Team: Huntress EDR
Product: Managed AV, MAV, Managed Antivirus
Environment: Managed AV management portal, Windows Defender
Summary: This article lists all of the Huntress recommended defaults in the Managed AV Dashboard.
- Managed Microsoft Defender Antivirus Overview
- Managed AV - FAQ/Known issues
- Managed AV - Interface & Basic Settings
- Managed AV - Exclusions
Huntress Recommended Defaults is a feature created to streamline the configuration of best-practice Defender policies by automatically applying default settings recommended by Huntress. This article details the Huntress Recommended default settings. You can navigate to the related Microsoft documentation by clicking the hyperlinked setting.
About Huntress Recommended Defaults
These recommended settings can be easily applied by inheriting them at the Account level. You can also customize these settings by simply overriding at the Account, Organization, or Host levels. For more information on inheritance, please see this.
In the current version of the Managed AV configuration policy, all settings default to Use System Default at the Account level, which adopts the existing Microsoft Defender default that applies to each endpoint. This feature replaces these defaults and actively sets a Huntress Recommended Default for each setting, based on best-practice AV configuration, at the Account level. If an override (or a change from Use System Default) is already configured at the Account, Organization, or Host level, this override will be preserved.
For partners who are in Audit Mode, this will only update the configuration policy for Managed AV but will not modify any agents.
For partners who are in Enforce Mode, Huntress Recommended Defaults will take the place of "Use System Default" at the Account level. See the table below to understand what settings may change. You can always override any Huntress Recommended Settings at the Account level if desired for your Account or organization.
What are the settings?
|Setting Client Interface||
|Hide Defender UI||Disabled||Disabled||Hide the Microsoft Defender configuration interface. This will keep users from attempting to change settings.||Enable Headless UI Mode|
|Suppress all notifications||Disabled||Disabled||Suppress Microsoft Defender notifications. This will hide Microsoft Defender alerts and notifications from users.||Suppress all notifications|
|Cloud Delivered Protection||enabled||enabled||Allows Defender to download security intelligence as soon as it is available, and allows for automatic submission of suspicious files to Microsoft MAPS.||Cloud Delivered Protection|
|Automatic Sample Submissions||enabled||enabled||Submits suspicious files automatically to Microsoft MAPS. This setting only applies if Cloud-Delivered Protection is set to Enabled.||Auto Sample Submissions|
|Path Exclusions||No action||No action||Defender will not scan any files within the directories specified by these paths or any sub-directories.|
|Extension Exclusions||No action||No action||Defender will not scan any files with these extensions.|
|Process Exclusions||No action||No action||Defender will ignore these processes and will not trigger behavioral detections.|
|SmartScreen||disabled||disabled||Scans apps and downloaded files for suspicious activity. It can also warn users when they attempt to interact with a non-Microsoft Store app.||SmartScreen|
|PUA Blocking||audit||audit||Scans for Potentially Unwanted Apps (PUA) and can be set up to block unwanted software.||PUP - Potentially Unwanted Program blocking|
Catch-up scans for quick scans. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer.
|Turn on catch-up quick scan|
|Scan Time||2 am local time||2 am local time||The base start time for a daily quick scan.||Specify the time for a daily quick scan|
|Scan removable drives*||Enabled||Enabled||Scans removable drives. This is recommended per Defender guidelines and set to "Enabled" by Huntress Managed Antivirus.||Scan removable drives|
|Scan archive files*||Enabled||Enabled||Scan for malicious and unwanted programs in archive files such as .zip or .cab files. This policy is always "Enabled" for Huntress Managed Antivirus.||Scan archive files|
|Scan packed executables*||Enabled||Enabled||Scan packed executable files for malicious and unwanted programs. This policy is always "Enabled" for Huntress Managed Antivirus.||Scan packed executables|
|Scan network files*||Disabled||Disabled||Scans network files. This is currently not recommended per Defender guidelines and set to "Disabled" by Huntress Managed Antivirus.||Scan network files|
|Signature Update Interval||15 mins before scheduled scan||Every 6 hours||The interval for how often to check for security intelligence updates.|
|Signature Catch-up Interval*||Every Day||Every Day||The number of days after which a catch-up security intelligence update is required. This policy is always "Every day" for Huntress Managed Antivirus.|
|Update Signatures on Startup*||Enabled||Enabled||Check for the latest security intelligence on service startup. This policy is always "Enabled" for Huntress Managed Antivirus.||Configured in Group Policy|
|Update Signatures from Microsoft Update*||Enabled||Enabled||Download latest security intelligence from Microsoft Update. This policy is always "Enabled" for Huntress Managed Antivirus.|
|Purge Quarantine After Delay*||90 Days||Never||The number of days after which items are removed from the Quarantine folder. This policy is always "Never" for Huntress Managed Antivirus.|
|NIS Definition Retirement*||Enabled||Enabled||After checking if the host has the necessary updates for network protection against an exploit, retire the exploit definition if no longer necessary. This policy is always "Enabled" for Huntress Managed Antivirus.|
|NIS Protocol Recognition*||Enabled||Enabled||Protocol recognition of known vulnerabilities for network protection. This policy is always "Enabled" for Huntress Managed Antivirus.|
* These settings are enforced and cannot be changed from the Huntress default configuration to maintain best-practice configuration and compliance. Please send any feedback here.
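To confirm on an endpoint that the values in the table actually took effect, the following added example (not Huntress tooling and not part of the original article) compares the local Defender preferences with the right-hand value column of the table. The mapping from the table's setting names to `Get-MpPreference` properties, and the numeric encodings noted in the comments, are assumptions of this example; settings without an obvious property are left out.

```powershell
# Added example: audit local Microsoft Defender preferences against the table above.
# Property names and encodings are this example's assumptions, not from the article:
#   PUAProtection:        0 = disabled, 1 = enabled (block), 2 = audit
#   MAPSReporting:        0 = disabled, 1 = basic, 2 = advanced
#   SubmitSamplesConsent: 0 = always prompt, 1 = safe samples, 2 = never, 3 = all samples
#   QuarantinePurgeItemsAfterDelay: days, 0 = never purge
$expected = @(
    @{ Setting = 'Hide Defender UI = Disabled';            Property = 'UILockdown';                     Allowed = @($false) }
    @{ Setting = 'Cloud Delivered Protection = enabled';   Property = 'MAPSReporting';                  Allowed = @(1, 2) }
    @{ Setting = 'Automatic Sample Submissions = enabled'; Property = 'SubmitSamplesConsent';           Allowed = @(1, 3) }
    @{ Setting = 'PUA Blocking = audit';                   Property = 'PUAProtection';                  Allowed = @(2) }
    @{ Setting = 'Scan removable drives = Enabled';        Property = 'DisableRemovableDriveScanning';  Allowed = @($false) }
    @{ Setting = 'Scan archive files = Enabled';           Property = 'DisableArchiveScanning';         Allowed = @($false) }
    @{ Setting = 'Scan network files = Disabled';          Property = 'DisableScanningNetworkFiles';    Allowed = @($true) }
    @{ Setting = 'Signature Update Interval = 6 hours';    Property = 'SignatureUpdateInterval';        Allowed = @(6) }
    @{ Setting = 'Signature Catch-up Interval = 1 day';    Property = 'SignatureUpdateCatchupInterval'; Allowed = @(1) }
    @{ Setting = 'Purge Quarantine After Delay = Never';   Property = 'QuarantinePurgeItemsAfterDelay'; Allowed = @(0) }
)

# Read the effective preferences once from the local Defender instance.
$prefs = Get-MpPreference

$report = foreach ($check in $expected) {
    $actual = $prefs.($check.Property)
    [pscustomobject]@{
        Setting  = $check.Setting
        Property = $check.Property
        Actual   = $actual
        # A property missing on this Defender version yields $null and is reported as a mismatch.
        Matches  = $check.Allowed -contains $actual
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets an RMM or scheduled task flag hosts that drifted.
$mismatches = @($report | Where-Object { -not $_.Matches })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) setting(s) differ from the table."
    exit 1
}
```

Mismatches are expected on hosts in Audit Mode, where the policy is updated but agents are not modified, and on hosts with an override configured at the Account, Organization, or Host level.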