Step-by-Step: How to harden Windows 10 Defender to provide greater security.

This document outlines how to modify Microsoft Windows Defender to supply a more robust defence against 

Prerequisites:  You must have administrator access to the computer to make these changes. 


Windows Defender is the built-in anti-virus application included with Windows 10.  Like all security applications its default configuration represents a compromise between security and usability that its designers consider sufficient for most people's use.

However, Windows Defender does include application settings that allow for a higher level of security at the cost of a possible performance hit on your computer.  Only you can decide at what point usability vs security is balanced.

Try out the settings and if you notice a performance hit that is unacceptable, the changes can easily be reversed.


1.  Check that Windows Defender's basic settings are configured properly.

When Windows Defender (a.k.a. Windows Security) is running, its icon is displayed in the taskbar at the lower right-hand corner of the screen near the clock.  It is a small shield symbol with either a check mark or a red X superimposed on it.  A check mark indicates that everything is nominal.  An X indicates that something needs your attention.

Hopefully, your system has the check mark.  For the purposes of this instructional document, we'll ignore this issue.  However, if you discover that you cannot correct whatever it is that is causing the X to appear, then please open up a Cyber security Issue or Concern service request to address the issue.

Click your mouse on the Windows Defender icon to launch the Windows Defender interface. Click on the Virus & Threat Protection icon.

On the subsequent window, click on Manage Settings link under the Virus & threat protection settings heading.

Ensure that Real-time protection is enabled.


What is Real-time protection?

If your computer is getting attacked, you can't afford to wait for the next time Windows Defender conducts a regular scan to be alerted to an infection that's already happened.  You need Windows Defender to always be monitoring your system's attack vectors for suspicious behaviour.  If malware hits your system, Windows Defender needs to be aware that a malware event is taking place and take action. Enabling Real-time protection allows Windows Defender to keep an eye on your system to be able to take immediate action when necessary.


Scroll further down the Virus & threat protection settings interface to the Tamper Protection setting.  Tamper protection ensures that a rogue program is unable to modify your Windows Defender settings without your knowledge.  Ensure this is turned on. 

Just below the Tamper Protection item is Controlled Folder Access.  Controlled folder access is designed to prevent ransomware from encrypting and taking your data hostage, but it also can protect files from unwanted changes from other malicious programs.  Enabling this option will provide much greater security of your specified files and folders, but the cost is that it can be quite intrusive. 

Basically, Controlled Folder Access monitors the folders you designate and watches for suspicious changes.  Its intent is to stop suspicious changes from happening.  However, there are a lot of programs you might use that Controlled Folder Access will wrongly identify as suspicious, and it will block them from changing files.  In these cases, you'll have to adjust the settings for Controlled Folder Access to allow specific programs to make changes in the monitored folders.  This is high security, but at a cost to productivity.

If you choose to use this option, you can start out small by monitoring only a single folder or small group of folders in order to gauge if the added security outweighs any inconvenience.  And remember, you can always back-out of this option if you wish.

For detailed instructions on how to configure and use Controlled Folder Access please see "How to enable controlled folder access on Windows 10" from www.windowscentral.com.

Lastly in this Windows Defender interface, check to ensure the Windows Firewall is active.  Click on Firewall and Network Protection in the column at the left side of the interface and ensure all Firewall settings are on.

You can now close the Windows Defender interface.
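The same Step 1 checks can be read back from PowerShell instead of clicking through the Windows Security interface.  The script below is an added example, not part of the original document; it uses the Defender module (Get-MpComputerStatus, Get-MpPreference) and the NetSecurity module (Get-NetFirewallProfile) that ship with Windows 10, and the "Expected" values simply mirror the recommendations above.  Run it from a PowerShell prompt launched with Run as administrator.

```powershell
# Added example (not the document's own script): report the Step 1 settings.
# Requires an elevated PowerShell prompt on Windows 10.

$status = Get-MpComputerStatus   # live engine state (real-time protection, tamper protection)
$pref   = Get-MpPreference       # configured preferences (Controlled Folder Access)

# Builds one result row; $Pass is a small test applied to the actual value.
function Test-Setting {
    param([string]$Name, $Actual, [string]$Expected, [scriptblock]$Pass)
    [pscustomobject]@{
        Setting  = $Name
        Expected = $Expected
        Actual   = "$Actual"
        OK       = [bool](& $Pass $Actual)
    }
}

$rows = @(
    Test-Setting 'Real-time protection' $status.RealTimeProtectionEnabled 'True' { $args[0] -eq $true }
    Test-Setting 'Tamper Protection'    $status.IsTamperProtected         'True' { $args[0] -eq $true }
    # Controlled Folder Access: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
    # The document treats this as optional, so audit mode is accepted here as a reviewed choice.
    Test-Setting 'Controlled Folder Access' $pref.EnableControlledFolderAccess '1 or 2' { $args[0] -in 1, 2 }
)

# The document asks for every firewall profile (Domain, Private, Public) to be on.
# Enabled reports True / False / NotConfigured, so compare against the literal 'True'.
foreach ($fwProfile in Get-NetFirewallProfile) {
    $rows += Test-Setting "Firewall ($($fwProfile.Name) profile)" $fwProfile.Enabled 'True' { "$($args[0])" -eq 'True' }
}

$rows | Format-Table Setting, Expected, Actual, OK -AutoSize

# Non-zero exit code when anything is off, so the script can be used as a quick audit.
if ($rows | Where-Object { -not $_.OK }) { exit 1 }
```

Any row reporting OK = False corresponds to an item you would otherwise see flagged with the red X in the Windows Security interface.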


2. Enable Windows Defender's enhanced settings. 

Using the Windows local group policy editor, we will now enable some of Windows Defender's enhanced settings.  To launch the Group Policy Editor, click on the Windows 10 menu icon in the lower left-hand corner of the screen.  Enter the word group into the search field and Edit Group Policy will appear at the top of the search results list.  Click on Edit group policy or just hit the <ENTER> key.

When the editor opens, expand the Computer Configuration, then Administrative Templates, then Windows Components sections.

Scroll down the list of items under Windows Components and expand the list under Windows Defender Antivirus by clicking on the small arrow to the left of the heading and select the MAPS entry.

If not already enabled, double-click on Block at First Sight and enable it.

Next double-click on Join Microsoft MAPS in the right-hand column.  Set the level to Advanced MAPS and apply.

MAPS is the Microsoft Active Protection service.  Basically, enabling Block at First Sight allows your computer to consult the online MAPS database in real-time to check a suspected threat.  Joining MAPS allows your computer to contribute to the online database, the idea being that the greater number of samples, the more accurate real-time scanning will be.

Next, we move on to the MPEngine section located directly underneath the MAPS section in the policy editor.  Double-click on the Configure extended cloud check entry.

When enabled, Extended Cloud Check defaults to allowing Windows Defender up to 10 seconds to consult the MAPS database when checking a suspicious file.  If no result is returned after 10 seconds, the query is dropped and the file is no longer scrutinized.  We change this setting to allow Windows Defender a maximum of 30 seconds to check a file.  We could allow even more time, but the result of the extended check time is that, from the user's perspective, the system may appear to stutter: while Windows Defender consults MAPS, whatever process was interrupted by the file check will have to wait up to 30 seconds before it can continue (assuming no threat was actually found).  For this reason, you may want to decide on more or less check time.

The default time period is 10 seconds, so whatever value you enter in the Specify the extended cloud check time in seconds field is added to the initial 10 seconds.  In our example the total is 30 seconds, so the value entered is 20.  Click Apply after you've entered your desired time period.

Lastly, double-click on Select cloud protection level.  Enable it, select High+ blocking level and select Apply.

The Cloud protection level setting determines how aggressive Windows Defender is in blocking and scanning suspicious files.

Setting it to High+ blocking level aggressively blocks unknowns and applies additional protection measures.  Again, this may negatively affect overall system performance, but is a high security level.  As with other settings we've discussed, you'll have to decide if the system performance level is adequate with these levels set.  You can always dial the settings back later.

Lastly, we enable checks for Potentially Unwanted Programs or Potentially Unwanted Applications, otherwise known as PUPs or PUAs.  These are a group of programs that are not necessarily viruses or malware, but have generally bad effects on a computer system.  Examples include advertising software that pops up unwanted advertisements, browser add-ons that redirect web pages, and other such items.

These checks are enabled via the Windows PowerShell system.  PowerShell is a sort-of command prompt/batch file system on steroids and is an included part of the operating system often used by administrators to automate system maintenance and management. 

To launch PowerShell, click on the Windows icon in the lower left-hand corner of the screen and enter powershell in the search box.  PowerShell must be launched with administrator credentials, so you must right-click your mouse on the Windows PowerShell entry in the search list and select Run as administrator.  You'll be prompted for your administrator credentials before the PowerShell window will open.

A command prompt-like window opens.  Enter the command Set-MpPreference -PUAProtection 1 (that is the number one at the end) and press <ENTER>.

There is only feedback from the command if there is an error.  For example, if you launched PowerShell without administrator credentials the command will fail.

If the command executes without error, then we are finished.  Reboot the computer to ensure all the changes take effect.
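Every Step 2 setting has a Set-MpPreference equivalent, which is convenient when you need to apply the same hardening to several computers or read it back afterwards.  The script below is an added example, not part of the original document; it uses only documented Set-MpPreference and Get-MpPreference parameters.  Two assumptions are worth stating: the CloudExtendedTimeout value is the number of seconds added to the 10-second default (20 here, giving the 30 seconds used above), and SubmitSamplesConsent is not mentioned in the text but is included because Block at First Sight depends on sample submission being allowed.  Run it from a PowerShell prompt launched with Run as administrator.

```powershell
# Added example (not the document's own script): apply the Step 2 settings and verify them.
# Note: on a domain-joined machine, Group Policy values override local preferences, so if a
# value does not change here, set it through the policy editor as described in the text.

# Parameter values for Set-MpPreference, one per Step 2 item.
$desired = @{
    MAPSReporting           = 'Advanced'        # Join Microsoft MAPS -> Advanced MAPS
    SubmitSamplesConsent    = 'SendSafeSamples' # assumption: needed for Block at First Sight (not in the text)
    DisableBlockAtFirstSeen = $false            # keep Block at First Sight enabled
    CloudExtendedTimeout    = 20                # seconds added to the 10 s default = 30 s total
    CloudBlockLevel         = 'HighPlus'        # Select cloud protection level -> High+ blocking level
    PUAProtection           = 'Enabled'         # same as Set-MpPreference -PUAProtection 1
}

# What Get-MpPreference should report afterwards (enumerations come back as numbers).
$expected = @{
    MAPSReporting           = 2
    SubmitSamplesConsent    = 1
    DisableBlockAtFirstSeen = $false
    CloudExtendedTimeout    = 20
    CloudBlockLevel         = 4
    PUAProtection           = 1
}

# Apply everything in one call; -ErrorAction Stop surfaces a non-elevated prompt immediately.
Set-MpPreference @desired -ErrorAction Stop

# Read back and compare, flagging anything a policy may have pinned to another value.
$after    = Get-MpPreference
$mismatch = 0
foreach ($name in ($expected.Keys | Sort-Object)) {
    $actual = $after.$name
    $ok     = ($actual -eq $expected[$name])
    if (-not $ok) { $mismatch++ }
    '{0,-24} expected={1,-6} actual={2,-6} {3}' -f $name, $expected[$name], $actual,
        $(if ($ok) { 'OK' } else { 'MISMATCH (check Group Policy)' })
}
if ($mismatch -gt 0) { exit 1 }
```

As in the text, the only feedback from Set-MpPreference itself is an error; the read-back loop is what confirms that each value actually took effect before you reboot.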


2020.05.01 dkearney

Ref: Detect and block potentially unwanted applications