Last modified by Jannis Klein on 2024/08/13 08:20

{{aagon.priorisierung}}
10
{{/aagon.priorisierung}}

{{aagon.floatingbox/}}

= Real-time Protection =

This setting allows you to control the behaviour of real-time protection.

{{aagon.infobox}}
If Microsoft Defender tamper protection is enabled, the real-time protection settings cannot be disabled.
{{/aagon.infobox}}
14
Sabrina V. 2.1 15 = Exclusions =
Jannis Klein 1.1 16
Sabrina V. 2.1 17 If you find that a particular item is repeatedly mistakenly detected as a threat by the Windows Defender scanner, you can add it to an exclusion.
Jannis Klein 1.1 18
Sabrina V. 2.1 19 You can then use //Exclusions// on the //Configuration Profiles// tab in the ribbon bar to decide which item to add to the exclusion. You can choose to exclude files, file extensions, entire directories and/or processes. This step also allows you to use wildcards when defining the exclusion list:
Jannis Klein 1.1 20
Sabrina V. 2.1 21 |**Placeholder**|**Use**
22 |*
23 \\(asterisk)|(((
24 For filenames and file extensions, the asterisk replaces any number of characters and applies only to files in the last directory specified in the exclusion.
Jannis Klein 1.1 25
Sabrina V. 2.1 26 For folder exclusions, the asterisk replaces a single folder.
Jannis Klein 1.1 27 )))
Sabrina V. 2.1 28 |?
29 \\(questition mark)|(((
30 For file names and file extensions, the question mark replaces a single character and applies only to files in the last directory defined in the exclusion.
Jannis Klein 1.1 31
Sabrina V. 2.1 32 For folder exclusions, the question mark replaces a single character in a folder name. After matching the number of folders with wildcards and named folders, any subfolders are also included.
Jannis Klein 1.1 33 )))
Sabrina V. 2.1 34 |Environment variables|The defined variable is filled as a path when the exclusion is evaluated.
Jannis Klein 1.1 35
Sabrina V. 2.1 36 You can also add any number of exclusions to a configuration profile and attach an exclusion to any number of configuration profiles.
Jannis Klein 1.1 37
38 {{aagon.infobox}}
Sabrina V. 2.1 39 Note that these exclusions only apply to general items such as files, file types, directories and processes of all types and should not be confused with the exclusions for the ASR rules!
Jannis Klein 1.1 40 {{/aagon.infobox}}
41
= Actions for threats =

This is where you define the actions to be taken when a threat is detected on the client. For the four threat levels (Severe, High, Medium, Low) you can choose between the remediation actions Quarantine, Remove and Ignore.

{{aagon.infobox}}
If Defender tamper protection is enabled, these settings cannot be disabled.
{{/aagon.infobox}}

= Cloud Based Protection =

This protection feature causes files unknown to Defender to be pre-scanned by Microsoft. If an unknown threat, such as a new virus, appears on the client, Defender uploads the possible threat to Microsoft for further investigation and leaves the decision on how to proceed to Microsoft.

{{aagon.infobox}}
If Defender tamper protection is enabled, these settings cannot be disabled.
{{/aagon.infobox}}

= SmartScreen =

This feature helps protect you from malware and phishing websites when you use applications and data, and when you use Microsoft Edge. SmartScreen automatically alerts you when a threat is detected, blocks access to a web page or file, or blocks an application from running and shows a warning message.

= Controlled folder access =

Here you can define untrusted and trusted directories. Add entire directories that you consider untrustworthy. However, if individual applications are safe, you can explicitly classify them as trusted; they are then excluded from the monitoring of the directory. Controlled folder access itself can be set to Block, Monitor mode, Block changes to disks only and Monitor disks only.

{{aagon.infobox}}
If you have enabled //monitored folder// access, you may receive an alert message with ID 1127 "Controlled Folder Access (CFA) prevented an untrusted process from making changes to memory" after the ACMP Agent's computer scanner has run. You will no longer receive these alerts if you add ACMPClientService.exe to //Trusted Applications//.
{{/aagon.infobox}}

= UI =

Here you can specify elements of the graphical user interface on the client, such as preventing or allowing General and Defender pop-ups or other notifications. You can also control which individual Windows security modules are displayed in the GUI.

