Intune – Detect and block malware


The built-in Microsoft Defender Antivirus on Windows 10 has a useful capability to protect you from malware. This feature is called block at first sight and has been available since Windows 10 build 1803. It can block non-portable-executable files such as JavaScript, Visual Basic script or macros, and it can block regular exe files as well. This is done by leveraging the cloud.

What happens is that the file's hash is checked against the Intelligent Security Graph to determine whether this is a previously unseen file. If the cloud backend (Intelligent Security Graph) is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. In the cloud, analysis is performed to determine whether the file contains malware. If the file does contain malware, it is blocked from running.

To make sure Windows Defender Antivirus can reach the Microsoft servers that analyze the files users download, you need to allow certain connections. Computers must have internet access and be able to reach the ATP machine learning services.

Service: Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)
Description: Used by Microsoft Defender Antivirus to provide cloud-delivered protection
URLs:
  *.wdcp.microsoft.com
  *.wdcpalt.microsoft.com
  *.wd.microsoft.com

Service: Microsoft Update Service (MU)
Description: Security intelligence and product updates
URLs:
  *.update.microsoft.com

Service: Security intelligence updates Alternate Download Location (ADL)
Description: Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)
URLs:
  *.download.microsoft.com

Service: Malware submission storage
Description: Upload location for files submitted to Microsoft via the Submission form or automatic sample submission
URLs:
  ussus1eastprod.blob.core.windows.net
  ussus1westprod.blob.core.windows.net
  usseu1northprod.blob.core.windows.net
  usseu1westprod.blob.core.windows.net
  ussuk1southprod.blob.core.windows.net
  ussuk1westprod.blob.core.windows.net
  ussas1eastprod.blob.core.windows.net
  ussas1southeastprod.blob.core.windows.net
  ussau1eastprod.blob.core.windows.net
  ussau1southeastprod.blob.core.windows.net

Service: Certificate Revocation List (CRL)
Description: Used by Windows when creating the SSL connection to MAPS for updating the CRL
URLs:
  https://www.microsoft.com/pkiops/crl/
  https://www.microsoft.com/pkiops/certs
  https://crl.microsoft.com/pki/crl/products
  https://www.microsoft.com/pki/certs

Service: Symbol Store
Description: Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows
URLs:
  https://msdl.microsoft.com/download/symbols

Service: Universal Telemetry Client
Description: Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes. This update uses SSL (TCP port 443) to download manifests and upload diagnostic data to Microsoft via the following DNS endpoints
URLs:
  vortex-win.data.microsoft.com
  settings-win.data.microsoft.com

Configure block at first sight

So how can we configure block at first sight with Microsoft Endpoint Manager (Intune)? First, create a device restriction policy. Within the device restriction options, find Microsoft Defender Antivirus. There you can configure three options: Cloud-delivered protection, File Blocking Level and Time extension for file scanning by the cloud.

When you have configured those settings and saved the policy, it's time to test it. So how can we test whether block at first sight is actually working? Log in to a machine that received the updated policy and open PowerShell as an administrator. Run the following command to test connectivity to the Intelligent Security Graph:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection

If the connection is validated we can test if block at first sight is actually working. Open a browser and navigate to: https://demo.wd.microsoft.com/page/BAFS

Click on the button "Create & download a new file!" and a file download should start; right after the file is downloaded it should be blocked immediately.
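The manual checks above can be rolled into one script that an administrator runs on a test machine after the policy has applied. This is an added example, not code from the original post; it assumes the Defender PowerShell module (Get-MpPreference) and Test-NetConnection are available, that MpCmdRun.exe -ValidateMapsConnection returns exit code 0 on success, and it only probes the non-wildcard hosts from the table above, since wildcard entries have no concrete host to test.

```powershell
# Added verification script (not from the original post). Run as administrator on a
# Windows 10 machine that has received the Intune device restriction policy.

# 1. Read the effective Defender preferences and compare them with what block at
#    first sight needs: cloud protection on, automatic sample submission, BAFS not disabled.
$pref = Get-MpPreference
$checks = @(
    @{ Name = 'MAPSReporting';           Actual = $pref.MAPSReporting;           Ok = ($pref.MAPSReporting -ge 1);            Hint = 'expect Basic (1) or Advanced (2); 0 = cloud-delivered protection off' }
    @{ Name = 'SubmitSamplesConsent';    Actual = $pref.SubmitSamplesConsent;    Ok = ($pref.SubmitSamplesConsent -in 1, 3);  Hint = 'expect automatic submission (1 = safe samples, 3 = all samples)' }
    @{ Name = 'DisableBlockAtFirstSeen'; Actual = $pref.DisableBlockAtFirstSeen; Ok = (-not $pref.DisableBlockAtFirstSeen);   Hint = 'must be False for block at first sight to work' }
    @{ Name = 'CloudBlockLevel';         Actual = $pref.CloudBlockLevel;         Ok = $true;                                  Hint = 'informational: File Blocking Level (0 default, 1 moderate, 2 high, 4 high+, 6 zero tolerance)' }
    @{ Name = 'CloudExtendedTimeout';    Actual = $pref.CloudExtendedTimeout;    Ok = $true;                                  Hint = 'informational: extra seconds (0-50) the cloud may hold a file' }
)
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1} = {2}  ({3})" -f $state, $c.Name, $c.Actual, $c.Hint)
}

# 2. Ask the engine itself whether it can reach MAPS (the same command as in the post).
#    Assumption: a non-zero exit code means the validation failed.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
if ($LASTEXITCODE -ne 0) {
    Write-Host "[FAIL] MpCmdRun could not validate the MAPS connection (exit code $LASTEXITCODE)"
}

# 3. Check TCP 443 reachability to the concrete (non-wildcard) endpoints from the table.
#    Wildcard entries such as *.wdcp.microsoft.com are covered by the MpCmdRun check above.
$endpoints = @(
    'ussus1eastprod.blob.core.windows.net', 'ussus1westprod.blob.core.windows.net',
    'usseu1northprod.blob.core.windows.net', 'usseu1westprod.blob.core.windows.net',
    'www.microsoft.com', 'crl.microsoft.com', 'msdl.microsoft.com',
    'vortex-win.data.microsoft.com', 'settings-win.data.microsoft.com'
)
foreach ($ep in $endpoints) {
    $r = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}:443" -f $state, $ep)
}
```

A FAIL on any line in step 3 usually points at a proxy or firewall rule that also explains a failed MAPS validation in step 2, which is the first thing to fix before expecting the BAFS demo page to block the download.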

I think it is an easy and simple way to get your users protected via Intune policies, which should be implemented by default.

Sources:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus
