Antivirus settings

The Antivirus settings configure the antivirus software that is installed on a Windows device.

The following table describes the Windows Defender antivirus settings that you can configure on a Windows device:

Table 1. Antivirus settings
Policy setting | Description | Supported devices
Policy setting: Configure antivirus settings
Description: Configure antivirus settings on the device. The configuration is supported on the native Windows Defender application. Enable the setting to view and configure antivirus settings.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
Policy setting: Customize scan settings and frequency
Description: Configure the antivirus scan settings and the frequency at which the scan runs.
  • Scan type: Select the type of device scan that you prefer, such as quick scan or full scan.
  • Scan start time: Schedule the time for the scan to begin. Note: The operating system can override the scan time. The scan usually runs when CPU usage on the system is low.
  • Scan frequency: Select how often the scan runs on the device, such as every day, a specific day, or no scheduled day.
  • Signature update frequency: Select how often signatures are updated, such as every hour, every two hours, or every eight hours.
  • Catch up full scan: Select to force Windows Defender to run a full scan after a scheduled scan was missed.
  • Catch up quick scan: Select to force Windows Defender to run a quick scan after a scheduled scan was missed.
  • Low CPU priority while scanning: Specify that Windows Defender uses low CPU priority for scheduled scans.
  • Check for signature before running scan: Select this option so that Windows Defender checks for new virus and spyware definitions before it runs a scan. This option applies to scheduled scans and to the mpcmdrun -SigUpdate command-line option. It does not apply to scans started manually from the user interface. If you do not enable this option, the scan uses the existing definitions.
  • Signature update fallback order: Select the order in which Windows Defender contacts definition update sources. Set the priority in which each of the following sources is used to download definition updates:
    • Internal Definition Update Server: Use a Windows Server Update Services (WSUS) server to manage updates for the network.
    • Microsoft Update Server: Connects directly to Microsoft Update. Use this option if devices cannot connect to the enterprise network consistently or if you do not use Windows Server Update Services to manage updates.
    • MMPC: Delivers SHA-2 signed updates through Windows Update. Your devices must support SHA-2.

      Use this option as a final fallback source, not the primary source, for example when updates cannot be downloaded from Windows Server Update Services or Microsoft Update for a specific number of days.

    • File Share: Use this option if you have devices that are not connected to the internet. Use a computer that is connected to the internet to download updates to a network share that the devices can access.

      Signature updates file share resources: Defines the order in which UNC (Universal Naming Convention) file share sources are used to download definition updates. Use a comma-separated list to define the UNC file share sources.

Note: Definition update sources are contacted in the order that you specify. If definition updates are successfully downloaded from one source, the remaining sources in the list are not contacted.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
Policy setting: Included file types for antivirus scan
Description: Configure the types of files that are included during the device scan.
  • Enforce scanning of archives: Scans archived files, such as .zip files.
  • Enforce scanning of emails: Scans emails. This setting is supported on Outlook 2003 and earlier versions.
  • Enforce scanning of network files: Scans network files when they are accessed.
  • Enforce full scan on mapped network drives: Scans files on mapped network drives when a full scan is initiated.
  • Allow bidirectional file scan: Specify whether both incoming and outgoing files, only incoming files, or only outgoing files are monitored during an antivirus scan.
  • Enforce full scan on removable drive: Scans connected removable drives when a full scan is initiated.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
Policy setting: Excluded file types for scan
Description: Configure the files that are not included during a device scan.
  • Excluded file types for scan: Specify comma-separated file extensions (lib, obj, cmd) that are ignored during an antivirus scan.
  • Exclude file paths for scan: Specify comma-separated directory paths (C:\example, C:\example1) that are ignored during an antivirus scan.
  • Excluded processes for scan: Specify comma-separated executable files (C:\Example.exe, C:\Example1.exe). Files that are opened by these processes are ignored during an antivirus scan.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
Policy setting: Advanced settings
Description:
  • Enable real-time protection: Real-time protection is configured on the device.
  • Enforce behavior monitoring: Enforces behavior monitoring on the device. Behavior monitoring is an internal feature that the Windows Defender engine uses to collect data about suspicious behaviors. Users are not shown any information directly.
  • Enforce cloud protection: Allows Windows Defender to send information to Microsoft.
  • Cloud block level: Specify how aggressively the Windows Defender antivirus engine acts when it detects and identifies suspicious files. The following blocking levels are supported:
    • Default: The default Windows Defender blocking level, which provides strong detection without increasing the risk of detecting legitimate files.
    • High: Aggressively blocks unknown files while optimizing client performance (increases the risk of false positives).
    • High +: Aggressively blocks unknown files and applies additional protection measures (might impact client performance and increase the risk of false positives).
    • Zero tolerance: Blocks all unknown executables.
    Note: This option is supported on Windows 10 version 1709 and later.
  • Cloud extended timeout: Specifies the number of seconds that the Cloud Protection Service blocks a file while it checks whether the file is known to be malicious. The range is 0 - 50 seconds. Note: The number of seconds that you select is added to a default timeout of 10 seconds. For example, if you enter 0 seconds, the Cloud Protection Service blocks the file for 10 seconds.
    Note: This option is supported on Windows 10 version 1709 and later.
  • Prompt for user consent before submitting Defender information: Choose whether users are prompted for consent before information is submitted to Windows Defender:
    • Always prompt
    • Send safe samples automatically without prompting for user consent
    • Never send Defender information
    • Send all samples automatically without prompting for user consent
  • Enforce IOAV protection: Enables the IOfficeAntiVirus API so that applications such as email clients or web browsers can ask Windows Defender to scan content when those programs handle a file.
  • Allow intrusion prevention: Allows the Windows Defender intrusion prevention functionality. Enable this option to protect computers against known network exploits by inspecting network traffic and blocking any suspicious activity.
  • Allow access to Defender UI: Allows access to the Windows Defender user interface.
  • Allow on access protection: Allows the Windows Defender access protection functionality. Enable this option to use URL authorization rules and built-in request filtering to protect web servers from malicious requests and unauthorized access.
  • Average CPU load factor: Specify the CPU load factor for Windows Defender scans (as a percentage). The default value is 50%. This option applies to scheduled scans only, not to real-time scans or user-initiated scans.
  • Allow script scanning: Allows the Windows Defender script scanning functionality. Enable this option to scan scripts that run on computers for suspicious activity.
  • Enable controlled folder access: Enable this option to protect documents and files from being modified by suspicious or malicious apps. This option helps protect documents and files from ransomware that attempts to encrypt files and hold them hostage.
  • Applications allowed for controlled access to folders: Specify the apps that can access documents and files in the protected folders. These apps are included on a list of trusted software. If an app is not on the list, controlled folder access blocks the app from making changes to files in the protected folders.
  • Protected folders for controlled folder access: Specify the folders that are protected from malicious apps or threats, such as ransomware. This feature checks against a list of known, trusted apps.
  • Potentially unwanted application protection: Potentially unwanted applications (PUA) are a threat classification based on reputation and research-driven identification. These apps are unwanted app bundles or their bundled apps. If you enable this option, PUA are blocked from downloading and installing on devices. You can exclude specific files or folders to meet the needs of your organization.
  • Enable network protection: Allows you to prevent users and apps from accessing malicious websites. Set one of the following values:
    • Enabled: Protects employees from phishing scams, exploit-hosting sites, and malicious content on the internet.
    • Disabled: Allows connections to all websites without any protection.
    • Audit: Does not prevent users and apps from connecting to malicious sites, but does track their activities on those sites.
Important: Do not change the default values for the following parameters in this policy:
  • Enable real-time protection
  • Enforce behavior monitoring
  • Enforce IOAV protection
  • Allow intrusion prevention
  • Allow access to Defender UI
  • Allow on access protection
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
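The following is an added example, not part of the original policy documentation or the product: it reads the effective Defender preferences on a managed device and reports drift from the Advanced settings that the policy says must keep their defaults, and flags scan exclusions (from the Excluded file types row) that are broad enough to hide an infection. It assumes the built-in Defender PowerShell module (Get-MpPreference) is available; the risky-pattern lists are this example's own judgement, not the policy's.

```powershell
# Added example (not part of the original policy documentation). Assumes the
# built-in Defender module (Get-MpPreference) on a Windows 10+ device.
function Test-DefenderAdvancedDefaults {
    param([Parameter(Mandatory)] $Preference)
    # Property name, expected value, and the policy setting it corresponds to.
    # Disable* properties read $false when the policy option is enabled.
    # "Allow on access protection" has no Get-MpPreference counterpart, so it
    # is not checked here.
    $checks = @(
        @{ Setting = 'Enable real-time protection'; Property = 'DisableRealtimeMonitoring';        Expected = $false },
        @{ Setting = 'Enforce behavior monitoring'; Property = 'DisableBehaviorMonitoring';        Expected = $false },
        @{ Setting = 'Enforce IOAV protection';     Property = 'DisableIOAVProtection';            Expected = $false },
        @{ Setting = 'Allow intrusion prevention';  Property = 'DisableIntrusionPreventionSystem'; Expected = $false },
        @{ Setting = 'Allow access to Defender UI'; Property = 'UILockdown';                       Expected = $false }
    )
    foreach ($c in $checks) {
        $actual = $Preference.($c.Property)
        [pscustomobject]@{
            Setting  = $c.Setting
            Expected = $c.Expected
            Actual   = $actual
            Drift    = ($actual -ne $c.Expected)
        }
    }
}

function Find-BroadScanExclusions {
    param([Parameter(Mandatory)] $Preference)
    # Patterns this example treats as too broad: drive roots, user-writable or
    # temp locations, wildcards, and executable or script extensions.
    $riskyPath = '^[A-Za-z]:\\?$|\\Users\\|\\Temp\\|\\AppData\\|\*'
    $riskyExt  = '^(exe|dll|scr|ps1|vbs|js|bat|cmd)$'
    foreach ($p in @($Preference.ExclusionPath)) {
        if ($p -and $p -match $riskyPath) {
            [pscustomobject]@{ Kind = 'Path'; Value = $p; Reason = 'broad or user-writable location' }
        }
    }
    foreach ($e in @($Preference.ExclusionExtension)) {
        if ($e -and ($e.TrimStart('.') -match $riskyExt)) {
            [pscustomobject]@{ Kind = 'Extension'; Value = $e; Reason = 'executable or script type' }
        }
    }
    foreach ($proc in @($Preference.ExclusionProcess)) {
        # Every file an excluded process opens is left unscanned, so each
        # entry deserves an explicit review.
        if ($proc) {
            [pscustomobject]@{ Kind = 'Process'; Value = $proc; Reason = 'all files it opens are unscanned' }
        }
    }
}

$pref = Get-MpPreference
Test-DefenderAdvancedDefaults -Preference $pref | Format-Table -AutoSize
Find-BroadScanExclusions      -Preference $pref | Format-Table -AutoSize
```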
Threat management settings
Policy setting: Enforcement action for threat severity
Description: Configure the actions that are enforced based on threat severity. The defined severities are high, low, moderate, and severe. Choose from enforcement actions such as clean, quarantine, remove, allow, user defined, and block.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
Policy setting: Days to retain cleaned malware
Description: Specify the time period (in days) that quarantined items are stored on the system. The maximum supported value is 90 days.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
Attack surface reduction rules
Policy setting: Attack surface reduction rules
Description: Attack surface reduction rules target behaviors that malware and malicious apps use to infect computers with malicious code, including:
  • Executable files and scripts used in Office apps or email programs that attempt to download or run files
  • Obfuscated or other suspicious scripts
  • Behaviors that apps would not normally initiate during normal business hours
Note: This option is supported on Windows 10 version 1709 and 1803 or later.
Set one of the following values for these rules:
  • Not configured: Disable the attack surface reduction rule.
  • Block: Enable the attack surface reduction rule.
  • Audit: Evaluate how the attack surface reduction rule would impact your organization if the rule was enabled. Run all rules in audit mode first to understand how these rules impact your line-of-business apps. Many line-of-business apps might perform tasks that are similar to malware. By monitoring audit data and adding exclusions for necessary apps, you can deploy attack surface reduction rules without impacting productivity.
Rules
  • Adobe Reader can create child processes: This rule prevents malware attacks by blocking Adobe Reader from creating additional processes.

    This rule was introduced in Windows 10 version 1809.

  • Office apps can launch child processes: This rule blocks Office apps (Word, Excel, PowerPoint, OneNote, Access) from creating child processes.

    This type of malware behavior uses VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business apps might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.

    This rule was introduced in Windows 10 version 1709.

  • Flag credential stealing from the Windows local security authority subsystem: Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. This rule locks down LSASS to prevent malicious attempts to extract user credentials from LSASS. Microsoft Defender Credential Guard in Windows 10+ prevents these attempts, but organizations might not be able to enable Credential Guard on all computers due to compatibility issues with custom smart card drivers or other programs that load into the Local Security Authority (LSA).
    Note: In some apps, the code enumerates all running processes and attempts to open these processes with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate an excessive amount of log entries. If you have an app that overly enumerates LSASS, you must add the app to the exclusion list. This event log entry does not necessarily indicate a malicious threat.

    This rule was introduced in Windows 10 version 1803.

  • Executable content (exe, dll, ps, js, vbs, etc.) from email (webmail/mail client) can run (without exceptions): This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other email providers:
    • Executable files (.exe, .dll, or .scr)
    • Script files (PowerShell .ps, VisualBasic .vbs, or JavaScript .js)

    This rule was introduced in Windows 10 version 1709.

  • Executables that don't meet prevalence, age or trusted list criteria can run: This rule blocks executable files (.exe, .dll, or .scr) from launching unless the files meet prevalence or age criteria, or the file types are listed in a trusted list or exclusion list.
    Note: You must enable cloud-delivered protection to use this rule.
    Important: The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and cannot be modified by administrators. This rule uses cloud-delivered protection to update its trusted list regularly.

    You can specify individual files or folders (using folder paths or fully qualified resource names), but you cannot specify which rules or exclusions apply to those individual files or folders.

    This rule was introduced in Windows 10 version 1803.

  • Potentially obfuscated js/vbs/ps/macro code can run: This rule detects suspicious properties within an obfuscated script.

    This rule was introduced in Windows 10 version 1709.

  • Javascript/vbs can execute payload downloaded from Internet (without exceptions): This rule prevents scripts from launching downloaded content that might contain malware and infect machines. Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
    Note: File and folder exclusions do not apply to this attack surface reduction rule.

    This rule was introduced in Windows 10 version 1709.

  • Office apps & macros can create executable content: This rule prevents Office apps (Word, Excel, PowerPoint) from creating executable content.

    This rule targets a behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.

    This rule was introduced in Windows 10 version 1709.

  • Office apps can inject code into other processes (without exceptions): This rule blocks code injection attempts from Office apps (Word, Excel, PowerPoint) into other processes.

    This rule was introduced in Windows 10 version 1709.

  • Office communication products can create child processes: This rule prevents Outlook (and Outlook.com) from creating child processes. This rule protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. This rule prevents the launch of additional payload while still allowing legitimate Outlook functions. This rule also protects against Outlook rules and exploits that attackers can use when a user's credentials are compromised.

    This rule was introduced in Windows 10 version 1809.

  • Persistence through WMI event subscription: This rule allows administrators to prevent threats that abuse Windows Management Instrumentation (WMI) to persist and stay hidden in the WMI repository. For more information about WMI, see https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page.

    This rule was introduced in Windows 10 version 1903.

  • Process creations originating from PSExec and WMI commands: This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. For more information about PsExec, see https://docs.microsoft.com/en-us/sysinternals/downloads/psexec. For more information about WMI, see https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page.
    Note: File and folder exclusions do not apply to this attack surface reduction rule.

    This rule was introduced in Windows 10 version 1803.

  • Untrusted and unsigned processes can run from USB: This rule allows administrators to prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. The following file types are blocked:
    • Executable files (.exe, .dll, or .scr)
    • Script files (PowerShell .ps, VisualBasic .vbs, or JavaScript .js)

    This rule was introduced in Windows 10 version 1803.

  • Office macros can call & import win32 APIs: This rule allows administrators to prevent the use of Win32 APIs in VBA macros, which reduces the attack surface.

    This rule was introduced in Windows 10 version 1709.

  • Advanced ransomware protection: This rule provides an extra layer of protection against ransomware. This rule scans executable files entering the system to determine whether the file can be trusted. If the files closely resemble ransomware, this rule blocks the files from running, unless the files are listed in a trusted list or exclusion list.
    Note: You must enable cloud-delivered protection to use this rule.

    This rule was introduced in Windows 10 version 1803.

Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
Policy setting: Attack surface reduction exclusions
Description: Specify a comma-separated list of the files and folders that you want to exclude from evaluation by the attack surface reduction rules.

The file and folder exclusions do not apply to the following attack surface reduction rules:

  • Process creations originating from PSExec and WMI commands
  • Javascript/vbs can execute payload downloaded from Internet (without exceptions)
Note: You can specify individual files or folders (using folder paths or fully qualified path names), but you cannot specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
Warning: If an attack surface reduction rule determines that a file or folder contains malicious behavior, the rule will not block the file from running. This might allow unsafe files to run and infect your devices.
Supported devices:
  • Windows 10+ Professional, Education, Enterprise
  • Windows Team
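The audit-then-block rollout that the Attack surface reduction rules row recommends, together with the exclusion behavior described in the exclusions row, as an added example that is not part of the original policy documentation or the product: it puts one rule into audit mode, summarizes the audit events so line-of-business apps can be identified, then adds an exclusion and enforces the rule. It assumes the built-in Defender module in an elevated PowerShell session; the parsing of the event message text is an assumption about the 1122 event format, and the excluded application path is a placeholder.

```powershell
# Added example (not from the original policy documentation). Assumes the
# built-in Defender module and an elevated session on a Windows 10+ device.
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # the rule GUID the page names
# The rule's trusted list is maintained by Microsoft through cloud-delivered
# protection (which must be enabled); its mode is the administrator's choice.

# Step 1: audit first. AuditMode records what the rule would have blocked
# (event 1122) without blocking anything.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

function Get-AsrAuditSummary {
    # Groups audit events for one rule by process and file path so that each
    # distinct app that triggered the rule is reviewed once.
    param([Parameter(Mandatory)][string]$RuleId, [int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122                      # 1122 = audited; 1121 = blocked
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            # Assumption: the message body carries "ID:", "Path:" and
            # "Process Name:" lines, one per line.
            if ($msg -match 'ID:\s*(?<id>[0-9a-fA-F-]{36})' -and $Matches.id -eq $RuleId) {
                $path = if ($msg -match '(?m)^\s*Path:\s*(?<v>.+?)\s*$') { $Matches.v } else { '(unknown)' }
                $proc = if ($msg -match '(?m)^\s*Process Name:\s*(?<v>.+?)\s*$') { $Matches.v } else { '(unknown)' }
                [pscustomobject]@{ Process = $proc; Path = $path }
            }
        } |
        Group-Object Process, Path |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Process, Path'; Expression = { $_.Name } }
}

# Step 2: review the summary and decide which apps are legitimate.
Get-AsrAuditSummary -RuleId $RuleId | Format-Table -AutoSize

# Step 3: exclude an approved app (placeholder path), then enforce the rule.
# Exclusions are path-based, apply to every rule that honors them (not to the
# two rules the page lists), and take effect only when the app is next started.
$ApprovedApp = 'C:\Program Files\ExampleLOB\lobapp.exe'   # placeholder, not a real product
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ApprovedApp
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Enabled
```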