Jeffrey Appel | Microsoft MVP
Microsoft MVP | Cloud Security Consultant | Microsoft 365 Defender #MDE | Azure | Sentinel | #M365D #XDR #EDR | Tweets are my own | blogger @ https://t.co/pAgXLcis0E

Nov 1, 2022, 9 tweets

MDE thread: Part 4A of the MDE series is online, focusing on AV baselines and policies.

Policy configuration is important. A small thread of 8 Defender Antivirus config tips that are often not applied or underrated.

Blog: jeffreyappel.nl/microsoft-defe…

#MDE

Tip 1: Enable Cloud Protection, Sample Submission, and the cloud block timeout period to get all MDE features enabled. Always use one of the options for sending samples to Microsoft. Never use "Do not send", which disables the complete feature.

Tip 2: Enable Network Protection in block mode to block custom indicators and C2 infrastructure attacks. Did you know Windows Servers require additional configuration to get NP enabled?

Tip 3: Configure the correct signature update settings. Use a quick update interval (1 hour) and avoid WSUS/MECM. Don't use slow frequencies for "skipping" bad updates. Microsoft is really quick in deploying fixes; the quicker the signature update frequency, the better.

Tip 4: Disable Local Admin Merge to prevent local admins from managing exclusions locally. Always manage exclusions from centralized systems (Intune/GPO/MECM), and yes, it does not completely block the local admin exclusion permissions.

Tip 5: A quick scan only is fine in combination with all cloud protection and AIR features. Use a full scan only in case of incidents or for the first scan on the machine after onboarding.

Tip 6: Always enable Tamper Protection. There are no excuses anymore ("we need to do some troubleshooting"): the new troubleshooting mode is available, which disables Tamper Protection for a short time. More information: jeffreyappel.nl/microsoft-defe…

Tip 7: Enable Windows Firewall for all zones and enable additional auditing events for more in-depth network details in MDE.

Audit events:

Audit Filtering Platform Packet Drop
Audit Filtering Platform Connection

More in part 4B of the series.

Tip 8: New to Defender for Endpoint and Defender AV? I really recommend watching the Virtual Ninja Episodes by @HeikeRitter. Episode 2 starts tomorrow with some brand-new content.

adoption.microsoft.com/en-us/ninja-sh…
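Added example, not part of the thread and not code from the author: a read-only PowerShell audit that checks a machine against Tips 1 to 7 above and lists what drifts from the recommended state, so you can verify a baseline before (and after) rolling it out through Intune/GPO/MECM. It uses the built-in Defender cmdlets (Get-MpPreference, Get-MpComputerStatus), Get-NetFirewallProfile and auditpol; the numeric meanings in the comments are the documented values for those properties, and the auditpol parsing assumes English output. Run it from an elevated prompt; it changes nothing.

```powershell
# Read-only audit of Defender AV / firewall settings against the thread's Tips 1-7.
# Added example; nothing here modifies configuration.

$pref     = Get-MpPreference
$status   = Get-MpComputerStatus
$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Tip, [string]$Text) { $script:findings.Add("[$Tip] $Text") }

# Tip 1: cloud protection, sample submission, cloud block timeout.
# MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced.
if ($pref.MAPSReporting -eq 0) { Add-Finding 'Tip 1' 'Cloud-delivered protection (MAPS) is disabled.' }
# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all samples.
if ($pref.SubmitSamplesConsent -eq 2) { Add-Finding 'Tip 1' 'Sample submission is set to "Never send".' }
# CloudExtendedTimeout is the extra time (seconds) the cloud may hold a suspicious file; 0 = none configured.
if ($pref.CloudExtendedTimeout -lt 1) { Add-Finding 'Tip 1' 'No extended cloud block timeout configured (CloudExtendedTimeout is 0).' }

# Tip 2: network protection. EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit.
if ($pref.EnableNetworkProtection -ne 1) {
    Add-Finding 'Tip 2' "Network protection is not in block mode (value: $($pref.EnableNetworkProtection))."
}
# Server OS (Win32_OperatingSystem.ProductType 1 = workstation, 2/3 = server) needs the extra switch.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.ProductType -ne 1 -and -not $pref.AllowNetworkProtectionOnWinServer) {
    Add-Finding 'Tip 2' 'Server OS: AllowNetworkProtectionOnWinServer is not enabled.'
}

# Tip 3: signature update interval in hours (0 = not configured, default schedule applies).
if ($pref.SignatureUpdateInterval -ne 1) {
    Add-Finding 'Tip 3' "SignatureUpdateInterval is $($pref.SignatureUpdateInterval) hours, not 1."
}

# Tip 4: local admin merge of exclusions.
if (-not $pref.DisableLocalAdminMerge) { Add-Finding 'Tip 4' 'Local admin merge of exclusions is still allowed.' }

# Tip 5: scheduled scan type. ScanParameters: 1 = quick, 2 = full.
if ($pref.ScanParameters -eq 2) {
    Add-Finding 'Tip 5' 'Scheduled scan is a full scan; a quick scan is enough with cloud protection on.'
}

# Tip 6: tamper protection state as reported by the engine.
if (-not $status.IsTamperProtected) { Add-Finding 'Tip 6' 'Tamper Protection is off.' }

# Tip 7: firewall enabled for every profile, plus the two Filtering Platform audit subcategories.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    Add-Finding 'Tip 7' "Firewall profile '$($_.Name)' is disabled."
}
foreach ($sub in 'Filtering Platform Packet Drop', 'Filtering Platform Connection') {
    # auditpol /r returns CSV; drop the leading blank line before parsing.
    $row = (auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -ne '' }) | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    if ($setting -notmatch 'Success' -or $setting -notmatch 'Failure') {
        Add-Finding 'Tip 7' "Audit '$sub' is '$setting', not 'Success and Failure'."
    }
}

if ($findings.Count -eq 0) { 'All checked settings match the thread recommendations.' }
else { $findings }
```

Each finding maps to a Set-MpPreference parameter of the same name (for example -DisableLocalAdminMerge or -SignatureUpdateInterval), but apply those centrally as the thread recommends rather than from the local shell; with Tamper Protection on, several of them are ignored locally anyway, which is exactly the behaviour Tip 6 relies on.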
