Intune – Detect and block malware

The built-in Microsoft Defender Antivirus on Windows 10 has a capability called block at first sight that protects you from malware that has never been seen before. It has been available since Windows 10, version 1607; since version 1803 it can also block non-portable-executable files such as JavaScript, Visual Basic script and Office macros, in addition to regular executables. The decision is made by leveraging the cloud.

What happens is that the hash of a newly seen file is checked against the Intelligent Security Graph to see whether the cloud already knows the file. If the cloud backend cannot make a determination from the hash, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. There the file is analysed (within the configured timeout, 10 seconds by default, which the policy can extend) to determine whether it contains malware. If it does, the file is blocked from running; otherwise it is released.

To make sure Microsoft Defender Antivirus can reach the Microsoft servers that analyse the files users download, you need to allow certain outbound connections on firewalls and proxies. Computers must have internet access and be able to reach the following Microsoft Defender cloud services:

Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS): used by Microsoft Defender Antivirus to provide cloud-delivered protection.
Microsoft Update Service (MU): security intelligence and product updates.
Security intelligence updates Alternate Download Location (ADL): alternate location for Microsoft Defender Antivirus security intelligence updates if the installed security intelligence is out of date (7 or more days behind).
Malware submission storage: upload location for files submitted to Microsoft via the submission form or automatic sample submission.
Certificate Revocation List (CRL): used by Windows when creating the SSL connection to MAPS, for updating the CRL.
Symbol Store: used by Microsoft Defender Antivirus to restore certain critical files during remediation flows.
Universal Telemetry Client: used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring. This client uses SSL (TCP port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:

Configure block at first sight

So how can we configure block at first sight with Microsoft Endpoint Manager (Intune)? First we need to create a device restriction profile. Within the device restriction settings, find the Microsoft Defender Antivirus section. There you configure three options: cloud-delivered protection, file blocking level, and the time extension for file scanning by the cloud. The feature also depends on sample submission being allowed (the prompt-users-before-sample-submission setting in the same section), because the undetermined file has to be uploaded for analysis; if samples are never sent, block at first sight cannot work.

When you have configured those settings and saved the policy, it is time to test it. So how can we test whether block at first sight is actually working? Log in to a machine that has received the updated policy and open PowerShell as an administrator. Run the following command to test the connectivity to the cloud protection service (MAPS):

& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection

If the connection is validated (the tool reports that it successfully established a connection to MAPS), we can test whether block at first sight is actually working. Open a browser and navigate to:

Click the button Create & download a new file! and a file download should start. Because the file is new to the cloud, it is uploaded for analysis, and right after the download finishes it should be blocked immediately.
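To check the whole chain on a device in one go (policy applied, prerequisites met, cloud reachable, and the detection logged after the test download), the following PowerShell script can be run in the elevated session. It is an added example, not code from the original post; it assumes Windows 10 with Microsoft Defender Antivirus and uses the Defender cmdlets Get-MpPreference, Get-MpComputerStatus and Get-MpThreatDetection plus the Defender operational event log (event 1116 = malware detected, 1117 = action taken). The numeric-to-name tables are an assumption about how the preference values map and only affect the report, not the checks.

```powershell
# Added example (not part of the original post): verify block at first sight
# prerequisites on a device and show the detection produced by the test download.
# Assumes an elevated PowerShell on Windows 10 with Microsoft Defender Antivirus.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Readable names for the numeric preference values (assumed mapping, report only).
$mapsNames   = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$sampleNames = @{ 0 = 'Always prompt'; 1 = 'Send safe samples'; 2 = 'Never send'; 3 = 'Send all samples' }
$levelNames  = @{ 0 = 'Default'; 2 = 'High'; 4 = 'High+'; 6 = 'Zero tolerance' }

[pscustomobject]@{
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    CloudProtection      = $mapsNames[[int]$pref.MAPSReporting]
    SampleSubmission     = $sampleNames[[int]$pref.SubmitSamplesConsent]
    CloudBlockLevel      = $levelNames[[int]$pref.CloudBlockLevel]
    CloudExtendedTimeout = $pref.CloudExtendedTimeout
    BlockAtFirstSeen     = -not $pref.DisableBlockAtFirstSeen
} | Format-List

# Block at first sight needs real-time protection, cloud protection turned on,
# sample submission allowed (safe or all samples) and the feature not disabled.
$ready = ($status.RealTimeProtectionEnabled) -and
         ($pref.MAPSReporting -ne 0) -and
         ($pref.SubmitSamplesConsent -in 1, 3) -and
         (-not $pref.DisableBlockAtFirstSeen)
if (-not $ready) {
    Write-Warning 'Prerequisites for block at first sight are not met; check the Intune policy.'
}

# Cloud connectivity: same check as in the post, with the call operator so the
# path expands correctly in PowerShell. A non-zero exit code indicates failure.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
if ($LASTEXITCODE -ne 0) {
    Write-Warning "MAPS connection check failed (exit code $LASTEXITCODE)"
}

# After downloading the test file, the detection shows up in the Defender
# operational log: 1116 = malware detected, 1117 = action taken.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# The same detection is also visible through the Defender cmdlets.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 |
    Format-Table InitialDetectionTime, ThreatID, Resources, ActionSuccess -AutoSize
```

Run the script once before the download to confirm the policy and connectivity, and again afterwards to see the 1116/1117 events and the Get-MpThreatDetection entry for the test file. If the prerequisite warning fires on a device that has the Intune profile assigned, the profile has not applied yet or a conflicting policy is overriding it; checking the values locally is faster than waiting for Intune reporting.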

I think this is an easy and simple way to get your users protected via Intune policies, and it should be enabled by default.

