Posts

Showing posts from 2021

Why you should enable Tamper Protection in Defender Antivirus?

Probably I am a little late in blogging on this topic, but an implementation of Defender policies is incomplete without addressing Tamper Protection, and I wanted to make sure I covered it. So what is Tamper Protection, and why should it be enabled? There are many security components within Defender AV that can be configured independently, while some depend on other settings. End users can knowingly or unknowingly disable these components, and bad actors can disable security controls within Defender AV in an attempt to install malware and steal your data. This is why it is strongly recommended to enable Tamper Protection. There are several ways to enable it, so let's look at each method individually.

Microsoft 365 Defender portal
You can enable Tamper Protection across all your onboarded devices directly from the Defender portal. However, there are some prerequisites involved:
- Devices must be onboarded to Microsoft Defender f

Issue with some Microsoft Defender SmartScreen settings missing under Endpoint Security in Intune

There are multiple ways of configuring Microsoft Defender SmartScreen settings in Intune: Device configuration profiles, custom CSPs, Endpoint Security profiles, or even custom PowerShell scripts. Microsoft recommends using Endpoint Security to configure device security policies on your endpoints, because those profiles are specifically focused on device security, which keeps the settings relevant. However, not all security settings are covered under Endpoint Security, and this became evident while configuring SmartScreen. To configure SmartScreen, you enable the settings under Endpoint Security -> Web Protection as shown below. While this does enable SmartScreen, it does not lock it down: users are still allowed to turn it off if they like (the last thing you want). Also, there is no setting to enable SmartScreen for IE if you are using Endpoint Security profiles. To get around this, you will need to deploy some additional settings using Devic

Bloomberg and Defender Exclusions using Intune

Continuing from my previous post on 'Controlled Folder Access - Ransomware Protection, Exclusions, Trusted apps and much more..', I wanted to cover another application behavior involving Defender policies. The application in question is the Bloomberg Excel add-in, which is widely used across the industry. Formerly known as the Bloomberg API (Application Programming Interface), it is a powerful tool that delivers Bloomberg data into an MS Excel spreadsheet for analysis and calculations. Without exclusions, and with all the relevant Defender policies switched on, users would see errors similar to those shown below. As always, the best way to understand which Defender policies are causing this is to run an Advanced Hunting query to gather details on the device events. There are multiple ways in which a query can be formed, but since I want to know which policies are in question here, I am using a slightly generic query to get details on all possible ActionTypes causing the bl
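The post does this triage with an Advanced Hunting query in the portal. As an added example (not the post's own code), here is the same question answered from the device's local Microsoft-Windows-Windows Defender/Operational log in PowerShell, which helps when the device has not yet reported to the portal or is not onboarded. The event IDs are the Microsoft-documented ones for ASR (1121 block / 1122 audit), Controlled Folder Access (1123 block / 1124 audit) and Network Protection (1125 audit / 1126 block); the process name used as a filter (excel.exe) is an assumption for this add-in case, and you need local admin to read the log.

```powershell
# Added example, not from the original post. Maps the documented Defender
# Operational log event IDs to the policy that generated them, so you can see
# which control is interfering with an application (assumed here: Excel).
$DefenderPolicyEvents = @{
    1121 = 'ASR rule - blocked'
    1122 = 'ASR rule - audit'
    1123 = 'Controlled Folder Access - blocked'
    1124 = 'Controlled Folder Access - audit'
    1125 = 'Network Protection - audit'
    1126 = 'Network Protection - blocked'
}

function Get-DefenderPolicyEvents {
    param(
        [int]$Hours = 24,
        # Assumption: the process being investigated; pass '' to see everything.
        [string]$ProcessFilter = 'excel.exe'
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$DefenderPolicyEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { -not $ProcessFilter -or $_.Message -match [regex]::Escape($ProcessFilter) } |
        ForEach-Object {
            # ASR events carry the rule GUID in the message text; pull it out so
            # the offending rule can be matched against the Intune/ConfigMgr policy.
            $ruleId = $null
            if ($_.Id -in @(1121, 1122) -and
                $_.Message -match '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}') {
                $ruleId = $Matches[0]
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Policy  = $DefenderPolicyEvents[[int]$_.Id]
                RuleId  = $ruleId
                Message = ($_.Message -split "`r?`n")[0]   # first line is enough for triage
            }
        }
}

# Which policy fired, and how often, then the detail rows for the same window.
Get-DefenderPolicyEvents -Hours 72 | Group-Object Policy | Select-Object Count, Name
Get-DefenderPolicyEvents -Hours 72 | Format-Table -AutoSize
```

Run it once in audit mode before exclusions are added: the audit events (1122/1124/1125) tell you what each policy would have blocked, and the RuleId column gives you the exact ASR rule to exclude the add-in from rather than loosening the whole profile.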

The fine balance between Device Control Policy & removable storage

Microsoft Defender for Endpoint Device Control protects against data loss by monitoring and controlling the use of removable storage devices and USB drives. It is part of the Attack Surface Reduction profiles and lets you audit, allow or deny read, write or execute access to removable storage. Once you enable a Device Control policy, you can find the device control report in the Microsoft 365 security center. However, note that the report can lag up to 12 hours from the time a media connection occurs to the time the event appears in the card or in the domain list. I recently came across a situation where there was a requirement to allow USB screen-sharing solutions such as Barco ClickShare. They are normally used in VC meeting rooms, and activation requires plugging the device into a laptop and running the application executable. To allow such devices, you either disable the Device Control policy or create an allow list (whitelist). Creat

Controlled Folder Access - Ransomware Protection, Exclusions, Trusted apps and much more..

Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or malicious apps. It does so by checking apps against a list of trusted apps. This is particularly important during ransomware attacks, when user data, normally found in common system folders, gets encrypted. Here is the list of Windows system folders that are protected by default:
c:\Users\<username>\Documents
c:\Users\Public\Documents
c:\Users\<username>\Pictures
c:\Users\Public\Pictures
c:\Users\Public\Videos
c:\Users\<username>\Videos
c:\Users\<username>\Music
c:\Users\Public\Music
c:\Users\<username>\Favorites
The protected folders also include boot sectors. You can add more folders, allow specific apps access to the protected folders, or exclude them altogether. I recently dealt with one such application that needed to be allowed access to the protected folders. The app in question is Symantec Encryption Desktop. The first ind
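Adding folders and trusting an app, as an added example in PowerShell rather than the Intune profile the post uses (this is not the post's own code). The folder and application paths are placeholders; the real Symantec Encryption Desktop binary path is not given on this page, so substitute your own. The cmdlets and the EnableControlledFolderAccess values are the documented Defender ones.

```powershell
# Added example, not from the original post. Folder and application paths are
# placeholders for illustration; substitute your own.
$ExtraProtectedFolder = 'D:\TeamShare\Finance'            # assumption
$TrustedApp           = 'C:\Program Files\Vendor\App.exe'  # assumption

function Enable-CfaWithAllowances {
    param(
        [ValidateSet('Enabled', 'AuditMode')]
        [string]$Mode = 'AuditMode'   # start in audit, switch to Enabled after review
    )
    # Turn on CFA, extend the protected set beyond the default user folders,
    # and trust a specific binary (full path, not just the file name).
    Set-MpPreference -EnableControlledFolderAccess $Mode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraProtectedFolder
    Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp
}

function Get-CfaState {
    # Read back what the engine actually holds, not what you think you set.
    $p = Get-MpPreference
    $modes = @{
        0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'
        3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly'
    }
    [pscustomobject]@{
        Mode                = $modes[[int]$p.EnableControlledFolderAccess]
        ProtectedFolders    = @($p.ControlledFolderAccessProtectedFolders)
        AllowedApplications = @($p.ControlledFolderAccessAllowedApplications)
    }
}

Enable-CfaWithAllowances -Mode AuditMode
Get-CfaState | Format-List
```

Two things to keep in mind: audit mode records what would have been blocked (event 1124 in the Defender Operational log) without breaking the app, so run there first and only then switch to Enabled; and on an Intune-managed device the local change is only good until the next policy sync, so the same folders and allowed apps must end up in the Attack Surface Reduction profile.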

Challenges with enabling ASR rule - 'Block process creations originating from PSExec and WMI commands' on ConfigMgr clients

Last year I posted a blog on enabling Attack Surface Reduction rules within Microsoft Defender for Endpoint using Intune. This time I will cover a particular use case involving one of the ASR rules, 'Block process creations originating from PSExec and WMI commands', and the challenges of enabling it on devices running the ConfigMgr agent. If you are managing ASR rules using Intune or another MDM provider, there is little to no problem in enabling ASR rules. However, if you are managing the ASR rules using ConfigMgr, or if your devices are running the ConfigMgr client, then some of the ASR rules are not supported. I am currently working on an implementation project of Defender for Endpoint where devices are in a co-managed state and the ASR rules are being deployed using Intune. As part of testing, I enabled all the ASR rules and suddenly started to see application installations fail. My first clue was seeing 'Access denied' errors in AppEnforce.log. I
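To reproduce and contain this on a single device before touching the Intune profile, here is an added PowerShell example (not the post's own code, and not the post's resolution, which is cut off above) that reads the current state of every ASR rule and downgrades only the PsExec/WMI rule to audit. The GUID is Microsoft's documented identifier for that rule; the action codes are the documented values returned by Get-MpPreference.

```powershell
# Added example, not from the original post. The GUID is Microsoft's documented
# ID for 'Block process creations originating from PSExec and WMI commands'.
$PsexecWmiRuleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays in Get-MpPreference; wrap in @() so a
    # single configured rule does not come back as a scalar string.
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $actionNames[[int]$acts[$i]]
        }
    }
}

function Set-PsexecWmiRuleAudit {
    # Downgrade only this rule so ConfigMgr client installs keep working, while
    # event 1122 in the Defender Operational log still records what it would block.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $PsexecWmiRuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

Get-AsrRuleState | Where-Object RuleId -eq $PsexecWmiRuleId   # before
Set-PsexecWmiRuleAudit
Get-AsrRuleState | Where-Object RuleId -eq $PsexecWmiRuleId   # after: Audit
```

If the rule is deployed as Block from Intune, the local change is reverted at the next policy sync, so this is a test step; the lasting fix has to be made in the ASR profile that targets the co-managed devices.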

Microsoft Defender Application Guard & Web Content Filtering in Defender for Endpoint - A tale of two cities

Just a while ago, I blogged on How to enable and configure Web Content Filtering within Microsoft Defender for Endpoint and also on Creating custom Network Indicator rules in Defender for Endpoint. Now, as part of a wider implementation of Defender features, I moved on to configuring Application Guard. While the configuration of Application Guard is straightforward, I found out that this feature cannot work alongside Web Content Filtering. Why is that? To understand this, let's first see what Application Guard is and how it works.

Application Guard
For Microsoft Edge, Application Guard isolates untrusted sites, that is, anything not defined in the trusted web sites, cloud resources and internal networks. Everything else is considered untrusted, and those sites open in an isolated Hyper-V-enabled container. Similarly, for Microsoft Office, Application Guard helps prevent untrusted Word, PowerPoint and Excel files from accessing trusted resources. Here too