An error occurred:

Check: WNDF-AV-000009

Microsoft Defender Antivirus STIG: WNDF-AV-000009 (in version v2 r4)

Title

Microsoft Defender AV must be configured to check in real time with MAPS before content is run or accessed. (Cat II impact)

Discussion

This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. Enabled - The Block at First Sight setting is turned on. Disabled - The Block at First Sight setting is turned off. This feature requires these Group Policy settings to be set as follows: MAPS >> The "Join Microsoft MAPS" must be enabled or the "Block at First Sight" feature will not function. MAPS >> The "Send file samples when further analysis is required" should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. Real-time Protection >> The "Scan all downloaded files and attachments" policy must be enabled or the "Block at First Sight" feature will not function. Real-time Protection >> Do not enable the "Turn off real-time protection" policy or the "Block at First Sight" feature will not function.

Check Content

This is applicable to unclassified systems. For other systems this is NA. Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> MAPS >> "Configure the 'Block at First Sight' feature" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Spynet Criteria: If the value "DisableBlockAtFirstSeen" is REG_DWORD = 0, this is not a finding.

Fix Text

This is applicable to unclassified systems. For other systems this is NA. Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> MAPS >> "Configure the 'Block at First Sight' feature" to "Enabled".

Additional Identifiers

Rule ID: SV-213433r823038_rule

Vulnerability ID: V-213433

Group Title: SRG-APP-000278

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001242

The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SI-3

Malicious Code Protection