
Poor recommendation!?

Open Rvvhub opened this issue 4 years ago • 6 comments

Hi there,

to me, this article is confusing and seems like poor advice.

  1. No collaboration tool should recommend that users exclude themselves from DLP. Companies spend lots of money and resources on protecting their data, including using DLP solutions, for very good reasons. Considering that, it is most awkward for a top collaboration tool to recommend that users try to bypass DLP.

  2. The article recommends adding exclusions to the antivirus solution, but does not mention why, or for which antivirus solution. Note Windows Defender has built-in methods to handle 1st party software such as Teams, so it makes no sense at all to add any exclusions to Windows Defender. Adding pointless exclusions will not improve Teams, but it does impact the antivirus solution. Other enterprise antivirus solutions have similar built-in methods to deal with trusted, signed software, so just recommending these exclusions for any antivirus is not ok.

  3. At least for the Microsoft solutions, adding exclusions to Windows Defender does not affect Endpoint DLP. I expect the same is true for 3rd party DLP solutions.

  4. The recommended exclusions only apply to user-installs of Teams. If we really think these exclusions make sense, they should cover system-installs as well.

Note Teams itself just released a DLP solution into preview, making the article even more awkward: https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-teams-default-policy?view=o365-worldwide. Should customers bypass this as well?

Most importantly, imho, Teams should not be recommending these exclusions unless they are for a specific product/configuration that apparently cannot be fixed otherwise. For one thing, Teams should function well in a native Microsoft client without any exclusions. If it doesn't, something needs to be fixed. Let me know what you think. Note I already have a thread going on this with the MDE-folks, so please reach out if you are interested in their input.

Ruud



Rvvhub avatar Jun 02 '21 06:06 Rvvhub

Just to add to this: I have confirmation of the WD team that 1st party apps do not need (and should not) add exclusions for executable files in Windows Defender.

Rvvhub avatar Jun 04 '21 10:06 Rvvhub

Hello @Rvvhub, it is not recommended to exclude Teams from DLP or antivirus. The article only provides information on which paths need to be excluded, if the customer NEEDS to do it. I am pretty sure there are a lot of scenarios where these could be required.

> Just to add to this: I have confirmation of the WD team that 1st party apps do not need (and should not) add exclusions for executable files in Windows Defender.

It doesn't need to; the article is not about Windows Defender. It just provides the paths of executable files of Teams.

Thank you

MaratMussabekov avatar Jun 18 '21 10:06 MaratMussabekov

Hi Marat, thanks for your response. My point is: many orgs read these articles as official Microsoft recommendations. And indeed, the article states that this is a (good) preventative measure. Note: apart from the fact that the WD team disapproves of this recommendation, I now have additional evidence that it is in fact really bad: a customer had taken the article as an official Microsoft recommendation and then found that a pentester could successfully break in via Teams without being detected by WD. I think the article is poor advice for any configuration, but it certainly is bad for any org using WD. If nothing else, the article should clarify the exclusions are never needed for WD.

Rvvhub avatar Jun 18 '21 12:06 Rvvhub

Hello @Rvvhub, yes, adding Teams (in fact, not only Teams, but any executable) to the exclusion list is not a good security decision. In the article it is not stated that it is recommended, it just provides paths for those who need it.

> And indeed, the article states that this is a (good) preventative measure.

I believe you are talking about the sentence "This action specifically helps enhance performance and mitigate the effect on security." I think it should just be deleted.

> Note: apart from the fact that the WD team disapproves of this recommendation

The article is not applicable to WD.

> I think the article is poor advice for any configuration

It doesn't advise to do it (except the sentence I want to delete :) ).

> but it certainly is bad for any org using WD.

I wanted to add a note like "this is not recommended for WD", but then I realized that it could be misunderstood as "this is recommended for third-party antiviruses", so I just reworded the first sentence a little.

Please have a look at https://github.com/MicrosoftDocs/OfficeDocs-Support/pull/1613. If you think that some other corrections could improve the article, please let me know.

Thank you

MaratMussabekov avatar Jun 22 '21 18:06 MaratMussabekov

Closing via #1613.

Thank you

nam31 avatar Jun 25 '21 10:06 nam31

I respectfully disagree: as it is, the article reads like a clear instruction from Microsoft to exclude Teams from DLP and AV. This is due to the 1st sentence:

"Third-party antivirus and data loss prevention (DLP) applications can interfere with the Microsoft Teams app, and it can prevent the application from starting correctly."

combined with this line:

"To prevent any interference of Teams, add the following items"

Unless there is factual proof of any AV interfering with Teams, I strongly recommend to remove the article. Without a solid technical reason, we might as well add similar articles for every single Microsoft executable ever created - clearly, not sensible and not desirable.

Note: at least 2 of my customers actually implemented the exclusions, exactly because they thought it was Microsoft advice.

Rvvhub avatar Jun 29 '21 06:06 Rvvhub
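
For organisations that applied the exclusions debated in this thread, a PowerShell audit of the local Microsoft Defender Antivirus configuration shows whether they are in place. This is an added example, not part of the issue or of the article it discusses; the `Find-TeamsDefenderExclusion` name, the `Teams` match string and the per-user path heuristic are assumptions, and the sample paths are constructed placeholders.

```powershell
# Added example (not from the thread): flag Microsoft Defender Antivirus
# exclusions that mention Teams or point into a per-user profile.
function Find-TeamsDefenderExclusion {
    [CmdletBinding()]
    param(
        # Assumption: the exclusions of interest contain the string "Teams".
        [string]$Pattern = 'Teams',
        # Defaults to the live local configuration; pass an object to test offline.
        [object]$Preference = (Get-MpPreference)
    )

    $kinds = [ordered]@{
        Path      = $Preference.ExclusionPath
        Process   = $Preference.ExclusionProcess
        Extension = $Preference.ExclusionExtension
    }
    # Heuristic for per-user locations, which the user account itself can write to.
    $perUser = '\\Users\\|%(LOCALAPPDATA|APPDATA|USERPROFILE)%'

    foreach ($kind in $kinds.Keys) {
        foreach ($entry in @($kinds[$kind])) {
            if ([string]::IsNullOrWhiteSpace($entry)) { continue }
            $mentions = $entry -match [regex]::Escape($Pattern)
            $userPath = $entry -match $perUser
            if ($mentions -or $userPath) {
                [pscustomobject]@{
                    Kind          = $kind
                    Entry         = $entry
                    MentionsTeams = $mentions
                    PerUserPath   = $userPath
                }
            }
        }
    }
}

# Constructed sample standing in for Get-MpPreference output (placeholder paths).
$sample = [pscustomobject]@{
    ExclusionPath      = @('C:\Users\alice\AppData\Local\ExampleCorp\Teams', 'D:\BuildCache')
    ExclusionProcess   = @('C:\Users\alice\AppData\Local\ExampleCorp\Teams\example.exe')
    ExclusionExtension = $null
}
Find-TeamsDefenderExclusion -Preference $sample | Format-Table -AutoSize
```

On a real endpoint, call `Find-TeamsDefenderExclusion` with no arguments from an elevated session, since exclusion lists may be hidden from non-administrators.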