WNDF-AV-000032 - Windows Defender AV must be configured to block executable content from email client and webmail.

Information

This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
Executable files (such as .exe, .dll, or .scr)
Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
Script archive files

Solution

Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> 'Configure Attack Surface Reduction rules' to 'Enabled'. Click 'Show...'. Set the Value name to 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' and the Value to '1'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Defender_Antivirus_V1R9_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, CAT|II, CCI|CCI-001170, Rule-ID|SV-92661r1_rule, STIG-ID|WNDF-AV-000032, Vuln-ID|V-77965

Plugin: Windows

Control ID: 1dd067a0932352b0b03d45e80c366dc26556dcf28bdf2376b877015ebd53e4ab