Leveraging Microsoft Defender Antivirus with Datto EDR
NAVIGATION Policies
SECURITY Datto EDR subscription with administrator or analyst-level platform access
IMPORTANT Microsoft has announced a bug that impacts antivirus Attack Surface Reduction rules. Before enabling your Windows Defender AV policy, please ensure that the requirements listed in this article are met.
In addition to offering extensive policy customization and ransomware detection options, Datto EDR enables system administrators to quickly implement comprehensive Microsoft Defender Antivirus configurations on endpoints with the click of a toggle. Microsoft Defender integrates seamlessly into your existing Datto EDR suite to provide your organization with an additional layer of security against malware, spyware, and malicious browser activity.
Requirements
- You must have an active Datto EDR subscription.
- Microsoft Defender Antivirus must be installed on all endpoints you wish to monitor.
- The Datto Endpoint Security agent must be installed on all endpoints you wish to monitor, and those devices must be able to communicate with your EDR instance.
-
Your endpoint must be running Windows antivirus version 1.381.2164.0 or higher. If doing so is not possible, you will need to disable the toggle labeled Use advanced Office/Adobe Reader protection in the Attack Surface Reduction section of your Windows Defender AV policy.
Supported operating systems
Microsoft Defender Antivirus management has been tested, and all options are fully supported in the following versions and higher. For previous versions, certain options may not be available. Refer to Microsoft Defender's antivirus documentation for any versions not listed to verify the options available.
|
Operating system name |
Windows 10 Pro | Windows Server 2019 Datacenter |
|
Operating system version |
21H2 | 1809 |
|
Operating system build |
19044.2364 | 17763.3406 |
|
Antimalware client version |
4.18.221.5 | 4.18.2211.5 |
|
Engine version |
1.1.19900.2 | 1.1.19900.2 |
|
Antivirus version |
1.381.2164.0 | 1.381.2164.0 |
|
Antispyware version |
1.381.2164.0 | 1.381.2164.0 |
Microsoft Defender Antivirus features
Manage multiple Microsoft Defender Antivirus built-in configuration options with Datto EDR. You can enable or disable unique interface, protection, scanning, exclusions, and attack surface reduction settings. When integrated with Datto EDR, Microsoft Defender Antivirus provides robust detection of and protection against known and emerging threats.
For more information about how to configure Microsoft Defender policies, refer to Working with the Policies page.
Microsoft Defender Antivirus configuration options
You'll find your Microsoft Defender Antivirus settings on the Policies page. Clicking the name of a Microsoft Defender Antivirus policy opens its Edit Policy page. From this location, the following configuration options are available.
NOTE Some of the options listed below are enabled but not editable.
| Details | |
|---|---|
| Field name | Definition |
|
The type of policy |
|
|
Name |
The name of the policy |
| Description |
The extended description of the policy's purpose, functions, and any other pertinent information |
| Interface | |
|---|---|
| Feature name | Definition |
| Disable user interface |
Limits the user's ability to view Defender UI, notifications, or change any scanning behavior |
| Use a proxy server |
Enables proxy configuration for partners who run updates via a proxy |
| Protection | |
|---|---|
| Feature name | Definition |
| Cloud-based protection |
Leverage Microsoft Defender's cloud platform to evaluate file samples and block content determined to be a threat by the Defender community |
| Behavior-based protection |
Monitor for threats that are detected through machine learning |
| Keep Defender service alive in all circumstances |
Enable the Defender service's keepalive functions |
| Monitor file and program activity |
Monitor new files and file-related activity |
| Network inspection and protocol recognition |
Monitors outbound HTTP(s) traffic and block connections to sites such as Command & Control (C&C) servers, phishing, and other malicious targets |
| Scan scripts used in Microsoft browsers |
Scan for malicious scripts from web pages when using Microsoft browsers |
| Block risky DNS request |
Attempts to identify and block connections to URLs known to be risky or host malware |
| Detection based on heuristics |
Inspects code for suspicious elements |
| Microsoft Outlook protection |
Scan Microsoft Outlook for suspicious emails and attachments |
| Scanning exclusions | |
|---|---|
| Feature name | Definition |
| Process exclusions |
Excludes specific processes, files, folders, and extensions from scanning |
| File / folder exceptions | |
| File extension exclusions | |
| Defender attack surface reduction | |
|---|---|
| Feature name | Definition |
| Use advanced ransomware protection |
Use your Windows-embedded client and cloud heuristics to determine if a file resembles ransomware; can run in conjunction with your Datto EDR ransomware policy |
| Block abuse of exploited / vulnerable signed drivers |
Prevent applications from writing a vulnerable signed driver to disk |
| Block untrusted unsigned process running from USB |
Block untrusted processes from executing that are on a USB drive |
| Block advanced malware attack techniques |
Block potentially obfuscated scripts, possible persistence through WMI, and processes creations from PSExec and WMI |
| Use advanced Office / Adobe Reader protection |
Monitor and block Microsoft Office and Adobe applications that may inject codes, create child processes, or make Win32 API calls; before enabling this toggle, refer to Requirements |
| Protection Level |
Enables you to toggle Windows Defender's response level to Audit or Block mode |
| Attack surface reduction exclusions | |
|---|---|
| Field name | Definition |
| Process exclusions |
Exclude specific processes from analysis in the Attack surface reduction exclusions ruleset |
To learn how to create and manage policies, refer to Adding or editing rules and Named policies.
Resetting Microsoft Defender after use with Datto EDR
If the Datto Endpoint Security agent is disabled for or uninstalled from an endpoint with an active Microsoft Defender policy, EDR will not reset Defender to its defaults. The previously enforced policy will remain. To reset Microsoft Defender, follow the steps described in How to Reset Windows Security or Windows Defender - 4 Proven Ways (external link).
FAQs
Can I use Microsoft Defender alongside my existing antimalware solution?
If you are using a third-party antimalware product on the device, running Microsoft Defender in passive mode and the non-Microsoft program may be possible. Viability depends on the operating system and the third-party product.
Will ransomware detection work with Microsoft Defender Antivirus?
Ransomware detection is designed to work alongside other security products you deploy to your customer endpoints.
How should I format exclusions?
Exclusions must be one per line. Comma-separated formatting is not supported.
Need support?
Kaseya is always available to assist further. Your Kaseya Account Executive can enroll you in basic and intermediate-level platform training. For technical assistance, visit our Kaseya Support article to learn how to get in touch.
