Check: WNDF-AV-000023
Microsoft Defender Antivirus STIG:
WNDF-AV-000023
(in version v2 r4)
Title
Microsoft Defender AV must be configured to process scanning when real-time protection is enabled. (Cat II impact)
Discussion
This policy setting allows the configuration of process scanning when real-time protection is turned on. This helps to catch malware, which could start when real-time protection is turned off. If this setting is enabled or not configured, a process scan will be initiated when real-time protection is turned on. If this setting is disabled, a process scan will not be initiated when real-time protection is turned on.
Check Content
Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> "Turn on process scanning whenever real-time protection is enabled" is set to "Enabled" or "Not Configured". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection Criteria: If the value "DisableScanOnRealtimeEnable" is REG_DWORD = 0, this is not a finding. If the value does not exist, this is not a finding. If the value is 1, this is a finding.
Fix Text
Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> "Turn on process scanning whenever real-time protection is enabled" to "Enabled" or "Not Configured".
Additional Identifiers
Rule ID: SV-213447r823065_rule
Vulnerability ID: V-213447
Group Title: SRG-APP-000278
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001242 |
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
| Number | Title |
|---|---|
| SI-3 |
Malicious Code Protection |