(% style="text-align:center" %)
[[image:https://manual.aagon.com/acmp/de/61/konfigurationsprofil-einstellungen_ui_zoom60.png||alt="Konfigurationseinstellungen"]]
Configuration Profile settings

== Headless UI mode ==

When this setting is enabled, all graphical elements on the client related to Defender are disabled. This means, for example, that virus and threat protection notifications are not displayed.

= Scan settings =

Allows you to configure various scanning options.

== General Scan settings ==

Here you can configure various scan settings.

== Scan settings for Data ==

In addition to scanning archive files, such as ZIP folders, you can also set the maximum size of files and attachments that are scanned by default during a download.

== Quick Scan settings ==

Set the interval and time for the daily quick scan.

== Scheduled System scan ==

A scheduled System Scan allows you to run a full client virus scan at a time of your choosing.
By default, the Full System Scan feature is not enabled. If you enable the scan, the settings you have previously specified will take effect. These settings include the time of the scan and the level of CPU usage.

{{aagon.infobox}}
The system scan settings do not affect the scheduled scans in the Defender module, which can be linked to the configuration profiles.
{{/aagon.infobox}}

= Update settings =

This configuration allows you to define general update settings, as well as the exact update sources and time intervals for updates.

== General Update settings ==

Here you can configure various update settings, as well as when security information is considered out of date.

== Update source ==

These settings allow you to specify file shares and a custom order of update sources.

== Update scheduling ==

Set the days of the week, times and intervals for scheduled security information updates.

= Attack Surface Reduction =

Attack surface reduction (ASR) rules allow you to target specific software behaviour to reduce the potential attack surface for threats.
These rules prevent risky software behaviour, such as launching executables and scripts that attempt to download and execute files, performing suspicious application behaviour, or executing suspicious files and scripts in general. You can enable 15 different rules to either monitor or immediately block the process.

|**Rules for reducing the attack surface**|**Description**
|Block executable content from email client and web email|Prevents executable file types (.exe, .dll or .scr) and script files (PowerShell .ps1, Visual Basic .vbs or JavaScript .js) from running from emails that are opened in Microsoft Outlook or Outlook.com.
|Prevent all Office applications from creating child processes|Prevents Office applications (Word, Excel, PowerPoint, OneNote and Access) from creating child processes. This prevents malware from hijacking Office applications to run VBA macros.
|Prevent Office applications from creating executable content|Prevents malicious code from being written to the hard drive by preventing Office applications (including Word, Excel and PowerPoint) from creating potentially malicious executable content.
|Prevent Office applications from inserting code into child processes|(((
Prevents Office applications from being exploited externally by having malicious code added through code injection.

This applies to Word, Excel and PowerPoint.
)))
|Block potentially hidden scripts from running|Detects and blocks suspicious properties in an obfuscated script. Script obfuscation is also used legitimately to hide intellectual property or reduce script load times.
|Block Win32 API calls to Office macros|Prevents VBA macros from calling Win32 APIs. Office VBA allows Win32 API calls, and malware can abuse this feature, for example by calling Win32 APIs to execute malicious shellcode without writing anything directly to the hard disk.
|Block executable files from running unless they meet a distribution, age, or trusted list criterion|(((
This rule blocks the launching of .exe, .dll or .scr file types unless they meet the prevalence or age criteria, or are included in a trusted list or exclusion list. To allow specific processes of these file types, use the ASR rule exclusions.

{{aagon.infobox}}
This rule can only be used if cloud-based protection is enabled!
{{/aagon.infobox}}
)))
|Block Windows credential stealing for local security authorities|(((
Prevents credential theft by locking down the Local Security Authority Subsystem Service (LSASS).

LSASS authenticates users logging on to a Windows computer. Microsoft Defender Credential Guard normally prevents attempts to extract credentials from LSASS during this process. However, some organisations may not be able to enable Credential Guard on all computers. Such compatibility issues can occur with custom smart card drivers or other programs that load into the Local Security Authority (LSA).

