An error occurred:

Check: WNDF-AV-000018

Microsoft Defender Antivirus STIG: WNDF-AV-000018 (in version v2 r4)

Title

Microsoft Defender AV must monitor for incoming and outgoing files. (Cat II impact)

Discussion

This policy setting allows the configuration of monitoring for incoming and outgoing files without having to turn off monitoring entirely. It is recommended for use on servers that have a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role. Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. The options for this setting are mutually exclusive: 0 = Scan incoming and outgoing files (default) 1 = Scan incoming files only 2 = Scan outgoing files only Any other value, or if the value does not exist, resolves to the default (0). If this setting is enabled, the specified type of monitoring will be enabled. If this setting is disabled or not configured, monitoring for incoming and outgoing files will be enabled.

Check Content

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> "Configure monitoring for incoming and outgoing file and program activity" is set to "Disabled" or "Not Configured". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection Criteria: If the value "RealtimeScanDirection" is REG_DWORD = 0, this is not a finding. If the value does not exist, this is not a finding. If the value is 1 or 2, this is a finding.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time Protection >> "Configure monitoring for incoming and outgoing file and program activity" to "Disabled" or "Not Configured".

Additional Identifiers

Rule ID: SV-213442r823056_rule

Vulnerability ID: V-213442

Group Title: SRG-APP-000278

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001242

The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SI-3

Malicious Code Protection