You're reading from Mastering Microsoft 365 Defender

Product type: Book
Published in: Jul 2023
Publisher: Packt
ISBN-13: 9781803241708
Edition: 1st Edition

Authors (2):

Ru Campbell

Ruairidh (Ru) Campbell is a Microsoft Security MVP and leads Microsoft consultancy at Threatscape. At Threatscape, Ru develops, delivers, and manages offerings and professional services for cybersecurity, compliance, identity, and management. In the cybersecurity community, Ru runs the Microsoft 365 Security & Compliance user group and his blog (campbell.scot), regularly speaks at other user groups and conferences, and contributes to well-known industry publications such as Practical 365. Ru holds 14 Microsoft certifications and a B.Sc. (Distinction) in computer networking from the University of the West of Scotland. Away from cybersecurity, he is a petrolhead who enjoys heavy metal and hiking around Scotland with his wife.

Viktor Hedberg

Viktor Hedberg is a Microsoft Security MVP and senior consultant at Truesec. At Truesec, Viktor works with proactive security measures within the Microsoft sphere of technologies, by delivering workshops on best practices and by his deep technical expertise in these areas. In the cybersecurity community, Viktor runs his blogs at Truesec (Experts – viktor-hedberg). Alongside this, he is one of the hosts of the Swedish Windows Security user group, as well as a co-host of the Swedish podcast The Nerd Herd. He is a frequent speaker at both conferences and user groups around the world, focusing on matters of Microsoft Security. Viktor holds numerous Microsoft certifications, as well as being a Microsoft Certified Trainer. Away from cybersecurity, Viktor is a family man, spending most of his time with his wife and three kids, as well as enjoying football, both as a practitioner and as a fan. Heavy metal has been part of his life since his early teens.

Advanced Microsoft Defender Antivirus for Windows

Our dive into MDAV continues in this chapter. In the previous chapter, you learned about some of its basic features, such as scanning and exclusion management. In this chapter, we take a closer look under the hood at the capabilities that really make MDAV powerful.

You will learn about the following:

  • How cloud-delivered protection improves MDAV’s layered approach to endpoint security
  • How this manifests itself in features such as block at first sight (BAFS)
  • The protection MDAV can provide against gray-area applications
  • The different running modes for MDAV
  • Tamper protection, an important defense in your fight against unauthorized manipulation of MDAV, even by local administrators
  • Ongoing management of MDAV – troubleshooting and reporting

To kick off our deep dive into MDAV’s additional features, we’ll start with one that sits at the heart of them all: cloud-delivered protection...

Cloud-delivered protection

You’ve seen the marketing emails. You’ve read the white papers. You’ve watched the webinars. They all preach one buzz phrase you’re probably now numb to: the power of the cloud. As much of a cliché as this now is, we cannot discuss MDAV and MDE without emphasizing the importance of its cloud-delivered protection.

As you learned in Chapter 2, Microsoft Defender Antivirus has a layered approach to threat protection, with the layers beyond the client relying on cloud-delivered protection. The detonation, reputation, file classification, behavioral, and metadata-based machine learning engines all depend on it. Even client-side capabilities such as the Antimalware Scan Interface (AMSI) are enhanced by it, to analyze potential fileless attacks. Suffice it to say, without cloud-delivered protection enabled, you severely limit the system’s ability to guard against threats that are not yet included (or cannot be included...

Block at first sight

BAFS is one of the most visible ways cloud-delivered protection is applied in practice. Malicious executable files are a serious concern, and this includes non-portable executable (non-PE) files such as scripts and Office macros. As of Windows 10 1803, an MDAV client with BAFS enabled queries the hash of an executable carrying the mark of the web (MOTW) against the cloud protection service. If the file is new to the cloud telemetry dataset but may pose a risk, it is locked and a sample is uploaded (to the region matching your tenant’s geography) for further analysis. By default the lock lasts 10 seconds; the extended cloud check setting can add up to 50 more, for a maximum of 1 minute. If a verdict of malicious is returned before the timeout, execution is blocked. Decisions are usually returned in milliseconds based on metadata, but the additional time allows for analysis at levels further along the processing chain.
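BAFS only works when the settings it depends on are in place: real-time protection, cloud-delivered protection at the Advanced reporting level, automatic sample submission, and BAFS itself not disabled. The following PowerShell is an added example, not code from the book, that audits those prerequisites on the local device with the built-in Defender module (Get-MpPreference and Get-MpComputerStatus) and decodes the CloudBlockLevel and timeout values discussed above. The remediation function is included for lab use; on a centrally managed device with tamper protection on, those Set-MpPreference calls will be rejected, which is the behavior you want.

```powershell
# Added example (not from the book): audit the MDAV settings BAFS depends on.
# Requires the built-in Defender PowerShell module (Windows 10/11 and Server).
function Get-BafsReadiness {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Numeric CloudBlockLevel values accepted by Set-MpPreference and their names
    $blockLevels = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }
    $level = [int]$pref.CloudBlockLevel

    # MAPSReporting: 0 Disabled, 1 Basic, 2 Advanced
    # SubmitSamplesConsent: 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
    @(
        [pscustomobject]@{ Check = 'Real-time protection enabled';            Pass = [bool]$status.RealTimeProtectionEnabled; Value = $status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'Cloud-delivered protection at Advanced';  Pass = ($pref.MAPSReporting -eq 2);             Value = $pref.MAPSReporting }
        [pscustomobject]@{ Check = 'Automatic sample submission allowed';     Pass = ($pref.SubmitSamplesConsent -in 1, 3);   Value = $pref.SubmitSamplesConsent }
        [pscustomobject]@{ Check = 'Block at first sight not disabled';       Pass = (-not $pref.DisableBlockAtFirstSeen);    Value = $pref.DisableBlockAtFirstSeen }
        [pscustomobject]@{ Check = 'Cloud block level';                       Pass = $true;                                   Value = "$level ($($blockLevels[$level]))" }
        # The default cloud check is 10 seconds; CloudExtendedTimeout adds 0-50 more
        [pscustomobject]@{ Check = 'Total cloud check timeout (seconds)';     Pass = $true;                                   Value = 10 + [int]$pref.CloudExtendedTimeout }
    )
}

# Lab remediation: bring a stand-alone device up to the BAFS prerequisites.
# Needs local admin; blocked by tamper protection where policy is centrally managed.
function Enable-BafsPrerequisites {
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    Set-MpPreference -DisableBlockAtFirstSeen $false
    Set-MpPreference -CloudBlockLevel High
    Set-MpPreference -CloudExtendedTimeout 50
}

Get-BafsReadiness | Format-Table -AutoSize
```

Any row with Pass set to False means BAFS is not actually protecting that device, whatever the Intune or Group Policy report says; the numeric values are the ones you will see when answering support tickets and the end-of-chapter questions.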

What is MOTW?

Files downloaded from the internet (based on URL security zones) are given a MOTW by Windows, stored in an NTFS alternate data stream named Zone.Identifier, if the downloading/extracting software supports...
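Because BAFS keys off the MOTW, it is worth being able to see and manipulate it directly. The following PowerShell is an added example, not code from the book: it constructs a sample file, stamps it with an Internet-zone Zone.Identifier stream the way a browser would, reads the zone back, and shows what Unblock-File does to it. The file name and referrer URL are made up for the demonstration, and the file must live on an NTFS volume for the stream to exist.

```powershell
# Added example (not from the book): write, read and clear a Mark of the Web.
# The sample file and URLs below are constructed for the demo; NTFS is required.
function New-MotwTestFile {
    param([string]$Path = (Join-Path $env:TEMP 'motw-demo.txt'))
    Set-Content -Path $Path -Value 'constructed sample content'
    # ZoneId 3 = Internet. Browsers and mail clients write exactly this stream on download.
    $zoneInfo = @"
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/download
HostUrl=https://example.invalid/files/motw-demo.txt
"@
    Set-Content -Path $Path -Stream 'Zone.Identifier' -Value $zoneInfo
    return $Path
}

# Returns the zone carried by a file's MOTW, or $null when the file has none
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    # No Zone.Identifier stream means no MOTW, so BAFS has nothing to query for this file
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    $zoneLine = Get-Content -Path $Path -Stream 'Zone.Identifier' |
        Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($zoneLine -match '^ZoneId=(\d+)$') {
        $id = [int]$Matches[1]
        return [pscustomobject]@{ Path = $Path; ZoneId = $id; Zone = $zoneNames[$id] }
    }
    return $null
}

# Lists files in a folder that still carry a MOTW, e.g. to see what BAFS will check
function Find-MotwFiles {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $Folder -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-MotwZone -Path $_.FullName } |
        Where-Object { $_ }
}

$file = New-MotwTestFile
Get-MotwZone -Path $file
Unblock-File -Path $file     # removes the Zone.Identifier stream, i.e. strips the MOTW
Get-MotwZone -Path $file
```

The first Get-MotwZone call reports the Internet zone; after Unblock-File it returns nothing, because the stream is gone. That is the same effect an attacker gets by delivering a payload inside a container format that does not propagate the MOTW, which is why BAFS is one layer and not the whole defense.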

Always-on protection

In addition to cloud-delivered protection, MDAV has always-on protection. This refers to the client-based protective layers used to identify risky files and processes and includes real-time protection (RTP) and behavior monitoring. Always-on protection is enabled by default but should be force-enabled using your central management tool. Those tools can also disable local setting override, which stops a local administrator’s settings from overriding your centrally managed ones.

You can find the always-on protection settings for Intune in Endpoint security | Antivirus, then within the Microsoft Defender Antivirus profile type. The settings available include Allow Realtime Monitoring, Allow Behavior Monitoring (identify threats based on risky behavior such as process, registry, and file activity), and Allow Intrusion Prevention System (inspects network traffic for exploits). The general recommendation is to force enable...

Potentially unwanted application protection

Potentially unwanted application (PUA) is a catch-all term for software that is not, strictly speaking, malware but still undermines the machine’s integrity in several ways, particularly in enterprise environments. PUAs might bundle many unrelated apps in their installer and obscure the fact that you are also getting them. They might also spam the user with excessive advertisements, put roadblocks in the way of uninstalling them, or consume excessive resources, for example by sideloading intensive processes such as hidden cryptocurrency miners.

In short, you probably don’t want these touching your devices.

Later in this chapter, you will learn about SmartScreen, a capability targeted at Windows 10/11 that can block PUAs based on reputation and heuristics. This prevents installation, but what about PUAs already installed when you deploy MDE and MDAV?

For Windows 10 E5 licensed devices...

Running modes

As it is built into the OS, MDAV has different running modes to provide compatibility with other endpoint protection software. If no other antimalware service is running, normal mode is used, and MDAV provides its configured threat protection capabilities.

In the presence of a third-party service for endpoint protection, MDAV can enter passive mode. This is only an option if the device is onboarded to MDE: consumer or unlicensed devices cannot leverage it, and instead use disabled mode. In passive mode, many of the features you will learn about in this chapter enter a state you can think of as hibernating: they are not explicitly disabled but will not be active either, on the assumption the third-party service has been chosen to replace them. The following will not be available in passive mode:

  • Real-time protection and cloud-delivered protection, and anything that has those as a prerequisite
  • Attack surface reduction (ASR) rules
  • Network protection and...
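The always-on layers and the running mode above are only as good as their effective state on the endpoint, and that state can differ from what the policy says. The following PowerShell is an added example, not code from the book, that reports the live state from Get-MpComputerStatus and Get-MpPreference and turns it into findings. It assumes the built-in Defender module; the ForceDefenderPassiveMode registry value is the documented switch Microsoft uses for passive mode on Windows Server, and the LocalSettingOverride* value names are assumed from the Real-Time Protection policy branch.

```powershell
# Added example (not from the book): read-only posture report for MDAV's always-on
# layers and running mode. Requires the built-in Defender PowerShell module.
function Get-MdavPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Documented policy value that forces passive mode on Windows Server
    $atpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $forcedPassive = (Get-ItemProperty -Path $atpPolicy -Name ForceDefenderPassiveMode `
        -ErrorAction SilentlyContinue).ForceDefenderPassiveMode -eq 1

    # Assumed value names under the Real-Time Protection policy branch; a value of 1
    # means a local administrator's setting is allowed to override the central one
    $rtpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $overrideNames = 'LocalSettingOverrideDisableRealtimeMonitoring',
                     'LocalSettingOverrideDisableBehaviorMonitoring',
                     'LocalSettingOverrideDisableOnAccessProtection'
    $overridesAllowed = foreach ($name in $overrideNames) {
        $v = (Get-ItemProperty -Path $rtpPolicy -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { $name }
    }

    [pscustomobject]@{
        RunningMode           = $status.AMRunningMode           # Normal, Passive Mode, EDR Block Mode, ...
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        BehaviorMonitoring    = $status.BehaviorMonitorEnabled
        OnAccessProtection    = $status.OnAccessProtectionEnabled
        NetworkInspection     = $status.NISEnabled               # Intune's "Allow Intrusion Prevention System"
        CloudProtection       = ($pref.MAPSReporting -ne 0)
        TamperProtected       = $status.IsTamperProtected
        ForcedPassiveMode     = $forcedPassive
        LocalOverridesAllowed = @($overridesAllowed)
    }
}

# Turn the report into findings a service desk or posture review can act on
function Test-MdavPosture {
    $p = Get-MdavPosture
    $findings = @()
    if ($p.RunningMode -ne 'Normal') {
        $findings += "Running mode is '$($p.RunningMode)': MDAV's real-time layers are dormant, confirm the third-party engine is healthy"
    }
    if (-not $p.RealTimeProtection) { $findings += 'Real-time protection is off' }
    if (-not $p.BehaviorMonitoring) { $findings += 'Behavior monitoring is off' }
    if (-not $p.NetworkInspection)  { $findings += 'Network inspection (IPS) is off' }
    if (-not $p.CloudProtection)    { $findings += 'Cloud-delivered protection is off' }
    if (-not $p.TamperProtected)    { $findings += 'Tamper protection is off' }
    if ($p.LocalOverridesAllowed.Count -gt 0) {
        $findings += "Local setting override allowed for: $($p.LocalOverridesAllowed -join ', ')"
    }
    return $findings
}

Get-MdavPosture
Test-MdavPosture
```

Run it on a device where a third-party product is installed and you will see RunningMode report passive mode with the real-time flags false, even though no policy ever switched them off; that is the hibernating state described above, and it is why a posture check must read effective state rather than configured policy.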

Tamper protection

The MITRE ATT&CK tactic of defense evasion is one seen frequently in security incidents. This tactic refers to all techniques that avoid, disable, or otherwise circumvent security mechanisms. If an attacker can simply turn off MDE/MDAV when trying to compromise a system, life gets a lot easier. As defenders, we want to stop that.

Tamper protection for Microsoft Defender Antivirus is an on-by-default capability to make evasion harder. It is available for Windows 10/Server 2016 or later, and Windows Server 2012 R2 with the unified agent.

Malware or intruders can try to evade MDAV in several ways. The registry editor, PowerShell, Intune, Group Policy (local or Active Directory), and MpCmdRun.exe all allow a legitimate or illegitimate user to tamper with protection. When enabled, tamper protection restricts these methods of editing settings. Let’s reiterate that: when tamper protection is enabled, you cannot disable certain features of MDAV, even...
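The most convincing way to understand tamper protection is to attempt exactly what a local administrator turned attacker would attempt and observe that the effective state does not move. The following PowerShell is an added example, not code from the book, for an elevated session on a lab device: it tries to disable real-time protection through Set-MpPreference and through the raw registry value behind it, then reads back the effective state. It judges success by Get-MpComputerStatus rather than by whether a call errored, because tamper protection may reject a change loudly or simply ignore it. The script restores real-time protection if the attempts did land, so only run it where you are allowed to touch that setting.

```powershell
# Added example (not from the book): exercise tamper protection from an elevated
# PowerShell session and record what actually changed. Lab use only.
function Test-TamperProtection {
    $before = Get-MpComputerStatus

    # Microsoft documents HKLM\...\Windows Defender\Features\TamperProtection as 5 = on, 4 = off
    $featureKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $regValue = (Get-ItemProperty -Path $featureKey -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection

    $attempts = @()

    # Attempt 1: the supported cmdlet a local admin would normally use
    try {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop
        $attempts += 'Set-MpPreference: call accepted'
    } catch {
        $attempts += "Set-MpPreference: rejected ($($_.Exception.Message))"
    }

    # Attempt 2: the raw registry value behind the same setting
    $rtpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
    try {
        New-Item -Path $rtpKey -Force -ErrorAction Stop | Out-Null
        Set-ItemProperty -Path $rtpKey -Name DisableRealtimeMonitoring -Value 1 -Type DWord -ErrorAction Stop
        $attempts += 'Registry write: accepted'
    } catch {
        $attempts += "Registry write: rejected ($($_.Exception.Message))"
    }

    # Effective state is what matters, not whether the calls errored
    Start-Sleep -Seconds 3
    $after = Get-MpComputerStatus

    if (-not $after.RealTimeProtectionEnabled) {
        # Tamper protection did not hold (or is off): put the layer back and clean up
        Set-MpPreference -DisableRealtimeMonitoring $false
        Remove-ItemProperty -Path $rtpKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        IsTamperProtected        = $before.IsTamperProtected
        TamperProtectionSource   = $before.TamperProtectionSource   # e.g. Intune or the Defender portal
        FeatureRegistryValue     = $regValue
        Attempts                 = $attempts
        RealTimeProtectionBefore = $before.RealTimeProtectionEnabled
        RealTimeProtectionAfter  = $after.RealTimeProtectionEnabled
        ProtectionHeld           = [bool]($before.RealTimeProtectionEnabled -and $after.RealTimeProtectionEnabled)
    }
}

Test-TamperProtection
```

With tamper protection on, ProtectionHeld stays true no matter how the two attempts report themselves; with it off, the same two lines switch real-time protection off for anyone holding local admin, which is the gap the rest of this section is about.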

Ongoing management of MDAV

In the following subsections, you’ll learn about how to troubleshoot MDAV and work with its reports. This information will assist in your day-to-day operations, service desk issues, and ongoing security posture reviews.

Troubleshooting

The reality of enterprise IT management is that we’re going to run into problems sooner or later. It would be naïve to try to cram every possible problem you’ll experience into this book, so in this section, we’ll look at some MDAV-specific guidance as well as general troubleshooting tools such as Windows Performance Recorder and Process Monitor.

Troubleshooting mode

After enabling central policy and tamper protection, you may struggle to troubleshoot MDAV endpoints. For example, a user reports trouble updating a Microsoft 365 Apps for Enterprise add-in because of ASR rules (see Chapter 7); or after changing the cloud-delivered protection level to High Plus...

Summary

This chapter expanded on many of the advanced and cloud-powered capabilities of Microsoft Defender Antivirus. You learned how cloud-delivered protection drastically improves the security of the OS, and how it facilitates things such as BAFS and EDR in block mode. You also learned how to fight against evasive action using tamper protection, to control unauthorized changes to MDAV.

In the next chapter, your understanding of MDAV will continue to grow as we explore ASR to minimize risk as early in the attack chain as possible.

Questions

To test your knowledge of protecting Windows clients and servers with Microsoft Defender for Endpoint, you can try answering the following questions. The answers can be found toward the end of this book:

  1. A developer is generating test versions of their new application and reports it is not launching successfully. You run Get-MpPreference and discover that its CloudBlockLevel is 6. What does this mean?
    a. Block at first sight is in zero-tolerance mode
    b. Block at first sight is in high plus mode
    c. Block at first sight is in its default configuration
  2. A bad actor has local administrative rights to a Windows 11 device and is trying to evade defenses using PowerShell. You have enabled tamper protection on the device using Intune. Which of the following can the attacker not disable or evade? Choose all that apply.
    a. Real-time protection
    b. Cloud-delivered protection
    c. Default action based on threat ID
    d. Attack surface reduction rules
  3. You are migrating Windows Server 2016 from a well-known...

Further reading

To go into even further detail about some of the topics in this chapter, you can refer to the following online material:
