The file's hash is first checked against the Intelligent Security Graph to see whether the file has been seen before. If the cloud backend cannot make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud, where analytics are run to determine whether the file contains malware. If it does, the file is blocked from running.
To make sure that Windows Defender Antivirus can reach the Microsoft servers that analyze the files users download, you need to allow certain connections. Computers must have internet access and be able to reach the ATP machine learning services.
| Service | Description | URL |
|---|---|---|
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS) | Used by Microsoft Defender Antivirus to provide cloud-delivered protection | |
| Microsoft Update Service (MU) | Security intelligence and product updates | *.update.microsoft.com |
| Security intelligence updates Alternate Download Location (ADL) | Alternate location for Microsoft Defender Antivirus security intelligence updates if the installed security intelligence is out of date (7 or more days behind) | *.download.microsoft.com |
| Malware submission storage | Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | |
| Certificate Revocation List (CRL) | Used by Windows when creating the SSL connection to MAPS for updating the CRL | |
| Symbol Store | Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| Universal Telemetry Client | Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes. This update uses SSL (TCP port 443) to download manifests and upload diagnostic data to Microsoft using the following DNS endpoints: | |
Configure Block at first sight
So how can we configure Block at First Sight with Microsoft Endpoint Manager (Intune)? First, create a device restriction policy. Within the device restriction options, find Microsoft Defender Antivirus. There you can configure three options: cloud-delivered protection, File Blocking Level, and Time extension for file scanning by the cloud.
When you have configured those settings and saved the policy, it's time to test it. So how can we test whether Block at First Sight is actually working? Log in to a machine that received the updated policy and open PowerShell as an administrator. Run the following command to test connectivity to the Intelligent Security Graph:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
If the connection is validated, we can test whether Block at First Sight is actually working. Open a browser and navigate to: https://demo.wd.microsoft.com/page/BAFS
Click the button Create & download a new file! and a file download should start; right after the download completes, the file should be blocked immediately.
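As an added example (not code from the original post), the following PowerShell script ties the test steps above together on a device that received the Intune policy: it reads the effective Defender preferences that Block at First Sight depends on, confirms real-time protection is enabled, runs the same MpCmdRun.exe MAPS validation, and finally lists the most recent detections so you can confirm the demo file was caught. The expected preference values (cloud protection on, automatic sample submission, Block at First Seen not disabled) are assumptions about what the policy should set; the check names and the interpretation of a non-zero MpCmdRun exit code as failure are also assumptions, not something the post states.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a device that received the Block at First Sight policy.

# 1. Read the effective Microsoft Defender Antivirus preferences.
$pref = Get-MpPreference

# Expected values for Block at First Sight (assumption: the policy turns on
# cloud-delivered protection with automatic sample submission).
$checks = @(
    @{ Name = 'MAPSReporting (cloud-delivered protection, 1=Basic/2=Advanced)'
       Actual = $pref.MAPSReporting;         Ok = ($pref.MAPSReporting -ge 1) }
    @{ Name = 'SubmitSamplesConsent (1=safe samples, 3=all samples)'
       Actual = $pref.SubmitSamplesConsent;  Ok = ($pref.SubmitSamplesConsent -in 1,3) }
    @{ Name = 'DisableBlockAtFirstSeen (must be False)'
       Actual = $pref.DisableBlockAtFirstSeen; Ok = (-not $pref.DisableBlockAtFirstSeen) }
    @{ Name = 'CloudBlockLevel (File Blocking Level, informational)'
       Actual = $pref.CloudBlockLevel;       Ok = $true }
    @{ Name = 'CloudExtendedTimeout (extra seconds for cloud scanning, informational)'
       Actual = $pref.CloudExtendedTimeout;  Ok = $true }
)

foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1} = {2}" -f $state, $c.Name, $c.Actual)
}

# 2. Block at First Sight relies on real-time protection being on.
$status = Get-MpComputerStatus
$rtp    = if ($status.RealTimeProtectionEnabled) { 'OK  ' } else { 'FAIL' }
Write-Output ("[{0}] RealTimeProtectionEnabled = {1}" -f $rtp, $status.RealTimeProtectionEnabled)

# 3. Validate the MAPS connection, the same check the post describes.
#    Assumption: a non-zero exit code means the validation failed.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -ValidateMapsConnection
if ($LASTEXITCODE -eq 0) {
    Write-Output '[OK  ] MAPS connection validated'
} else {
    Write-Output "[FAIL] MpCmdRun exit code $LASTEXITCODE; check proxy/firewall rules for the endpoints listed in the table"
}

# 4. After downloading the demo file from https://demo.wd.microsoft.com/page/BAFS,
#    the block should appear as a recent detection.
Write-Output 'Most recent detections:'
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 3 InitialDetectionTime, ThreatID, Resources, ProcessName
```

Run the script once before downloading the demo file to confirm the policy and connectivity, then again afterwards; the demo download should show up in the detection list if Block at First Sight is working. A FAIL on the preference checks usually means the Intune policy has not applied yet, or a local setting or other policy is overriding it.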
I think it is an easy and simple way to get your users protected via Intune policies, which should be implemented by default.