Turn on block at first sight

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender Antivirus

Platforms

• Windows

This article describes an antivirus/antimalware feature known as "block at first sight", and describes how to enable block at first sight for your organization.

What is "block at first sight"?

Block at first sight is a threat protection feature of next-generation protection that detects new malware and blocks it within seconds. Block at first sight is enabled when certain security settings are enabled:

• Cloud protection is turned on;
• Sample submission is configured for samples to be sent automatically; and
• Microsoft Defender Antivirus is up to date on devices.

In most enterprise organizations, the settings needed to enable block at first sight are configured with Microsoft Defender Antivirus deployments. See Turn on cloud protection in Microsoft Defender Antivirus.

How it works

When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.

Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection.

A few things to know about block at first sight

• Block at first sight can block non-portable executable files (such as JS, VBS, or macros) and executable files, running the latest Defender antimalware platform on Windows or Windows Server.

• Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file.

• If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs more analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or not a threat.

• In many cases, this process can reduce the response time for new malware from hours to seconds.

• You can specify how long a file should be prevented from running while the cloud-based protection service analyzes the file. And, you can customize the message displayed on users' desktops when a file is blocked. You can change the company name, contact information, and message URL.

Turn on block at first sight with Microsoft Intune

1. In the Microsoft Intune admin center (https://endpoint.microsoft.com), go to Endpoint security > Antivirus.

2. Select an existing policy, or create a new policy using the Microsoft Defender Antivirus profile type. In our example, we selected Windows 10, Windows 11, or Windows Server for the platform.

   

3. Set Allow cloud protection to Allowed. Turns on Cloud Protection.

   

4. Scroll down to Submit Samples Consent, and select one of the following settings:

   • Send all samples automatically
   • Send safe samples automatically

5. Apply the Microsoft Defender Antivirus profile to a group, such as All users, All devices, or All users and devices.

Turn on block at first sight with Group Policy

1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.

2. Using the Group Policy Management Editor go to Computer configuration > Administrative templates > Windows Components > Microsoft Defender Antivirus > MAPS.

3. In the MAPS section, double-click Configure the 'Block at First Sight' feature, and set it to Enabled, and then select OK.

   Important

   Setting to Always prompt (0) will lower the protection state of the device. Setting to Never send (2) means block at first sight will not function.

4. In the MAPS section, double-click Send file samples when further analysis is required, and set it to Enabled. Under Send file samples when further analysis is required, select Send all samples, and then select OK.

5. Redeploy your Group Policy Object across your network as you usually do.

Confirm block at first sight is enabled on individual client devices

You can confirm that block at first sight is enabled on individual client devices using the Windows Security app. Block at first sight is automatically enabled as long as Cloud-delivered protection and Automatic sample submission are both turned on.

1. Open the Windows Security app.

2. Select Virus & threat protection, and then, under Virus & threat protection settings, select Manage Settings.

   

3. Confirm that Cloud-delivered protection and Automatic sample submission are both turned on.

Turn off block at first sight

Turn off block at first sight with Microsoft Intune

1. Go to the Microsoft Intune admin center (https://endpoint.microsoft.com) and sign in.

2. Go to Endpoint security > Antivirus, and then select your Microsoft Defender Antivirus policy.

3. Under Manage, choose Properties.

4. Next to Configuration settings, choose Edit.

5. Set Allow cloud protection to Not allowed. Turns off Cloud Protection.

6. Review and save your settings.

Turn off block at first sight with Group Policy

1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select Edit.

2. Using the Group Policy Management Editor go to Computer configuration and select Administrative templates.

3. Expand the tree through Windows components > Microsoft Defender Antivirus > MAPS.

4. Double-click Configure the 'Block at First Sight' feature and set the option to Disabled.

   Note

   Disabling block at first sight does not disable or alter the prerequisite group policies.

Not an enterprise admin or IT Pro?

If you are not an enterprise admin or an IT Pro, but you have questions about block at first sight, this section is for you. Block at first sight is a threat protection feature that detects and blocks malware within seconds. Although there isn't a specific setting called "Block at first sight," the feature is enabled when certain settings are configured on your device.

How to manage block at first sight on or off on your own device

If you have a personal device that is not managed by an organization, you might be wondering how to turn block at first sight on or off. You can use the Windows Security app to manage block at first sight.

1. On your Windows 10 or Windows 11 computer, open the Windows Security app.

2. Select Virus & threat protection.

3. Under Virus & threat protection settings, select Manage settings.

4. Take one of the following steps:

   • To enable block at first sight, make sure that both Cloud-delivered protection and Automatic sample submission are both turned on.

   • To disable block at first sight, turn off Cloud-delivered protection or Automatic sample submission.

     Caution

     Turning off block at first sight lowers the level of protection for your device. We do not recommend permanently disabling block at first sight.

See also

• Microsoft Defender Antivirus in Windows 10
• Enable cloud-delivered protection
• Stay protected with Windows Security
• Onboard non-Windows devices