Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Control 18.10.43.10.2 Misconfigured #28

Closed
natilik-mikeguy opened this issue Feb 8, 2024 · 2 comments
Closed

Control 18.10.43.10.2 Misconfigured #28

natilik-mikeguy opened this issue Feb 8, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@natilik-mikeguy
Copy link

Describe the Issue
Under the following file... https://github.com/ansible-lockdown/Windows-2022-CIS/blob/devel/tasks/section18.yml you have the following code:

- name: "18.10.43.10.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'"
  ansible.windows.win_regedit:
      path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
      name: DisableRealtimeMonitoring
      data: 1
      datatype: dword

I believe this is actually doing the opposite of what is intended. This was brought to my attention by an incident created in Microsoft Defender for Endpoint. It flagged a high severity incident that Ansible was disabling Defender protection.

Expected Behavior
I believe this should be setting the dword value to 0 as highlighted here...

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring

I can see the confusion with the use of Disabled/Enabled. But when Enabled (dword value 1) you are Enabling the Disabling of the setting. i.e. DisableRealtimeMonitoring = true.

Registry Hive | HKEY_LOCAL_MACHINE
Registry Path | Software\Policies\Microsoft\Windows Defender\Real-Time Protection
Value Name | DisableRealtimeMonitoring
Value Type | REG_DWORD
Enabled Value | 1
Disabled Value | 0

Control(s) Affected
18.10.43.10.2

Environment (please complete the following information):

Using git tag 2.0.0. Have checked latest devel and it is still the same.
@natilik-mikeguy natilik-mikeguy added the bug Something isn't working label Feb 8, 2024
@frederickw082922
Copy link
Contributor

frederickw082922 commented Feb 21, 2024
edited
Loading

Good day @natilik-mikeguy

Great catch and breakdown!! Thank you!!

We will update the Control in the next release!!

CC: @MrSteve81

frederickw082922 added a commit that referenced this issue Feb 21, 2024
@frederickw082922
#28 update reg value fix for 18.10.43.10.2
d063c40 
Signed-off-by: Frederick Witty <[email protected]>
@frederickw082922 frederickw082922 mentioned this issue Feb 22, 2024
Merged
@frederickw082922
Copy link
Contributor

Merged fix in #29

mfortin pushed a commit to mfortin/Windows-2022-CIS that referenced this issue Apr 16, 2024
@frederickw082922 @mfortin
ansible-lockdown#28 update reg value fix for 18.10.43.10.2
4fce28f 
Signed-off-by: Frederick Witty <[email protected]>
Signed-off-by: Mathieu Fortin <[email protected]>
mfortin pushed a commit to mfortin/Windows-2022-CIS that referenced this issue Apr 16, 2024
@frederickw082922 @mfortin
ansible-lockdown#28 update reg value fix for 18.10.43.10.2
fed12f5 
Signed-off-by: Frederick Witty <[email protected]>
Signed-off-by: Mathieu Fortin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@natilik-mikeguy @frederickw082922