Title

Microsoft Defender AV must enable extended cloud check. (Cat II impact)

Discussion

When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the Microsoft Defender Antivirus cloud service. The default period that the file is blocked is 10 seconds. Extending the cloud block timeout period can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.

Check Content

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> MpEngine >> Configure extended cloud check is set to "Enabled" with a Policy Option value of "50"; otherwise, this is a finding. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine Criteria: If the value "MpBafsExtendedTimeout" is REG_DWORD = 50, this is not a finding. If the value is other than 50, this is a finding.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> MpEngine >> Configure extended cloud check to "Enabled" with a Policy Option value of "50". Click "OK". Click "Apply".

Additional Identifiers

Rule ID: SV-278662r1144061_rule

Vulnerability ID: V-278662

Group Title: SRG-APP-000210

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.