
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.

These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as autostart extensibility points, or ASEPs), and other changes to the file system or file structure.

Enable and configure always-on protection in Group Policy

You can use Local Group Policy Editor to enable and configure Microsoft Defender Antivirus always-on protection settings.

To enable and configure always-on protection:

  1. Open Local Group Policy Editor, as follows:
    1. In your Windows 10 or Windows 11 taskbar search box, type gpedit.
    2. Under Best match, select Edit group policy to launch Local Group Policy Editor.

      GPEdit taskbar search result.

  2. In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
  3. Configure the Microsoft Defender Antivirus antimalware service policy setting.

    In the Microsoft Defender Antivirus details pane on the right, double-click Allow antimalware service to start up with normal priority, and set it to Enabled.

    Then select OK.

  4. Configure the Microsoft Defender Antivirus real-time protection policy settings, as follows:
    1. In the Microsoft Defender Antivirus details pane, double-click Real-time Protection. Or, in the Microsoft Defender Antivirus tree in the left pane, select Real-time Protection.
    2. In the Real-time Protection details pane on the right, double-click the policy setting as specified in Real-time protection policy settings (later in this article).
    3. Configure the setting as appropriate, and select OK.
    4. Repeat the previous steps for each setting in the table.
  5. Configure the Microsoft Defender Antivirus scanning policy setting, as follows:
    1. In the Microsoft Defender Antivirus tree in the left pane, select Scan.
    2. In the Scan details pane on the right, double-click Turn on heuristics, and set it to Enabled.
    3. Select OK.
  6. Close Local Group Policy Editor.
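Once the policies above are set, a practitioner wants two things checked: that the policy values actually landed in the registry, and that the Defender engine reports the matching features as on (a policy can be written but still not be in effect after a stale refresh, or be overridden). The script below is an added example for this article, not Microsoft's code. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus active, and that the registry value names listed are the ones the Microsoft Defender Antivirus ADMX writes under the Policies hive; if a row reports "Not configured" for a policy you know you set, verify the value name against the ADMX in your environment.

```powershell
# Added example (not from the original article or from Microsoft): audit the
# always-on protection settings configured in the steps above.
# Assumptions: elevated session; Defender cmdlets available; registry value names
# match the Microsoft Defender Antivirus ADMX in your environment.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# One row per policy setting in this article: where the ADMX writes it and the DWORD
# a correctly configured policy produces. "Disable..." values are 0 when the matching
# "Turn on ..." policy is Enabled; AllowFastServiceStartup is 1 when Enabled.
$PolicyChecks = @(
    @{ Setting = 'Allow antimalware service to start up with normal priority'
       Key = $PolicyRoot;                        Value = 'AllowFastServiceStartup';    Expected = 1 }
    @{ Setting = 'Turn off real-time protection (must NOT be Enabled)'
       Key = "$PolicyRoot\Real-Time Protection"; Value = 'DisableRealtimeMonitoring';  Expected = 0 }
    @{ Setting = 'Turn on behavior monitoring'
       Key = "$PolicyRoot\Real-Time Protection"; Value = 'DisableBehaviorMonitoring';  Expected = 0 }
    @{ Setting = 'Scan all downloaded files and attachments'
       Key = "$PolicyRoot\Real-Time Protection"; Value = 'DisableIOAVProtection';      Expected = 0 }
    @{ Setting = 'Monitor file and program activity on your computer'
       Key = "$PolicyRoot\Real-Time Protection"; Value = 'DisableOnAccessProtection';  Expected = 0 }
    @{ Setting = 'Turn on raw volume write notifications'
       Key = "$PolicyRoot\Real-Time Protection"; Value = 'DisableRawWriteNotification'; Expected = 0 }
    @{ Setting = 'Turn on process scanning whenever real-time protection is enabled'
       Key = "$PolicyRoot\Real-Time Protection"; Value = 'DisableScanOnRealtimeEnable'; Expected = 0 }
    @{ Setting = 'Configure monitoring for incoming and outgoing file and program activity'
       Key = "$PolicyRoot\Real-Time Protection"; Value = 'RealtimeScanDirection';      Expected = 0 }  # 0 = both
    @{ Setting = 'Turn on heuristics'
       Key = "$PolicyRoot\Scan";                 Value = 'DisableHeuristics';          Expected = 0 }
)

function Get-DefenderPolicyAudit {
    # Compare each policy-backed registry value with the value the article's procedure sets.
    foreach ($c in $PolicyChecks) {
        $actual = $null
        if (Test-Path $c.Key) {
            $actual = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        $result = if ($null -eq $actual)        { 'Not configured (Defender default applies)' }
                  elseif ($actual -eq $c.Expected) { 'OK' }
                  else                             { "DRIFT: policy value is $actual, expected $($c.Expected)" }
        [pscustomobject]@{ Setting = $c.Setting; Value = $c.Value; Policy = $actual; Result = $result }
    }
}

function Get-AlwaysOnProtectionState {
    # What the engine reports as actually in effect, independent of where it was set.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        DownloadScanning   = $status.IoavProtectionEnabled
        OnAccessProtection = $status.OnAccessProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        ScanDirection      = $pref.RealTimeScanDirection   # 0 = both, 1 = incoming, 2 = outgoing
    }
}

Get-DefenderPolicyAudit | Format-Table Setting, Policy, Result -AutoSize
$state = Get-AlwaysOnProtectionState
$state | Format-List

# Flag any boolean feature that is off. Restrict to [bool] so ScanDirection = 0 is not
# mistaken for $false (PowerShell compares 0 -eq $false as true).
$off = $state.PSObject.Properties |
       Where-Object { $_.Value -is [bool] -and -not $_.Value -and $_.Name -ne 'TamperProtected' }
if ($off) { Write-Warning ("Always-on protection is not fully active: " + ($off.Name -join ', ')) }
```

The registry audit tells you what Group Policy wrote; Get-AlwaysOnProtectionState tells you what the engine is doing. Disagreement between the two usually means the policy has not been refreshed yet (run gpupdate /force and re-check) or a local override policy from the table below is letting a local preference win. IsTamperProtected is reported only as context; the script does not try to infer which changes tamper protection would block.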

Real-time protection policy settings

Setting / Description / Default setting

Turn on behavior monitoring
The antivirus engine monitors file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity.
Default: Enabled

Scan all downloaded files and attachments
Downloaded files and attachments are automatically scanned. This scan operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading.
Default: Enabled

Monitor file and program activity on your computer
The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run).
Default: Enabled

Turn on raw volume write notifications
Information about raw volume writes is analyzed by behavior monitoring.
Default: Enabled

Turn on process scanning whenever real-time protection is enabled
You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled.
Default: Enabled

Define the maximum size of downloaded files and attachments to be scanned
You can define the size in kilobytes.
Default: Enabled

Configure local setting override for turn on behavior monitoring
Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting takes priority over Group Policy. If you disable or do not configure this setting, Group Policy takes priority over the local preference setting.
Default: Enabled

Configure local setting override for scanning all downloaded files and attachments
Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting takes priority over Group Policy. If you disable or do not configure this setting, Group Policy takes priority over the local preference setting.
Default: Enabled

Configure local setting override for monitoring file and program activity on your computer
Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting takes priority over Group Policy. If you disable or do not configure this setting, Group Policy takes priority over the local preference setting.
Default: Enabled

Configure local setting override to turn on real-time protection
Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting takes priority over Group Policy. If you disable or do not configure this setting, Group Policy takes priority over the local preference setting.
Default: Enabled

Configure local setting override for monitoring for incoming and outgoing file activity
Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting takes priority over Group Policy. If you disable or do not configure this setting, Group Policy takes priority over the local preference setting.
Default: Enabled

Configure monitoring for incoming and outgoing file and program activity
Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This setting is relevant for Windows Server installations where you have defined specific servers or server roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.
Default: Enabled (both directions)

Disable real-time protection in Group Policy

 Warning

Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.

The main real-time protection capability is enabled by default, but you can disable it by using Local Group Policy Editor.

To disable real-time protection in Group Policy:

  1. Open Local Group Policy Editor.
    1. In your Windows 10 or Windows 11 taskbar search box, type gpedit.
    2. Under Best match, select Edit group policy to launch Local Group Policy Editor.
  2. In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Real-time Protection.
  3. In the Real-time Protection details pane on the right, double-click Turn off real-time protection.
  4. In the Turn off real-time protection setting window, set the option to Enabled.
  5. Select OK.
  6. Close Local Group Policy Editor.
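Because turning off real-time protection is exactly what malware and intruders try to do, the same procedure should be detectable from the other side: a defender wants to know whether real-time protection is off on a host, whether it was turned off by policy (this procedure) or by a local preference change, and when it happened. The script below is an added example for this article, not Microsoft's code. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus, that the policy value for "Turn off real-time protection" is DisableRealtimeMonitoring under the Real-Time Protection policy key, and that Defender writes events 5001 (real-time protection is disabled), 5004 (real-time protection configuration changed) and 5007 (configuration changed, with an old/new value pair in the message) to its Operational log.

```powershell
# Added example (not from the original article or from Microsoft): determine whether
# real-time protection is off on this host, where that came from, and when it changed.
# Assumptions: elevated session; Defender cmdlets available; event IDs and the policy
# value name below match the Defender build in your environment.

$PolicyRtp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

function Get-RealTimeProtectionSource {
    # Separate "off by Group Policy" (the procedure above) from "off by local preference".
    $enabled = (Get-MpComputerStatus).RealTimeProtectionEnabled
    $policy  = $null
    if (Test-Path $PolicyRtp) {
        $policy = (Get-ItemProperty -Path $PolicyRtp -Name 'DisableRealtimeMonitoring' `
                                    -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
    }
    $local = (Get-MpPreference).DisableRealtimeMonitoring
    [pscustomobject]@{
        RealTimeProtectionEnabled  = $enabled
        TurnedOffByPolicy          = ($policy -eq 1)      # "Turn off real-time protection" = Enabled
        TurnedOffByLocalPreference = ($local -eq $true)   # e.g. Set-MpPreference -DisableRealtimeMonitoring $true
        PolicyValuePresent         = ($null -ne $policy)
    }
}

function Get-DefenderProtectionChangeEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    try   { $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop }
    catch { return @() }
    foreach ($e in $events) {
        $msg   = if ($e.Message) { $e.Message } else { '' }
        $lines = $msg -split "`r?`n"
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Summary = $lines[0].Trim()
            # For 5007 the changed key and its old/new values sit on their own lines.
            Detail  = (($lines | Where-Object { $_ -match 'value' }) -join ' | ')
        }
    }
}

Get-RealTimeProtectionSource | Format-List

$changes = @(Get-DefenderProtectionChangeEvents -Hours 72)
if ($changes.Count -eq 0) {
    'No real-time protection changes logged in the last 72 hours.'
} else {
    $changes | Sort-Object Time -Descending | Format-Table Time, Id, Summary, Detail -Wrap
}
```

Run it on a host right after applying the procedure above and you should see RealTimeProtectionEnabled False with TurnedOffByPolicy True, plus a recent 5001 or 5007 event naming DisableRealtimeMonitoring. Seeing the same combination on a host where nobody applied the procedure is the signal to investigate; forwarding these three event IDs to your SIEM gives the same detection at fleet scale.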

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team