Categories
2016 2019 antivirus Defender Exchange Server

Unable To Update Defender Preferences

I was trying to add Microsoft Defender exceptions via PowerShell to a clients server (Windows Server 2016 if that matters) the other day and it was always failing – the error was:

PS> Add-MpPreference -ExclusionExtension .config
Add-MpPreference : Failed to modify preferences.
At line:1 char:1
+ Add-MpPreference -ExclusionExtension .config
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference],
   CimException
    + FullyQualifiedErrorId : HRESULT 0x8007007e,Add-MpPreference

This was returning “Failed to modify preferences” on the Add-MpPreference cmdlet and the error code 0x80070073

To fix I needed to uninstall Windows Defender and reboot and then reinstall it.

This was the following cmdlets, with the reboot indicated between them:

Uninstall-WindowsFeature -Name Windows-Defender
#Reboot here
Install-WindowsFeature -Name Windows-Defender
Install-WindowsFeature -Name Windows-Defender-GUI
#Reboot here (again)

Once this was done I was able to add Defender exceptions. The addition of exceptions also failed when done via the Defender Settings application as well (it asks you to authenticate and fails). This also worked after the uninstall/reinstall:

Categories
android Apple ATP Defender email EOP exchange exchange online Exchange Online Protection EXO iOS iPhone Office 365 Advanced Threat Protection phish phishing spam

Exchange Online Warning On Receipt Of New Email Sender

Released recently to no fanfare at all, Microsoft now has a SafetyTip that appears if you receive email from a first time recipient.

Most often phish emails will come from an address you have never received email from before, and sometimes this email will try to impersonate people you communicate with or are internal to your organization. Warning for attempted spoofed domains or users is part of Microsoft Defender for Office 365 (previously known as Advanced Threat Protection for Office 365) and the functionality to warn based on similar sender is also part of this product if you enable the “mailbox intelligence” option. But the option to warning for a new sender is available for all Exchange Online users without ATP licences.

The user sees the SafetyTip above the email body as shown below once this new feature is enabled:

New Sender Safety Tip

To turn on this option you enable a custom message header in a transport rule and then within 30 minutes or so, every new sender under the scope of the rule is warned when they receive email from a new sender. This also includes senders that have not send a lot of message to you, as I see that this Safety Tip appear on subsequent messages from the same sender. Not sure yet when this stops appearing for slightly less new senders!

To enable this feature create the following transport rule, restricting the scope of the rule to some users only to start with and then when happy with the functionality changing the rule to apply to all users.

First Contact Safety Tip Transport Rule

Open Exchange Online Control Panel (at the time of writing this is in the old UX for this, so these screenshots represent the classic view – this will change at some point in the future) and select Mail Flow > Rules

Click the + icon > Modify Messages and fill in the name “Enable First Contact Safety Tip”

Select under Apply this rule if… The sender is located > Outside the organization

Select under Do the following… Set the message header to this value and click the first option for Enter text and copy and paste the following string X-MS-Exchange-EnableFirstContactSafetyTip

Click the second option for Enter text and enter any value you like. I have had reports that only “enable” works but that is not my experience and I had this working with the value AnythingYouLike!

I turn off the audit option and then save the rule as shown:

New Transport Rule for First Contact Safety Tip

To set the rule for a pilot program, click More options and then the newly displayed add condition button and then select that the rule should only apply if the recipient is and select a few names from your global address list.

Pilot Program for First Contact Safety Tip

Within 30 minutes and then the next new sender and Outlook, Outlook Web Access and Outlook Mobile will display the new safety tip

Categories
Azure Defender malware

Installing and Updating Microsoft AntiMalware in Azure

The Microsoft AntiMalware agent is a virtual machine extension in Azure that adds support for build in antimalware management within your virtual machines hosted in Azure. The agent can be added easily when you are creating a new VM, which we will show first below using the resource manager model, but also can be added after the virtual machine creation and updated with changes as you need. We will show how to do that in the section part of this article.

Adding AV protection to new VM

The addition of malware protection to your new virtual machine happens during the VM creation process. To add it create a new VM in the Azure portal and from the Settings blade choose Extensions
Click Add Extension:

image
Click Add extension and then choose Microsoft Antimalware

image
From the Install Extension blade enter your exclusions, scan times etc. as required:

image

To enable antimalware with the default configuration, click Create on the Add Extension blade without inputting any configuration setting values. To enable antimalware with a custom configuration, input the supported values for the configuration settings provided on the Install Extension blade and click OK. Monitoring the antimalware is done via Windows Event Logs and is enabled automatically to your selected storage account.

Before you click OK, click Automation Options and grab the scripts needed to modify this extension later.  Copy the Template text into Wordpad (not Notepad) and then copy paste again into Notepad if you want to just quickly edit it. Or use an editor of your choice, but make sure the line breaks etc. remain the same as directly pasting into Notepad breaks the line breaks!

Click the PowerShell tab (shown) and copy the code from here. This code is used to upload the template that you just downloaded with changes to allow you to adjust the settings on the Microsoft Antimalware settings on your virtual machine later. See more on that below.

image

Once you have downloaded or copied the code close the Template blade and click OK on the Install extension blade.

