Enable or Disable Microsoft Defender Antivirus Block at First Sight  

    How to Enable or Disable Microsoft Defender Antivirus Block at First Sight in Windows 10
    Published by Shawn Brink, 01 Nov 2022, in System Security
    Designer Media Ltd


    Microsoft Defender Antivirus helps protect your PC against malware (malicious software) like viruses, spyware, and other potentially unwanted software. Malware can infect your PC without your knowledge: it might install itself from an email message, when you connect to the Internet, or when you install certain apps using a USB flash drive, CD, DVD, or other removable media. Some malware can also be programmed to run at unexpected times, not only when it's installed.

    Block at First Sight is a feature of Microsoft Defender Antivirus cloud protection, available since the Windows 10 Anniversary Update (version 1607), that can detect and block new malware within seconds of its first appearance. It only works when its prerequisites (real-time protection, cloud-delivered protection and automatic sample submission) are all enabled, whether through Windows Security or through the Group Policy settings below.

    See also: Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection | Microsoft Docs

    How Block at First Sight works

    When a Microsoft Defender Antivirus client encounters a suspicious file that no existing signature detects, it queries the Microsoft cloud protection backend. The backend applies heuristics, machine learning, and automated analysis of the file to determine whether it is malicious or clean.

    If the cloud backend is unable to make a determination, the file will be locked by Microsoft Defender Antivirus while a copy is uploaded to the cloud. Only after the cloud has received the file will Microsoft Defender Antivirus release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.

    In many cases this process can reduce the response time to new malware from hours to seconds.

    Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Microsoft Defender Antivirus on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.

    This tutorial will show you how to enable or disable the Block at First Sight cloud protection feature in Microsoft Defender Antivirus for all users in Windows 10.

    You must be signed in as an administrator to be able to enable or disable Block at First Sight.



    Contents

    • Option One: To Turn On or Off Microsoft Defender Antivirus Block at First Sight in Settings
    • Option Two: To Enable Microsoft Defender Antivirus Block at First Sight in Group Policy
    • Option Three: To Disable Microsoft Defender Antivirus Block at First Sight in Group Policy
    • Option Four: To Enable or Disable Microsoft Defender Antivirus Block at First Sight using a REG file






    OPTION ONE

    To Turn On or Off Microsoft Defender Antivirus Block at First Sight in Settings


    You can confirm that Block at First Sight is enabled in Windows Settings. The feature is turned on automatically as long as Real-time protection, Cloud-delivered protection and Automatic sample submission are all turned on.

    If you enabled Block at First Sight using Option Two or Option Four below, then the settings in this option will be grayed out because they are controlled by policy.


    1 Open Windows Security, and click/tap on the Virus & threat protection icon. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-windows_dedender_block_at_first_sight-1.jpg

    2 Click/tap on the Manage settings link under Virus & threat protection settings. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-windows_dedender_block_at_first_sight-2.jpg

    3 Do step 4 (on) or step 5 (off) below for what you want to do.


     4. To Turn On Block at First Sight Cloud Protection in Microsoft Defender Antivirus

    This is the default setting.

    A) Turn on Real-time protection. (see screenshot below)

    B) Turn on Cloud-delivered protection.

    C) Turn on Automatic sample submission, and go to step 6 below.


     5. To Turn Off Block at First Sight Cloud Protection in Microsoft Defender Antivirus

    A) Turn off Cloud-delivered protection. (see screenshot below)

    B) Turn off Automatic sample submission, and go to step 6 below.


    6 When finished, you can close Windows Security if you like.

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-windows_dedender_block_at_first_sight-3.jpg
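    If you prefer to verify the same prerequisites from an elevated PowerShell prompt, the script below checks everything that steps 4 and 5 describe in one pass and also reports whether the policy values that gray out the Windows Security toggles are present. It is an added example, not part of the original tutorial; the function names Test-BlockAtFirstSight and Get-BlockAtFirstSightPolicy are this example's own, while the cmdlets and property names are the built-in Microsoft Defender Antivirus ones.

```powershell
# Added example, not part of the original tutorial: check the Block at First Sight prerequisites
# from an elevated PowerShell prompt. Function names are this example's own; the cmdlets and
# property names are the built-in Microsoft Defender Antivirus ones.

function Test-BlockAtFirstSight {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # One entry per toggle or Group Policy setting named in the tutorial.
    $checks = [ordered]@{
        'Real-time protection on'              = -not $pref.DisableRealtimeMonitoring
        'Cloud-delivered protection (MAPS) on' = $pref.MAPSReporting -ne 0            # 0 = Off, 1 = Basic, 2 = Advanced
        'Automatic sample submission on'       = $pref.SubmitSamplesConsent -in 1, 3  # 1 = safe samples, 3 = all samples
        'Scan downloads and attachments on'    = -not $pref.DisableIOAVProtection
        'Block at First Sight not disabled'    = -not $pref.DisableBlockAtFirstSeen
        'Antivirus engine active'              = [bool]($status.AMServiceEnabled -and $status.RealTimeProtectionEnabled)
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK     ' } else { 'MISSING' }
        Write-Host ("{0}  {1}" -f $state, $name)
    }

    # $true only when every prerequisite is met.
    return -not ($checks.Values -contains $false)
}

# A value under HKLM\SOFTWARE\Policies is what grays out the Windows Security toggle, so also
# report whether each policy value from Options Two and Four is set or "Not Configured".
function Get-BlockAtFirstSightPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policyValues = @(
        @{ Key = 'Spynet';               Name = 'DisableBlockAtFirstSeen' },
        @{ Key = 'Spynet';               Name = 'SpynetReporting' },
        @{ Key = 'Spynet';               Name = 'SubmitSamplesConsent' },
        @{ Key = 'Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
        @{ Key = 'Real-Time Protection'; Name = 'DisableIOAVProtection' }
    )
    foreach ($pv in $policyValues) {
        $path  = Join-Path $base $pv.Key
        $item  = Get-ItemProperty -Path $path -Name $pv.Name -ErrorAction SilentlyContinue
        $shown = if ($null -eq $item) { 'Not Configured' } else { $item.($pv.Name) }
        [pscustomobject]@{ Key = $pv.Key; Name = $pv.Name; Value = $shown }
    }
}

Test-BlockAtFirstSight
Get-BlockAtFirstSightPolicy | Format-Table -AutoSize
```

    A "MISSING" line tells you which toggle to flip in steps 4A to 4C; a policy value that is anything other than "Not Configured" explains why that toggle is grayed out and must be changed with Option Two, Three or Four instead.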






    OPTION TWO

    To Enable Microsoft Defender Antivirus Block at First Sight in Group Policy


    This option will override Option One.

    Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

    All editions can use Option Four below to enable Block at First Sight using a .reg file instead.


    1 Open the Local Group Policy Editor.

    2 Navigate to the location below in the left pane of Local Group Policy Editor. (see screenshot below)

    Computer Configuration/Administrative Templates/Windows Components/Microsoft Defender Antivirus/MAPS

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-configure_block_at_first_site_gpedit-1.jpg

    3 In the right pane of MAPS in Local Group Policy Editor, double click/tap on the Configure the ‘Block at First Sight’ feature policy to edit it. (see screenshot above)

    A) Select (dot) Enabled, and click/tap on OK. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-configure_block_at_first_site_gpedit-2.jpg

    4 In the right pane of MAPS in Local Group Policy Editor, double click/tap on the Join Microsoft MAPS policy to edit it. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-join_microsoft_maps_gpedit-1.jpg

    A) Select (dot) Enabled. (see screenshot below)

    B) Select Advanced MAPS under Options, and click/tap on OK.

    Advanced MAPS membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-join_microsoft_maps_gpedit-2.jpg

    5 In the right pane of MAPS in Local Group Policy Editor, double click/tap on the Send file samples when further analysis is required policy to edit it. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-send_file_samples_gpedit-1.jpg

    A) Select (dot) Enabled. (see screenshot below)

    B) Select Send safe samples or Send all samples under Options for what you want, and click/tap on OK.

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-send_file_samples_gpedit-2.jpg

    6 Navigate to the location below in the left pane of Local Group Policy Editor. (see screenshot below)

    Computer Configuration/Administrative Templates/Windows Components/Microsoft Defender Antivirus/Real-time Protection

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-real-time_protection_gpedit-1.png

    7 In the right pane of Real-time Protection in Local Group Policy Editor, double click/tap on the Turn off real-time protection policy to edit it. (see screenshot above)

    A) Select (dot) Disabled, and click/tap on OK. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-real-time_protection_gpedit-2.png

    8 In the right pane of Real-time Protection in Local Group Policy Editor, double click/tap on the Scan all downloaded files and attachments policy to edit it. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-scan_all_gpedit-1.jpg

    A) Select (dot) Enabled, and click/tap on OK. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-scan_all_gpedit-2.jpg

    9 When finished, you can close the Local Group Policy Editor if you like.





    OPTION THREE

    To Disable Microsoft Defender Antivirus Block at First Sight in Group Policy


    You may choose to disable the Block at First Sight feature if you want to retain the prerequisite settings (MAPS membership, sample submission and real-time protection) without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.

    Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

    All editions can use Option Four below to disable Block at First Sight using a .reg file instead.


    1 Open the Local Group Policy Editor.

    2 Navigate to the location below in the left pane of Local Group Policy Editor. (see screenshot below)

    Computer Configuration/Administrative Templates/Windows Components/Microsoft Defender Antivirus/MAPS

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-configure_block_at_first_site_gpedit-1.jpg

    3 In the right pane of MAPS in Local Group Policy Editor, double click/tap on the Configure the ‘Block at First Sight’ feature policy to edit it. (see screenshot above)

    4 Select (dot) Disabled, and click/tap on OK. (see screenshot below)

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-configure_block_at_first_site_gpedit-2.jpg

    5 When finished, you can close the Local Group Policy Editor if you like.





    OPTION FOUR

    To Enable or Disable Microsoft Defender Antivirus Block at First Sight using a REG file


    The downloadable .reg files below add, modify or delete the DWORD values in the registry keys listed here. Each value corresponds to one of the Group Policy settings from Option Two.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

    DisableIOAVProtection DWORD ("Scan all downloaded files and attachments" policy)

    (delete) = Default Not Configured
    0 = Enable scanning of downloaded files and attachments

    DisableRealtimeMonitoring DWORD ("Turn off real-time protection" policy)

    (delete) = Default Not Configured
    0 = Real-time protection stays on

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet

    DisableBlockAtFirstSeen DWORD ("Configure the 'Block at First Sight' feature" policy)

    (delete) = Default Not Configured
    1 = Disable
    0 = Enable

    SpynetReporting DWORD ("Join Microsoft MAPS" policy)

    (delete) = Default Not Configured
    2 = Advanced MAPS

    SubmitSamplesConsent DWORD ("Send file samples when further analysis is required" policy)

    (delete) = Default Not Configured
    1 = Send safe samples
    3 = Send all samples


    1 Do step 2 (enable with "Send safe samples"), step 3 (enable with "Send all samples"), step 4 (disable), or step 5 (default Not Configured) below for what you would like to do.


     2. To Enable Block at First Sight with "Send safe samples"

    A) Click/tap on the Download button below to download the file below, and go to step 6 below.

    EnableBlockAtFirstSight_AdvancedMAPS_SendSafeSamples.reg

    Download

     3. To Enable Block at First Sight with "Send all samples"

    A) Click/tap on the Download button below to download the file below, and go to step 6 below.

    EnableBlockAtFirstSight_AdvancedMAPS_SendAllSamples.reg

    Download

     4. To Disable Block at First Sight

    A) Click/tap on the Download button below to download the file below, and go to step 6 below.

    Disable_BlockAtFirstSight.reg

    Download

     5. To Set Block at First Sight to Default "Not Configured"


    This sets all of the Block at First Sight Group Policy values above back to the default "Not Configured".

    The settings in Option One above will no longer be grayed out afterwards.

    A) Click/tap on the Download button below to download the file below, and go to step 6 below.

    Default_NotConfigured_BlockAtFirstSight.reg

    Download


    6 Save the .reg file to your desktop.

    7 Double click/tap on the downloaded .reg file to merge it.

    8 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

    9 If you like, you can now delete the downloaded .reg file.
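    The same four choices can be applied without downloading a .reg file. The PowerShell function below is an added example, not one of the tutorial's .reg files: Set-BlockAtFirstSightPolicy and its -Mode names are this example's own, while the registry paths and DWORD values are exactly the ones listed above. Run it from an elevated prompt; adding -WhatIf previews the registry changes without writing them. Because these are policy values, Windows Security will show the matching toggles grayed out until you run the NotConfigured mode, and on builds where Tamper Protection is on Defender can refuse changes that weaken protected settings, so confirm the result with Get-MpPreference rather than assuming the registry write took effect.

```powershell
# Added example, not one of the tutorial's downloadable .reg files: write the same policy values
# with PowerShell from an elevated prompt. The function name and -Mode names are this example's
# own; the registry paths and DWORD values are the ones listed above for Option Four.

function Set-BlockAtFirstSightPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SendSafeSamples', 'SendAllSamples', 'Disable', 'NotConfigured')]
        [string]$Mode
    )

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $keys = @{
        Spynet = Join-Path $base 'Spynet'
        RTP    = Join-Path $base 'Real-Time Protection'
    }

    # Values per key for each mode; $null means delete the value, i.e. Group Policy "Not Configured".
    $desired = switch ($Mode) {
        'SendSafeSamples' {
            @{ Spynet = @{ DisableBlockAtFirstSeen = 0; SpynetReporting = 2; SubmitSamplesConsent = 1 }
               RTP    = @{ DisableRealtimeMonitoring = 0; DisableIOAVProtection = 0 } }
        }
        'SendAllSamples' {
            @{ Spynet = @{ DisableBlockAtFirstSeen = 0; SpynetReporting = 2; SubmitSamplesConsent = 3 }
               RTP    = @{ DisableRealtimeMonitoring = 0; DisableIOAVProtection = 0 } }
        }
        # Option Three: turn the feature off but leave the MAPS and sample-submission prerequisites alone.
        'Disable' {
            @{ Spynet = @{ DisableBlockAtFirstSeen = 1 }; RTP = @{} }
        }
        'NotConfigured' {
            @{ Spynet = @{ DisableBlockAtFirstSeen = $null; SpynetReporting = $null; SubmitSamplesConsent = $null }
               RTP    = @{ DisableRealtimeMonitoring = $null; DisableIOAVProtection = $null } }
        }
    }

    foreach ($keyName in $desired.Keys) {
        $path = $keys[$keyName]
        foreach ($valueName in $desired[$keyName].Keys) {
            $value = $desired[$keyName][$valueName]
            if ($null -eq $value) {
                # Deleting the value is what "Not Configured" means for these policies.
                if ((Test-Path $path) -and $PSCmdlet.ShouldProcess("$path\$valueName", 'Remove value')) {
                    Remove-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
                }
            }
            elseif ($PSCmdlet.ShouldProcess("$path\$valueName", "Set DWORD to $value")) {
                if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value $value -Force | Out-Null
            }
        }
    }
}

# Step 2:  Set-BlockAtFirstSightPolicy -Mode SendSafeSamples
# Step 3:  Set-BlockAtFirstSightPolicy -Mode SendAllSamples
# Step 4:  Set-BlockAtFirstSightPolicy -Mode Disable
# Step 5:  Set-BlockAtFirstSightPolicy -Mode NotConfigured
# Add -WhatIf to any of these to preview the registry changes without writing them.

# Defender reads policy values on its own; confirm what is in effect afterwards:
Get-MpPreference | Select-Object DisableBlockAtFirstSeen, MAPSReporting, SubmitSamplesConsent,
                                 DisableRealtimeMonitoring, DisableIOAVProtection
```

    The Disable mode deliberately writes only DisableBlockAtFirstSeen, matching Option Three, so that MAPS membership and sample submission remain configured and the feature can be re-enabled later by changing that single value.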


    That's it,
    Shawn Brink






  1. Posts : 27,181
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #1

    Until I saw your grayed-out screenshot, I hadn't realized mine was. Nice thing about Defender: set & forget :)
    Enable or Disable Microsoft Defender Antivirus Block at First Sight-image.png

    Of course I had used the GPEdit version when I found out about it, as it makes it harder for anyone (and, hopefully, any malware) to change.


  2. Posts : 26
    Windows 10 1803 & Win10 Insider
       #2

    Just a heads-up but the new guide from Microsoft (the same page that you link to) now also says to set File Blocking Level to High (or High+), and to increase the time it waits for the cloud analysis to complete (detonation, etc.)

    So probably the registry items that GPedit.msc sets have also changed. Maybe update the .reg file?

    Updated:

    For reference, after following the guide, but setting the blocking level to High+ (user cannot allow a harmful operation):

    Code:
    Windows Registry Editor Version 5.00
    
    ; Empty keys below were exported as-is; they hold no Block at First Sight values.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
    ; Extended cloud check timeout in seconds (0x32 = 50), added on top of the default 10 seconds
    "MpBafsExtendedTimeout"=dword:00000032
    ; Cloud protection level: 0 = Default, 2 = High, 4 = High+, 6 = Zero tolerance
    "MpCloudBlockLevel"=dword:00000004
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
    ; 0 = keep scanning downloads and attachments ("Scan all downloaded files and attachments" Enabled)
    "DisableIOAVProtection"=dword:00000000
    ; 0 = keep real-time protection on ("Turn off real-time protection" Disabled)
    "DisableRealtimeMonitoring"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
    ; 3 = Send all samples (1 would be Send safe samples)
    "SubmitSamplesConsent"=dword:00000003
    ; 2 = Advanced MAPS membership
    "SpynetReporting"=dword:00000002
    ; 0 = Block at First Sight enabled
    "DisableBlockAtFirstSeen"=dword:00000000


  3. Posts : 68,886
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #3

    Hello @Henk Poley,

    Thank you for the addition.

    Changing the Select cloud protection level policy below is optional. If you don't want to use the default Windows Defender Antivirus blocking level, then you could change this policy to increase the blocking level. However, increasing the blocking level will also increase the chance of false positives, and as you mentioned, "High+" and "Zero tolerance" will not let users allow a blocked item.

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-select_cloud_protection_level-1.jpg

    Enable or Disable Microsoft Defender Antivirus Block at First Sight-select_cloud_protection_level-2.png


  4. Posts : 4
    w10
       #4

    Hi.. so one of my programs was blocked by capture on first sight. It was a program that I am writing.. Now I cannot run it. I turned off the cloud-based and automatic sample options.. still won't run. Where is the option to enable my file again?

    Thanks.


  5. Posts : 68,886
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #5

    Hello @rgalka, and welcome to Ten Forums.

    You might see if adding the file as an exclusion for Windows Defender Antivirus may allow it to run.

    Add or Remove Windows Defender Exclusions in Windows 10


  6. Posts : 4
    w10
       #6

    Hi.. thanks for replying...

    So I added the program to the exception list... blocked from outgoing firewall, renamed the program.. installed in another location.. each thing one at a time.. program still won't run...

    I know It was blocked by capture on first sight because it took me to the block on first sight web page.. but only once.

    It seems to be something more than just the file name since renaming it got the same result.. nothing.. not running in task manager...


  7. Posts : 68,886
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #7

    You might also check your protection history to see if it may be listed there, and either clear filters or check blocked actions to hopefully remove it as blocked.

    View Protection History of Windows Defender Antivirus in Windows 10


  8. Posts : 4
    w10
       #8

    No nothing there for today. But thanks.
    I get the capture thing for the cloud based security, but seems we are missing a released option for a false capture.


  9. Posts : 68,886
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #9

    That's what I can't find either. Nothing for an easy unblock option.


 
