Microsoft announced yesterday that it intends to actively block and quarantine the binaries affected by the recent SolarWinds compromise. Detection for these binaries was added to Microsoft's Defender platform on December 13th, which should have alerted administrators to the threat, but Defender itself took no action beyond alerting. As of 8:00 AM PST (11:00 AM EST), Defender will begin actively blocking the affected binaries even if they are in use. This has the potential to disrupt running Orion deployments.
Microsoft has listed several steps that affected SolarWinds customers should take. Affected devices running SolarWinds Orion should be isolated from the network immediately for investigation. Identify every account in use on the device so that each local and domain account can have its password reset or be disabled. Review logs for indications of how the device was compromised and for any sign of lateral movement using the compromised accounts. If service disruption absolutely cannot be tolerated, Microsoft has also provided a GPO workaround to stop Defender from removing the affected binaries. After the device has been investigated and cleaned, follow the SolarWinds advisory for upgrading to the fixed versions of the Orion software.
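The account-inventory and log-review steps above can be scripted. The following PowerShell triage script is an added example, not part of Microsoft's or SolarWinds' guidance; it assumes it is run with administrative rights on the isolated Orion host, that the SolarWinds services carry "SolarWinds" in their display name or binary path, and that the Security log still holds the logons of interest.

```powershell
# Added triage example (not from Microsoft or SolarWinds). Run on the isolated
# Orion host to list the accounts the SolarWinds services run as, the local
# accounts, and recent network/RDP logons, so every account can be reset or
# disabled and remote logons can be reviewed for lateral movement.

# 1. Accounts the SolarWinds-branded services run as (StartName is the logon account)
$svcAccounts = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*SolarWinds*' -or $_.PathName -like '*SolarWinds*' } |
    Select-Object Name, StartName, State, PathName

# 2. Local accounts on the device (all candidates for reset or disable)
$localAccounts = Get-LocalUser | Select-Object Name, Enabled, LastLogon

# 3. Accounts that logged on over the network or RDP in the last 14 days
#    (Event ID 4624; LogonType 3 = network, 10 = RemoteInteractive)
$since  = (Get-Date).AddDays(-14)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = [int]$data.LogonType
            SourceIP  = $data.IpAddress
        }
    } |
    Where-Object { $_.LogonType -in 3, 10 -and $_.Account -notlike '*$' }   # drop machine accounts

# Consolidated, de-duplicated list of accounts to reset or disable
$accountsToReset = @($svcAccounts.StartName) +
    @($localAccounts | ForEach-Object { "$env:COMPUTERNAME\$($_.Name)" }) |
    Where-Object { $_ } | Sort-Object -Unique

'--- Accounts to reset or disable ---'
$accountsToReset
'--- Remote logons to review for lateral movement (newest first) ---'
$logons | Sort-Object Time -Descending | Format-Table -AutoSize
# Keep a copy of the logon list as evidence before the host is rebuilt
$logons | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\orion-remote-logons.csv"
```

Any account that appears in the remote-logon list should also be searched for on other hosts, since that is where lateral movement would show up.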