Identification
ATP
To detect whether the Windows Defender ATP sensor (the product is now called Microsoft Defender for Endpoint; the agent is still internally named "Sense") is installed and running on the machine, look for any of the following:

- Process: `MsSense.exe`
- Service: short name `Sense`, display name `Windows Defender Advanced Threat Protection Service`
- Registry: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` (created by onboarding)
- File path: `C:\Program Files\Windows Defender Advanced Threat Protection\`

Any one of these is enough to assume the host is reporting to a Defender ATP tenant; the absence of the process alone is not proof that it is not (the service may be stopped or starting).
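The checks above as one PowerShell function. This is an added example, not code from the original page; it assumes an interactive, unprivileged session on the target (none of these reads need elevation). The `Status\OnboardingState` value is Microsoft's documented onboarding marker and is added here beyond the indicators listed above.

```powershell
# Added example (not from the original page): enumerate the Defender ATP / Defender
# for Endpoint (Sense) indicators from an unprivileged PowerShell session.

function Test-SenseAgent {
    $result = [ordered]@{}

    # 1. Process: MsSense.exe is the Sense agent. No process does not prove the agent
    #    is absent (it may be starting or the service may be stopped), so keep going.
    $result.Process = [bool](Get-Process -Name MsSense -ErrorAction SilentlyContinue)

    # 2. Service: short name 'Sense', display name
    #    'Windows Defender Advanced Threat Protection Service'.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.Service       = [bool]$svc
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'absent' }

    # 3. Registry: policy key written by onboarding (GPO, SCCM, Intune or the script).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $result.PolicyKey = Test-Path $policyKey

    #    Onboarding status (documented by Microsoft, not in the original list):
    #    OnboardingState = 1 means the host completed onboarding.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -ne $state) { $state } else { 'absent' }

    # 4. Install directory.
    $result.InstallDir = Test-Path 'C:\Program Files\Windows Defender Advanced Threat Protection\'

    # Verdict: any single indicator is enough to treat the host as monitored.
    $result.LikelyMonitored = $result.Process -or $result.Service -or $result.PolicyKey -or $result.InstallDir
    [pscustomobject]$result
}

Test-SenseAgent | Format-List
```

Treat `LikelyMonitored = True` as "assume every process creation, network connection and script block on this host is telemetered"; the individual fields tell you whether the sensor is merely installed or actually running.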
ASR (Attack Surface Reduction) rules are identified by GUID. For each rule, whether per-rule file and folder exclusions are supported, and the minimum OS version:

| GUID | File & folder exclusions | Minimum OS supported |
|---|---|---|
| BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| D3E037E1-3EB8-44C8-A917-57927947596D | Not supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1809 (RS5, build 17763) or greater |
| 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1809 (RS5, build 17763) or greater |

Note that ASR rules are only enforced when Microsoft Defender Antivirus is the active real-time AV on the host; with a third-party AV registered, the rules can be configured but do nothing.
To check whether particular rules are enabled, read the configured rule GUIDs and their action values. They are exposed by `Get-MpPreference` (`AttackSurfaceReductionRules_Ids` paired index-by-index with `AttackSurfaceReductionRules_Actions`) and, when delivered by Group Policy, stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules`, one value per GUID. The action values:

- 0 = Off
- 1 = Block
- 2 = Audit (logged, not blocked)
- 6 = Warn (newer builds only; block with a user override prompt)

A GUID that is not present at all is not configured, which has the same effect as Off.
ATA
Check for ATA admins: