• Your organization uses Microsoft Defender Antivirus in Active Mode and Cloud-based protection is enabled.
  • The Anti-malware client version must be 4.18.1901.x or later.
  • Devices are on Windows 10, version 1703 or later, or Windows Server 2016 and 2019.

Quick Links

  1. Allow Appropriate Permissions in Your EDR Console
  2. Update API Permissions
  3. Update Your Context
  4. Return to the Main Setup Guide

Step 1: Allow Appropriate Permissions in Your EDR Console

  1. Make sure you assign all API permissions in the Microsoft Defender for Endpoint Setup for Workbench guide.
  2. Select Settings > Endpoints > Advanced features.
  3. Turn on Allow or block file.
  4. Select Save preferences.

Step 2: Update API Permissions

Option 1: Enable the Defender for Enterprise Application

  • Select Grant admin consent in the Expel Defender for Endpoint Integration > API permissions tab and consent to the new API permissions.

Option 2: Create a Custom Microsoft Entra ID Application

  1. Follow the previous API permissions steps.
  2. Add the following WindowsDefenderATP permissions:
    • Ti.ReadWrite
    • Ti.ReadWrite.All
  3. Grant admin consent.

Step 3: Update Your Context

If you do not want to specify any hashes for a "do not block" list, skip to Step 4.

Working with your engagement manager, add any hashes that should be on the "do not block" list as context for your environment. You will then be able to select those hashes as "Never block" assets when you enable the auto remediation in Workbench. 

Note

If our SOC identifies a hash that must be blocked and that hash is one of your "Never block" assets, the block is assigned to you as an action rather than being applied automatically.
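To make the Step 2 and Step 3 settings concrete, here is an added example (not Expel's or Microsoft's code) that models the decision described in the Note: a hash on the "Never block" list becomes an assigned action, anything else becomes a Block indicator body for the Defender for Endpoint Indicators API, which is the call the Ti.ReadWrite permission authorizes. The hashes and the never-block list are constructed placeholders.

```python
"""Decide how a SOC-identified hash is handled under Block Bad Hashes,
honouring the "Never block" context from Step 3. Hash values here are
constructed placeholders, not real indicators."""
import re
from typing import Optional

# Hex length -> file indicator type accepted by the MDE Indicators API.
HASH_TYPES = {64: "FileSha256", 40: "FileSha1", 32: "FileMd5"}

# Constructed "do not block" context, as agreed with the engagement manager.
NEVER_BLOCK = {
    "a" * 64,   # placeholder SHA-256 of an internal admin tool
    "b" * 40,   # placeholder SHA-1 of a legacy installer
}


def indicator_type(file_hash: str) -> Optional[str]:
    """Return the indicatorType for a hex MD5/SHA-1/SHA-256, else None."""
    if not re.fullmatch(r"[0-9a-fA-F]+", file_hash):
        return None
    return HASH_TYPES.get(len(file_hash))


def plan_remediation(file_hash: str, title: str) -> dict:
    """Return an Indicators API request body (action Block), or an
    assigned action when the hash is on the Never block list."""
    h = file_hash.lower()
    itype = indicator_type(h)
    if itype is None:
        raise ValueError(f"not a valid MD5/SHA-1/SHA-256 hex hash: {file_hash}")
    if h in NEVER_BLOCK:
        # Per the Note: assigned to the customer, not blocked automatically.
        return {"decision": "assign_action", "hash": h, "reason": "never_block"}
    return {
        "decision": "block",
        # Body for POST https://api.securitycenter.microsoft.com/api/indicators,
        # which needs the Ti.ReadWrite permission granted in Step 2.
        "indicator": {
            "indicatorValue": h,
            "indicatorType": itype,
            "action": "Block",
            "title": title,
            "description": "Blocked by Block Bad Hashes auto remediation",
        },
    }
```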

Step 4: Return to the Main Setup Guide

Your Microsoft Defender for Endpoint device is now ready for the Block Bad Hashes auto remediation. You should now do one of the following:

  • If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
  • If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.