Create indicators for files

Applies to:

Tip

Want to experience Defender for Endpoint? Sign up for a free trial.

Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.

There are three ways you can create indicators for files:

  • By creating an indicator through the settings page
  • By creating a contextual indicator using the add indicator button from the file details page
  • By creating an indicator through the Indicator API

Note

For this feature to work on Windows Server 2016 and Windows Server 2012 R2, those devices must be onboarded using the instructions in Onboard Windows servers. Custom file indicators with the Allow, Block and Remediate actions are now also available in the enhanced antimalware engine capabilities for macOS and Linux.

Before you begin

Understand the following prerequisites before you create indicators for files:

This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files. Coverage is extended over time.

Important

In Defender for Endpoint Plan 1 and Defender for Business, you can create an indicator to block or allow a file. In Defender for Business, your indicator is applied across your environment and cannot be scoped to specific devices.

Create an indicator for files from the settings page

  1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

  2. Select the File hashes tab.

  3. Select Add item.

  4. Specify the following details:

    • Indicator: Specify the entity details and define the expiration of the indicator.
    • Action: Specify the action to be taken and provide a description.
    • Scope: Define the scope of the device group (scoping isn't available in Defender for Business).

    Note

    Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2

  5. Review the details in the Summary tab, then select Save.

Create a contextual indicator from the file details page

One of the options when taking response actions on a file is adding an indicator for the file. When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.

Alerting on file blocking actions (preview)

Important

Information in this section (Public Preview for Automated investigation and remediation engine) relates to prerelease product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The current supported actions for file IOC are allow, audit and block, and remediate. After choosing to block a file, you can choose whether triggering an alert is needed. In this way, you'll be able to control the number of alerts getting to your security operations teams and make sure only required alerts are raised.

In Microsoft Defender XDR, go to Settings > Endpoints > Indicators > Add New File Hash.

Choose to Block and remediate the file.

Choose if to Generate an alert on the file block event and define the alerts settings:

  • The alert title
  • The alert severity
  • Category
  • Description
  • Recommended actions

The Alert settings for file indicators

Important

  • Typically, file blocks are enforced and removed within a couple of minutes, but can take upwards of 30 minutes.
  • If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
  • In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
  • If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling EnableFileHashComputation may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.

For more information about the EnableFileHashComputation group policy, see Defender CSP.

For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see Configure file hash computation feature on Linux and Configure file hash computation feature on macOS.

Advanced hunting capabilities (preview)

Important

Information in this section (Public Preview for Automated investigation and remediation engine) relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Currently in preview, you can query the response action activity in advance hunting. Below is a sample advance hunting query:

search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
Timestamp > ago(30d)
| where AdditionalFields contains "EUS:Win32/CustomEnterpriseBlock!cl"

For more information about advanced hunting, see Proactively hunt for threats with advanced hunting.

Below are other thread names that can be used in the sample query from above:

Files:

  • EUS:Win32/CustomEnterpriseBlock!cl
  • EUS:Win32/CustomEnterpriseNoAlertBlock!cl

Certificates:

  • EUS:Win32/CustomCertEnterpriseBlock!cl

The response action activity can also be viewable in the device timeline.

Policy conflict handling

Cert and File IoC policy handling conflicts follow this order:

  1. If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policies, then Block.
  2. Else, if the file is allowed by the Microsoft Defender Antivirus exclusions, then Allow.
  3. Else, if the file is blocked or warned by a block or warn file IoCs, then Block/Warn.
  4. Else, if the file is blocked by SmartScreen, then Block.
  5. Else, if the file is allowed by an allow file IoC policy, then Allow.
  6. Else, if the file is blocked by attack surface reduction rules, controlled folder access, or antivirus protection, then Block.
  7. Else, Allow (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it).

Note

In situations when Microsoft Defender Antivirus is set to Block, but Defender for Endpoint indicators for file hash or certificates are set to Allow, the policy defaults to Allow.

If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure (meaning longer) hash is applied. For example, an SHA-256 file hash IoC policy takes precedence over an MD5 file hash IoC policy if both hash types define the same file.

Warning

Policy conflict handling for files and certs differ from policy conflict handling for domains/URLs/IP addresses.

Microsoft Defender Vulnerability Management's block vulnerable application features uses the file IoCs for enforcement and follows the conflict handling order described earlier in this section.

Examples

Component Component enforcement File indicator Action Result
Attack surface reduction file path exclusion Allow Block Block
Attack surface reduction rule Block Allow Allow
Windows Defender Application Control Allow Block Allow
Windows Defender Application Control Block Allow Block
Microsoft Defender Antivirus exclusion Allow Block Allow

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.