Click OK on the Extensions blade. Click OK to create your virtual machine.

Adding Microsoft Antimalware To existing virtual machines

To customise the Microsoft Antimalware extension on an existing virtual machine or to install it on a virtual machine where it does not exist becuase it was not added when the server was initially provisioned. Both of these scenarios, updating settings and adding new are covered in this section.

Both of these scenarios require scripting and cannot be configured in the portal, unlike the install during virtual machine provisioning.

Adding Microsoft Antimalware to an existing virtual machine

The first thing that you need to do to add Microsoft Antimalware is the template. If you ran through the above steps you would have downloaded the template as an additional step in the creation process. If you did not grab a copy of the template then it looks similar to this. The template provided by Microsoft takes input from the PowerShell that you also downloaded. In its simplist form it can be reduced to the following:

{
"AntimalwareEnabled": true,
"RealtimeProtectionEnabled": "true",
"ScheduledScanSettings": {
"isEnabled": "false",
"day": "7",
"time": "120",
"scanType": "Quick"
},

"Exclusions": {
"Extensions": "",
"Paths": "",
"Processes": ""
}
}

To customise this template just each of the values and save the file to the filesystem. If you use the above template without change then you get the default settings for the extension, so the “blank” template is actually functional. In the template Paths is a semicolon delimited list of file paths or locations to exclude from scanning, where each path is escaped, so for example c:\\temp\\blog would be the value if you wanted to exclude c:\temp\blog and all subdirectories from being scanned. Extensions is again a semicolon separated list starting with the dot, so “.ci;.edb;.log;” would be a valid string. Processes is again semicolon separated list of processes. RealtimeProtectionEnabled and isEnabled are true or false and day is 1=Sunday and 7=Saturday etc. Time is the number of hours past midnight, so 180 is 3am

We will take the default template and use it to add the extension to an existing virtual machine that does not have the extension.

To add the extension to an existing virtual machine we need to login to Azure using PowerShell. This starts with Login-AzureRmAccount cmdlet. Once you are logged in, if you have more than one subscription, use Select-AzureRmSubscription to select the subscription that contains your virtual machine.

To check if Microsoft Antimalware is already enabled on a virtual machine run the following PowerShell:

$resourceGroupName = "<name of resource group>"
$vmname = "<name of vm>"
Get-AzureRmVMExtension -ResourceGroupName $resourceGroupName –VMName $VMName -Name "IaaSAntimalware"

If some JSON is returned, then the Microsoft Antimalware extension (IaaSAntimalware) is enabled on this virtual machine. Note that PublicSettings “AntimalwareEnabled:” shows if the extension is actually running on the virtual machines, and not just that the extension exists on the virtual machine. If an error is returned then the extension is not enabled on the virtual machine.

To add the extension to an existing virtual machine you either need the full template JSON file above, if you want lots of customization, or if you want to do it simply then you can use a very small bit of JSON:

‘{ "AntimalwareEnabled": true,"RealtimeProtectionEnabled": true}’;

The above JSON enables the AV software and turns on real time protection. If you want more control, use the full JSON file above, with your customizations, saved to the filesystem.

The code to use the above JSON or the JSON file is:

# Use this "-SettingString $SettingsString" value for simple setup
$SettingsString = ‘{ "AntimalwareEnabled": true,"RealtimeProtectionEnabled": true}’;
# Use this "-SettingString $MSAVConfigfile" to configure from JSON file
$MSAVConfigfile = Get-Content "C:\Scripts\IaaSAntimalware.json" -Raw

The code to add the extension is as follows. To run the below you need to set the $location variable to the same location string as the virtual machine. To get this you can run:

$location = (Get-AzureRmVM -VMName $VMName -resourceGroupName $resourceGroupName).location

You also need the available version numbers for the extension, and to use the latest version of the extension. To work this out you need the following script snippet:

$allVersions= (Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$typeHandlerVer = $allVersions[($allVersions.count)–1]
$typeHandlerVerMjandMn = $typeHandlerVer.split(".")
$typeHandlerVerMjandMn = $typeHandlerVerMjandMn[0] + "." + $typeHandlerVerMjandMn[1]

So to actually set the extension on the virtual machine, run the following:

Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $VMName -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $SettingsString -Location $location

Customizing Microsoft Antimalware deployments in Azure

Once the extension is enabled you can customize the settings by uploading a config file or settings string with adjusted settings. For example is I took a copy of my above config file and changed time so the value was now 180 (instead of 120 as shown) and I set an Extensions and Paths value in the file, then I would update my virtual machine using the following:

$MSAVConfigfile = Get-Content "C:\temp\blog\Antimalware Azure\antimalware-edit.json" -Raw
Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $VMName -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $MSAVConfigfile -Location $location

The other values have not changed from the above, so you still need to work out $typeHandlerVerMjandMn, $location etc.

Once you have applied the settings then you can use Get-AzureRmVMExtension -ResourceGroupName $resourceGroupName –VMName $VMName -Name “IaaSAntimalware” to check the settings have applied – it usually takes a minute or two for the correct data to be returned to show the change in place.