Windows 10 Defender Enterprise Scheduled Scans Not Working

  • Thread starter: FronzJ

Scans on our Win10 workstations don’t seem to be following the rules set in the policy. Currently, the policy is applying correctly and shows in Group Policy and the registry, but Defender is not following the scheduled scan settings. I did some research on scheduled scans with Windows Defender on Win10; here is what I found.



Apparently, Quick Scans are set to automatically run on a daily basis, determined by the Automatic Maintenance schedule that is built into Win10. The Automatic Maintenance window says that if the computer is in use at the time of the scheduled maintenance, or if the computer isn’t on, then the maintenance (and thus the quick scan) will take place the next time that the computer is idle.



Some people claim a scheduled full scan is not necessary, since Windows is already configured to automatically run daily quick scans. However, I found this:

“It certainly is true that real-time protection mitigates the need for scheduling Full Scans – but the new Windows Defender actually uses a much more powerful “on-access” real-time protection – a kernel-mode mini-filter driver (WdFilter.sys) that continuously scans file-system activity. On the other hand, it’s entirely possible for hidden malware to fly in under this on-access radar, because this form of real-time protection has to be very quick in order to keep it from bogging down the system – and consequently it never takes the time to scan the contents of archived files. So a Full Scan is still very useful because it does unpack those container files in search of any hidden (but inactive) malware that might have gotten through your primary line of defense.”





If a full scan is desired, the options I found are either to run a manual scan from the user interface or to create a new scheduled task to trigger a full scan. It’s advised not to modify the existing scheduled task because it is a system task, and doing so could have negative system consequences.



Configure Scheduled Full Scan (I did this on my Win10 computer, and it does work, but obviously not very easily managed centrally)

https://www.winhelp.us/kaseke/configure-windows-defender-in-windows-8.html



References:

Automatic Maintenance and Daily Quick Scans

http://answers.microsoft.com/en-us/...n/f399bb87-37c9-4a74-bb35-1d7e3d3c2436?auth=1 (long thread, but a lot of good info)



http://answers.microsoft.com/en-us/...ndows-10/c53a0110-04eb-431e-9bc5-9d6db0ffcff7



Detailed Windows Defender vs third-party security tools write up

http://answers.microsoft.com/en-us/...rd-party/37c133c8-c779-4336-b48a-4390dbcc5ba1





All that being said, it appears that the Configuration Manager policy that we have set is in fact configuring Local Group Policy. All of the correct settings are in there (Wed, 11am, randomize, etc.); I’m just not sure why Defender isn’t listening to those settings. The only thing I can think of is that Defender doesn’t listen to those settings because of the above.



Any help or advice you can offer would be very much appreciated.
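
The check and workaround described in the post above, as an added example that is not part of the original post: it shows the scan schedule written by policy next to what Defender reports as effective and when scans last finished, then registers a separate weekly full-scan task instead of editing the built-in system task. Assumptions: the policy values are read from the standard Defender policy registry location (the post does not give the path), the task name is hypothetical, and Wednesday 11am is taken from the post.

```powershell
#Requires -RunAsAdministrator

# Scan settings written by Group Policy / Configuration Manager.
# Assumption: standard Defender policy key; $policy is $null if nothing is configured.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# What the Defender engine reports as effective, plus evidence of past scans.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Side-by-side view: a mismatch means the policy is not reaching the engine;
# a match with stale scan times means the schedule is set but not being run.
[pscustomobject]@{
    PolicyScheduleDay     = $policy.ScheduleDay        # 0 = daily, 1 = Sunday ... 7 = Saturday, 8 = never
    EffectiveScheduleDay  = $pref.ScanScheduleDay
    PolicyScheduleTime    = if ($null -ne $policy.ScheduleTime) {
                                [TimeSpan]::FromMinutes($policy.ScheduleTime)   # stored as minutes after midnight
                            }
    EffectiveScheduleTime = $pref.ScanScheduleTime
    PolicyScanType        = $policy.ScanParameters     # 1 = quick, 2 = full
    EffectiveScanType     = $pref.ScanParameters
    RandomizeTaskTimes    = $pref.RandomizeScheduleTaskTimes
    LastQuickScanEnd      = $status.QuickScanEndTime
    LastFullScanEnd       = $status.FullScanEndTime
} | Format-List

# Separate task that triggers a full scan; the built-in Defender tasks are left untouched.
$taskName  = 'Weekly Defender Full Scan'               # hypothetical name
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -NonInteractive -Command "Start-MpScan -ScanType FullScan"'
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At '11:00AM'
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
# StartWhenAvailable runs a missed scan once the machine is back on.
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings
```

Re-running the first half after the next scheduled window shows whether `LastFullScanEnd` has advanced.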
