MDE Antivirus Policy Best Practices

Why Customizing Microsoft Defender for Endpoint Antivirus Policy Settings is Crucial

Microsoft Defender for Endpoint (MDE) is a powerful endpoint security solution that provides advanced threat protection and response capabilities. While the default settings offer a good baseline of protection, customizing them to align with your organization’s specific needs is crucial. Here is why adjusting the antivirus policy settings in MDE matters for your organization’s security and performance:

Tailored Threat Protection

Targeted Threats: Every organization faces unique threats depending on its industry, location, and size. Customizing antivirus policies helps defend against specific threats that are more likely to target your organization.

Advanced Threat Detection: Fine-tuning the settings allows for more effective use of advanced detection techniques, enhancing overall threat detection capabilities.

Optimized Performance

Resource Management: Default settings might not be optimized for your specific hardware and network configuration. Customizing settings ensures that the antivirus software does not unnecessarily consume resources, maintaining optimal system performance.

Minimized Business Disruption: Adjusting scan schedules and intensity can reduce the impact on users’ productivity by ensuring that resource-intensive scans are performed during off-peak hours.

Improved Incident Response

Customized Alerting: Configuring custom alert thresholds and notification settings ensures that critical alerts are prioritized and addressed promptly, reducing the response time to potential security incidents.

Automatic Remediation: Custom policies can enable or adjust automatic remediation actions based on the severity of threats, ensuring swift containment and resolution of incidents.

Inclusion of Critical Areas: You can also specify critical areas of your infrastructure that require more stringent scanning and protection, ensuring that high-risk assets are thoroughly protected.

Key Areas to Customize in Antivirus Policy Settings

Scan Settings: Adjust the frequency, depth, and timing of scans to balance protection and performance. This includes configuring quick scans, full scans, and scheduled scans according to organizational needs.

Real-Time Protection: Fine-tune real-time protection settings to ensure immediate detection and mitigation of threats without significantly impacting system performance.

Cloud-Delivered Protection: Enable or adjust cloud-delivered protection settings to leverage the latest threat intelligence and provide rapid response to new threats.

Automatic Sample Submission: Configure settings for automatic sample submission to Microsoft for analysis, helping improve detection rates and reduce false positives.

Remediation Actions: Customize the remediation actions that should be taken for different types of threats, including automatic quarantine, removal, or user notification.

Below you can find three MDE Antivirus Policies in detail, with all the important settings configured for general-use Windows endpoints (Windows 10 and 11), general-purpose Windows Servers, and mission-critical Windows Servers.

Each entry below gives the setting, the configuration options it offers, the recommended value in each of the three policies (Workstations, Servers, Mission Critical Servers) and an explanation.

Setting: Allow Archive Scanning
Options: Not Allowed | Allowed | Not configured
Workstations: Allowed | Servers: Allowed | Mission Critical Servers: Not Allowed
Explanation: This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you have servers with lots of archived documents, this setting might make scans run for too long and consume too many resources. Group such servers together and exclude them from this policy setting.
Setting: Allow Behavior Monitoring
Options: Not Allowed | Allowed | Not configured
Workstations: Allowed | Servers: Allowed | Mission Critical Servers: Allowed
Explanation: This policy setting allows you to configure behavior monitoring. If you enable or don’t configure this setting, behavior monitoring will be enabled.

Setting: Allow Cloud Protection
Options: Not Allowed | Allowed | Not configured
Workstations: Allowed | Servers: Allowed | Mission Critical Servers: Allowed
Explanation: Certain security features and capabilities in Microsoft Defender for Endpoint only work when cloud protection is enabled.

Setting: Allow Email Scanning
Options: Not Allowed | Allowed | Not configured
Workstations: Allowed | Servers: Not Allowed | Mission Critical Servers: Not Allowed
Explanation: This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine parses the mailbox and mail files to analyze the mail bodies and attachments. E-mail reception is not an activity that is expected to happen on servers. Unless your application receives and processes e-mails as part of a business integration, do not activate this policy setting on servers.

Setting: Allow Full Scan On Mapped Network Drives
Options: Not Allowed | Allowed | Not configured
Workstations: Not Allowed | Servers: Not Allowed | Mission Critical Servers: Not Allowed
Explanation: Scans take much longer when mapped drives are included, and it is not logical to scan mapped drives from every single computer. The file servers hosting the files should be scanned instead of activating this feature.

Setting: Allow scanning of all downloaded files and attachments
Options: Not Allowed | Allowed | Not configured
Workstations: Allowed | Servers: Allowed | Mission Critical Servers: Allowed
Setting: Allow Realtime Monitoring
Options: Not Allowed | Allowed | Not configured
Workstations: Allowed | Servers: Allowed | Mission Critical Servers: Allowed
Explanation: Allows or disallows the Windows Defender real-time monitoring functionality.

Setting: Allow Scanning Network Files
Options: Not Allowed | Allowed | Not configured
Workstations: Allowed | Servers: Allowed | Mission Critical Servers: Allowed
Explanation: This policy setting allows you to configure scheduled scans and on-demand (manually initiated) scans for files that are accessed over the network. It is recommended to enable this setting.

Setting: Allow Script Scanning
Options: Not Allowed | Allowed | Not configured
Workstations: Allowed | Servers: Allowed | Mission Critical Servers: Allowed

Setting: Avg CPU Load Factor
Options: Not Configured | Configured
Workstations: Configured, 50 | Servers: Configured, 30 | Mission Critical Servers: Configured, 20
Explanation: This policy setting allows you to configure the maximum percentage of CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50. If you enable this setting, CPU utilization won’t exceed the percentage specified. If you disable or don’t configure this setting, CPU utilization won’t exceed the default value.
Setting: Cloud Block Level
Options: Default State | High | High Plus | Zero Tolerance | Not Configured
Workstations: High | Servers: High | Mission Critical Servers: High
Explanation: This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files.
Moderate: the Microsoft Defender Antivirus blocking level that delivers a verdict only for high-confidence detections.
High: aggressively blocks unknowns while optimizing client performance (greater chance of false positives).
High+: aggressively blocks unknowns and applies additional protection measures (may impact client performance).
Zero tolerance: blocks all unknown executables.

Setting: Cloud Extended Timeout
Options: Not Configured | Configured
Workstations: Configured, 50 | Servers: Configured, 20 | Mission Critical Servers: Configured, 20
Explanation: This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds and scan it in the cloud to make sure it’s safe. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. Be extremely careful applying this setting on servers where too many new documents are being ingested.

Setting: Disable Catchup Full Scan
Options: Disabled | Enabled | Not Configured
Workstations: Enabled | Servers: Disabled | Mission Critical Servers: Disabled
Explanation: This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that’s initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off. Full scans on servers should only happen at specific times when maintenance activities are permitted and during off-peak periods, hence the Disabled recommendation.

Setting: Disable Catchup Quick Scan
Options: Disabled | Enabled | Not Configured
Workstations: Enabled | Servers: Enabled | Mission Critical Servers: Enabled
Explanation: This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that’s initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. Quick scans are not resource intensive and very often take only a couple of minutes. It is recommended to enable this setting for all systems.

Setting: Enable Low CPU Priority
Options: Disabled | Enabled | Not Configured
Workstations: Enabled | Servers: Enabled | Mission Critical Servers: Enabled
Setting: Enable Network Protection
Options: Disabled | Enabled (Audit Mode) | Enabled (Block Mode) | Not Configured
Workstations: Enabled (block mode) | Servers: Enabled (block mode) | Mission Critical Servers: Enabled (block mode)
Explanation: Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
Enabled (Block): users and applications won’t be able to access dangerous domains.
Enabled (Audit Mode): users and applications can connect to dangerous domains; if this feature would have blocked access had it been set to Block, a record of the event is written to the event logs.
Disabled: users and applications won’t be blocked from connecting to dangerous domains.
Not configured: same as Disabled.

Setting: PUA Protection
Options: PUA Protection off | PUA Protection on | Not Configured
Workstations: PUA Protection on | Servers: Audit Mode | Mission Critical Servers: Audit Mode
Explanation:
PUA Protection off: Windows Defender will not protect against potentially unwanted applications.
PUA Protection on: detected items are blocked. They will show in history along with other threats.
Audit mode: Windows Defender will detect potentially unwanted applications but take no action.

Setting: Real Time Scan Direction
Options: Monitor incoming files | Monitor outgoing files | Monitor all files (bi-directional) | Not Configured
Workstations: Monitor all files (bi-directional) | Servers: Monitor all files (bi-directional) | Mission Critical Servers: Monitor all files (bi-directional)

Setting: Scan Parameter
Options: Quick Scan | Full Scan | Not Configured
Workstations: Quick scan | Servers: Quick scan | Mission Critical Servers: Quick scan
Explanation: Together, Scan Parameter, Schedule Quick Scan Time and Schedule Scan Day configure regular scans to happen every Monday at 12:00 PM (720 minutes after midnight). Please change these settings for your organization accordingly. Also consider creating different groups of servers to reduce the impact on servers.

Setting: Schedule Quick Scan Time
Options: Not Configured | Configured
Workstations: Configured, 720 | Servers: Configured, 720 | Mission Critical Servers: Configured, 720

Setting: Schedule Scan Day
Options: Days (…) | Not Configured
Workstations: Monday | Servers: Monday | Mission Critical Servers: Monday
Setting: Signature Update Interval
Options: Not Configured | Configured
Workstations: Configured, 8 | Servers: Configured, 2 | Mission Critical Servers: Configured, 2
Explanation: This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).

Setting: Submit Samples Consent
Options: Always prompt | Send safe samples automatically | Never send | Send all samples automatically | Not configured
Workstations: Send all samples automatically | Servers: Never send | Mission Critical Servers: Never send
Explanation: This policy setting configures the behavior of sample submission when opt-in for MAPS telemetry is set.

Setting: Allow On Access Protection
Options: Allowed | Not allowed | Not configured
Workstations: Allowed | Servers: Allowed | Mission Critical Servers: Allowed

Setting: Remediation action for Severe Threats
Options: Clean | Quarantine | Removed | Allow | User defined | Not configured
Workstations: Block | Servers: Block | Mission Critical Servers: Block
Explanation:
Clean: the service tries to recover the files and disinfect them.
Quarantine: moves the files to quarantine.
Removed: removes the files from the system.
Allow: allows the file and takes none of the above actions.
User defined: requires the user to decide which action to take.
Not configured.

Setting: Remediation action for Moderate Threats
Workstations: Quarantine | Servers: Quarantine | Mission Critical Servers: Quarantine

Setting: Remediation action for Low Threats
Workstations: Clean | Servers: Clean | Mission Critical Servers: Clean

Setting: Remediation action for High Threats
Workstations: Block | Servers: Block | Mission Critical Servers: Block

Setting: Allow Network Protection Down Level
Options: Network protection will be disabled downlevel | Network protection will be enabled downlevel | Not configured
Workstations: Network protection will be enabled downlevel | Servers: Network protection will be enabled downlevel | Mission Critical Servers: Network protection will be enabled downlevel
Explanation: "Down level" means older operating system versions. Network protection needs to be enabled on all endpoints.
Setting: Engine Updates Channel
Options: Not configured | Beta Channel | Current Channel (Preview) | Current Channel (Staged) | Current Channel (Broad) | Critical – Time delay
Workstations: Current Channel (Broad) | Servers: Current Channel (Broad) | Mission Critical Servers: Critical – Time delay
Explanation: See the detailed explanation in the table below.

Setting: Platform Updates Channel
Options: Not configured | Beta Channel | Current Channel (Preview) | Current Channel (Staged) | Current Channel (Broad) | Critical – Time delay
Workstations: Current Channel (Broad) | Servers: Current Channel (Broad) | Mission Critical Servers: Critical – Time delay
Explanation: See the detailed explanation in the table below.

Setting: Security Intelligence Updates Channel
Options: Not configured | Beta Channel | Current Channel (Preview) | Current Channel (Staged) | Current Channel (Broad) | Critical – Time delay
Workstations: Current Channel (Broad) | Servers: Current Channel (Broad) | Mission Critical Servers: Current Channel (Broad)
Explanation: See the detailed explanation in the table below.
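As an added example (not part of the original article), the following PowerShell reads a host's effective Microsoft Defender Antivirus settings with Get-MpPreference and reports where they drift from the Workstations, Servers or Mission Critical Servers column above. Get-MpPreference and the property names are from the Defender PowerShell module; the mapping from the article's Intune policy names to those properties, and the numeric enum values noted in the comments, are my assumptions and should be checked against the module documentation before use.

```powershell
# Added example, not from the original article. Expected values follow the table above;
# the Intune policy name -> Get-MpPreference property mapping is an assumption.
function Test-MdeAvBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Workstation', 'Server', 'MissionCritical')]
        [string]$Profile
    )
    $col = @{ Workstation = 0; Server = 1; MissionCritical = 2 }[$Profile]
    # Property => @(Workstation, Server, MissionCritical). Defender exposes most
    # "Allow X" policies as "DisableX" booleans, so "Allowed" maps to $false.
    $baseline = [ordered]@{
        DisableArchiveScanning      = @($false, $false, $true)   # Allow Archive Scanning
        DisableEmailScanning        = @($false, $true,  $true)   # Allow Email Scanning
        DisableScanningMappedNetworkDrivesForFullScan = @($true, $true, $true)
        DisableRealtimeMonitoring   = @($false, $false, $false)  # Allow Realtime Monitoring
        DisableScriptScanning       = @($false, $false, $false)  # Allow Script Scanning
        ScanAvgCPULoadFactor        = @(50, 30, 20)              # Avg CPU Load Factor (%)
        CloudBlockLevel             = @(2, 2, 2)                 # 2 = High
        CloudExtendedTimeout        = @(50, 20, 20)              # additional seconds
        EnableNetworkProtection     = @(1, 1, 1)                 # 1 = Enabled (block mode)
        PUAProtection               = @(1, 2, 2)                 # 1 = On, 2 = Audit mode
        ScanParameters              = @(1, 1, 1)                 # 1 = Quick scan
        ScanScheduleDay             = @(2, 2, 2)                 # 2 = Monday
        SignatureUpdateInterval     = @(8, 2, 2)                 # hours between checks
        SubmitSamplesConsent        = @(3, 2, 2)                 # 3 = Send all, 2 = Never send
        SevereThreatDefaultAction   = @(10, 10, 10)              # 10 = Block
        HighThreatDefaultAction     = @(10, 10, 10)              # 10 = Block
        ModerateThreatDefaultAction = @(2, 2, 2)                 # 2 = Quarantine
        LowThreatDefaultAction      = @(1, 1, 1)                 # 1 = Clean
        AllowNetworkProtectionDownLevel = @($true, $true, $true)
    }
    # Get-MpPreference reports effective values whatever set them (Intune, GPO, PowerShell).
    $current = Get-MpPreference
    foreach ($name in $baseline.Keys) {
        $expected = $baseline[$name][$col]
        $actual   = $current.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $expected)
        }
    }
}

# Usage: show only the settings that drift from the Workstations column.
Test-MdeAvBaseline -Profile Workstation | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it in an elevated session on the endpoint itself; on servers the Defender feature and its PowerShell module must be installed for Get-MpPreference to exist.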