STIGQter: STIG Summary: Microsoft Windows Defender Antivirus Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 04 May 2021:

Windows Defender AV must be configured to check in real time with MAPS before content is run or accessed.

DISA Rule

SV-213433r569189_rule

Vulnerability Number

V-213433

Group Title

SRG-APP-000278

Rule Version

WNDF-AV-000009

Severity

CAT II

CCI(s)

CCI-001242 - The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.

Weight

Fix Recommendation

This is applicable to unclassified systems, for other systems this is NA.

Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Configure the 'Block at First Sight' feature" to "Enabled".

Check Contents

This is applicable to unclassified systems, for other systems this is NA.

Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Configure the 'Block at First Sight' feature" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet

Criteria: If the value "DisableBlockAtFirstSeen" is REG_DWORD = 0, this is not a finding.

Windows Defender AV must be configured to check in real time with MAPS before content is run or accessed.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments