← Back to Microsoft Defender Antivirus Security Technical Implementation Guide

V-278662

CAT II (Medium)

Microsoft Defender AV must enable extended cloud check.

Rule ID

SV-278662r1190754_rule

STIG

Microsoft Defender Antivirus Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-001170

Discussion

When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the Microsoft Defender Antivirus cloud service. The default period that the file is blocked is 10 seconds. Extending the cloud block timeout period can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.

Check Content

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> MpEngine >> Configure extended cloud check is set to "Enabled" with a Policy Option value of "50"; otherwise, this is a finding.

Procedure: Use the Windows Registry Editor to navigate to the following key: 
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine

Criteria: If the value "MpBafsExtendedTimeout" is REG_DWORD = 50, this is not a finding.

If the value is other than 50, this is a finding.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> MpEngine >> Configure extended cloud check to "Enabled" with a Policy Option value of "50".