Disable sample submission and MAPS Reporting from Windows Defender #98705

merged 1 commit into from Feb 5, 2021
16 changes: 16 additions & 0 deletions cluster/gce/windows/k8s-node-setup.psm1
@@ -161,6 +161,20 @@ function Dump-DebugInfoToConsole {
} Catch { }
}

# Configures Window Defender preferences
function Configure-WindowsDefender {
if ((Get-WindowsFeature -Name 'Windows-Defender').Installed) {
Log-Output "Configuring Windows Defender preferences"
Set-MpPreference -SubmitSamplesConsent NeverSend
Log-Output "Disabling Windows Defender sample submission"
Set-MpPreference -MAPSReporting Disabled
Log-Output "Disabling Windows Defender Microsoft Active Protection Service Reporting"

Log-Output "Defender Preferences"
Get-MpPreference
}
Contributor

Another thought: to ensure these changes take effect, it might be a good idea to restart the Windows Defender service.

Here's what I see when examining the Windows services:

PS C:\Windows\system32> get-service | Where-Object 'DisplayName' -like "*efender*"

Status   Name               DisplayName
------   ----               -----------
Running  mpssvc             Windows Defender Firewall
Stopped  Sense              Windows Defender Advanced Threat Pr...
Running  WdNisSvc           Windows Defender Antivirus Network ...
Running  WinDefend          Windows Defender Antivirus Service

WinDefend looks like the relevant service. Can you try adding this command here too?

Restart-Service WinDefend

Contributor

Looked into this a bit. If you go to services.msc, the WinDefend service has all the service control options grayed out. This is probably intentional due to the criticality of the service itself. Instead, I'd recommend just dumping out the Windows Defender prefs via Get-MpPreference.

Also, given that the command does not reveal itself, I'd recommend adding a Log-Output command so folks can search for it.

 Get-MpPreference


AllowNetworkProtectionOnWinServer             : False
AttackSurfaceReductionOnlyExclusions          : 
AttackSurfaceReductionRules_Actions           : 
AttackSurfaceReductionRules_Ids               : 
CheckForSignaturesBeforeRunningScan           : False
CloudBlockLevel                               : 0
CloudExtendedTimeout                          : 0
ComputerID                                    : REDACTED
ControlledFolderAccessAllowedApplications     : 
ControlledFolderAccessProtectedFolders        : 
DisableArchiveScanning                        : False
DisableAutoExclusions                         : False
DisableBehaviorMonitoring                     : False
DisableBlockAtFirstSeen                       : False
DisableCatchupFullScan                        : True
DisableCatchupQuickScan                       : True
DisableCpuThrottleOnIdleScans                 : True
DisableDatagramProcessing                     : False
DisableEmailScanning                          : True
DisableIntrusionPreventionSystem              : 
DisableIOAVProtection                         : False
DisablePrivacyMode                            : False
DisableRealtimeMonitoring                     : False
DisableRemovableDriveScanning                 : True
DisableRestorePoint                           : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles                   : False
DisableScriptScanning                         : False
EnableControlledFolderAccess                  : 0
EnableFileHashComputation                     : False
EnableFullScanOnBatteryPower                  : False
EnableLowCpuPriority                          : False
EnableNetworkProtection                       : 0
ExclusionExtension                            : 
ExclusionIpAddress                            : 
ExclusionPath                                 : 
ExclusionProcess                              : 
ForceUseProxyOnly                             : False
HighThreatDefaultAction                       : 0
LowThreatDefaultAction                        : 0
MAPSReporting                                 : 2
MeteredConnectionUpdates                      : False
ModerateThreatDefaultAction                   : 0
ProxyBypass                                   : 
ProxyPacUrl                                   : 
ProxyServer                                   : 
PUAProtection                                 : 0
QuarantinePurgeItemsAfterDelay                : 90
RandomizeScheduleTaskTimes                    : True
RealTimeScanDirection                         : 0
RemediationScheduleDay                        : 0
RemediationScheduleTime                       : 02:00:00
ReportingAdditionalActionTimeOut              : 10080
ReportingCriticalFailureTimeOut               : 10080
ReportingNonCriticalTimeOut                   : 1440
ScanAvgCPULoadFactor                          : 50
ScanOnlyIfIdleEnabled                         : True
ScanParameters                                : 1
ScanPurgeItemsAfterDelay                      : 15
ScanScheduleDay                               : 0
ScanScheduleQuickScanTime                     : 00:00:00
ScanScheduleTime                              : 02:00:00
SevereThreatDefaultAction                     : 0
SharedSignaturesPath                          : 
SignatureAuGracePeriod                        : 0
SignatureBlobFileSharesSources                : 
SignatureBlobUpdateInterval                   : 60
SignatureDefinitionUpdateFileSharesSources    : 
SignatureDisableUpdateOnStartupWithoutEngine  : False
SignatureFallbackOrder                        : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod                   : 120
SignatureScheduleDay                          : 8
SignatureScheduleTime                         : 01:45:00
SignatureUpdateCatchupInterval                : 1
SignatureUpdateInterval                       : 0
SubmitSamplesConsent                          : 1
ThreatIDDefaultAction_Actions                 : 
ThreatIDDefaultAction_Ids                     : 
UILockdown                                    : False
UnknownThreatDefaultAction                    : 0
PSComputerName                                :  
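One way to make the check the two reviewers discuss searchable in the node setup log, as an added example that is not code from the PR or from the kubernetes project: it reads the two preferences back after Set-MpPreference, logs them through the module's existing Log-Output function (assumed to be in scope), and returns whether they match the values the PR sets. The integer-to-name maps assume the enum encodings Get-MpPreference reports (MAPSReporting 0 Disabled, 1 Basic, 2 Advanced; SubmitSamplesConsent 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples), which agree with the 2 and 1 shown in the dump above for a node that has not yet been configured.

```powershell
# Added example, not part of the PR: verify that the Defender preferences set by
# Configure-WindowsDefender actually took effect and record the result through
# Log-Output so it can be grepped out of the setup log. Log-Output is the
# module's own logging function and is assumed to be available here.
function Test-WindowsDefenderPreferences {
  # Get-MpPreference reports these two settings as integers; map them to the
  # names Set-MpPreference accepts so the log line is readable.
  $mapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
  $consentNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples';
                     2 = 'NeverSend';    3 = 'SendAllSamples' }

  Try {
    # -ErrorAction Stop turns a non-terminating error (e.g. Defender service
    # not running) into an exception we can log instead of silently skipping.
    $prefs = Get-MpPreference -ErrorAction Stop
  } Catch {
    Log-Output "Get-MpPreference failed: $($_.Exception.Message)"
    return $false
  }

  $maps = [int]$prefs.MAPSReporting
  $consent = [int]$prefs.SubmitSamplesConsent
  Log-Output ("Defender MAPSReporting={0} ({1}) SubmitSamplesConsent={2} ({3})" -f `
    $maps, $mapsNames[$maps], $consent, $consentNames[$consent])

  # The PR sets MAPSReporting to Disabled (0) and SubmitSamplesConsent to
  # NeverSend (2); anything else means the Set-MpPreference calls did not stick.
  $ok = ($maps -eq 0) -and ($consent -eq 2)
  if (-not $ok) {
    Log-Output "WARNING: Windows Defender telemetry preferences did not apply as expected"
  }
  return $ok
}
```

Calling `Test-WindowsDefenderPreferences` at the end of Configure-WindowsDefender gives a single log line to search for, without depending on a service restart that the service control settings do not permit.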

}

# Converts the kube-env string in Yaml
#
# Returns: a PowerShell Hashtable object containing the key-value pairs from
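Review bot: Configure-WindowsDefender has no error handling around the two Set-MpPreference calls, unlike the `} Catch { }` pattern visible in the neighbouring Dump-DebugInfoToConsole; Set-MpPreference errors when the Defender service is not running, and with the default error action that would surface mid-way through Set-PrerequisiteOptions with no log line saying which step was attempted, because each "Disabling ..." Log-Output is written after its Set-MpPreference call rather than before it. Suggest logging before acting and wrapping the body in `Try { ... } Catch { Log-Output "Failed to configure Windows Defender: $_" }`. The function comment should also say that `-MAPSReporting Disabled` turns off cloud-delivered protection as a whole, so block-at-first-seen no longer applies on these nodes; that trade-off is worth recording next to the setting. Minor: the comment reads "Configures Window Defender".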
@@ -307,6 +321,8 @@ function Set-PrerequisiteOptions {
# Use TLS 1.2: needed for Invoke-WebRequest downloads from github.com.
[Net.ServicePointManager]::SecurityProtocol = `
[Net.SecurityProtocolType]::Tls12

Configure-WindowsDefender
}

# Creates directories where other functions in this module will read and write
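Review bot: Configure-WindowsDefender is silent when the Windows-Defender feature is not installed (its If has no Else), so a setup log from this call gives no way to tell whether the preferences were applied or skipped. An Else branch with `Log-Output "Windows Defender feature not installed, skipping preference configuration"` would make the outcome explicit at this call site.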