Skip to content

Commit 66f2386

Browse files
simonjaegersimonjaeger
committed
Add 2411 CSVs
1 parent 54d8b3c commit 66f2386

2 files changed

Lines changed: 380 additions & 0 deletions

File tree

security/Defender_Antivirus-2411.csv

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
"Name","ExtraId","Control Name","Registry Key","Registry Value","CSP Name","CSP Path(s)","Data Type","Default Value: Domain Controller","Default Value: Member Server","Default Value: Workgroup Member","Allowed Value","Severity","Availability","Category"
2+
"AllowDatagramProcessingOnWinServer",,"This setting controls datagram processing for Network Protection is enabled on Server","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS","AllowDatagramProcessingOnWinServer",,,"Number",,,,"Range(0, 2)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
3+
"AllowNetworkProtectionOnWinServer",,"This setting controls whether Network Protection is allows to be configured into block or Audit mode on Windows Server","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection","AllowNetworkProtectionOnWinServer",,,"Number",,,,"Range(0, 2)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
4+
"ASRBlockAbuseOfExploitedVulnerableSignedDrivers",,"Block abuse of exploited vulnerable signed drivers","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","56a863a9-875e-4185-98a7-b882c64b5ce5",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
5+
"ASRBlockAdobeReaderFromCreatingChildProcesses",,"Block Adobe Reader from creating child processes","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c",,,"Number",,,,"Range(0, 2)","Informational","Domain Controller, Member Server, Workgroup Member","Registry"
6+
"ASRBlockEXEFromEmailClientAndWebmail",,"Block executable content from email client and webmail","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","be9ba2d9-53ea-4cdc-84e5-9b1eeee46550",,,"Number",,,,"Range(0, 2)","Informational","Domain Controller, Member Server, Workgroup Member","Registry"
7+
"ASRBlockEXEFromRunningUnlessTrusted",,"Block executable files from running unless they meet a prevalence, age, or trusted list criterion","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","01443614-cd74-433a-b99e-2ecdc07bfc25",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
8+
"ASRBlockJSVBSLaunchingDownloadedContent",,"Block JavaScript or VBScript from launching downloaded executable content","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","d3e037e1-3eb8-44c8-a917-57927947596d",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
9+
"ASRBlockLSASSCredentialStealing",,"Block credential stealing from the Windows local security authority subsystem (lsass.exe)","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
10+
"ASRBlockOfficeApplicationsFromCreatingChildProcesses",,"Block all Office applications from creating child processes","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","d4f940ab-401b-4efc-aadc-ad5f3c50688a",,,"Number",,,,"Range(0, 2)","Informational","Domain Controller, Member Server, Workgroup Member","Registry"
11+
"ASRBlockOfficeCommunicationApplicationFromCreatingChildProcesses",,"Block Office communication application from creating child processes","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","26190899-1602-49e8-8b27-eb1d0a1ce869",,,"Number",,,,"Range(0, 2)","Informational","Domain Controller, Member Server, Workgroup Member","Registry"
12+
"ASRBlockOfficeFromCreatingExecutableContent",,"Block Office applications from creating executable content","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","3b576869-a4ec-4529-8536-b80a7769e899",,,"Number",,,,"Range(0, 2)","Informational","Domain Controller, Member Server, Workgroup Member","Registry"
13+
"ASRBlockOfficeFromInjectingCodeIntoProcesses",,"Block Office applications from injecting code into other processes","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84",,,"Number",,,,"Range(0, 2)","Informational","Domain Controller, Member Server, Workgroup Member","Registry"
14+
"ASRBlockPersistenceThroughWMIEventSubscription",,"Block persistence through WMI event subscription (File and folder exclusions not supported)","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","e6db77e5-3df2-4cf1-b95a-636979351e5b",,,"Number",,,,"Range(0, 2)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
15+
"ASRBlockPotentiallyObfuscatedScripts",,"Block execution of potentially obfuscated scripts","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","5beb7efe-fd9a-4556-801d-275e5ffc04cc",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
16+
"ASRBlockProcessCreationFromPSExecAndWMICommands",,"Block process creations originating from PSExec and WMI commands","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","d1e49aac-8f56-4280-b9ba-993a6d77406c",,,"Number",,,,"Range(0, 2)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
17+
"ASRBlockRebootingMachineInSafeMode",,"Block rebooting machine in Safe Mode (preview)","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","33ddedf1-c6e0-47cb-833e-de6133960387",,,"Number",,,,"Range(0, 2)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
18+
"ASRBlockUntrustedAndUnsignedProcessesRunningFromUSB",,"Block untrusted and unsigned processes that run from USB","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
19+
"ASRBlockUseOfCopiedOrImpersonatedSystemTools",,"Block use of copied or impersonated system tools (preview)","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb",,,"Number",,,,"Range(0, 2)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
20+
"ASRBlockWebshellCreationForServers",,"Block Webshell creation for Servers","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","a8f5898e-1dc8-49a9-9878-85004b8a61e6",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
21+
"ASRBlockWIN32APIFromOfficeMacros",,"Block Win32 API calls from Office macros","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b",,,"Number",,,,"Range(0, 2)","Informational","Domain Controller, Member Server, Workgroup Member","Registry"
22+
"ASRUseAdvancedProtectionAgainstRansomware",,"Use advanced protection against ransomware","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules","c1db55ab-c21a-4637-bb3f-a12568109d35",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
23+
