
Microsoft Defender Antivirus Security Technical Implementation Guide

  • Version: V2R8
  • Release Date: Feb 17, 2026
  • SCAP Benchmark ID: MS_Defender_Antivirus
  • Total Checks: 67
  • Tags: other
  • Severity breakdown: CAT I: 4, CAT II: 63, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (67)

  • V-213426 (HIGH): Microsoft Defender AV must be configured to block the Potentially Unwanted Application (PUA) feature.
  • V-213427 (MEDIUM): Microsoft Defender AV must be configured to automatically take action on all detected tasks.
  • V-213428 (HIGH): Microsoft Defender AV must be configured to run and scan for malware and other potentially unwanted software.
  • V-213429 (MEDIUM): Microsoft Defender AV must be configured to not exclude files for scanning.
  • V-213430 (MEDIUM): Microsoft Defender AV must be configured to not exclude files opened by specified processes.
  • V-213431 (MEDIUM): Microsoft Defender AV must be configured to enable the Automatic Exclusions feature.
  • V-213432 (MEDIUM): Microsoft Defender AV must be configured to disable local setting override for reporting to Microsoft MAPS.
  • V-213433 (MEDIUM): Microsoft Defender AV must be configured to check in real time with MAPS before content is run or accessed.
  • V-213434 (MEDIUM): Microsoft Defender AV must join Microsoft MAPS.
  • V-213435 (MEDIUM): Microsoft Defender AV must be configured to only send safe samples for MAPS telemetry.
  • V-213436 (MEDIUM): Microsoft Defender AV must be configured for protocol recognition for network protection.
  • V-213437 (MEDIUM): Microsoft Defender AV must be configured to not allow local override of monitoring for file and program activity.
  • V-213438 (MEDIUM): Microsoft Defender AV must be configured to not allow override of monitoring for incoming and outgoing file activity.
  • V-213439 (MEDIUM): Microsoft Defender AV must be configured to not allow override of scanning for downloaded files and attachments.
  • V-213440 (MEDIUM): Microsoft Defender AV must be configured to not allow override of behavior monitoring.
  • V-213441 (MEDIUM): Microsoft Defender AV Group Policy settings must take priority over the local preference settings.
  • V-213442 (MEDIUM): Microsoft Defender AV must monitor for incoming and outgoing files.
  • V-213443 (MEDIUM): Microsoft Defender AV must be configured to monitor for file and program activity.
  • V-213444 (MEDIUM): Microsoft Defender AV must be configured to scan all downloaded files and attachments.
  • V-213445 (MEDIUM): Microsoft Defender AV must be configured to always enable real-time protection.
  • V-213446 (MEDIUM): Microsoft Defender AV must be configured to enable behavior monitoring.
  • V-213447 (MEDIUM): Microsoft Defender AV must be configured to process scanning when real-time protection is enabled.
  • V-213448 (MEDIUM): Microsoft Defender AV must be configured to scan archive files.
  • V-213449 (MEDIUM): Microsoft Defender AV must be configured to scan removable drives.
  • V-213450 (MEDIUM): Microsoft Defender AV must be configured to perform a weekly scheduled scan.
  • V-213451 (MEDIUM): Microsoft Defender AV must be configured to turn on e-mail scanning.
  • V-213452 (HIGH): Microsoft Defender AV spyware definition age must not exceed 7 days.
  • V-213453 (HIGH): Microsoft Defender AV virus definition age must not exceed 7 days.
  • V-213454 (MEDIUM): Microsoft Defender AV must be configured to check for definition updates daily.
  • V-213455 (MEDIUM): Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Severe.
  • V-213456 (MEDIUM): Microsoft Defender AV must be configured to block executable content from email client and webmail.
  • V-213457 (MEDIUM): Microsoft Defender AV must be configured block Office applications from creating child processes.
  • V-213458 (MEDIUM): Microsoft Defender AV must be configured block Office applications from creating executable content.
  • V-213459 (MEDIUM): Microsoft Defender AV must be configured to block Office applications from injecting into other processes.
  • V-213460 (MEDIUM): Microsoft Defender AV must be configured to impede JavaScript and VBScript to launch executables.
  • V-213461 (MEDIUM): Microsoft Defender AV must be configured to block execution of potentially obfuscated scripts.
  • V-213462 (MEDIUM): Microsoft Defender AV must be configured to block Win32 imports from macro code in Office.
  • V-213463 (MEDIUM): Microsoft Defender AV must be configured to prevent user and apps from accessing dangerous websites.
  • V-213464 (MEDIUM): Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level High.
  • V-213465 (MEDIUM): Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Medium.
  • V-213466 (MEDIUM): Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Low.
  • V-278647 (MEDIUM): Microsoft Defender AV must block Adobe Reader from creating child processes.
  • V-278648 (MEDIUM): Microsoft Defender AV must block credential stealing from the Windows local security authority subsystem.
  • V-278649 (MEDIUM): Microsoft Defender AV must block untrusted and unsigned processes that run from USB.
  • V-278650 (MEDIUM): Microsoft Defender AV must use advanced protection against ransomware.
  • V-278651 (MEDIUM): Microsoft Defender AV must audit process creations originating from PSExec and WMI commands.
  • V-278652 (MEDIUM): Microsoft Defender AV must audit persistence through WMI event subscription.
  • V-278653 (MEDIUM): Microsoft Defender AV must audit executable files from running unless they meet a prevalence, age, or trusted list criterion.
  • V-278654 (MEDIUM): Microsoft Defender AV must block Office communication application from creating child processes.
  • V-278655 (MEDIUM): Microsoft Defender AV must block abuse of exploited vulnerable signed drivers.
  • V-278656 (MEDIUM): Microsoft Defender AV must configure local administrator merge behavior for lists.
  • V-278658 (MEDIUM): Microsoft Defender AV must control whether exclusions are visible to Local Admins.
  • V-278659 (MEDIUM): Microsoft Defender AV must randomize scheduled task times.
  • V-278660 (MEDIUM): Microsoft Defender AV must hide the Family options area.
  • V-278661 (MEDIUM): Microsoft Defender AV must enable the file hash computation feature.
  • V-278662 (MEDIUM): Microsoft Defender AV must enable extended cloud check.
  • V-278668 (MEDIUM): Microsoft Defender AV must enable script scanning.
  • V-278669 (MEDIUM): Microsoft Defender AV must enable real-time protection and Security Intelligence Updates during OOBE.
  • V-278672 (MEDIUM): Microsoft Defender AV must enable network protection to be configured into block or audit mode on Windows Server.
  • V-278674 (MEDIUM): Microsoft Defender AV must enable EDR in block mode.
  • V-278675 (MEDIUM): Microsoft Defender AV must report Dynamic Signature dropped events.
  • V-278676 (MEDIUM): Microsoft Defender AV must scan excluded files and directories during quick scans.
  • V-278677 (MEDIUM): Microsoft Defender AV must convert warn verdict to block.
  • V-278678 (MEDIUM): Microsoft Defender AV must enable asynchronous inspection.
  • V-278679 (MEDIUM): Microsoft Defender AV must scan packed executables.
  • V-278680 (MEDIUM): Microsoft Defender AV must enable heuristics.
  • V-278863 (MEDIUM): Microsoft Defender AV must set cloud protection level to High.