Preventing Malware with Microsoft Defender for Endpoint


Introduction

In my previous post I looked at some barebones configuration to get started with MDE; now let’s look at locking down your environment.

MDE includes many settings to minimise the overall attack surface of your Windows devices. One of these features is the ability to apply Attack Surface Reduction (ASR) rules. In a nutshell, they prevent malware infection by blocking certain software behaviours, like:

  • Scripts and executables attempting to download or run files
  • Running suspicious scripts
  • Behaviours outside of the normal day-to-day operation

Microsoft provide Security Baselines for Windows and Defender which include ASR rules, but the default settings for these can be a little on the overzealous side and, from experience, can impede end users’ ability to work, so tuning them to suit your environment is important.

Before implementing a block rule across your Windows estate, ensure you’ve run the rule in audit mode to verify that normal end user operations won’t be impacted. Microsoft’s recommendation is as follows:

If issues are discovered during the testing phase, instead of completely disabling a rule it may be possible to simply exclude an executable from ASR rules. This obviously comes with risk, but it is worth exploring if the need arises. More information on this can be found here.

Configuration

The settings below are the result of implementing ASR rules in various environments and discovering which ones are too intrusive. These may work for most environments, but make sure to test, test, test.

Rules set to Block:

  • Block untrusted and unsigned processes that run from USB
  • Block Adobe Reader from creating child processes
  • Block executable content from email client and webmail
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block persistence through WMI event subscription
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block Office applications from creating executable content

Rules set to Audit:

  • Block Office applications from injecting code into other processes
  • Block Win32 API calls from Office macros
  • Block all Office applications from creating child processes
  • Block execution of potentially obfuscated scripts
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Use advanced protection against ransomware
  • Block process creations originating from PSExec and WMI commands
  • Block Office communication applications from creating child processes

The Windows security baseline contains ASR rules that will need to be edited prior to deployment; this can easily be done when creating a new Security Baseline profile.

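The following PowerShell script is an added example and is not code from the original post. It applies the Block/Audit split listed above on a single device using the built-in Defender cmdlets (Add-MpPreference and Get-MpPreference), shows the per-executable ASR exclusion mentioned in the introduction as an alternative to disabling a rule, and then summarises audit-mode hits from the Defender event log so that a rule is only promoted to Block once its audit results have been reviewed. Assumptions: the rule GUIDs are the rule IDs from Microsoft’s published ASR rules reference and should be cross-checked against the current reference before use; the exclusion path is a placeholder; Defender logs ASR matches as event 1121 (rule in Block mode) and 1122 (rule in Audit mode) in the Microsoft-Windows-Windows Defender/Operational log. Run it from an elevated session on a test device; where Intune or Group Policy already delivers ASR settings, those take precedence over local preferences.

```powershell
# Added example (not from the original post): apply the post's ASR rule set locally,
# add an optional exclusion, print the effective state and summarise audit hits.
# GUIDs are Microsoft's documented ASR rule IDs; verify against the current reference.

# Rules the post runs in Block mode (rule name = rule GUID)
$blockRules = @{
    'Block untrusted and unsigned processes that run from USB'                     = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block Adobe Reader from creating child processes'                              = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block executable content from email client and webmail'                        = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block JavaScript or VBScript from launching downloaded executable content'     = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block persistence through WMI event subscription'                              = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block credential stealing from the Windows local security authority subsystem' = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block Office applications from creating executable content'                    = '3b576869-a4ec-4529-8536-b80a7769e899'
}

# Rules the post keeps in Audit mode until the audit log shows they are safe to block
$auditRules = @{
    'Block Office applications from injecting code into other processes'            = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Win32 API calls from Office macros'                                       = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Block all Office applications from creating child processes'                   = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block execution of potentially obfuscated scripts'                              = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block executable files unless they meet prevalence, age or trusted list criteria' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Use advanced protection against ransomware'                                    = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block process creations originating from PSExec and WMI commands'              = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block Office communication applications from creating child processes'         = '26190899-1602-49e8-8b27-eb1d0a1ce869'
}

# Combined lookup tables (PowerShell hashtable literals are case-insensitive, so the
# GUID case Defender reports back does not matter)
$allRules = $blockRules + $auditRules
$idToName = @{}
foreach ($e in $allRules.GetEnumerator()) { $idToName[$e.Value] = $e.Key }

function Set-AsrRules {
    param(
        [hashtable]$Rules,
        [ValidateSet('Enabled', 'AuditMode', 'Disabled', 'Warn')][string]$Action
    )
    foreach ($e in $Rules.GetEnumerator()) {
        # Add-MpPreference adds the rule or updates its action if it is already present
        Add-MpPreference -AttackSurfaceReductionRules_Ids $e.Value `
                         -AttackSurfaceReductionRules_Actions $Action
        Write-Host ('{0,-9} {1}' -f $Action, $e.Key)
    }
}

Set-AsrRules -Rules $blockRules -Action Enabled
Set-AsrRules -Rules $auditRules -Action AuditMode

# Optional: exclude one line-of-business executable from ASR rather than disabling a
# whole rule. Placeholder path; every exclusion widens the gap, so keep this list short.
$exclusions = @('C:\Program Files\ExampleLOB\lobapp.exe')
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $exclusions

# Effective state as Defender reports it (Actions: 0 Disabled, 1 Block, 2 Audit, 6 Warn)
$pref = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $name = if ($idToName.ContainsKey($id)) { $idToName[$id] } else { $id }
    $act  = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    Write-Host ('{0,-9} {1}' -f $act, $name)
}

# Audit review: Defender writes ASR matches to its Operational log as event 1121
# (Block mode) and 1122 (Audit mode). Count the last 14 days per rule so the noisy
# rules are visible before any of them are switched to Block.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

$guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
$events | ForEach-Object {
    # The rule GUID is embedded in the event message; a regex avoids depending on the
    # exact ordering of the event's property fields
    $id = [regex]::Match($_.Message, $guidPattern, 'IgnoreCase').Value
    [pscustomobject]@{
        Mode = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        Rule = if ($idToName.ContainsKey($id)) { $idToName[$id] } else { $id }
    }
} | Group-Object Mode, Rule | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The final table is the check the post asks for before flipping an Audit rule to Block: a rule with zero or only expected hits over the review window is a candidate for promotion, whereas one that fires on a line-of-business application points at either an exclusion for that executable or leaving the rule in Audit. At estate scale the same 1121/1122 events surface in the MDE portal reports, but the local query is a quick way to validate a pilot device.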

In my next post, I’ll be looking at further settings to lock down your Windows environment.


About Me

Senior Consultant at CDW UK specialising in Microsoft workspace and cloud technologies.