Before attempting to change your default antivirus behavior, it is important to understand what you are planning to do. While many of the available settings may increase performance or improve compatibility with applications, if applied incorrectly, they reduce protection against attacks.
In centrally managed environments, you can prevent end users from playing with Defender settings by applying a configuration using group policies.
However, Microsoft provides a whole range of options in the group policies that allow centrally defined settings to be overridden locally. Their names always start with "Configure local setting override for...". This way, you can exempt advanced users from general restrictions.
In addition to group policies and the security app, you can also use PowerShell to customize Defender according to your own requirements. The Set-MpPreference and Add-MpPreference cmdlets are responsible for this.
The virus scanner can cause problems with certain applications or reduce their performance, for example, when it scans databases in use or if it quarantines critical files. For this reason, it may be advisable to limit the scope of Defender Antivirus. However, this means that its protection will also be reduced.
The group policies provide five settings for this purpose. One of them does not define exclusions but instead disables the automatic exclusions that Microsoft sets by default. For example, the virus scanner skips the AD database ntds.dit on domain controllers. You can stop this by selecting Turn off Auto Exclusions.
The remaining settings allow you to define your own exclusions by path, file extension, process, or IP address. The first two are self-explanatory. Exclusions by process prevent Defender from scanning files opened by a specific program.
Antivirus scans not only the file system, but also several protocols that are considered vulnerable. By excluding IP addresses, you can prevent Antivirus from scanning requests coming from these systems.
If you define exclusions using PowerShell, then the Set-MpPreference parameters DisableAutoExclusions, ExclusionExtension, ExclusionIpAddress, ExclusionPath, and ExclusionProcess achieve this task. An example of this is:
Set-MpPreference -ExclusionExtension "dat,db"
This excludes files with the extension .dat and .db from the scan. You can remove these exclusions with
Remove-MpPreference -ExclusionExtension "dat,db"
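Because every exclusion widens the unscanned surface, it is worth reviewing what is actually configured on a host before and after a change. The following is an added example, not code from the article or from Microsoft; it uses only the documented Get-MpPreference, Add-MpPreference, and Remove-MpPreference cmdlets, and the paths and process names it adds are constructed placeholders. The patterns it flags as "broad" (a whole volume, user-writable trees, script and binary extensions, script hosts) are a reviewer's starting list, not an exhaustive one.

```powershell
# Added example (not from the article): list all active Defender exclusions and
# flag entries that widen the unscanned surface more than one application needs.

function Get-DefenderExclusionReport {
    $pref = Get-MpPreference

    # Path patterns a reviewer should question: a whole volume, a user-writable
    # tree, a temp directory, or an entry that starts with a wildcard.
    $broadPathPatterns = @(
        '^[A-Za-z]:\\?$',
        '^[A-Za-z]:\\Users\\?',
        '\\Temp\\?',
        '^\*'
    )
    # Extensions and processes whose exclusion lets script or binary content
    # run unscanned. Starting list only, not exhaustive.
    $broadExtensions = 'exe', 'dll', 'ps1', 'js', 'vbs', 'bat', 'cmd', 'scr', 'hta'
    $broadProcesses  = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                       'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

    if ($pref.DisableAutoExclusions) {
        [pscustomobject]@{ Type = 'AutoExclusions'; Value = 'disabled'; Broad = $true }
    }
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        $hit = $broadPathPatterns | Where-Object { $p -match $_ } | Select-Object -First 1
        [pscustomobject]@{ Type = 'Path'; Value = $p; Broad = [bool]$hit }
    }
    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
        $ext = $e.TrimStart('.')
        [pscustomobject]@{ Type = 'Extension'; Value = $e; Broad = ($broadExtensions -contains $ext) }
    }
    foreach ($proc in @($pref.ExclusionProcess | Where-Object { $_ })) {
        $leaf = [System.IO.Path]::GetFileName($proc)
        [pscustomobject]@{ Type = 'Process'; Value = $proc; Broad = ($broadProcesses -contains $leaf) }
    }
    foreach ($ip in @($pref.ExclusionIpAddress | Where-Object { $_ })) {
        [pscustomobject]@{ Type = 'IpAddress'; Value = $ip; Broad = $false }
    }
}

# Constructed sample change: exclude one application's data directory and its
# service process (placeholder names), review the result, then roll back.
Add-MpPreference -ExclusionPath 'D:\AppData\ExampleDB'            # placeholder path
Add-MpPreference -ExclusionProcess 'D:\ExampleApp\exampledb.exe'  # placeholder process

Get-DefenderExclusionReport | Format-Table -AutoSize

Remove-MpPreference -ExclusionPath 'D:\AppData\ExampleDB'
Remove-MpPreference -ExclusionProcess 'D:\ExampleApp\exampledb.exe'
```

Add-MpPreference appends to the existing lists, so it is the safer choice for scripted changes than Set-MpPreference, which takes the whole value. Running the report from a scheduled task and forwarding any entry with Broad set to true gives a cheap drift check for exclusions added locally through an override policy.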
A key feature of Defender Antivirus is that it continuously monitors changes in the file system or registry to detect suspicious activities or objects.
Defender Antivirus cannot be uninstalled on client operating systems, but you can switch off real-time protection using the respective policy. This only works if the tamper protection is deactivated.
However, there are not many good reasons to do this. If another virus scanner from a different vendor is running, Defender will switch itself off anyway. According to the documentation, the setting Turn off Microsoft Defender Antivirus has no effect.
In PowerShell, this can be done with:
Set-MpPreference -DisableRealtimeMonitoring $true
Most real-time protection features that can be configured via GPO are enabled by default, so the corresponding policies mainly serve to disable them. This applies, for example, to behavior monitoring and to scanning of downloaded files or scripts. Usually, you will leave the defaults.
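Since a policy change to real-time protection only takes effect when tamper protection allows it, and since Defender may already have placed itself in passive mode next to another scanner, the effective state should be read back from the host rather than assumed from the GPO. The block below is an added example (not from the article or from Microsoft) that reports that state from the documented Get-MpComputerStatus and Get-MpPreference properties and flags deviations from the defaults the article recommends keeping. The three-day signature age threshold is an assumption chosen for illustration.

```powershell
# Added example (not from the article): read the live real-time protection state
# so a change made by policy or Set-MpPreference can be verified on the host.

function Get-RealTimeProtectionState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    [pscustomobject]@{
        RunningMode            = $status.AMRunningMode   # e.g. 'Normal', 'Passive Mode'
        TamperProtected        = $status.IsTamperProtected
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        OnAccessProtection     = $status.OnAccessProtectionEnabled
        DownloadedFileScanning = $status.IoavProtectionEnabled
        ScriptScanning         = -not $pref.DisableScriptScanning
        NetworkFileScanning    = -not $pref.DisableScanningNetworkFiles
        SignatureAgeDays       = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    }
}

# Compare against the defaults the article recommends leaving in place and
# return a list of findings (empty list means the baseline is met).
function Test-RealTimeProtectionBaseline {
    $s = Get-RealTimeProtectionState
    $findings = @()

    if ($s.RunningMode -ne 'Normal') {
        $findings += "Defender is not the active scanner (mode: $($s.RunningMode))"
    }
    if (-not $s.RealTimeProtection)     { $findings += 'Real-time protection is disabled' }
    if (-not $s.BehaviorMonitoring)     { $findings += 'Behavior monitoring is disabled' }
    if (-not $s.DownloadedFileScanning) { $findings += 'Scanning of downloaded files is disabled' }
    if (-not $s.ScriptScanning)         { $findings += 'Script scanning is disabled' }
    if (-not $s.TamperProtected) {
        $findings += 'Tamper protection is off; these settings can be changed locally'
    }
    if ($s.SignatureAgeDays -gt 3) {     # assumed threshold for illustration
        $findings += "Signatures are $($s.SignatureAgeDays) days old"
    }
    return $findings
}

Get-RealTimeProtectionState | Format-List
$result = Test-RealTimeProtectionBaseline
if ($result.Count -eq 0) { 'Baseline OK' } else { $result | ForEach-Object { Write-Warning $_ } }
```

Running the check after a GPO refresh (gpupdate /force) shows whether the policy actually landed; if tamper protection is on, a local Set-MpPreference -DisableRealtimeMonitoring $true will be reported as ignored here rather than as a successful change.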
Admins can use several settings to control when and how often Defender checks the system for malware. This can be used, for example, to schedule scans so that they affect users as little as possible. On a multiuser system, such as an RD Session Host, this will play an important role.
Unless you choose extremely unfavorable values for the scan timing, it should not have any impact on security. The situation is different for other scanning policies. They can be used to disable scanning of emails, archive files, removable media, or the use of heuristics.
All of these functions are active by default and should remain so unless you have a good reason to disable them. The documentation also lists the PowerShell counterparts to these group policies.
A special rule applies to network drives. These are only checked if they have been mapped at the system level. If the user has set up the mapping themselves, then Defender ignores these shares by default. This can be changed with Scan files on the network.
The equivalent in PowerShell looks like this:
Set-MpPreference -DisableScanningNetworkFiles $false
In general, a file server will run its own virus scanner anyway, so you should avoid the excessive resource consumption that results when all clients also scan their files over the network.
Reaction to detected threats
Microsoft offers admins several ways to control Defender Antivirus' response to detected threats. One option is to completely override the tool's automatic mechanisms. The setting Turn off routine remediation serves this purpose.
Most environments will not activate this setting because the users then have to decide what action to take.
Alternatively, if you are not satisfied with the default behavior, you can control how Defender responds to certain events. There are two settings for this purpose:
- Specify threat alert levels at which default action should not be taken when detected
- Specify threats upon which default action should not be taken when detected
Both policies contain a two-column table in which you enter the threat on the left and the action on the right. In the first setting, you specify only the severity level; in the second, you specify the ID of the threat. You can get a complete list of IDs with
These are assigned actions to be taken when these events occur (quarantine, remove, ignore).
In PowerShell, the following parameters are available for Set-MpPreference:
- ThreatIDDefaultAction_Ids <Int64>
- ThreatIDDefaultAction_Actions <ThreatAction>
- UnknownThreatDefaultAction <ThreatAction>
- LowThreatDefaultAction <ThreatAction>
- ModerateThreatDefaultAction <ThreatAction>
- HighThreatDefaultAction <ThreatAction>
- SevereThreatDefaultAction <ThreatAction>
For example, to respond to severe threats by deleting the object in question, you would proceed as follows:
Set-MpPreference -SevereThreatDefaultAction Remove
The actions for specific Threat IDs can also be set this way:
Set-MpPreference -ThreatIDDefaultAction_Actions @(2,2) -ThreatIDDefaultAction_Ids @(15112,15113)
In this example, threats with IDs 15112 and 15113 are quarantined. This option is currently not covered by tamper protection and is therefore open to abuse, for instance with the Allow action, with which a bypass for Mimikatz could be set up.
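Because these per-threat defaults are not protected by tamper protection, they deserve the same periodic review as exclusions. The block below is an added example (not from the article or from Microsoft) that reads the per-severity and per-threat default actions back from Get-MpPreference, resolves the threat IDs to names with the documented Get-MpThreatCatalog cmdlet, and flags every entry set to Allow or NoAction. The numeric ThreatAction values are those documented for Set-MpPreference (Clean=1, Quarantine=2, Remove=3, Allow=6, UserDefined=8, NoAction=9, Block=10); the IDs 15112 and 15113 used in the usage section are the article's own.

```powershell
# Added example (not from the article): report configured threat default actions
# and flag permissive ones (Allow / NoAction) that would make Defender ignore a threat.

$ThreatActionName = @{
    0 = 'Default'; 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'
    6 = 'Allow'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block'
}

function ConvertTo-ActionName([int]$code) {
    if ($ThreatActionName.ContainsKey($code)) { $ThreatActionName[$code] } else { "Unknown($code)" }
}

function Get-ThreatDefaultActionReport {
    $pref = Get-MpPreference

    # Severity-level defaults (0 means no override is configured).
    foreach ($level in 'Unknown', 'Low', 'Moderate', 'High', 'Severe') {
        $code = [int]$pref."${level}ThreatDefaultAction"
        [pscustomobject]@{
            Scope      = "$level severity"
            ThreatID   = $null
            ThreatName = $null
            Action     = ConvertTo-ActionName $code
            Permissive = ($code -eq 6 -or $code -eq 9)
        }
    }

    # Per-threat overrides: the two arrays are positional pairs, Ids[i] <-> Actions[i].
    $ids     = @($pref.ThreatIDDefaultAction_Ids)
    $actions = @($pref.ThreatIDDefaultAction_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code  = [int]$actions[$i]
        $entry = Get-MpThreatCatalog -ThreatID $ids[$i] -ErrorAction SilentlyContinue
        $name  = if ($entry) { $entry.ThreatName } else { '(not in local catalog)' }
        [pscustomobject]@{
            Scope      = 'Threat ID'
            ThreatID   = $ids[$i]
            ThreatName = $name
            Action     = ConvertTo-ActionName $code
            Permissive = ($code -eq 6 -or $code -eq 9)
        }
    }
}

# Usage: apply the quarantine pattern from the article, then verify that no
# permissive entry is present.
Set-MpPreference -ThreatIDDefaultAction_Ids @(15112, 15113) -ThreatIDDefaultAction_Actions @(2, 2)

Get-ThreatDefaultActionReport | Format-Table -AutoSize
Get-ThreatDefaultActionReport | Where-Object Permissive | ForEach-Object {
    Write-Warning "Permissive default action '$($_.Action)' for $($_.Scope) $($_.ThreatID) $($_.ThreatName)"
}
```

Since Set-MpPreference replaces both arrays as a whole, a scripted change should read the existing pairs first and append to them, otherwise earlier overrides are silently dropped. Any Allow entry that appears in this report without a matching change record is worth treating as a tampering indicator rather than a configuration mistake.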
Another setting under Quarantine limits the duration for isolating files before they are deleted. This is called Configure removal of items from Quarantine folder.
In general, the default settings of Defender Antivirus offer good protection and are suitable for most environments. For special requirements, admins have numerous settings that can be configured via the local app, PowerShell, or group policies.
The majority of these options are used to disable or restrict the functions of the virus scanner. This applies, for example, to exclusions, which are particularly important on Windows servers. Interventions in real-time protection are usually unnecessary and should be avoided when there is no good reason to do so.
In the case of periodic scans, the options for scheduling and regulating resource consumption are of particular interest. The omission of certain objects should, however, be carefully considered.
The most likely need for customization is in the measures with which Defender Antivirus reacts to detected threats. Several options that support a fine granular configuration are available for this.