• United States



Contributing Writer

How to configure Microsoft Defender for cloud-based attacks

Nov 03, 20214 mins
Anti MalwareCloud SecurityWindows Security

Malware delivered through cloud services such as OneDrive or SharePoint will try to disable and evade Defender. These simple settings will help prevent that.

Antivirus / virus alert / warning / security threats / protection from attack
Credit: Thinkstock

Attackers are now using more “interesting” platforms and methods to gain access to our networks, especially with cloud platforms. OneDrive, OneNote, SharePoint, and Sharefile can all host malicious files. Google and Amazon Web Services (AWS) also can host malicious sites. Repositories such as GitHub have recently been used to launch ransomware attacks.

Sites like these appeal to attackers because we trust them and tend to be less paranoid about the links they deliver. Until recently it took a long time to remove malicious files from these locations. In the last few weeks, Microsoft has removed Office 365 locations from the top 15 malware sites as noted on URLHaus.

Can you block such locations without causing issues with business needs at the firm? Some employees should have no need to go to certain sites, but others will have these needs. Depending on your organization you may wish to set up your browsing protections such that only specific websites needed for business are allowed for browsing. Others may need to set up a nuanced approach whereby only some users are allowed to have full access for internet locations and others are more restricted.

Network administrators cannot blindly block Microsoft 365, Google or AWS locations as businesses depend on them, but you should ensure that there are no exclusions or exceptions in your antivirus platforms or your firewall/unified threat management solutions that would lessen the ability to protect your network.

Setting up alerts for disabled antivirus software

Attackers will often try to disable your antivirus software to avoid detection. If a local administrator account is compromised or the attacker has used vulnerabilities to gain access in your network, they can then silently disable Defender. You should review your configurations to determine if you would be alerted if antivirus protection were disabled.

One of the best ways to do this is to disable local admin merge and enable Tamper Protection in Windows Security. Configuring merge policy in Microsoft Defender is available in Defender for Endpoint version 100.67.60 or higher. You can set a combination of administrator- and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only) to restrict local users from defining their own exclusions.

In Group Policy, follow the policy path steps of:

  1. Computer Configuration
  2. Administrative Templates
  3. Windows Components
  4. Windows Defender Antivirus (on older platforms or servers) or Microsoft Defender antivirus
configureav Susan Bradley

Group Policy settings to avoid disabling of Defender

As Microsoft notes in the screen above:

This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and exclusions. If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings. If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.

If you are using Intune or Registry settings, enter:

HKLMSoftwarePoliciesMicrosoftWindows Defender!DisableLocalAdminMerge

For workstations and servers that use Microsoft Defender as your antivirus, protect the security settings by ensuring that you’ve set up Tamper Protection. It will protect you from malicious programs disabling virus and threat protection, disabling real-time protection, turning off behavior monitoring, disabling antivirus (such as IOfficeAntivirus (IOAV)), disabling cloud-delivered protection, and removing security intelligence updates. Tamper Protection locks Defender antivirus to its secure, default values and prevents your security settings from being changed. Once only an E5 offering, Tamper Protection is now default on Windows 10.

Group Policy exclusions for antivirus scans

Another item to review is Group Policy exclusions for antivirus scans. If you’ve set up these values years ago and never revisited them, you may be excluding folders from scanning that should not be excluded. Attackers can review the registry keys and Group Policy settings during reconnaissance to know ahead of time which locations are excluded from scans and thus stage their scripts and attack sequences in these “safe” locations. Always do periodic reviews of these folder locations to ensure that no new files have been added to these locations. These are often database installation locations that may have new or increasing data files but should not have new files introduced.

Bottom line: Know that attackers are using cloud locations to launch attacks. Start investigating now so you can better protect your network.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author