Check: WNDF-AV-000064
Microsoft Defender Antivirus STIG:
WNDF-AV-000064
(in version v2 r6)
Title
Microsoft Defender AV must enable script scanning. (Cat II impact)
Discussion
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as autostart extensibility points, or ASEPs), and other changes to the file system or file structure.
Check Content
Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> Turn on script scanning is set to "Enabled"; otherwise, this is a finding. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection Criteria: If the value "DisableScriptScanning" is REG_DWORD = 0, this is not a finding. If the value is 1, this is a finding.
Fix Text
Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> Turn on script scanning to "Enabled". Click "OK". Click "Apply".
Additional Identifiers
Rule ID: SV-278668r1144063_rule
Vulnerability ID: V-278668
Group Title: SRG-APP-000278
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001242 |
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check |