EDR Block Mode – Notes from the Field
Recently Microsoft announced that Microsoft Defender for Endpoint now has the EDR block mode.
From the earliest days of Microsoft Defender for Endpoint (the WDATP days), there was a conflict between Microsoft Defender Anti-Virus (MDAV) and a primary third-party Anti-Virus. The question was whether to keep MDAV running alongside the third-party Anti-Virus or to disable MDAV altogether.
This was, and still is, a confusing step when you deploy Microsoft Defender for Endpoint on devices with an existing third-party Anti-Virus. From my experience, the best scenario is:
When you use a third-party AV alongside Microsoft Defender Anti-Virus and you have MDE (EDR), it is better to keep the third-party AV as primary and put MDAV in passive mode.
Note: Microsoft Defender Anti-Virus (MDAV) in passive mode still receives updates, but it won’t run any scans or take AV ownership.
Why is it important to highlight the primary and secondary AV situation? Because it was a challenge whenever you had the Microsoft Defender for Endpoint sensor, Microsoft Defender AV and a third-party AV together on the same device.
Now you can put Microsoft Defender AV in passive mode and still get the full value of Microsoft Defender for Endpoint, including the latest feature: EDR Block Mode.
EDR Block Mode
Microsoft Defender for Endpoint EDR in block mode is a new capability that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender for Endpoint’s industry-leading visibility and detection capability to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus solution might miss.
Through built-in machine learning models in Microsoft Defender for Endpoint, EDR in block mode extends behavioral blocking and containment, which uses machine learning-driven protection engines that specialize in identifying threats by analyzing behavior.
These components detect and stop threats in real time, or even after they have started running, and allow companies to prevent cyberattacks, maintain their security posture, and reduce the manual steps and time needed to respond to threats.
EDR Block mode is part of the behavioral blocking and containment components. It complements the other components, such as attack surface reduction, client behavioral blocking, and rapid protection.
Behavioral blocking and containment capabilities, including EDR Block mode, can block attacker techniques such as the following attacks:
- Credential dumping from LSASS
- Pass-the-hash attacks
- Installation of a root certificate
- Cross-process injection
- Tampering with antivirus
- Contacting C2 to download payloads
- Process hollowing
- User Account Control bypass
- Coin mining
- Boot record modification
- Exploitation attempt for various vulnerabilities
When EDR in block mode identifies malicious behaviors or artifacts, it stops the related running processes, blocking the attack from progressing.
These blocks are reported in Microsoft Defender Security Center. Security teams can view the threat and remediation status details and use Microsoft Defender for Endpoint capabilities to further investigate and hunt for similar threats as necessary.
EDR Block Mode – Notes from the field
As with any other security tool, I didn’t make any assumptions about the new Microsoft Defender for Endpoint feature and tested EDR block mode with real malware.
The lab is based on the Microsoft Defender for Endpoint Evaluation Lab and includes a Windows 10 machine with the simulation scenario (Evaluation Lab) and McAfee protection for Windows 10. Microsoft Defender AV is configured in passive mode.
Besides that, I downloaded a few malware samples from Any.Run (the cloud-based malware analysis service). Make sure to work in a lab environment only and never on production!
Once the malware was detonated on the device, MDE started to alert and provided useful information about the malware and its actions. The malware was a Vigorf-based doc file with an add-on.
From the Microsoft Defender Security Center blade, you can view the alert story and all actions related to the malware, together with its status, including artifacts such as URLs, the root cause, the incident, related files, and the EDR block mode status.
Another view, from the Threat Protection report, shows the alert status.
Note: When EDR in block mode is turned on, and Microsoft Defender Antivirus is not used as the primary antivirus solution, it can still detect and remediate malicious items.
Once Microsoft Defender for Endpoint has identified the malware and prevented it from running on the device, we can investigate and remediate as required.
TIP: Out of curiosity, I did my own malware analysis to check and compare the malware artifacts against what MDE reported, and the result was the same. A quick run with strings and olevba showed me the first artifacts and ASCII parameters behind the scenes.
Enable EDR Block Mode
When turned on, Microsoft Defender for Endpoint leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors observed through post-breach endpoint detection and response (EDR) capabilities.
This feature does not change how Microsoft Defender for Endpoint performs detection, alert generation, and incident correlation.
| Requirement | Details |
|---|---|
| Permissions | Global Administrator or Security Administrator role assigned in Azure Active Directory. See Basic permissions. |
| Operating system | One of the following versions: Windows 10 (all releases); Windows Server 2016 or later |
| Windows E5 enrollment | Windows E5 is included in the following subscriptions: Microsoft 365 E5; Microsoft 365 E3 together with the Identity & Threat Protection offering |
| Cloud-delivered protection | Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. |
| Microsoft Defender Antivirus antimalware client | Make sure your client is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above. |
| Microsoft Defender Antivirus engine | Make sure your engine is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above. |
To enable EDR in block mode, go to Settings > Advanced features and switch the toggle for “Enable EDR in block mode” to On.
You can check the EDR Block mode status for all devices from the Threat & Vulnerability Management dashboard and Security recommendations.
In Passive Mode, Microsoft Defender Antivirus is not used as the antivirus app, and Microsoft Defender Antivirus does not remediate threats.
Files are scanned, and reports are provided for threat detections shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
When EDR in block mode is turned on, and Microsoft Defender Antivirus is not used as the primary antivirus solution, it can still detect and remediate malicious items.
When EDR in block mode is disabled and Microsoft Defender Antivirus is not used as the antivirus app, files are not scanned and threats are not remediated.
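The prerequisites table and the passive mode notes above both come down to a handful of values you can read with the Defender PowerShell cmdlets. The following script is an added example (not code from the original post or from Microsoft) that turns those checks into one readiness report: it compares AMProductVersion and AMEngineVersion against the minimums in the table, checks that cloud-delivered protection is on, and reports which mode the Defender AV engine is running in. It assumes an elevated PowerShell session on a Windows 10 or Windows Server 2016+ host with the built-in Defender module; the AMRunningMode and MAPSReporting property names and their values are taken from the documented output of Get-MpComputerStatus and Get-MpPreference, and the function name Test-EdrBlockModeReadiness is my own.

```powershell
# Added example: readiness check for EDR in block mode (not from the original post).
# Assumes an elevated session and the built-in Defender module
# (Get-MpComputerStatus, Get-MpPreference, Get-CimInstance).
function Test-EdrBlockModeReadiness {
    [CmdletBinding()]
    param(
        # Minimums from the prerequisites table
        [version]$MinClientVersion = '4.18.2001.10',   # AMProductVersion
        [version]$MinEngineVersion = '1.1.16700.2'     # AMEngineVersion
    )

    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference

    # Version strings such as "4.18.2001.10" cast cleanly to [version], which
    # compares component by component; a plain string comparison would get
    # "4.18.2001.10" vs "4.18.2104.14" wrong.
    $clientVersion = [version]$status.AMProductVersion
    $engineVersion = [version]$status.AMEngineVersion

    # Windows 10 and Windows Server 2016+ both report a 10.x OS version.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version

    # MAPSReporting: 0 = cloud-delivered protection disabled, 1 = basic, 2 = advanced.
    $cloudEnabled = ([int]$prefs.MAPSReporting) -ne 0

    # AMRunningMode shows how the AV engine is operating, e.g. "Normal",
    # "Passive Mode", "EDR Block Mode" or "SxS Passive Mode". The property only
    # exists on recent platform versions, hence the guard.
    $runningMode = 'unknown (AMRunningMode not reported by this platform version)'
    if ($status.PSObject.Properties['AMRunningMode']) {
        $runningMode = $status.AMRunningMode
    }

    $result = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $osVersion.ToString()
        OSVersionOk       = ($osVersion.Major -ge 10)
        ClientVersion     = $clientVersion.ToString()
        ClientVersionOk   = ($clientVersion -ge $MinClientVersion)
        EngineVersion     = $engineVersion.ToString()
        EngineVersionOk   = ($engineVersion -ge $MinEngineVersion)
        CloudProtectionOk = $cloudEnabled
        AMServiceEnabled  = [bool]$status.AMServiceEnabled
        RunningMode       = $runningMode
    }

    # Overall readiness: every checkable prerequisite from the table must hold.
    # (Licensing and the Azure AD role cannot be verified from the endpoint.)
    $ready = $result.OSVersionOk -and $result.ClientVersionOk -and
             $result.EngineVersionOk -and $result.CloudProtectionOk -and
             $result.AMServiceEnabled
    $result | Add-Member -NotePropertyName Ready -NotePropertyValue $ready -PassThru
}

# Usage: print the report and flag anything that blocks enabling the feature.
$readiness = Test-EdrBlockModeReadiness
$readiness | Format-List

if (-not $readiness.CloudProtectionOk) {
    # Cloud-delivered protection is a hard prerequisite; the table asks for it to be on.
    Write-Warning 'Cloud-delivered protection is off. Enable it with: Set-MpPreference -MAPSReporting Advanced'
}
if (-not ($readiness.ClientVersionOk -and $readiness.EngineVersionOk)) {
    Write-Warning 'Antimalware client or engine is below the minimum version; update the platform and signatures first.'
}
if ($readiness.Ready) {
    Write-Output "Host meets the endpoint-side prerequisites. Current AV running mode: $($readiness.RunningMode)"
}
```

Run it on a device where the third-party AV is primary and you should see RunningMode report a passive state before you flip the portal toggle; after EDR in block mode is enabled and the device has checked in, the same field is where the change becomes visible on the endpoint, which complements the Threat & Vulnerability Management view mentioned above.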