "DisableAntiSpyware" does not exist, this is not a finding.

Fix Text

For Windows 10: Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus "Turn off Microsoft Defender Antivirus" to "Not Configured".

Additional Identifiers

Rule ID: SV-213428r823028_rule

Vulnerability ID: V-213428

Group Title: SRG-APP-000278

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001242

The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SI-3

Malicious Code Protection