Malware delivered through cloud services such as OneDrive or SharePoint will try to disable and evade Defender. These simple settings will help prevent that.

Attackers are now using more “interesting” platforms and methods to gain access to our networks, especially with cloud platforms. OneDrive, OneNote, SharePoint, and ShareFile can all host malicious files. Google and Amazon Web Services (AWS) also can host malicious sites. Repositories such as GitHub have recently been used to launch ransomware attacks. Sites like these appeal to attackers because we trust them and tend to be less paranoid about the links they deliver. Until recently it took a long time to remove malicious files from these locations. In the last few weeks, Microsoft has removed Office 365 locations from the top 15 malware sites as noted on URLHaus.

Can you block such locations without causing issues with business needs at the firm? Some employees should have no need to go to certain sites, but others will have these needs. Depending on your organization you may wish to set up your browsing protections such that only specific websites needed for business are allowed for browsing. Others may need to set up a nuanced approach whereby only some users are allowed to have full access to internet locations and others are more restricted. Network administrators cannot blindly block Microsoft 365, Google or AWS locations as businesses depend on them, but you should ensure that there are no exclusions or exceptions in your antivirus platforms or your firewall/unified threat management solutions that would lessen the ability to protect your network.

Setting up alerts for disabled antivirus software

Attackers will often try to disable your antivirus software to avoid detection. If a local administrator account is compromised or the attacker has used vulnerabilities to gain access to your network, they can then silently disable Defender.
You should review your configurations to determine if you would be alerted if antivirus protection were disabled. One of the best ways to do this is to disable local admin merge and enable Tamper Protection in Windows Security. Configuring merge policy in Microsoft Defender is available in Defender for Endpoint version 100.67.60 or higher. You can set a combination of administrator- and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only) to restrict local users from defining their own exclusions.

In Group Policy, follow the policy path of: Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus (on older platforms or servers) or Microsoft Defender Antivirus.

(Screenshot: Group Policy settings to avoid disabling of Defender)

As Microsoft notes in the screen above:

This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and exclusions. If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group Policy settings will override preference settings. If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.

If you are using Intune or Registry settings, enter:

HKLM\Software\Policies\Microsoft\Windows Defender!DisableLocalAdminMerge

For workstations and servers that use Microsoft Defender as your antivirus, protect the security settings by ensuring that you’ve set up Tamper Protection.
It will protect you from malicious programs disabling virus and threat protection, disabling real-time protection, turning off behavior monitoring, disabling antivirus (such as IOfficeAntivirus (IOAV)), disabling cloud-delivered protection, and removing security intelligence updates. Tamper Protection locks Defender antivirus to its secure, default values and prevents your security settings from being changed. Once only an E5 offering, Tamper Protection is now default on Windows 10.

Group Policy exclusions for antivirus scans

Another item to review is Group Policy exclusions for antivirus scans. If you set up these values years ago and never revisited them, you may be excluding folders from scanning that should not be excluded. Attackers can review the registry keys and Group Policy settings during reconnaissance to know ahead of time which locations are excluded from scans and thus stage their scripts and attack sequences in these “safe” locations. Always do periodic reviews of these folder locations to ensure that no new files have been added to them. These are often database installation locations that may have new or growing data files but should not have new files introduced.

Bottom line: Know that attackers are using cloud locations to launch attacks. Start investigating now so you can better protect your network.
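An audit script that ties the checks above together, added here as an example and not part of the original article: it reads the DisableLocalAdminMerge policy value, asks Defender whether Tamper Protection and real-time protection are on, lists the effective exclusions and flags files recently created inside excluded folders, and looks for Defender event ID 5001 (real-time protection disabled) in the operational log. It assumes Windows 10/11 with the built-in Defender PowerShell module, an elevated session, and a seven-day review window chosen for illustration.

```powershell
param([switch]$Remediate, [int]$Days = 7)   # -Remediate sets DisableLocalAdminMerge=1 if missing

# Policy key named in the article; a DWORD of 1 means only Group Policy exclusions apply.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$findings  = New-Object System.Collections.Generic.List[string]
$since     = (Get-Date).AddDays(-$Days)

# 1. Local admin merge
$merge = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableLocalAdminMerge
if ($merge -ne 1) {
    $findings.Add("DisableLocalAdminMerge is '$merge' (expected 1): local admins can add their own exclusions")
    if ($Remediate) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name DisableLocalAdminMerge -PropertyType DWord -Value 1 -Force | Out-Null
        $findings.Add('  -> set DisableLocalAdminMerge=1 (Group Policy will overwrite this if it manages the key)')
    }
}

# 2. Tamper Protection and real-time protection as Defender itself reports them
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)          { $findings.Add('Tamper Protection is OFF') }
if (-not $status.RealTimeProtectionEnabled)  { $findings.Add('Real-time protection is OFF') }

# 3. Effective exclusions (Group Policy merged with local) and new files inside excluded folders
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath)) {
    if (-not $p) { continue }
    $findings.Add("Excluded path: $p")
    if (Test-Path -LiteralPath $p) {
        Get-ChildItem -LiteralPath $p -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $since } |
            ForEach-Object { $findings.Add("  new file in excluded folder: $($_.FullName) ($($_.CreationTime))") }
    }
}
foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings.Add("Excluded extension: $e") } }
foreach ($x in @($pref.ExclusionProcess))   { if ($x) { $findings.Add("Excluded process: $x") } }

# 4. Has real-time protection been switched off recently? Defender logs event ID 5001 when it is.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($ev in $events) { $findings.Add("Real-time protection was disabled at $($ev.TimeCreated)") }

if ($findings.Count -eq 0) { Write-Output 'No findings' } else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it on a schedule and forward the output (or the 5001 events themselves) to your SIEM so that a disabled Defender produces an alert rather than going unnoticed.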