Windows Defender Antivirus

Windows Defender Antivirus is a built-in antimalware component of Microsoft Windows that is delivered starting from Windows 8.

The Windows Defender Antivirus (WDA) module allows you to configure Windows Defender Antivirus security policy and track its status via the Cyber Protection service console.

This module is applicable for the machines on which Windows Defender Antivirus is installed.

Schedule scan

Specify the schedule for scheduled scanning.

Scan mode:

  • Full – a full check of all files and folders additionally to the items scanned in the quick scan. It required more machine resources for execution compared to the quick scan.
  • Quick – a quick check of the in-memory processes and folders where malware is typically found. It required less machine resources for execution.

Define the time and day of week when the scan will be performed.

Daily quick scan – define the time for the daily quick scan.

You can set the following options depending on your needs:

Start the scheduled scan when the machine is on but not in use

Check for the latest virus and spyware definitions before running a scheduled scan

Limit CPU usage during the scan to

For more details about the WDA settings, refer to https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings

Default actions

Define the default actions to be performed for the detected threats of different severity levels:

  • Clean – clean up the detected malware on a machine.
  • Quarantine – put the detected malware in the quarantine folder but do not remove it.
  • Remove – remove the detected malware from a machine.
  • Allow – do not remove or quarantine the detected malware.
  • User defined – a user will be prompted to specify the action to be performed with the detected malware.
  • No action – no actions will be taken.
  • Block – block the detected malware.

For more details about the WDA settings, refer to https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#default-actions-settings

Real-time protection

Enable Real-time protection to detect and stop malware from installing or running on machines.

Scan all downloads – if selected, scanning is performed for all downloaded files and attachments.

Enable behavior monitoring – if selected, behavior monitoring will be enabled.

Scan network files – if selected, network files will be scanned.

Allow full scan on mapped network drives – if selected, mapped network drives will be fully scanned.

Allow email scanning – if enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments.

For more details about the WDA settings, refer to https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings

Advanced

Specify the advanced scan settings:

  • Scan archive files – include archived files such as .zip or .rar files into scanning.
  • Scan removable drives – scan removable drives during full scans.
  • Create a system restore point – in some cases an important file or registry entry could be removed as "false positive", then you will be able to recover from a restore point.
  • Remove quarantined files after – define the period after which the quarantined files will be removed.

  • Send file samples automatically when a further analysis is required:

    • Always prompt – you will be asked for confirmation before file sending.
    • Send safe samples automatically – most samples will be sent automatically except files that may contain personal information. Such files will require additional confirmation.
    • Send all samples automatically – all samples will be sent automatically.
  • Disable Windows Defender Antivirus GUI – if selected, the WDA user interface will not be available to a user. You can manage the WDA policies via Cyber Protection service console.

  • MAPS (Microsoft Active Protection Service) – online community that helps you choose how to respond to potential threats.

    • I don't want to join MAPS – no information will be sent to Microsoft about the software that was detected.
    • Basic membership – basic information will be sent to Microsoft about the software that was detected.
    • Advanced membership – more detailed information will be sent to Microsoft about the software that was detected.

    For more details, refer to https://www.microsoft.com/security/blog/2015/01/14/maps-in-the-cloud-how-can-it-help-your-enterprise/

For more details about the WDA settings, refer to https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings

Exclusions

You can define the following files and folders to be excluded from scanning:

  • Processes – any file that the defined process reads from or writes to will be excluded from scanning. You need to define a full path to the executable file of the process.
  • Files and folders – the specified files and folders will be excluded from scanning. You need to define a full path to a folder or file, or define the file extension.

For more details about the WDA settings, refer to https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings