Title

Windows Defender AV must be configured to scan removable drives. (Cat II impact)

Discussion

This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives such as USB flash drives when running a full scan. If you enable this setting removable drives will be scanned during any type of scan. If you disable or do not configure this setting removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.

Check Content

Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Scan removable drives" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Scan Criteria: If the value "DisableRemovableDriveScanning" is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Scan removable drives" to "Enabled".

Additional Identifiers

Rule ID: SV-213449r569189_rule

Vulnerability ID: V-213449

Group Title: SRG-APP-000073

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.