Windows Defender Antivirus policy

Windows Defender Antivirus policy is a security policy that enables management of Windows Defender Antivirus settings to protect your workload.

For more information on the Windows Defender Antivirus functionality, refer to https://www.acronis.com/en-us/support/documentation/CyberProtectionService/index.html#44150

The following example can be used when creating a protection plan with this protection policy:

Policy example

{
    # Put a unique ID of the policy here.
    'id': '',
    # Windows Defender policy type is 'policy.security.windows_defender'
    'type': 'policy.security.windows_defender',
    'parent_ids': [
        # Put the ID of total protection policy here.
    ],
    'origin': 'upstream',
    'enabled': True,
    'settings_schema': '2.0',
    'settings': {
        # Set to true to check for the latest virus and spyware definitions before running a scheduled scan.
        'check_for_signatures_before_running_scan': True,
        # Set to true to disable scanning of archive files.
        'disable_archive_scanning': False,
        # Set to true to enable automatic exclusions provided by the Windows Defender.
        # For the list of automatic exclusions, refer to https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#list-of-automatic-exclusions
        'disable_auto_exclusions': False,
        # Set to true to disable behavior monitoring.
        'disable_behavior_monitoring': False,
        # Set to true to disable full scan catch-up.
        'disable_catchup_full_scan': True,
        # Set to true to disable quick scan catch-up.
        'disable_catchup_quick_scan': True,
        # Set to true to disable email scanning.
        'disable_email_scanning': False,
        # Set to true to scan all downloaded files and attachments.
        'disable_io_antivirus_protection': False,
        # Set to true to disallow all users to view full history results.
        'disable_privacy_mode': True,
        # Set to true to disable real-time protection.
        'disable_realtime_monitoring': False,
        # Set to true to disable scanning of removable drive.
        'disable_removable_drive_scanning': False,
        # Set to true to disable creation of a system restore point.
        'disable_restore_point': True,
        # Set to true to disable the full scan mode on mapped network drives.
        'disable_scanning_mapped_network_drives_for_full_scan': True,
        # Set to true to disable scanning network files.
        'disable_scanning_network_files': True,
        # Set to true to disable the scanning of scripts during scans.
        'disable_script_scanning': False,
        # A list of file extensions to exclude from a scan.
        'exclusion_extension': [],
        # A list of paths to exclude from a scan.
        'exclusion_path': [],
        # A list of processes to exclude from a scan.
        'exclusion_process': [],
        # An action to execute when high level alert is triggered.
        'high_threat_default_action': 'QUARANTINE',
        # An action to execute when low level alert is triggered.
        'low_threat_default_action': 'QUARANTINE',
        # An option to participate in Microsoft Active Protection Service.
        'maps_reporting': 'DISABLED',
        # An action to execute when medium level alert is triggered.
        'moderate_threat_default_action': 'QUARANTINE',
        # Remove quarantined files after provided number of days.
        'quarantine_purge_items_after_delay': 30,
        # Set to true to select a random time for the scheduled start and scheduled update for definitions.
        'randomize_schedule_task_times': True,
        # Specifies scanning configuration for incoming and outgoing files on NTFS volumes. '0' means scan both incoming and outgoing files.
        'real_time_scan_direction': 0,
        # A day of week when Windows Defender Antivirus will remediate the threats.
        'remediation_schedule_day': 'never',
        # A time in RFC3339 format when Windows Defender Antivirus will remediate the threats.
        'remediation_schedule_time': '02:00:00',
        # A number of minutes of minutes before a detection in the additional action state changes to the cleared state.
        'reporting_additional_action_time_out': 0,
        # A number of minutes before a detection in the critically failed state changes to either the additional action state or the cleared state.
        'reporting_critical_failure_time_out': 0,
        # A number of minutes before a detection in the non-critically failed state changes to the cleared state.
        'reporting_non_critical_time_out': 0,
        # An option to limit CPU usage during the scan.
        'scan_avg_cpuload_factor': 30,
        # Set to true if scheduled scan should be started only when machine is on but not in use.
        'scan_only_if_idle_enabled': True,
        # A scan mode option.
        'scan_parameters': 'FULL_SCAN',
        # A number of days to keep items in the scan history folder.
        'scan_purge_items_after_delay': 0,
        # A day of week when to run a scheduled scan.
        'scan_schedule_day': 'fri',
        # A time in RFC3339 format when to run a scheduled quick scan.
        'scan_schedule_quick_scan_time': '10:00:00',
        # A time in RFC3339 format when to run a scheduled scan.
        'scan_schedule_time': '12:00:00',
        # An action to execute when severe level alert is triggered.
        'severe_threat_default_action': 'QUARANTINE',
        # A number of minutes that specifies a grace period for the definition update.
        'signature_au_grace_period': 0,
        # Set to true to initiate definition updates if no antimalware engine is present. If set to false, and if not antimalware engine is present, Windows Defender initiates definition updates on startup.
        'signature_disable_update_on_startup_without_engine': False,
        # An option to manage the sources for virus and spyware definition updates. Values must be pipe-separated.
        'signature_fallback_order': 'MicrosoftUpdateServer|MMPC',
        # A day of week when to check virus and spyware definition updates.
        'signature_schedule_day': 'everyday',
        # A time in RFC3339 format when to check virus and spyware definition updates.
        'signature_schedule_time': '12:00:00',
        # A number of days after which Windows Defender requires a catch-up definition update.
        'signature_update_catchup_interval': 1,
        # An interval in hours at which to check for definition updates.
        'signature_update_interval': 3,
        # An option to send file samples when a further analysis is required.
        'submit_samples_consent': 'NEVER_SEND',
        # A list of actions to execute for the IDs specified in the 'threat_id_default_action_ids' field. Acceptable values: 1 - Clean, 2 - Quarantine, 3 - Remove, 6 - Allow, 8 - UserDefined, 9 - NoAction, 10 - Block.
        'threat_id_default_action_actions': [],
        # A list of threat IDs for which the default action will be modified in the 'threat_id_default_action_actions' field.
        'threat_id_default_action_ids': [],
        # Set to true to disable Window Defender Antivirus GUI.
        'ui_lockdown': False,
        # An action to execute when an unknown threat was found.
        'unknown_threat_default_action': 'ANY'
    }
}