Title

Windows Defender AV must be configured to only send safe samples for MAPS telemetry. (Cat II impact)

Discussion

This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x3) Send all samples automatically.

Check Content

This is applicable to unclassified systems, for other systems this is NA. Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Send file samples when further analysis is required" is set to "Enabled" and "Send safe samples" selected from the drop down box. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Spynet Criteria: If the value "SubmitSamplesConsent" is REG_DWORD = 1, this is not a finding.

Fix Text

This is applicable to unclassified systems, for other systems this is NA. Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Send file samples when further analysis is required" to "Enabled" and select "Send safe samples" from the drop down box.

Additional Identifiers

Rule ID: SV-213435r569189_rule

Vulnerability ID: V-213435

Group Title: SRG-APP-000210

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.