{{aagon.infobox}}
In some applications, the code enumerates all running processes and attempts to open them with full privileges. This rule denies the application's attempt to open the process and logs the details to the security event log. This rule can generate a lot of noise. If you have an application that simply enumerates LSASS but whose functionality is not actually affected, there is no need to add it to the exclusion list. This event log entry alone does not necessarily indicate a malicious threat.
{{/aagon.infobox}}
)))
|Block process creation via PsExec and WMI commands|Blocks the execution of processes created via PsExec and WMI. Both PsExec and WMI can execute code remotely, so there is a risk that malware could exploit this functionality for command and control purposes or to spread an infection across the corporate network.
|Block untrusted and unsigned processes running from USB|This rule allows administrators to prevent unsigned or untrusted executable files from being run from USB removable media, including SD cards. Blocked file types include executable files (such as .exe, .dll or .scr).
|Prevent Office communications application from creating child processes|This rule prevents Outlook from creating child processes while allowing legitimate Outlook functions to run. This rule protects against social engineering attacks and prevents code from being used to exploit Outlook vulnerabilities. It also protects against Outlook rule and form exploits that attackers can use if a user's credentials are compromised.
|Prevent Adobe Reader from creating child processes|(((
This rule prevents attacks by preventing Adobe Reader from creating child processes.

By preventing Adobe Reader from creating child processes, it stops the propagation of malware that attempts to use Adobe Reader as an attack vector.
)))
|Use advanced ransomware protection|(((
This rule provides additional protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware.

{{aagon.infobox}}
The following files will not be blocked by this rule: files that have been determined not to be suspicious via the Microsoft cloud; validly signed files; and files that are prevalent enough not to be considered ransomware.
{{/aagon.infobox}}

{{aagon.infobox}}
This rule can only be used if cloud-based protection is enabled!
{{/aagon.infobox}}
)))
|Prevent JavaScript and VBScript from launching downloaded executables|(((
This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the web.

Although not common, business applications sometimes use scripts to download and launch installers.
)))
|Block persistence via WMI event subscription|(((
This rule prevents malware from using WMI to persist on a device.

{{aagon.infobox}}
File and folder exclusions do not apply to this attack surface reduction rule.
{{/aagon.infobox}}

Fileless threats use various tactics to stay hidden, avoid being seen in the file system, and maintain regular execution control. Some threats may abuse the WMI repository and event model to stay hidden.
)))

== ASR rule exclusions ==

If you have an ASR rule enabled but want to allow certain files and directories that it would normally block, you can create exclusions for ASR rules. Add folders or files via the appropriate exclusion field to allow them despite the rule being enabled.

{{aagon.infobox}}
Please note that these exclusions are specific to ASR rules and should not be confused with the general exclusions!
{{/aagon.infobox}}

= Linking scheduled scans to Configuration Profiles =

You can link scheduled scans to configuration profiles. You create the different scan jobs by selecting //Scan Collections// from the //Configuration Profiles// tab in the ribbon bar.

In the dialogue box, specify the interval and the configuration profiles to which the scan will be linked. All links between scheduled scans and the selected configuration profile are shown in the workspace under //Linked Scheduled Scans//.

{{aagon.infobox}}
You can link a scheduled scan to any number of definitions.
{{/aagon.infobox}}

{{aagon.infobox}}
In Windows Server 2016, you may receive the 'Interactive Services Detection' notification for each full system scan, such as scheduled scans. It is not possible to disable this manually on Server 2016. If you are sure you want to disable these notifications, you can create a Client Command in ACMP. To do this, on the Client Script page select //Commands// > //Windows OS// > //Control NT Service//. Select //UI0Detect// as the service name and set the startup type to //Disabled//.
{{/aagon.infobox}}

(% style="text-align:center" %)
[[image:https://manual.aagon.com/acmp/de/61/hmfile_hash_947866c1.png||alt="Client Command NT Dienste steuern"]]
Client Command: Control NT Services