Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Managed Microsoft Defender
Environment: Windows
Summary: This article lists all of the Huntress recommended defaults for Microsoft Defender Antivirus in the Managed Defender dashboard.
About Huntress Recommended Defaults
Huntress Recommended Defaults is a feature created to streamline the configuration of best-practice Defender Antivirus policies by automatically applying default settings recommended by Huntress.
These recommended settings can be easily applied by inheriting them at the Account level. You can also customize these settings by simply overriding at the Account, Organization, or Host levels.
Overview
This feature replaces the endpoint defaults that come natively preconfigured ("Use System Default") when Defender Antivirus is first installed, and actively sets a Huntress Recommended Default for each setting at the Account level, based on best-practice antivirus configuration. If an override of a policy mode is already configured at the Account, Organization, or Host level, that override is preserved.
For partners who are in Audit Mode, Huntress will not modify any endpoints. Huntress will simply record the current settings in place for Defender Antivirus on that endpoint inside of the Huntress platform.
For partners who are in Enforce Mode, Huntress Recommended Defaults will take the place of "Use System Default" at the Account level. See the table below to understand what settings may change. You can always override any Huntress Recommended Settings at the Account level if desired for your Account or organization.
What are the settings?
| Setting | Defender Default | Huntress Default | Huntress Explanation | Microsoft Article |
|---|---|---|---|---|
| Client Interface | | | | |
| Hide Defender UI | Disabled | Disabled | Hide the Microsoft Defender configuration interface. This will keep users from attempting to change settings. | Enable Headless UI Mode |
| Suppress all notifications | Disabled | Disabled | Suppress Microsoft Defender notifications. This will mute Microsoft Defender alerts and notifications from users. | Suppress all notifications |
| Protection (0.13.52+) | | | | |
| Cloud Delivered Protection | enabled | enabled | Allows Defender to download security intelligence updates as soon as they're available, and allows for automatic submission of suspicious files to Microsoft MAPS. | Cloud Delivered Protection |
| Automatic Sample Submissions | enabled | enabled | Submits suspicious files automatically to Microsoft MAPS. This setting only applies if Cloud-Delivered Protection is set to Enabled. | Auto Sample Submissions |
| Exclusions | | | | |
| Path Exclusions | No action | No action | Defender will not scan any files within the directories specified by these paths or any sub-directories. | Path Exclusions |
| Extension Exclusions | No action | No action | Defender will not scan any files with these extensions. | Extension Exclusions |
| Process Exclusions | No action | No action | Defender will ignore these processes and will not trigger behavioral detections. | Process Exclusions |
| Reputation (0.13.52+) | | | | |
| SmartScreen | disabled | disabled | Scans apps and downloaded files for suspicious activity. It can also warn users if they're attempting to interact with a non-Microsoft Store app. | SmartScreen |
| PUA Blocking | audit | audit | Scans for Potentially Unwanted Apps (PUA) and can be set up to block unwanted software. | PUP - Potentially Unwanted Program blocking |
| Scanning | | | | |
| Catch-up scans | Disabled | Enabled | Catch-up scans for quick scans. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. | Turn on catch-up quick scan |
| Scan Time | 2 am local time | 2 am local time | The base start time for a daily quick scan. | Specify the time for a daily quick scan |
| Scan removable drives* | Enabled | Enabled | Scans removable drives. This is recommended per Defender guidelines and set to "Enabled" by Huntress Managed Antivirus. | Scan removable drives |
| Scan archive files* | Enabled | Enabled | Scan for malicious and unwanted programs in archive files such as .zip or .cab files. This policy is always "Enabled" for Huntress Managed Antivirus. | Scan archive files |
| Scan packed executables* | Enabled | Enabled | Scan packed executable files for malicious and unwanted programs. This policy is always "Enabled" for Huntress Managed Antivirus. | Scan packed executables |
| Scan network files* | Disabled | Disabled | Scans network files. This is currently not recommended per Defender guidelines and set to "Disabled" by Huntress Managed Antivirus. | Scan network files |
| Signatures | | | | |
| Signature Update Interval | 15 minutes before scheduled scan | Every 6 hours | The interval for how often to check for security intelligence updates. | Group Policy |
| Signature Catch-up Interval* | Every Day | Every Day | The number of days after which a catch-up security intelligence update is required. This policy is always "Every day" for Huntress Managed Antivirus. | |
| Update Signatures on Startup* | Enabled | Enabled | Check for the latest security intelligence on service startup. This policy is always "Enabled" for Huntress Managed Antivirus. | Configured in Group Policy |
| Update Signatures from Microsoft Update* | Enabled | Enabled | Download latest security intelligence from Microsoft Update. This policy is always "Enabled" for Huntress Managed Antivirus. | |
| Advanced | | | | |
| Purge Quarantine After Delay* | 90 Days | Never | The number of days after which items are removed from the Quarantine folder. This policy is always "Never" for Huntress Managed Antivirus. | |
| NIS Definition Retirement* | Enabled | Enabled | After checking if the host has the necessary updates for network protection against an exploit, retire the exploit definition if no longer necessary. This policy is always "Enabled" for Huntress Managed Antivirus. | |
| NIS Protocol Recognition* | Enabled | Enabled | Protocol recognition of known vulnerabilities for network protection. This policy is always "Enabled" for Huntress Managed Antivirus. | |

* These settings are enforced and cannot be changed from the Huntress default configuration to maintain best-practice configuration and compliance.
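
To confirm on a host that the values in the Huntress Default column have actually taken effect, the local Defender preferences can be read and compared. The script below is an added example, not Huntress code; the mapping from dashboard setting names to `Get-MpPreference` properties is an assumption, and settings without an obvious property (SmartScreen, notifications, scan time, NIS) are left out.

```powershell
# Added example (not Huntress code): read-only check of local Defender Antivirus
# preferences against the "Huntress Default" column in the table above.
# ASSUMPTION: the setting-to-property mapping is ours, not published by Huntress.
# Run elevated so that configured exclusions are visible.
$pref = Get-MpPreference   # Defender module cmdlet; reads only, changes nothing

$checks = @(
    @{ Setting = 'Hide Defender UI = Disabled';         Property = 'UILockdown';                     Test = { param($v) $v -eq $false } }
    @{ Setting = 'Cloud Delivered Protection = enabled'; Property = 'MAPSReporting';                  Test = { param($v) $v -in 1, 2 } }
    @{ Setting = 'Automatic Sample Submissions = enabled'; Property = 'SubmitSamplesConsent';         Test = { param($v) $v -in 1, 3 } }
    @{ Setting = 'PUA Blocking = audit';                 Property = 'PUAProtection';                  Test = { param($v) $v -eq 2 } }
    @{ Setting = 'Catch-up scans = Enabled';             Property = 'DisableCatchupQuickScan';        Test = { param($v) $v -eq $false } }
    @{ Setting = 'Scan removable drives = Enabled';      Property = 'DisableRemovableDriveScanning';  Test = { param($v) $v -eq $false } }
    @{ Setting = 'Scan archive files = Enabled';         Property = 'DisableArchiveScanning';         Test = { param($v) $v -eq $false } }
    @{ Setting = 'Scan network files = Disabled';        Property = 'DisableScanningNetworkFiles';    Test = { param($v) $v -eq $true } }
    @{ Setting = 'Signature Update Interval = 6 hours';  Property = 'SignatureUpdateInterval';        Test = { param($v) $v -eq 6 } }
    @{ Setting = 'Signature Catch-up Interval = 1 day';  Property = 'SignatureUpdateCatchupInterval'; Test = { param($v) $v -eq 1 } }
    # A purge delay of 0 means quarantined items are kept indefinitely ("Never").
    @{ Setting = 'Purge Quarantine After Delay = Never'; Property = 'QuarantinePurgeItemsAfterDelay'; Test = { param($v) $v -eq 0 } }
)

$report = foreach ($c in $checks) {
    $actual = $pref.($c.Property)
    [pscustomobject]@{
        Setting  = $c.Setting
        Property = $c.Property
        Actual   = $actual
        Matches  = [bool](& $c.Test $actual)
    }
}
$report | Format-Table -AutoSize

# Exclusions default to "No action", so there is no expected value to compare:
# list whatever is configured so each entry can be reviewed and justified.
[pscustomobject]@{
    PathExclusions      = $pref.ExclusionPath      -join '; '
    ExtensionExclusions = $pref.ExclusionExtension -join '; '
    ProcessExclusions   = $pref.ExclusionProcess   -join '; '
} | Format-List
```

A `Matches = False` row on a host in Enforce Mode usually means an override at the Account, Organization, or Host level, or another policy source setting the same value.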