"AttackSurfaceReductionRules","AZ-WIN-202205","Configure Attack Surface Reduction rules","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR","ExploitGuard_ASR_Rules",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
24+
"DisableAntiSpyware",,"Turn off Microsoft Defender AntiVirus","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","DisableAntiSpyware",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
25+
"DisableAutoExclusions",,"Turn off Auto Exclusions","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions","DisableAutoExclusions",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
26+
"DisableBehaviorMonitoring",,"Turn on behavior monitoring","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection","DisableBehaviorMonitoring",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
27+
"DisableBlockAtFirstSeen",,"Configure the 'Block at First Sight' feature","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet","DisableBlockAtFirstSeen",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
28+
"DisableEmailScanning",,"Turn on e-mail scanning","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan","DisableEmailScanning",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
29+
"DisableIOAVProtection",,"Scan all downloaded files and attachments","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection","DisableIOAVProtection",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
30+
"DisableRealtimeMonitoring",,"Turn off real-time protection","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection","DisableRealtimeMonitoring",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
31+
"DisableRemovableDriveScanning",,"Scan removable drives","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan","DisableRemovableDriveScanning",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
32+
"DisableRoutinelyTakingAction",,"Turn off routine remediation","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","DisableRoutinelyTakingAction",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
33+
"DisableScanOnUpdate",,"Turn on scan after security intelligence update","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates","DisableScanOnUpdate",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
34+
"DisableScriptScanning",,"Turn on script scanning","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection","DisableScriptScanning",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
35+
"DisallowExploitProtectionOverride",,"Prevent users from modifying settings","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection","DisallowExploitProtectionOverride",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
36+
"EnableConvertWarnToBlock",,"Convert warn verdict to block","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\NIS","EnableConvertWarnToBlock",,,"Number",,,,"Range(0, 1)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
37+
"EngineRing",,"Select the channel for Microsoft Defender monthly engine updates","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","EngineRing",,,"Number",,,,"OneOf(Equals(2),Equals(3),Equals(4),Equals(5),Equals(6))","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
38+
"HideExclusionsFromLocalAdmins",,"Control whether or not exclusions are visible to Local Admins","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","HideExclusionsFromLocalAdmins",,,"Number",,,,"Range(0, 1)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
39+
"HideExclusionsFromLocalUsers",,"Control whether exclusions are visible to local users","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","HideExclusionsFromLocalUsers",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
40+
"LocalSettingOverrideSpynetReporting",,"Configure local setting override for reporting to Microsoft MAPS","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet","LocalSettingOverrideSpynetReporting",,,"Number",,,,"Range(0, 1)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
41+
"MpCloudBlockLevel",,"Select cloud protection level","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine","MpCloudBlockLevel",,,"Number",,,,"OneOf(Equals(1),Equals(2),Equals(4),Equals(6))","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
42+
"OobeEnableRtpAndSigUpdate",,"Configure real-time protection and Security Intelligence Updates during OOBE","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection","OobeEnableRtpAndSigUpdate",,,"Number",,,,"Range(0, 1)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
43+
"PlatformRing",,"Select the channel for Microsoft Defender monthly platform updates","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","PlatformRing",,,"Number",,,,"OneOf(Equals(2),Equals(3),Equals(4),Equals(5),Equals(6))","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
44+
"PUAProtection",,"Configure detection for potentially unwanted applications","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","PUAProtection",,,"Number",,,,"OneOf(Equals(0),Equals(1),Equals(2))","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
45+
"QuickScanIncludeExclusions",,"Scan excluded files and directories during quick scans","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan","QuickScanIncludeExclusions",,,"Number",,,,"Range(0, 1)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
46+
"SchedulerRandomizationTime",,"Configure scheduled task times randomization window","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","SchedulerRandomizationTime",,,"Number",,,,"Range(0, 23)","Important","Domain Controller, Member Server, Workgroup Member","Registry"
47+
"SignaturesRing",,"Select the channel for Microsoft Defender daily security intelligence updates","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender","SignaturesRing",,,"Number",,,,"OneOf(Equals(4),Equals(5))","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
48+
"SpynetReporting",,"Join Microsoft MAPS","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet","SpynetReporting",,,"Number",,,,"Range(0, 2)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"
49+
"SubmitSamplesConsent",,"Send file samples when further analysis is required","HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet","SubmitSamplesConsent",,,"Number",,,,"Range(0, 3)","Critical","Domain Controller, Member Server, Workgroup Member","Registry"

0 commit comments

Comments
 (0)