Stop hurting yourself: Adding antivirus suppressions? Are you blinding your SOC and Incident Response teams to attacks?

Disclaimer: The views expressed in my posts on this site are mine & mine alone & don’t necessarily reflect the views of Microsoft. All posts are provided “AS IS” with no warranties & confer no rights. If I post any code, scripts or demos, they are provided for the purpose of illustration & are not intended to be used in a production environment. They are provided ‘as is’ without warranty of any kind, expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. I grant you a nonexclusive, royalty-free right to use & modify my sample code & to reproduce & distribute the object code form of the sample code, provided that you agree: (i) to not use my name, my company’s name, logo, or trademarks to market your software product in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; and (iii) to indemnify, hold harmless, and defend me, Microsoft & our suppliers from & against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the sample code.

Published: Jan 14, 2022

Applies to:

Microsoft Defender Antivirus (MDAV, formerly known as Windows Defender Antivirus (WDAV)) (AV, EPP) for these OSes:

  • Windows Server 2022
  • Windows Server 2019
  • Windows 11
  • Windows 10, version 1909 (19H2, build 18363)
  • Windows 10, version 1903 (19H1, build 18362)
  • Windows 10, version 1809 (Redstone 5, RS5, build 17763)
  • Windows 10, version 1803 (Redstone 4, RS4, build 17134)
  • Windows 10, version 1709 (Redstone 3, RS3, Fall Creators update, build 16299)
  • Windows 10, version 1703 (Redstone 2, RS2, Creators update, build 15063)
  • Windows 10, version 1607 (Redstone 1, RS1, Anniversary update, build 14393)
  • Windows Server 2016
  • Windows 10, 2016 LTSB
  • Windows 10, 2015 LTSB
  • macOS
  • Linux

System Center Endpoint Protection (SCEP) (AV, EPP) for these OSes:

  • Windows Server 2012 R2
  • Windows 8.1
  • Windows Server 2012
  • Windows 8
  • Windows Server 2008 R2 SP1
  • Windows 7 SP1
  • Windows Server 2008 SP2
  • Windows Vista

Hi all,

In this post, I’ll discuss why you should revisit your antivirus suppressions.

Because, left in place, they blind you to attacks.

I was searching online (*) to see if there was any guidance on how long you should keep your antivirus suppressions.

(*) With Bing; the other search engines didn’t show anything either.

A ‘suppression’ here is a rule that hides or auto-resolves an alert in your AV, EDR or SIEM; it is not an exclusion, which stops a file or path from being scanned at all (see the exclusions posts linked below). In 99.9999% of the cases, I noticed that when a suppression is put in (be it in your AV, EDR or SIEM), it stays there forever. Which means that even after the false positive (FP) detection gets fixed, the suppression stays in place, and the detections it was written to hide (now genuine ones) never reach your SOC and Incident Response folks.

What should you do?

Step 1. Get the FP fixed. Submit the sample through the process described in “Address false positives/negatives in Microsoft Defender for Endpoint” (Microsoft Docs) so the detection itself is corrected, rather than leaving the suppression as the permanent fix.

Step 2. If you are migrating from a 3rd-party AV vendor to MDAV, review the suppressions in your SIEM. Rules written around the old vendor’s detection names no longer apply, and broader ones may now hide MDAV detections they were never meant to cover.

Step 3. If you have suppressions that are over a week old, review them and check whether they are still applicable. If the FP from Step 1 has been fixed, remove the suppression.
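The three steps above turn into a recurring review of whatever suppression inventory you can export from your AV, EDR or SIEM. The script below is an added example and is not code from the original post or from Microsoft; it assumes a CSV export with the columns rule_id, source, suppresses, created, fp_status and reason (an assumed layout, not a vendor format) and flags each rule whose FP has already been fixed (Step 1), that was written for a previous AV vendor (Step 2), or that is older than the one-week review window (Step 3). The sample rows are constructed for illustration.

```python
"""Triage an exported list of alert suppressions and flag the ones that
need review or removal, following the three steps above.

This is an added example, not code from the original post or from Microsoft.
The export format (columns rule_id, source, suppresses, created, fp_status,
reason) is an assumption: dump your own AV/EDR/SIEM suppression rules into
this shape before running it.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed sample export; the rows are made up for illustration.
SAMPLE_INVENTORY = """\
rule_id,source,suppresses,created,fp_status,reason
SUP-001,MDAV,MDAV,2021-11-02,fixed,FP on internal deployment tool; Microsoft FP case closed
SUP-002,MDAV,MDAV,2022-01-10,open,FP on build agent script; case submitted
SUP-003,SIEM,Legacy-AV,2019-06-14,unknown,Suppress PUA alerts on finance share
SUP-004,SIEM,Legacy-AV,2021-03-09,unknown,Noise from vulnerability scanner
SUP-005,MDAV,MDAV,2022-01-12,open,Pending Microsoft review
"""

CURRENT_AV = "MDAV"   # assumed: the AV you have migrated to (Step 2)
MAX_AGE_DAYS = 7      # the post's rule of thumb for review (Step 3)


@dataclass
class Suppression:
    rule_id: str
    source: str       # where the rule lives: AV console, EDR or SIEM
    suppresses: str   # which product's detections it hides
    created: date
    fp_status: str    # state of the FP case: open / fixed / unknown
    reason: str


def parse_inventory(text: str) -> List[Suppression]:
    """Parse the CSV export into Suppression records."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append(Suppression(
            rule_id=row["rule_id"].strip(),
            source=row["source"].strip(),
            suppresses=row["suppresses"].strip(),
            created=date.fromisoformat(row["created"].strip()),
            fp_status=row["fp_status"].strip().lower(),
            reason=row["reason"].strip(),
        ))
    return rules


def review(rules: List[Suppression], today: date,
           current_av: str = CURRENT_AV,
           max_age_days: int = MAX_AGE_DAYS) -> Dict[str, List[str]]:
    """Return {rule_id: [findings]} for every suppression that needs attention.

    A rule with no findings is a recent suppression for the current AV whose
    FP case is still open: the only kind that should exist without review.
    """
    findings: Dict[str, List[str]] = {}
    for s in rules:
        why = []
        # Step 1: once the FP is fixed in the definitions, the suppression no
        # longer hides the FP; it only hides genuine detections. Remove it.
        if s.fp_status == "fixed":
            why.append("FP fixed upstream; rule now hides only real detections, remove it")
        # Step 2: rules written for a previous vendor either never match MDAV
        # alerts or match more broadly than intended. Re-evaluate them.
        if s.suppresses != current_av:
            why.append(f"written for {s.suppresses}, not {current_av}; re-evaluate after migration")
        # Step 3: anything older than the review window gets a second look.
        age_days = (today - s.created).days
        if age_days > max_age_days:
            why.append(f"{age_days} days old (> {max_age_days}); confirm still applicable")
        if why:
            findings[s.rule_id] = why
    return findings


def review_inventory(text: str, today_iso: str) -> Dict[str, List[str]]:
    """Convenience wrapper: parse the export and review it as of today_iso."""
    return review(parse_inventory(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Review the constructed sample as of the post's publication date.
    for rule_id, why in review_inventory(SAMPLE_INVENTORY, "2022-01-14").items():
        print(rule_id)
        for w in why:
            print("  -", w)
```

Run against the sample as of 14 Jan 2022, SUP-002 and SUP-005 (recent, for MDAV, FP case still open) come back clean; SUP-001 is flagged because its FP is already fixed, and SUP-003 and SUP-004 because they were written for the legacy vendor and are well past the review window. Schedule the run weekly, and treat every finding as a ticket to either delete the rule or re-justify it with a new expiry.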

Thanks,

Yong

Twitter: @YongRheeMSFT

P.S. Other blog posts in the “Stop hurting yourself by” series.

Stop hurting yourself: Disabling built-in Windows services and features
https://yongrhee.wordpress.com/2020/04/07/stop-hurting-yourself-disabling-built-in-windows-services-and-features/

Stop hurting yourself: Adding antivirus exclusions? Are you opening too many holes in your defense? [Part 1 of 2]
https://yongrhee.wordpress.com/2020/05/30/stop-hurting-yourself-adding-antivirus-exclusions-are-you-opening-too-many-holes-in-your-defense-part-1-of-2/

Stop hurting yourself: Adding antivirus exclusions? Are you opening too many holes in your defense? Using the correct system env variables[Part 2 of 2]
https://yongrhee.wordpress.com/2020/06/07/stop-hurting-yourself-adding-antivirus-exclusions-are-you-opening-too-many-holes-in-your-defense-using-the-correct-system-env-variablespart-2-of-2/

Stop hurting yourself: Find the domain users with Local Admin rights with MTP’s or MDATP’s Advanced Hunting, and Enterprises lower your security exposure. [Part 1 of 2]
https://yongrhee.wordpress.com/2020/03/21/stop-hurting-yourself-find-the-domain-users-with-local-admin-rights-with-mtps-or-mdatps-advanced-hunting-and-enterprises-lower-your-security-exposure-part-1-of-2/

Stop hurting yourself: Find the domain users with Local Admin rights with MTP’s or MDATP’s Advanced Hunting, and Enterprises lower your security exposure. [Part 2 of 2]
https://yongrhee.wordpress.com/2020/03/21/stop-hurting-yourself-find-the-domain-users-with-local-admin-rights-with-mtps-or-mdatps-advanced-hunting-and-enterprises-lower-your-security-exposure-part-2-of-2/

Stop hurting yourself by: Not updating the drivers and firmware in Windows and Windows Server.
https://docs.microsoft.com/en-us/archive/blogs/yongrhee/stop-hurting-yourself-by-not-updating-the-drivers-and-firmwares-in-windows-and-windows-server

Stop hurting yourself by: Not applying the non-security updates for Windows and Windows Server.
https://docs.microsoft.com/en-us/archive/blogs/yongrhee/stop-hurting-yourself-by-not-applying-the-non-security-updates-for-windows-and-windows-server

Stop hurting yourself by: Disabling IPv6, why do you really do it?
https://docs.microsoft.com/en-us/archive/blogs/yongrhee/stop-hurting-yourself-by-disabling-ipv6-why-do-you-really-do-it-2

Stop hurting yourself by: Setting the Account lockout to 3
https://docs.microsoft.com/en-us/archive/blogs/yongrhee/stop-hurting-yourself-by-setting-the-account-lockout-to-3

WMI: Stop hurting yourself by using “for /f %%s in (‘dir /s /b *.mof *.mfl’) do mofcomp %%s”
https://docs.microsoft.com/en-us/archive/blogs/yongrhee/wmi-stop-hurting-yourself-by-using-for-f-s-in-dir-s-b-mof-mfl-do-mofcomp-s

Published by yongrhee

A Cybersecurity & Information Technology (IT) geek.
