Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
microsoft-365-copilot-page | Microsoft 365 Copilot Page | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-page.md | In this dashboard, you can access essential resources to help your organization You can manage Copilot licenses, including assigning and unassigning licenses, for your users. -### Manage how your organization interacts with Copilot in Bing, Edge, and Windows +### Manage how your organization interacts with Copilot in Bing, Microsoft Edge, and Windows -Copilot with commercial data protection provides enhanced security for users accessing the generative AI capabilities of Copilot. This experience is on by default for users when they are signed in and using a Microsoft 365 E3, E5, A3, A5, Business Standard, or Business Premium license assigned by your organization. +Copilot with commercial data protection provides enhanced security for users accessing the generative AI capabilities of Copilot. This experience is on by default for [users with eligible licenses](/copilot/manage#commercial-data-protection-eligibility) assigned by your organization when they are signed in with their work or school (Entra ID) accounts. -Copilot in Bing, Edge and Windows is the public version of Copilot and doesn’t require users to be signed in. You can reroute to the documentation available on the panel to turn off the public experience and still have access to the Copilot with commercial data protection experience. +Copilot in Bing, Edge, and Windows is the public version of Copilot and doesn’t require users to be signed in. You can reroute to the documentation available on the panel to turn off the public experience and still have access to the Copilot with commercial data protection experience. -You'll soon have the ability to control access to Copilot for Microsoft 365 in Bing, Edge, and Windows using a PowerShell script. 
By running this script, you can manage access to Copilot for Microsoft 365 in Bing.com, Edge sidebar, Edge mobile app, Copilot in Windows, copilot.microsoft.com, and the Copilot app. However, this will not affect how users access Copilot in other Microsoft 365 apps. +You should use a PowerShell script to control access to Copilot for Microsoft 365 in Bing, Edge, and Windows. Running this script controls access to Copilot for Microsoft 365 in Bing.com, Edge sidebar, Edge mobile app, Copilot in Windows, copilot.microsoft.com, and the Copilot app. It doesn’t change how users access Copilot in other Microsoft 365 apps. ->[!NOTE] -> The PowerShell script download link and run commands will be available in late February 2024. If you want to configure Copilot for Microsoft 365 in Bing, Edge, and Windows after late February, return to this page for further instructions. +To turn on or turn off Copilot for Microsoft 365 in Bing, Edge, and Windows, follow these steps: ++1. Download the [PowerShell script](https://download.microsoft.com/download/8/9/d/89d41212-7ece-414c-b6d3-f4ecb070c613/ConfigureM365Copilot.ps1). +2. Open an instance of the Windows PowerShell in admin mode. +3. Run the following command first: ‘Set-ExecutionPolicy unrestricted’. +4. Run the PowerShell script. +5. Follow the instructions prompted by the script. +6. The cmdlet prompts you to sign in with your Entra ID account, which must be a Search Admin or Global Admin account. +7. To get the current status of Copilot for Microsoft 365 in Bing, Edge, and Windows in your tenant, run: ‘*.\ConfigureM365Copilot.ps1*’. +8. To turn on Copilot for Microsoft 365 in Bing, Edge, and Windows, run: ‘*.\ConfigureM365Copilot.ps1 -enable $true*’. +9. To turn off Copilot for Microsoft 365 in Bing, Edge, and Windows, run: ‘*.\ConfigureM365Copilot.ps1 -enable $false*’. +10. If you encounter a problem, try running the script again. If the problem persists, you can contact support. 
### Manage plugins that work with Microsoft Copilot for Microsoft 365 |
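Review bot: step 3 of the new procedure, `Set-ExecutionPolicy unrestricted`, changes the execution policy for the whole machine, persists after the script has finished, and is far more than one downloaded script needs; suggest scoping it to the session, for example `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process`, and adding a step to inspect the download before running it, for example `Get-AuthenticodeSignature .\ConfigureM365Copilot.ps1`. Two smaller points in the same list: step 6 offers "Search Admin or Global Admin" without steering admins to the less privileged Search Admin role, which is enough for this task as written; and the commands in steps 3 and 7 to 9 are wrapped in typographic quotes and asterisks, so a copy-paste fails, whereas code formatting would render them correctly.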
admin | Microsoft 365 Copilot Usage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md | To ensure data quality, we perform daily data validation checks for the past thr | Uses eligible update channel | Yes/No field indicating if devices are configured to get the latest or monthly updates. | | Uses Teams Meetings | Indicates whether the user has attended at least one meeting using Teams in the past 30 days. | | Uses Teams chat | Indicates whether the user has participated in at least one chat using Teams in the past 30 days. |-| Uses Outlook Email | Indicates whether the user has sent at least one meeting using Outlook in the past 30 days. | +| Uses Outlook Email | Indicates whether the user has sent at least one email using Outlook in the past 30 days. | | Uses Office docs | Indicates whether the user has collaborated on at least one document or file using OneDrive or sharepoint in the past 30 days. | ## Interpret the Usage tab in Copilot for Microsoft 365 report Select **Choose columns** to add or remove columns from the table. You can also export the report data into an Excel .csv file by selecting the Export link. This exports the Copilot for Microsoft 365 usage data of all users and enables you to do simple sorting, filtering, and searching for further analysis. -To ensure data quality, we perform daily data validation checks for the past three days and will fill any gaps detected. You may notice differences in historical data during the process. +To ensure data quality, we perform daily data validation checks for the past three days and will fill any gaps detected. You may notice differences in historical data during the process. ## User last activity table |
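Review bot: the fix from "sent at least one meeting" to "sent at least one email" is right; in the neighbouring unchanged row, "using OneDrive or sharepoint" should capitalize SharePoint, and the -/+ pair for the "To ensure data quality" sentence is identical apart from whitespace, so that part of the hunk is a no-op that only adds churn to the history.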
business-premium | M365 Campaigns Setup | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365-campaigns-setup.md | Campaigns and political parties in the USA are eligible for special pricing for - U.S. State-wide political campaigns (eg: campaigns seeking office for governor, state legislature, or attorney general) > [!IMPORTANT]- > Due to local regulations, we are unable to offer Microsoft 365 for Campaigns in the following states at this time: CO, DE, IL, OK, WI & WY. We encourage campaigns in those states to explore additional offerings at [Microsoft 365 for business](https://www.office.com/business). + > Due to local regulations, we are unable to offer Microsoft 365 for Campaigns in the following states at this time: CO, DE, IL, OK, WI & WY. We encourage campaigns in those states to explore additional offerings at [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business). If your campaign or political party qualifies, Microsoft 365 for Campaigns is the least expensive plan available through Microsoft. See [Microsoft 365 for Campaigns](https://m365forcampaigns.microsoft.com). |
enterprise | Configure Exchange Server For Hybrid Modern Authentication | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication.md | Requirements about linked mailboxes to be inserted. Run the commands that assign your on-premises web service URLs as Microsoft Entra SPNs. SPNs are used by client machines and devices during authentication and authorization. All the URLs that might be used to connect from on-premises to Microsoft Entra ID must be registered in Microsoft Entra ID (including both internal and external namespaces). -1. First, connect to Microsoft Entra ID with [these instructions](connect-to-microsoft-365-powershell.md) and run the following commands on your Microsoft Entra ID server: +1. First, run the following commands on your Microsoft Exchange Server: ```powershell Get-MapiVirtualDirectory | FL server,*url* Run the commands that assign your on-premises web service URLs as Microsoft Entr 2. Next, connect to Microsoft Entra ID with [these instructions](connect-to-microsoft-365-powershell.md). To consent to the required permissions, run the following command: ```powershell- Connect-MgGraph -Scopes Application.Read.All, Application.ReadWrite.All. + Connect-MgGraph -Scopes Application.Read.All, Application.ReadWrite.All ``` 3. For your Exchange-related URLs, type the following command: |
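Review bot: removing the trailing period from `Connect-MgGraph -Scopes Application.Read.All, Application.ReadWrite.All` is a functional fix rather than a cosmetic one, because `Application.ReadWrite.All.` is not a Graph permission name and the consent prompt would request a scope that does not exist; the commit message should say so. While touching that line, `Application.Read.All` is already included in `Application.ReadWrite.All`, so the list can be reduced to the single write scope, and the step should state that this is a broad delegated permission granted to the Microsoft Graph PowerShell application for the signing-in admin, which should be reviewed under Enterprise applications once the SPNs are registered. Moving the `Get-MapiVirtualDirectory` commands in step 1 from the "Microsoft Entra ID server" to the Exchange Server is correct, since they are Exchange Management Shell cmdlets. The hunk context still reads "Requirements about linked mailboxes to be inserted.", which looks like a placeholder left in the published article.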
enterprise | Modern Desktop Deployment And Management Lab | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md | Title: Windows and Office 365 deployment lab kit +description: Learn about where to access the Windows and Office deployment lab kit. f1.keywords: - NOCSH ms.localizationpriority: medium - Ent_O365 - Strat_O365_Enterprise--description: Learn about where to access the Windows and Office Deployment Lab Kit. # Windows and Office 365 deployment lab kit -The Windows and Office 365 deployment lab kits are designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps. The labs in the kit cover using Microsoft Intune and Microsoft Configuration Manager. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation. The following lab kits are available for free download: +The deployment lab kits for Windows and Office 365 can help you plan, test, and validate your deployment and management of desktops. The labs in the kit include Windows 11 Enterprise, Microsoft 365 Apps, and use of Microsoft Intune and Microsoft Configuration Manager. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation. 
-[**Windows 11 lab**](https://info.microsoft.com/ww-landing-windows-11-office-365-lab-kit.html) +The following lab kits are available for free download: ++[**Windows 11 lab**](https://info.microsoft.com/ww-landing-windows-11-office-365-lab-kit.html) ## A complete lab environment -The lab provides you with an automatically provisioned virtual lab environment, including domain-joined desktop clients, a domain controller, an internet gateway, and a fully configured Configuration Manager instance. The labs include evaluation versions of the following products: +The lab provides you with an automatically provisioned virtual lab environment. It includes domain-joined desktop clients, a domain controller, an internet gateway, and a fully configured Configuration Manager instance. ++The labs include evaluation versions of the following products: -|Windows 11 Lab| +|Windows 11 lab| ||-|Windows 11 Enterprise, Version 23H2| -|Microsoft Configuration Manager, Version 2303| +|Windows 11 Enterprise, version 23H2| +|Microsoft Configuration Manager, version 2303| |Windows Assessment and Deployment Kit for Windows 11| |Windows Server 2022| -The labs are also designed to be connected to trials for: +The labs are designed for you to connect them to trials for the following - Microsoft 365 E5 - Microsoft 365 Apps for enterprise The labs are also designed to be connected to trials for: ## Step-by-step labs -Detailed lab guides take you through multiple deployment and management scenarios. The labs have been updated for the latest versions of Intune and Configuration Manager. Note: A new Windows 11 version of the lab is now available. The lab guides include the following scenarios: +Detailed lab guides take you through multiple deployment and management scenarios. The labs support the latest releases of Intune, Configuration Manager, and Windows 11. ++The following sections describe the scenarios supported by the lab guides. 
### Plan and prepare infrastructure -- Cloud Management Gateway+- Cloud management gateway - Tenant attach and co-management - Endpoint analytics - Optimize update delivery Detailed lab guides take you through multiple deployment and management scenario ### Service Windows -- Servicing Windows using Group Policy+- Servicing Windows using group policy - Servicing Windows using Microsoft Intune - Servicing Windows with Configuration Manager -### Manage Windows +### Manage Windows -- Device Management for Windows 11 using Microsoft Intune -- Dynamic Management with Windows 11 +- Device management for Windows 11 using Microsoft Intune +- Dynamic management with Windows 11 - Deploying Windows apps (Win32) with Intune-- Remote Help+- Remote help ### Deploy Microsoft 365 Apps for enterprise - Cloud managed deployment - Locally managed deployment-- Microsoft 365 Apps deployment on Non-AD Joined Devices+- Microsoft 365 Apps deployment on non-Active Directory-joined devices - Enterprise managed deployment using Configuration Manager - Enterprise managed deployment using Microsoft Intune - Servicing Microsoft 365 Apps for enterprise using Configuration Manager - Servicing Microsoft 365 Apps for enterprise using Intune-- LOB Deployment and Management with Microsoft Intune+- Line of business (LOB) application deployment and management with Microsoft Intune - Deploy Microsoft Teams - Assignment filters ### Managing Microsoft Edge -- Deploy and Update Edge-- IE Mode-- Setup Enterprise New Tab Page+- Deploy and update Microsoft Edge +- Internet Explorer (IE) mode +- Setup enterprise new tab page ### Security and Compliance - BitLocker - Microsoft Defender Antivirus - Windows Hello for Business-- Windows Defender Credential Guard -- Microsoft Defender Application Guard -- Windows Defender Exploit Guard -- Windows Defender Application Control -- Microsoft Defender for Endpoint -+- Credential Guard +- Microsoft Defender Application Guard +- Windows Defender Exploit Guard +- Windows 
Defender Application Control +- Microsoft Defender for Endpoint > [!NOTE]-> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before May 5, 2024. +> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before May 5, 2024. For support with this lab, email the lab support alias `winlab_help@microsoft.com`. -## Additional guidance +## More guidance - [Windows client deployment resources and documentation](/windows/deployment) - [Desktop Deployment series videos from Microsoft Mechanics](https://www.aka.ms/watchhowtoshift) |
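Review bot: in the "Service Windows" list, "Group Policy" is a product feature name, so the change to "group policy" goes the wrong way for Microsoft style; the same hunk correctly lowercases generic nouns such as "Cloud management gateway", but "Setup enterprise new tab page" should become "Set up enterprise new tab page" (verb), matching the Setup/Set up fix made in the dynamic teams article in this same batch. Minor: "Windows Defender Exploit Guard" keeps its old product prefix while "Windows Defender Credential Guard" is shortened to "Credential Guard" in the same list; pick one naming convention for the Security and Compliance section.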
frontline | Deploy Dynamic Teams At Scale | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/deploy-dynamic-teams-at-scale.md | Last updated 01/29/2024 ## Overview +> [!NOTE] +> Mapping frontline attributes to the department and job titles in your organization to enable [targeted communications](set-up-targeted-communications.md) is currently in public preview. + Frontline teams are a collection of people, content, and tools within an organization for different frontline worker locations. Membership of frontline dynamic teams is determined and managed by a set of Microsoft Entra attributes. [Learn more about Microsoft Entra attributes](/azure/active-directory/external-identities/customers/how-to-define-custom-attributes). In the setup process, you define the following information with Microsoft Entra attributes: - Who your frontline workers are - What locations they work at+- (Preview) Department and job titles of your frontline workers (optional) You also determine team structure and team owners. Check out this [Microsoft Mechanics video](https://www.youtube.com/watch?v=gdkTn - Users must have a Microsoft 365 F3, F1, E3, or E5 license. If a user doesn't have one of these licenses, they'll need a Microsoft Entra ID P1 add-on license to use dynamic teams. [Learn more about frontline licensing](flw-licensing-options.md). - Ensure you can define your frontline workers and their work locations through data available in Microsoft Entra ID. If you don't have this data in Microsoft Entra ID, you can sync it through a [human capital management (HCM) connector](/azure/active-directory/app-provisioning/plan-cloud-hr-provision) or [use the PowerShell solution](deploy-teams-at-scale.md) to create static teams at scale.+- If you want to enable [targeted communications](set-up-targeted-communications.md) (Preview), ensure you can map the attributes of your frontline workers through data available in Microsoft Entra ID. 
If user profile information doesn’t yet include job title or department, you can add it. [Learn more about how to add or update a user’s profile information in Microsoft Entra ID](/entra/fundamentals/how-to-manage-user-profile-info). When evaluating the right solution for your organization, we recommend you do the following: When evaluating the right solution for your organization, we recommend you do th ## Set up your frontline dynamic teams 1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**.-2. In the table, choose **Setup**. +2. In the table, choose **Set up**. - :::image type="content" source="media/dtas-manage-setup.png" alt-text="Screenshot of the Manage frontline teams page, showing the Setup button." lightbox="media/dtas-manage-setup.png"::: + :::image type="content" source="media/dtas-manage-setup.png" alt-text="Screenshot of the Manage frontline teams page, showing the Set up button." lightbox="media/dtas-manage-setup.png"::: -3. Review the prerequisites information. +1. Review the setup and prerequisites information. -4. Select the Microsoft Entra attribute that defines your frontline workers. You can only choose one Microsoft Entra attribute, but you can define multiple values by separating them with commas. +1. On the Identify your frontline workers page, select the Microsoft Entra attribute that defines your frontline workers. You can only choose one Microsoft Entra attribute, but you can define multiple values by separating them with commas. - :::image type="content" source="media/dtas-frontline-attribute.png" alt-text="Screenshot of where to enter your Microsoft Entra attribute and values for frontline workers." 
lightbox="media/dtas-frontline-attribute.png"::: + :::image type="content" source="media/dtas-frontline-worker-attribute.png" alt-text="Screenshot showing where to enter your Microsoft Entra attribute and values to identify your frontline workforce." lightbox="media/dtas-frontline-worker-attribute.png"::: -5. Select the Microsoft Entra attribute that defines the location your frontline employees work in. You can only choose one location attribute. +1. On the Location page, select the Microsoft Entra attribute that defines the location your frontline employees work in. You can only choose one location attribute. - :::image type="content" source="media/dtas-location-attribute.png" alt-text="Screenshot of where to enter your Microsoft Entra attribute for frontline locations." lightbox="media/dtas-location-attribute.png"::: + :::image type="content" source="media/dtas-location-attribute.png" alt-text="Screenshot showing where to enter your Microsoft Entra attribute that identifies the location where your frontline employees work." lightbox="media/dtas-location-attribute.png"::: -6. Define your team structure by choosing a prefix. The prefix is applied using the "prefix-location" format for all your teams. +1. On the Team settings page, define a naming pattern for your teams by choosing a prefix. The prefix is applied using the "prefix-location" format to all your teams. - :::image type="content" source="media/dtas-prefix.png" alt-text="Screenshot of the prefix, team template, and team owner account fields." lightbox="media/dtas-prefix.png"::: + :::image type="content" source="media/dtas-team-settings.png" alt-text="Screenshot of team settings options showing the prefix, team template, and team owner fields." lightbox="media/dtas-team-settings.png"::: -7. Optionally, choose a team template. The team template you choose defines the channel structure for all your frontline teams. 
[Learn more about team templates](/microsoftteams/get-started-with-teams-templates-in-the-admin-console). +1. Optionally, choose a team template. The team template you choose defines the channel structure for all your frontline teams. [Learn more about team templates](/microsoftteams/get-started-with-teams-templates-in-the-admin-console). > [!NOTE] > Currently, only team templates that are set to the English (United States) locale are supported. Keep in mind that the locale doesn't affect translation of the template or data residency. The locale setting is used only to distinguish between templates that have the same name that are created in different languages. -8. Enter a user account object ID to be the team owner. This account will be the owner for all frontline teams. It's recommended to choose a shared account rather than an individual person. +1. Enter the object ID of the user account who you want as the team owner. This account will be the owner of all frontline teams. We recommend you choose a shared account rather than an individual person. 1. To get a user's object ID, go to the [Azure portal](https://portal.azure.com). 1. Select **Microsoft Entra ID**. 1. Select **Users**, and then choose your user. 1. Copy the user's object ID. -9. Review your settings, and then choose **Finish setup.** +1. (Preview) On the Map frontline attributes page, select the Microsoft Entra attributes that most accurately reflect the departments and job titles in your organization. You can set the **Department attribute**, **Job title attribute**, or both. ++ > [!NOTE] + > This step is optional. If you choose not to map frontline attributes, leave the values as **None**. You can always come back and map them later on the [Dynamic teams settings page](#edit-your-frontline-team-settings). ++ :::image type="content" source="media/dtas-frontline-attributes.png" alt-text="Screenshot showing where to map your Microsoft Entra attributes for Job title and Department." 
lightbox="media/dtas-frontline-attributes.png"::: ++ These attributes map departments and job titles in your organization, which allows you to deliver targeted communications features, such as [automatic tags](set-up-targeted-communications.md#automatic-tags), to your frontline. Your frontline workers can quickly and easily reach the right group of people through tags that are automatically created based on the attribute mappings. [Learn more about attribute mapping and targeted communications](set-up-targeted-communications.md). - >[!NOTE] - >Setup can take several hours to run. You can refresh the **Manage frontline teams** page to get the latest status of your setup. +1. Review your settings, and then choose **Finish setup.** - :::image type="content" source="media/dtas-setup-submitted.png" alt-text="Screenshot of the Manage frontline teams page with a banner showing that setup was submitted." lightbox="media/dtas-setup-submitted.png"::: + > [!NOTE] + > Setup can take several hours to run. Refresh the Manage frontline teams page to get the latest status. ++ :::image type="content" source="media/dtas-setup-submitted.png" alt-text="Screenshot of the Manage frontline teams page with a banner showing that setup is in progress." lightbox="media/dtas-setup-submitted.png"::: ## Deploy your frontline dynamic teams -1. After setup is completed, go to the **Manage frontline teams** page, and then select the **Deploy** button. +1. After setup is completed, go to the Manage frontline teams page, and then select the **Deploy** button. :::image type="content" source="media/dtas-deploy.png" alt-text="Screenshot of the Manage frontline teams page, showing the Deploy button." lightbox="media/dtas-deploy.png"::: -2. From here, you can review your settings and view the list of locations that don't yet have a frontline dynamic team created. +1. From here, you can review your settings and view the list of locations that don't yet have a frontline dynamic team created. -3. 
In the table, select the locations that you want to create teams for. +1. In the table, select the locations that you want to create teams for. :::image type="content" source="media/dtas-deploy-locations.png" alt-text="Screenshot of the table of locations." lightbox="media/dtas-deploy-locations.png"::: -4. Select **Deploy**. This process can take several hours depending on how many teams you're creating. After deployment is completed, you'll see the number updated in the **Frontline teams** card. On this card, you can download a CSV file with a list of your frontline teams. If any errors occurred, you can download the error CSV file on the **Last deployment health** card. +1. Select **Deploy**. This process can take several hours depending on how many teams you're creating. ++ After deployment is completed, you'll see the number of deployed frontline teams in the **Frontline teams** card. You can also download a CSV file with a list of those teams. - :::image type="content" source="media/dtas-view-errors.png" alt-text="Screenshot of where you can get the CSV file on the Manage frontline teams page." lightbox="media/dtas-view-errors.png"::: + :::image type="content" source="media/dtas-deploy-completed.png" alt-text="Screenshot of where you can get the CSV file on the Manage frontline teams page." lightbox="media/dtas-deploy-completed.png"::: -5. You can repeat this process for any frontline locations that don't have a team. + If an error occurred during the deployment process, you can download the error CSV file on the **Last deployment health** card. Use the information in it to help resolve the errors, and then rerun the deployment experience ++1. You can repeat this process for any frontline locations that don't have a team. ## Managing your frontline dynamic teams You can manage your teams when changes happen in your organization. 1. 
In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**. -2. In the table, choose **Deploy**. +1. In the table, choose **Deploy**. -3. Select the **Refresh location** button, and proceed when prompted by the dialog box. This process can take several hours depending on your number of new locations. +1. Select the **Refresh location** button, and then proceed when prompted by the dialog box. This process can take several hours depending on your number of new locations. :::image type="content" source="media/dtas-refresh-locations.png" alt-text="Screenshot of the Refresh location button." lightbox="media/dtas-refresh-locations.png"::: -4. After the refresh is completed, your setup status shows as **Complete**. You can proceed to [deploy your new teams](#deploy-your-frontline-dynamic-teams). Deployment can take several hours depending on how many new teams you're deploying. +1. After the refresh is completed, your setup status shows as **Complete**. You can proceed to [deploy your new teams](#deploy-your-frontline-dynamic-teams). Deployment can take several hours depending on how many new teams you're deploying. ### Edit your frontline team settings 1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), choose **Frontline deployment** > **Manage frontline teams**.-2. In the **Deployment settings** column, choose **Deploy frontline dynamic teams**. -3. Edit your settings on this page, and then select **Save**. Your settings might take several hours to update. See the following table for the effects of updating your settings. +1. In the **Deployment settings** column, choose **Deploy teams with dynamic membership**. +1. On the Dynamic teams settings page, edit your settings, and then select **Apply**. Your settings might take several hours to update. 
++ :::image type="content" source="media/dtas-edit-settings.png" alt-text="Screenshot of the Dynamic teams settings page, showing options to edit frontline team settings" lightbox="media/dtas-edit-settings.png"::: ++ See the following table for the effects of updating your settings. |Setting |Effect on existing frontline teams |Effect on new frontline teams | |--|--||- |Define your frontline Microsoft Entra attribute. |All existing frontline teams will be members that have the new Microsoft Entra attribute defined. |All new frontline teams members will have the new Microsoft Entra attribute defined. | - |Choose the values applicable to your frontline Microsoft Entra attribute. |All existing frontline team membership will reflect your updated values. |All new teams will be populated with members who have the updated Microsoft Entra attributes that you defined. | + |Define your frontline worker attribute. |All existing frontline teams will be members that have the new Microsoft Entra attribute defined. |All new frontline teams members will have the new Microsoft Entra attribute defined. | + |Choose the values applicable to your frontline Microsoft Entra attribute. |All existing frontline team members will reflect your updated values. |All new teams will be populated with members who have the updated Microsoft Entra attributes that you defined. | + |(Preview) Map your frontline attributes for department and job title. |All existing frontline team members will reflect the Microsoft Entra attribute you defined for department and job title. |All new frontline team members will use the Microsoft Entra attribute you defined for department and job title.| |Define your frontline locations. | Existing teams will continue to persist. If a team is no longer tied to a location, there will be no users in that team, and users are put in their respective location teams. |You can create new frontline teams based on the locations defined by your new Microsoft Entra attribute. 
| |Set your team name prefix. |All existing team names will be updated to reflect the prefix and location name if that was changed. |All new teams will have the updated naming convention. | |Select your team template. |No updates to the team structure will occur. |All new teams will use the updated team template. | You can manage your teams when changes happen in your organization. The [Teams usage report](/microsoft-365/admin/activity-reports/microsoft-teams-usage-activity) in Teams admin center gives you an overview of usage activity in Teams. You can use the report to view usage details for your frontline teams, including active users, active channels, total organized meetings, last activity date, and other information. 1. In the left navigation of the [Teams admin center](https://admin.teams.microsoft.com), **choose Analytics & reports** > **Usage reports**.-2. On the **View reports** tab, under **Report**, select **Teams usage**. -3. Under **Date range**, select a date range of 7 days, 30 days, 90 days, or 180 days. Then, choose **Run report**. -4. In the upper-right corner, select **Export to Excel** > **Export table as CSV**. -5. Filter the spreadsheet based on your frontline team IDs. +1. On the **View reports** tab, under **Report**, select **Teams usage**. +1. Under **Date range**, select a date range of 7 days, 30 days, 90 days, or 180 days. Then, choose **Run report**. +1. In the upper-right corner, select **Export to Excel** > **Export table as CSV**. +1. Filter the spreadsheet based on your frontline team IDs. > [!NOTE] > To get a list of your frontline team IDs, in the Teams admin center, go to **Frontline deployment** > **Manage frontline teams**, and then in the **Frontline teams** section, select **Download CSV**. It can take time for channels to propagate in Teams. 
The General channel is crea You can delete a team by using the [Teams client](https://support.microsoft.com/office/delete-a-team-in-microsoft-teams-c386f91b-f7e6-400b-aac7-8025f74f8b41), [Teams admin center](/microsoftteams/archive-or-delete-a-team), [PowerShell](/powershell/module/teams/remove-team), or [Graph](/graph/api/group-delete). -Keep in mind that it can take up to 24 hours for a team and the Microsoft 365 group that's associated with the team to be fully deleted. +Keep in mind that it can take up to 24 hours for a team and the Microsoft 365 group associated with the team to be fully deleted. If you need to redeploy a frontline location team that was deleted, follow these steps: |
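Review bot: the rewritten first table row (`+ |Define your frontline worker attribute. |All existing frontline teams will be members that have the new Microsoft Entra attribute defined.`) still says the teams themselves "will be members"; the next row was corrected from "team membership" to "team members", so this cell needs the same treatment, for example "All existing frontline team membership will be recalculated from users that have the new Microsoft Entra attribute defined." The same row renames the setting to "frontline worker attribute" while its effect cells and the following row keep "frontline Microsoft Entra attribute"; use one term consistently so the setting name in the table matches the label shown in the screenshot above it.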
frontline | Manage Shifts Permissions Frontline Managers | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/manage-shifts-permissions-frontline-managers.md | + + Title: Manage Shifts permissions for frontline managers +++++audience: admin +++search.appverid: MET150 +searchScope: + - Microsoft Teams + - Microsoft Cloud for Healthcare + - Microsoft Cloud for Retail +description: Learn how to manage Shifts permissions for your frontline managers. You can use the shiftsRoleDefinition Graph API to control the Shifts settings that frontline managers can configure for their teams and whether they can create and manage schedule groups. +f1.keywords: +- NOCSH +ms.localizationpriority: high ++ - M365-collaboration + - m365-frontline + - teams-1p-app-admin + - highpri + - microsoftcloud-healthcare + - microsoftcloud-retail +appliesto: + - Microsoft Teams + - Microsoft 365 for frontline workers + Last updated : 02/28/2024+++# Manage Shifts permissions for frontline managers ++Frontline managers in Shifts are users that have [the team owner or schedule owner role](schedule-owner-for-shift-management.md). They create and manage schedules for their teams. By default, frontline managers can do the following in Shifts: ++- Configure [Shifts settings](https://support.microsoft.com/office/manage-settings-in-shifts-1aef353d-e2df-4661-abdd-4014cb57f17b) for their teams. For example, frontline managers can turn on time clock and set whether frontline workers on their team can swap shifts and request time off. +- Create and manage schedule groups for their teams in Shifts. Schedule groups are used to group frontline workers based on common characteristics within a team, such as departments or job types. ++Depending on the needs of your organization, you might need to restrict the Shifts capabilities that are available to frontline managers for managing their team schedules. 
This article describes how you can control permissions to these capabilities using the [shiftsRoleDefinition](/graph/api/resources/shiftsroledefinition?view=graph-rest-beta) Graph API. ++## Frontline manager capabilities in Shifts for managing their teams ++The following table lists the settings and schedule group capabilities that are available to frontline managers in Shifts for managing their teams, and indicates whether you can restrict the capability. ++|Setting/capability|Description|Use shiftsRoleDefinition Graph API to control permissions| +|||::| +|Team time zone|Set the team's time zone and closest city.|| +|Start of week|Set the day of the week for schedules to start.|| +|Copying shifts|Set whether shifts activities are automatically included when copying shifts.|| +|Open shifts|Turn on or turn off the ability to create and request open shifts.|Γ£ö∩╕Ź| +|Swap shifts|Turn on or off workers' ability to swap shifts with each other. |Γ£ö∩╕Ź| +|Offer shift|Turn on or off workers' ability to offer shifts to coworkers.|Γ£ö∩╕Ź| +|Time-off requests|Turn on or turn off workers' ability to request time off.|Γ£ö∩╕Å| +|Time-off reasons|Add and edit time-off reasons for the team.|Γ£ö∩╕Å| +|Time clock|Turn on or turn off time clock for the team.|Γ£ö∩╕Å| +|Time clock geolocation|Define time clock geolocation (takes precedence over time clock setting)|Γ£ö∩╕Å| +|Visibility of past shifts|Turn on or turn off workers' ability to see coworkers' past shifts.|| +|Visibility of time off|Turn on or turn off workers' ability to see each other's time-off details.|| +|Visibility of shifts details|Turn on or turn off workers' ability to see each other's shift details.|| +|Manage schedule groups|Add, rename, and delete schedule groups.|Γ£ö∩╕Å| +|Manage schedule group membership|Add and remove team members from schedule groups.|| ++¹You manage these three capabilities through the `CanModifyShiftRequestsCapabilities` parameter. 
++You can also use the [Create or replace schedule](/graph/api/team-put-schedule?view=graph-rest-1.0) Graph API to define Shifts settings and the [Create schedulingGroup](/graph/api/schedule-post-schedulinggroups?view=graph-rest-1.0) Graph API to manage schedule groups and membership. ++## Example scenario ++At Contoso Ltd, department managers report directly to the store manager. Store managers have more authority within the company than department managers, and roles are assigned as follows: ++- Store managers are team owners in Teams. +- Department managers are team members in Teams and schedule owners in Shifts. ++Contoso reviewed the Shifts capabilities of their frontline managers and determined the following requirements based on their business needs: ++- [Frontline managers shouldn't be able to choose whether their teams can use time clock in Shifts](#frontline-managers-shouldnt-be-able-to-choose-whether-their-teams-can-use-time-clock-in-shifts). +- [Department managers shouldn't be able to choose whether they can add and edit time-off reasons in Shifts](#department-managers-shouldnt-be-able-to-choose-whether-they-can-add-and-edit-time-off-reasons-in-shifts). ++### Frontline managers shouldn't be able to choose whether their teams can use time clock in Shifts ++Contoso decided not to use time clock in Shifts for now because they want their frontline workers to use the in-store stations to clock in and out of their shifts. This means that they need to: ++- Remove permissions for store managers (team owners) and department managers (schedule owners) to change the time clock setting in Shifts for their teams. +- Set the time clock setting in Shifts to **Off** for all teams. + +To do this: ++1. 
To prevent frontline managers from changing the time clock setting for their teams, use the [shiftsRoleDefinition](/graph/api/resources/shiftsroledefinition?view=graph-rest-beta) Graph API and remove the `CanModifyTimeClockCapabilities` parameter from the `allowedResourceActions` list for the team owner role and schedule owner role on every team using Shifts. ++ This example shows the permissions of the team owner role for the Contoso Chicago store (team ID fb963991-69a8-4d2c-8465-cd8e374891c4). ++ **Request**<br> + ```http + PATCH https://graph.microsoft.com/beta/teams/fb963991-69a8-4d2c-8465-cd8e374891c4/schedule/shiftsRoleDefinition/teamowner + Content-Type: application/json ++ { + "shiftsRoleDefinition": [ + { + "allowedResourceActions": [ + "CanModifyShiftRequestsCapabilities", + "CanModifyTimeOffRequestsCapabilities", + "CanModifySchedulingGroups", + "CanModifyTimeOffReasons" + ] + } + ] + } + ``` ++1. To turn off time clock in Shifts for all teams, use the [Create or replace schedule](/graph/api/team-put-schedule?view=graph-rest-1.0) Graph API and set the `timeClockEnabled parameter` to `false` for every team. ++ Here, time clock is turned off for the Contoso Chicago store (team ID fb963991-69a8-4d2c-8465-cd8e374891c4). ++ **Request**<br> + ```http + PUT https://graph.microsoft.com/v1.0/teams/fb963991-69a8-4d2c-8465-cd8e374891c4/schedule + Content-Type: application/json ++ { + "enabled": true, + "timeZone": "America/ChicagoΓÇ¥, + "timeClockEnabled": false + } + ``` ++Here's what the time clock setting in Shifts looks like for store managers and department managers at Contoso before and after removing their permissions to change it. After removing their permissions, the setting is unavailable in Shifts. +++### Department managers shouldn't be able to choose whether they can add and edit time-off reasons in Shifts ++At Contoso, adding and editing time-off reasons is the responsibility of the store manager. 
This means that they need to remove permissions for department managers (schedule owners) to add and edit time-off reasons in Shifts for all teams. ++To do this, use the [shiftsRoleDefinition](/graph/api/resources/shiftsroledefinition?view=graph-rest-beta) Graph API and remove the `CanModifyTimeOffReasons` parameter from the `allowedResourceActions` list for the schedule owner role on every team using Shifts. ++This example shows the permissions of the schedule owner role for the Contoso Chicago store (team ID fb963991-69a8-4d2c-8465-cd8e374891c4). ++**Request**<br> +```http +PATCH https://graph.microsoft.com/beta/teams/fb963991-69a8-4d2c-8465-cd8e374891c4/schedule/shiftsRoleDefinition/scheduleowner +Content-Type: application/json ++{ +"shiftsRoleDefinition": [ + { + "allowedResourceActions": [ + "CanModifyShiftRequestsCapabilities", + "CanModifyTimeOffRequestsCapabilities", + "CanModifySchedulingGroups" + ] + } + ] +} +``` ++Here's what the time-off reasons option in Shifts looks like for department managers at Contoso before and after removing their permissions to use it. After removing their permissions, the option is unavailable in Shifts. +++## Related articles ++- [Shifts for frontline workers](shifts-for-teams-landing-page.md) +- [Manage the Shifts app for your organization in Teams](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) |
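Review bot: the PUT schedule example body is not valid JSON as pasted: `"timeZone": "America/ChicagoΓÇ¥,` closes the string with a typographic quote (rendered here as ΓÇ¥) instead of an ASCII double quote, so anyone copying the request gets a parse error; the sentence above it also misplaces the backticks (`the `timeClockEnabled parameter` to `false``), which should read the `timeClockEnabled` parameter.

Review bot: both PATCH shiftsRoleDefinition examples submit a complete replacement `allowedResourceActions` list rather than removing a single entry, but the surrounding text says only to "remove the `CanModifyTimeClockCapabilities` parameter from the `allowedResourceActions` list". An admin who pastes the example as-is on a team whose role already carries a different set of actions silently strips those too. State explicitly that the caller should GET the current role definition for the team, drop only the action being restricted, and resubmit the rest. Since this has to be repeated "on every team using Shifts", also say whether a team created after the change starts with the default (unrestricted) role definition and needs the same PATCH, and add the usual caveat that both `shiftsRoleDefinition` links point at the Graph beta endpoint, which can change without notice.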
frontline | Set Up Targeted Communications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/set-up-targeted-communications.md | -> This article describes a Microsoft Teams feature that hasn't yet been released. This feature is coming soon. +> This feature is currently in public preview. You can map your frontline attributes to enable targeted communications and view your mapped values in the Teams admin center. However, automatic tags isn't available in the Teams client yet. Soon, your users will be able to use automatic tags in Teams to reach groups of people by department or job title. ## Overview Streamline and simplify communications for your frontline. After you map your at > Mapping frontline attributes is part of the setup process when you deploy frontline dynamic teams. It's an optional step. If you want to allow your frontline to easily reach each other by department or job title, map your attributes to enable targeted communications. > > If you've already deployed your frontline dynamic teams and you want to enable targeted communications for those teams, go to the [Dynamic teams settings page](deploy-dynamic-teams-at-scale.md#edit-your-frontline-team-settings), and map your attributes.-- To use [automatic tags](#automatic-tags), tags must be turned on for your organization. In the Teams admin center, go to **Teams** > **Teams settings**. Under **Tagging**, check that the **Who can manage tags** setting is set to an option other than **Not enabled**. [Learn more about how to turn on tags for your organization](/microsoftteams/manage-tags).+- To use [automatic tags](#automatic-tags), tags must be turned on for your organization. In the Teams admin center, go to **Teams** > **Teams settings**. Under **Tagging**, check that the **Who can manage tags** setting is set to an option other than **Not enabled**. [Learn more about how to turn on tags for your organization](/microsoftteams/manage-tags). 
## Set up targeted communications |
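Review bot: the removed and re-added "To use [automatic tags]..." bullet are character-for-character identical in this diff, so either the change is whitespace or line-ending only (fine, but worth noting in the commit) or the intended edit to that prerequisite never landed; please confirm which. In the new preview note, "automatic tags isn't available in the Teams client yet" should be "aren't available".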
security | Adv Tech Of Mdav | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/adv-tech-of-mdav.md | + + Title: Advanced technologies at the core of Microsoft Defender Antivirus +description: Microsoft Defender Antivirus engines and advanced technologies ++++++ Last updated : 02/28/2024++ms.localizationpriority: medium ++f1.keyboards: NOSCH +audience: ITPro +++# Advanced technologies at the core of Microsoft Defender Antivirus ++**Applies to:**┬á ++- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)┬á +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)┬á +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)┬á +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)┬á┬á +- Microsoft Defender Antivirus┬á +- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)┬á ++Microsoft Defender Antivirus and the multiple engines that lead to the advanced detection and prevention technologies under the hood to detect and stop a wide range of threats and attacker techniques at multiple points, as depicted in the following diagram: +++Many of these engines are built into the client and provide advanced protection against most threats in real time.┬á ++These next-generation protection engines provide [industry-best](/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) detection and blocking capabilities and ensure that protection is:┬á ++- **Accurate**: Threats both common and sophisticated, many which are designed to try to slip through protections, are detected and blocked. 
+- **Real-time**: Threats are prevented from getting on to devices, stopped in real-time at first sight, or detected and remediated in the least possible time (typically within a few milliseconds). +- **Intelligent**: Through the power of the cloud, machine learning (ML), and Microsoft's industry-leading optics, protection is enriched and made even more effective against new and unknown threats. ++## Hybrid detection and protection ++Microsoft Defender Antivirus does hybrid detection and protection. What this means is, detection and protection occur on the client device first, and works with the cloud for newly developing threats, which results in faster, more effective detection and protection. ++When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources. ++| On the client | In the cloud | +||| +| **Machine learning (ML) engine**<br/>A set of light-weight machine learning models make a verdict within milliseconds. These models include specialized models and features that are built for specific file types commonly abused by attackers. Examples include models built for portable executable (PE) files, PowerShell, Office macros, JavaScript, PDF files, and more. | **Metadata-based ML engine** <br/>Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened [monotonic models](https://www.microsoft.com/en-us/security/blog/2019/07/25/new-machine-learning-model-sifts-through-the-good-to-unearth-the-bad-in-evasive-malware/), analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution. | +| **Behavior monitoring engine**<br/>The behavior monitoring engine monitors for potential attacks post-execution. 
It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules. | **Behavior-based ML engine**<br/>Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration. | +| **Memory scanning engine**<br/>This engine scans the memory space used by a running process to expose malicious behavior that could be hiding through code obfuscation. | **Antimalware Scan Interface (AMSI)-paired ML engine**<br/>Pairs of client-side and cloud-side models perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks. These models include a pair of models for each of the scripting engines covered, including PowerShell, JavaScript, VBScript, and Office VBA macros. Integrations include both dynamic content calls and/or behavior instrumentation on the scripting engines. | +| **AMSI integration engine**<br/>Deep in-app integration engine enables detection of fileless and in-memory attacks through [AMSI](/windows/desktop/AMSI/antimalware-scan-interface-portal), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side. | **File classification ML engine**<br/>Multi-class, deep neural network classifiers examine full file contents, provides an extra layer of defense against attacks that require more analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file. 
| +| **Heuristics engine**<br/>Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats. | **Detonation-based ML engine**<br/>Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks. | +| **Emulation engine**<br/>The emulation engine dynamically unpacks malware and examines how they would behave at runtime. The dynamic emulation of the content and scanning both the behavior during emulation and the memory content at the end of emulation defeat malware packers and expose the behavior of polymorphic malware. | **Reputation ML engine**<br/>Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Defender for Office 365 for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph. | +| **Network engine**<br/>Network activities are inspected to identify and stop malicious activities from threats. | **Smart rules engine**<br/>Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats. | ++For more information, see [Microsoft 365 Defender demonstrates 100 percent protection coverage in the 2023 MITRE Engenuity ATT&CK® Evaluations: Enterprise](https://www.microsoft.com/security/blog/2023/09/20/microsoft-365-defender-demonstrates-100-percent-protection-coverage-in-the-2023-mitre-engenuity-attck-evaluations-enterprise/). 
++## How next-generation protection works with other Defender for Endpoint capabilities ++Together with [attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), which includes advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall, [next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) engines deliver Microsoft Defender for Endpoint's prebreach capabilities, stopping attacks before they can infiltrate devices and compromise networks.┬á ++As part of Microsoft's defense-in-depth solution, the superior performance of these engines accrues to the [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint) unified endpoint protection, where antivirus detections and other next-generation protection capabilities enrich endpoint detection and response, automated investigation and remediation, advanced hunting, threat and vulnerability management, managed threat hunting service, and other capabilities. ++These protections are further amplified through [Microsoft Defender XDR](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-xdr), Microsoft's comprehensive, end-to-end security solution for the modern workplace. 
Through [signal-sharing and orchestration of remediation across Microsoft's security technologies](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783), Microsoft Defender XDR secures identities, endpoints, email and data, apps, and infrastructure.┬á ++## Frequently asked questions ++### How many malware threats does Microsoft Defender Antivirus block per month?┬á ++[Five billion threats on devices every month](https://www.microsoft.com/en-us/security/blog/2019/05/14/executing-vision-microsoft-threat-protection/). ++### Do you all focus your detections/preventions in one specific geographic area?┬á ++No, we are in all the geographical regions (Americas, EMEA, and APAC).┬á ++### Do you all focus on specific industries?┬á ++We focus on every industry.┬á +┬á +### Do your detection/protection require a human analyst?┬á ++When you're pen-testing, you should demand where no human analysts are engaged on detect/protect, to see how the actual antivirus engine (prebreach) efficacy truly is, and a separate one where human analysts are engaged.┬áYou can add [Microsoft Defender Experts for XDR](/microsoft-365/security/defender/dex-xdr-overview) a managed extended detection and response service to augment your SOC. ++The ***continuous iterative enhancement*** each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent [top scores in industry tests](/microsoft-365/security/defender/top-scoring-industry-tests), but more importantly, translate to [threats and malware outbreaks](https://www.microsoft.com/en-us/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) stopped and [more customers protected](https://www.microsoft.com/en-us/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/).┬á +┬á |
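Review bot: the metadata line `+f1.keyboards: NOSCH` is a typo for the `f1.keywords:` key with value `NOCSH` (compare the Shifts article added in this same batch); as written the key is unknown and the value is dropped.

Review bot: the opening paragraph ("Microsoft Defender Antivirus and the multiple engines that lead to the advanced detection and prevention technologies under the hood to detect and stop a wide range of threats...") has no main verb; suggest "Microsoft Defender Antivirus uses multiple engines that provide advanced detection and prevention technologies under the hood to detect and stop...". The closing paragraph has the same problem ("The ***continuous iterative enhancement*** each of these engines to be increasingly effective" needs "of each of these engines makes them increasingly effective"). The FAQ answer under "Do your detection/protection require a human analyst?" reads as an internal note rather than an answer: say directly that the engines in the table run without a human analyst, and that if you want to measure the managed service you should run a separate evaluation with Defender Experts for XDR engaged.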
security | Device Health Api Methods Properties | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/device-health-api-methods-properties.md | +ms.reviewr: mkaminska audience: ITPro - m365-security Retrieves a list of Microsoft Defender Antivirus device health details. This API Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages. > [!IMPORTANT]-> -> Currently, only the **Antivirus Health JSON Response** is generally available. **Antivirus Health API via files** is currently only available in public preview. -> -> **Advanced Hunting custom query** is currently only available in public preview, even if the queries are still visible. -> > For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). > > For information about using the **Device health and antivirus compliance** reporting tool in the Microsoft 365 Security dashboard, see: [Device health and antivirus report in Microsoft Defender for Endpoint](../device-health-reports.md). |
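Review bot: `+ms.reviewr: mkaminska` is a typo for `ms.reviewer`; the misspelled key is ignored by the build. Separately, this change deletes the IMPORTANT lines that marked "Antivirus Health API via files" and "Advanced Hunting custom query" as public preview, which implies both reached general availability; if so the commit message should say that and any remaining "preview" wording in the article should be checked, and if not the notice should stay.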
security | Behavior Monitor | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavior-monitor.md | + + Title: Behavior monitoring in Microsoft Defender Antivirus +description: Learn about Behavior monitoring in Microsoft Defender Antivirus and Defender for Endpoint. +++++audience: ITPro ++++ms.localizationpriority: medium Last updated : 02/29/2024+search.appverid: met150 +++# Behavior monitoring in Microsoft Defender Antivirus ++**Applies to:** +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Business](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-business) +- [Microsoft Defender for Individuals](https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals) +- Microsoft Defender Antivirus ++Behavior monitoring is a critical detection and protection functionality of Microsoft Defender Antivirus. ++Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on signature-based detection (which identifies known malware patterns), behavior monitoring focuses on observing how software behaves in real-time. Here’s what it entails: ++1. Real-Time Threat Detection: ++- Continuously observe processes, file system activities, and interactions within the system. +- Defender Antivirus can identify patterns associated with malware or other threats. For example, it looks for processes making unusual changes to existing files, modifying or creating automatic startup registry (ASEP) keys, and other alterations to the file system or structure. ++2. Dynamic Approach: ++- Unlike static, signature-based detection, behavior monitoring adapts to new and evolving threats. 
++- Microsoft Defender Antivirus uses predefined patterns, and observes how software behaves during execution. For malware that doesn’t fit any predefined pattern, Microsoft Defender Antivirus uses anomaly detection. ++- If a program shows suspicious behavior (for example, attempting to modify critical system files), Microsoft Defender Antivirus can take action to prevent further harm, and revert some previous malware actions. ++Behavior monitoring enhances Defender Antivirus’s ability to proactively detect emerging threats by focusing on real-time actions and behaviors rather than relying solely on known signatures. ++The following features depend on behavior monitoring. ++**Anti-malware** ++- Indicators, File hash, allow/block ++**Network Protection** ++- Indicators, IP address/URL, allow/block +- Web Content Filtering, allow/block ++> [!NOTE] +> Behavior monitoring is protected by tamper protection. ++To temporarily disable behavior monitoring in order to remove it out of the picture, you want to first enable Troubleshooting mode, disable Tamper Protection, and then disable behavior monitoring. ++## Change the behavior monitoring policy +The following table shows the different ways to configure behavior monitoring. 
++| Management tool | Name | Links | +|:|:|:| +| Security Settings Management | Allow behavior monitoring | This article | +| Intune | Allow behavior monitoring | [Windows Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection) | +| CSP | AllowBehaviorMonitoring | [Defender Policy CSP](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection) | +| Configuration Manager Tenant Attach | Turn on behavior monitoring | [Windows Antivirus policy settings from Microsoft Defender Antivirus for tenant attached devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach#real-time-protection) | +| Group Policy | Turn on behavior monitoring | [Download Group Policy Settings Reference Spreadsheet for Windows 11 2023 Update (23H2)](https://www.microsoft.com/download/details.aspx?id=105668) | +| PowerShell | Set-Preference -DisableBehaviorMonitoring | [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring) | +| WMI | boolean DisableBehaviorMonitoring; | [MSFT\_MpPreference class](/previous-versions/windows/desktop/defender/msft-mppreference) | ++If you use Microsoft Defender for Business, see [Review or edit your next-generation protection policies in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-next-generation-protection). ++## Modify the behavior monitoring settings by using PowerShell +Use the following command to modify the behavior monitoring settings: ++`Set-MpPreference -DisableBehaviorMonitoring [true|false]` ++- `True` disables Behavior monitoring. +- `False` enables Behavior monitoring. ++For more information, see [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring). 
++## Query the behavior monitoring status from PowerShell ++`Get-MpComputerStatus | ft BehaviorMonitorEnabled` ++If the value returned is `true`, behavior monitoring is enabled. ++## Query the behavior monitoring status by using Advanced Hunting +You can use Advanced Hunting (AH) to query the status of behavior monitoring. ++Requires Microsoft Defender XDR, Microsoft Defender for Endpoint Plan 2, or Microsoft Defender for Business. ++``` +let EvalTable = DeviceTvmSecureConfigurationAssessment +| where ConfigurationId in ("scid-91") +| summarize arg_max(Timestamp,IsCompliant, IsApplicable) by DeviceId, ConfigurationId,tostring(Context) +| extend Test = case( +ConfigurationId == "scid-91" , "BehaviorMonitoring", +"N/A"), +Result = case(IsApplicable == 0,"N/A",IsCompliant == 1 , "Enabled", "Disabled") +| extend packed = pack(Test,Result) +| summarize Tests = make_bag(packed) by DeviceId +| evaluate bag_unpack(Tests); +let DefUpdate = DeviceTvmSecureConfigurationAssessment +| where ConfigurationId == "scid-2011" +// | where isnotnull(Context) +| extend Definition = parse_json(Context[0][0]) +| extend LastUpdated = parse_json(Context[0][2]) +| project DeviceId,Definition,LastUpdated; +let DeviceInformation = DeviceInfo +| where isnotempty(OSPlatform) +| summarize arg_max(Timestamp,*) by DeviceId, DeviceName +| project DeviceId, DeviceName, MachineGroup; +let withNames = EvalTable +| join kind = inner DeviceInformation on DeviceId +| project-away DeviceId1 +| project-reorder DeviceName, MachineGroup; +withNames | join kind = fullouter DefUpdate on DeviceId +| project-away DeviceId1 +| sort by BehaviorMonitoring asc +``` ++## Troubleshooting high CPU usage +Detections related to behavior monitoring start with "[Behavior](/microsoft-365/security/defender/malware-naming#type)". ++When investigating high CPU usage in `MsMpEng.exe`, you can temporarily disable behavior monitoring to see if the issues continue. 
++You can use Performance analyzer for Microsoft Defender Antivirus to find **\path\process**, **process** and/or **file extensions** that are contributing to the high cpu utilization. You can then add these items to [Contextual Exclusion](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md). ++For more information, see [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md). ++If you're seeing high CPU usage caused by behavior monitoring, continue troubleshooting the issue by reverting each of the following items in order. Re-enable behavior monitoring after reverting each item to identify where the problem might be. ++1. **platform update** +2. **engine update** +3. **security intelligence update**. ++If you're still encountering high CPU usage issues, contact Microsoft support and have your Client Analyzer data ready. + +If behavior monitoring isn't causing the issue, use [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md) to collect log information. Collect two different logs using `a -c` and `a -a`. Have this information ready when you contact Microsoft support. ++For more information, see [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md). |
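Review bot: the management-tool table row `| PowerShell | Set-Preference -DisableBehaviorMonitoring |` names a cmdlet that does not exist in the Defender module; it should be `Set-MpPreference`, as the link in the same row and the later section both say. In the same table the CSP row is labeled "Defender Policy CSP" but links to the Intune settings page used by the row above it; link to the Policy CSP reference for `Defender/AllowBehaviorMonitoring` instead.

Review bot: the usage line `Set-MpPreference -DisableBehaviorMonitoring [true|false]` will not work as shown: the parameter is Boolean and PowerShell rejects the bare words true/false for it ("Boolean parameters accept only Boolean values and numbers"), so show `$true`/`$false` (or 1/0). The troubleshooting guidance ("you want to first enable Troubleshooting mode, disable Tamper Protection, and then disable behavior monitoring") should also state that the change is temporary and must be reverted: the "Anti-malware" and "Network Protection" indicator features listed just above stop working while behavior monitoring is off, so tell the reader to run `Set-MpPreference -DisableBehaviorMonitoring $false` and let troubleshooting mode expire once the test is done.

Review bot: the Advanced Hunting block has no language tag on its fence (`kusto`), and the final paragraph's "Collect two different logs using `a -c` and `a -a`" never says which tool those switches belong to; the preceding sentence names Performance analyzer but the next one asks for Client Analyzer data, so spell out the tool and the full command line.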
security | Configure Cloud Block Timeout Period Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md | ms.localizationpriority: medium -+ Previously updated : 02/16/2024 Last updated : 02/18/2024 - m365-security - tier2 search.appverid: met150 # Configure the cloud block timeout period **Applies to:**-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- [Microsoft Defender for Business +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - Microsoft Defender Antivirus **Platforms** - Windows+- Windows Server When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](cloud-protection-microsoft-defender-antivirus.md). The default period that the file is [blocked](configure-block-at-first-sight-mic [Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period. +## Specify the extended timeout period using Microsoft Defender for Endpoint with Endpoint security policies ++To specify the cloud block timeout period with the Endpoint security policies in Defender for Endpoint: ++1. Go to the Microsoft Defender for Endpoint portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. +2. Select **Endpoints** > **Configuration management** > **Endpoint security policies**. +3. Select **Create new Policy**. +4. Under **Select Platform** choose: "Windows 10, Windows 11, and Windows Server". +5. 
Under **Select Template** choose: "Microsoft Defender Antivirus". +6. Select **Create policy**. +7. Enter a name and description and select **Next**. +8. From the **Defender** dropdown go to **Cloud Extended Timeout** and toggle it on. +9. Specify the extended time, in seconds, from 1 second to 50 seconds. Whatever you specify is added to the default 10 seconds. +10. Select **Next** and **Save** to finish configuring your policy. + ## Specify the extended timeout period using Microsoft Intune You can specify the cloud block timeout period with an [endpoint security policy in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). |
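Review bot: in the "Applies to" list, the added line `- [Microsoft Defender for Business` is an unterminated Markdown link (no closing bracket and no URL), so it will render as literal text; complete it. The same list now has both Plan 1 and Plan 2 pointing at `linkid=2154037`, which looks like the Plan 2 link copied onto the Plan 1 entry; verify the Plan 1 target. In the new procedure, step 3 says "Select **Create new Policy**" and step 6 says "Select **Create policy**"; if these are two distinct buttons in the portal, a short clause distinguishing them would help, otherwise one of the two labels is wrong.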
security | Defender Endpoint Subscription Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md | For example, suppose that you want to use a tag called `VIP` for all the devices 1. Create a device tag called `VIP`, and apply it to all the devices that should receive Defender for Endpoint Plan 2 capabilities. Use one of the following methods to create your device tag: - - [Add and manage device tags using the Microsoft Defender portal](machine-tags.md#add-and-manage-device-tags-using-the-portal). + - [Add device tags using the portal](machine-tags.md#add-device-tags-using-the-portal). - [Add device tags by setting a registry key value](machine-tags.md#add-device-tags-by-setting-a-registry-key-value). - [Add or remove machine tags by using the Defender for Endpoint API](add-or-remove-machine-tags.md). - [Add device tags by creating a custom profile in Microsoft Intune](machine-tags.md#add-device-tags-by-creating-a-custom-profile-in-microsoft-intune). |
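Review bot: the retargeted anchor `#add-device-tags-using-the-portal` matches the renamed heading `## Add device tags using the portal` in the machine-tags.md change on this page, so the cross-reference stays valid; check whether other articles still link to the old `#add-and-manage-device-tags-using-the-portal` fragment, because Markdown heading anchors do not redirect.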
security | Experts On Demand | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/experts-on-demand.md | - Title: Experts on Demand- -description: You can partner with Microsoft Defender Experts who can be engaged directly from within the Microsoft Defender portal for their response ------ - m365-security-compliance - - m365-initiative-defender-endpoint - - tier1 - Previously updated : 09/26/2022---# Ask Defender Experts ---**Applies to:** -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)--> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) --> [!NOTE] -> As of August 2022, the Experts on Demand option to **Consult a threat expert** has been rebranded to **Ask Defender Experts**. This documentation is still here to support the legacy Microsoft Threat Experts service, however, if you're interested to explore the service beyond your current license, refer to [Microsoft Defender Experts for Hunting](/microsoft-365/security/defender/defender-experts-for-hunting). Microsoft Defender Experts for Hunting subscription includes [Experts on Demand](/microsoft-365/security/defender/onboarding-defender-experts-for-hunting). --Customers can engage our security experts directly from within Microsoft Defender portal to get their response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to more threat intelligence regarding ongoing advanced persistent threat campaigns. 
With this capability, you can: --- Get more clarification on alerts including root cause or scope of the incident-- Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker-- Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques--> [!NOTE] -> Experts on Demand is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/). --## Ask Defender Experts about suspicious cybersecurity activities in your organization --You can partner with Microsoft Defender Experts who can be engaged directly from within the Microsoft Defender portal for their response. Experts provide insights to better understand complex threats, defender expert notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard. --> [!NOTE] -> -> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. -> - You need to have the **[Manage security settings](../defender-endpoint/user-roles.md)** permission in the Microsoft Defender portal to be able to submit the **Ask Defender Experts** inquiry. --1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request. --2. From the upper right-hand menu, click the **?** icon. 
Then, select **Ask Defender Experts** --The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request. --3. In the next field, provide enough information to give Microsoft Defender Experts enough context to start the investigation. --4. Enter the email address that you'd like to use to correspond with Microsoft Defender Experts. Ensure that the email address is for an account with a mailbox attached to it. If not, include an email address with a mailbox attached. --> [!NOTE] -> If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager. --Watch this video for a quick overview of the Microsoft Services Hub. --> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f] --## Sample investigation topics that you can Ask Defender Experts --### Alert information --- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?-- We've observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?-- I receive an odd alert today for abnormal number of failed logins from a high profile user's device. I can't find any further evidence around these sign-in attempts. How can Defender for Endpoint see these attempts? What type of sign-ins are being monitored?-- Can you give more context or insights about this alert: "Suspicious behavior by a system utility was observed".--### Possible device compromise --- Can you help answer why we see "Unknown process observed?" This message or alert is seen frequently on many devices. 
We appreciate any input to clarify whether this message or alert is related to malicious activity.-- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?--### Threat intelligence details --- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Endpoint Attack Notifications alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?-- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Defender for Endpoint provides against this threat actor?--### Defender Experts' alert communications --- Can your incident response team help us address the Endpoint Attack Notifications that we got?-- I received this Endpoint Attack Notifications from Microsoft Security Experts. We don't have our own incident response team. What can we do now, and how can we contain the incident?-- I received an Endpoint Attack Notifications from Microsoft Defender Experts. What data can you provide to us that we can pass on to our incident response team?-- > [!NOTE] - > Experts on Demand is a managed cybersecurity hunting service and not an incident response service. However, you can engage with your own incident response team to address issues that require an incident response. If you don't have your own incident response team and would like Microsoft's help, you can engage with the CSS Cybersecurity Incident Response Team (CIRT). They can open a ticket to help address your inquiry. --## Scenario --### Receive a progress report about your managed hunting inquiry --Response from Microsoft Defender Experts varies according to your inquiry. 
They'll email a progress report to you about your **Ask Defender Experts** inquiry within two days, to communicate the investigation status from the following categories: --- More information is needed to continue with the investigation-- A file or several file samples are needed to determine the technical context-- Investigation requires more time-- Initial information was enough to conclude the investigation--It's crucial to respond in quickly to keep the investigation moving. --## Next steps -- To proactively hunt threats across endpoints, refer to [Endpoint Attack Notification](../defender-endpoint/endpoint-attack-notifications.md).-- To proactively hunt threats across endpoints, Office 365, cloud applications, and identity, refer to [Microsoft Defender Experts for Hunting](../defender/defender-experts-for-hunting.md).- |
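Review bot: this hunk deletes experts-on-demand.md outright, yet the removed note says the page was kept on purpose "to support the legacy Microsoft Threat Experts service"; the deletion should be paired with a redirect from the old URL to the Defender Experts for Hunting page or the Endpoint Attack Notifications page, both of which the removed "Next steps" section already links to, otherwise inbound links to the old URL will return 404.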
security | Machine Tags | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md | Add tags on devices to create a logical group affiliation. Device tags support p You can add tags on devices using the following ways: - Using the portal-- Setting a registry key value+- Using dynamic rules for device tagging +- Setting a registry key value (Windows) +- Using Defender for Endpoint security settings management (macOS / Linux) +- Creating a configuration profile (macOS / Linux) +- Creating a custom profile in Microsoft Intune (Windows 10 or later) +- Using App configuration policy in Intune (iOS / Android) > [!NOTE]-> There may be some latency between the time a tag is added to a device and its availability in the devices list and device page. +> There might be some latency between the time a tag is added to a device and its availability in the devices list and device page. To add device tags using API, see [Add or remove device tags API](api/add-or-remove-machine-tags.md). -## Add and manage device tags using the portal +## Add device tags using the portal 1. Select the device that you want to manage tags on. You can select or search for a device from any of the following views: You can also delete tags from this view. :::image type="content" source="images/new-tag-label-display.png" alt-text="Adding tags on device2" lightbox="images/new-tag-label-display.png"::: +## Add device tags using dynamic rules for device tagging ++You can create and manage rules that automatically assign and remove tags from devices based on user-defined criteria directly in the Microsoft Defender portal. 
Please refer to following documents for details ++- [Manage your devices with ease using dynamic rules for device tagging in Microsoft Defender](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/manage-your-devices-with-ease-using-dynamic-rules-for-device/ba-p/4024988) +- [Asset rule management - Dynamic rules for devices](/microsoft-365/security/defender/configure-asset-rules) + ## Add device tags by setting a registry key value > [!NOTE] Use the following registry key entry to add a tag on a device: > > If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key. +## Add device tags using the Defender for Endpoint security settings management ++> [!NOTE] +> Applicable only on the following devices: +> +> - macOS +> - Linux ++You can use Defender for Endpoint security settings management to define and apply device tags for macOS and Linux. You can perform this task by creating Endpoint detection and response security policy. Please refer to following documentation for details. ++- [Manage endpoint security policies on devices onboarded to Microsoft Defender for Endpoint](/mem/intune/protect/mde-security-integration) +- [Manage endpoint security policies in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/manage-security-policies) ++## Add device tags by creating a configuration profile ++> [!NOTE] +> Applicable only on the following devices: +> +> - macOS +> - Linux ++You can use configuration profile to set device tag for macOS and Linux. Please refer to following documentation for details. ++- **For macOS**, create configuration profile (.plist file) and deploy it manually or through management tool including Intune. See the guidance in [Set preferences for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-preferences). 
To deploy configuration profile with Intune, follow the guidance in [Use custom settings for macOS devices in Microsoft Intune](/mem/intune/configuration/custom-settings-macos). ++- **For Linux**, create configuration profile (.json file) and deploy it manually or through management tool. See the guidance in [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences) + ## Add device tags by creating a custom profile in Microsoft Intune +> [!NOTE] +> Applicable only on the following devices: +> +> - Windows 10 +> - Windows 11 + You can use Microsoft Intune to define and apply device tags. You can perform this task by creating a device configuration profile using custom settings in Intune. For more information, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure). -- In the [Create the profile](/mem/intune/configuration/custom-settings-configure) procedure, for step 3, choose either [macOS](/mem/intune/configuration/custom-settings-macos) or [Windows 10 and later](/mem/intune/configuration/custom-settings-windows-10), depending on the devices you want to tag.+- In the [Create the profile](/mem/intune/configuration/custom-settings-configure) procedure, for step 3, choose [Windows 10 and later](/mem/intune/configuration/custom-settings-windows-10). ++- In the [OMA-IRU settings](/mem/intune/configuration/custom-settings-windows-10) section, for **Data type**, choose **String**. For **OMA-URI**, type (or paste) `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group`. ++++## Add device tags by creating app configuration policy in Microsoft Intune ++> [!NOTE] +> Applicable only on the following devices: +> +> - iOS +> - Android ++You can use Microsoft Intune to define and apply tag for mobile devices. You can perform this task by creating a app configuration profile in Intune. For more information, please refer to following information. 
++- [Tag mobile devices with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-mobile-device-tagging-for-ios-and-android/ba-p/3897368) -- **For Windows 10 or later**, in the [OMA-IRU settings](/mem/intune/configuration/custom-settings-windows-10) section, for **Data type**, choose **String**. For **OMA-URI**, type (or paste) `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group`.+- **For iOS**, follow the guidance in [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features). +- **For Android**, follow the guidance on [Configure Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure). -- **For macOS**, follow the guidance in [Use custom settings for macOS devices in Microsoft Intune](/mem/intune/configuration/custom-settings-macos). [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
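Review bot: the link text "OMA-IRU settings" in the custom-profile section (present in the old line and repeated in the new one) is a typo for "OMA-URI settings", the term the same sentence uses for the `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group` value; fix it in the new line while it is being touched. The new app-configuration section says "creating a app configuration profile" while its heading says "app configuration policy"; pick one term and use "an". Several new sentences ("Please refer to following documents for details", "create configuration profile", "You can use configuration profile to set device tag") are missing articles and read as requests rather than instructions; and the run of empty `+` lines before the app-configuration heading (`++++`) leaves extra blank lines in the rendered page.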
security | Coinminer Malware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/coinminer-malware.md | + + Title: Coin miners ++description: Learn about coin miners, how they can infect devices, and what you can do to protect yourself. +keywords: security, malware, coin miners, protection, cryptocurrencies ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Coin miners ++Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by reconfiguring malware. ++## How coin miners work ++Many infections start with: ++- Email messages with attachments that try to install malware. ++- Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install coin miners. ++- Websites taking advantage of computer processing power by running scripts while users browse the website. ++Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources. ++Coin miners aren't inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners aren't wanted in enterprise environments because they eat up precious computing resources. ++Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people's computing resources. 
++### Examples ++DDE exploits, which have been known to distribute ransomware, are now delivering miners. ++For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit. ++The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version of the miner XMRig, which then mines Monero cryptocurrency. ++## How to protect against coin miners ++**Enable potentially unwanted applications (PUA) detection**. Some coin mining tools aren't considered malware but are detected as PUA. Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection. ++Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md). ++For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/). |
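Review bot: the "How to protect against coin miners" section tells readers to enable PUA detection but does not link to the article that explains how to turn it on; add that link next to the bold instruction. In the "Examples" section, "The exploit launches a cmdlet that executes a malicious PowerShell script" is imprecise, since the DDE field launches a command line (PowerShell itself) rather than a cmdlet; reword to "launches PowerShell, which executes". The new file also carries a "Last updated" date of 03/18/2022 and the `ms.mktglfcycl` / `ms.sitesec` metadata keys, which suggests it was copied from an older location; refresh the date and check whether those keys are still used in this docset.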
security | Exploits Malware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/exploits-malware.md | + + Title: Exploits and exploit kits ++description: Learn about how exploits use vulnerabilities in common software to give attackers access to your computer and install other malware. +keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Exploits and exploit kits ++Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device. ++## How exploits and exploit kits work ++Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations. ++Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. 
Kits can use exploits targeting various software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java. ++The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads. ++The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage. ++![example of how exploit kits work.](../../../media/security-intelligence-images/exploit-kit.png) ++*Figure 1. Example of how to exploit kits work* ++Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware. ++Examples of exploit kits: ++- Angler / [Axpergle](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Axpergle) ++- [Neutrino](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/NeutrinoEK) ++- [Nuclear](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Neclu) ++To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/) ++## How we name exploits ++We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java. ++A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778. +The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability. 
++You can read more on the [CVE website](https://cve.mitre.org/). ++## How to protect against exploits ++The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities, so make sure these updates are applied to all devices. ++For more general tips, see [prevent malware infection](prevent-malware-infection.md). |
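Review bot: the figure caption "*Figure 1. Example of how to exploit kits work*" should read "Example of how exploit kits work". In the naming section, the statement that "2016" in CVE-2016-0778 "refers to the year the vulnerability was discovered" is not quite right: the year in a CVE ID is the year the ID was assigned or the entry was published, which can differ from the discovery date; adjust the wording. Smaller points: "Wannacry" should be spelled "WannaCry" (the fileless-threats file added in the same change uses that spelling), "Oracle Java, and Sun Java" names the same product twice, and the `keywords` front matter contains strings such as "won't remove", "won't clean" and "still detects" that look like search-log residue rather than keywords; trim them.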
security | Fileless Threats | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/fileless-threats.md | + + Title: Fileless threats ++description: Learn about the categories of fileless threats and malware that live off the land +keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Fileless threats ++What exactly are fileless threats? The term "fileless" suggests that a threat doesn't come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no one definition for fileless malware. The term is used broadly, and sometimes to describe malware families that do rely on files to operate. ++Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft. Some parts of the attack chain may be fileless, while others may involve the file system in some form. ++For clarity, fileless threats are grouped into different categories. ++![Comprehensive diagram of fileless malware.](../../../media/security-intelligence-images/fileless-malware.png)<br> +*Figure 1. Comprehensive diagram of fileless malware* ++Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts. ++Next, list the form of entry point. 
For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are subcategories of the execution vector. ++Finally, classify the host of the infection. For example, a Flash application may contain a variety of threats such as an exploit, a simple executable, and malicious firmware from a hardware device. ++Classifying helps you divide and categorize the various kinds of fileless threats. Some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. ++From this categorization, you can glean three main types of fileless threats based on how much fingerprint they may leave on infected machines. ++## Type I: No file activity performed ++A fully fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? One example is where a target machine receives malicious network packets that exploit the EternalBlue vulnerability. The vulnerability allows the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there's no file or any data written on a file. ++A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls. ++Infections of this type can be particularly difficult to detect because most antivirus products don't have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. 
This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It's not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks. ++## Type II: Indirect file activity ++There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. For example, with the [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run the command periodically. ++It's possible to carry out such installation via command line without requiring a backdoor to already be on the file. The malware can be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file in a central storage area managed by the CIM Object Manager, and usually contains legitimate data. Even though the infection chain does technically use a physical file, it's considered a fileless attack because the WMI repository is a multi-purpose data container that can't be detected and removed. ++## Type III: Files required to operate ++Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. ++![Image of Kovter's registry key.](../../../media/security-intelligence-images/kovter-reg-key.png)<br> +*Figure 2. 
Kovter's registry key* ++When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts. ++Kovter is considered a fileless threat because the file system is of no practical use. The files with random extensions contain junk data that isn't usable in verifying the presence of the threat. The files that store the registry are containers that can't be detected and deleted if malicious content is present. ++## Categorizing fileless threats by infection host ++Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware doesn't get the upper hand in the arms race. ++### Exploits ++**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file. ++**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory. 
++### Hardware ++**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. Software residing and running in the chipset of a device is called firmware. Although a complex task, the firmware can be infected by malware. ++**CPU-based** (Type I): Modern CPUs are complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/), bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies' purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. ++Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been researched and proved possible in the past. It has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution. 
++**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. For example, the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/) allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. ++**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. The BIOS is an important component that operates at a low level and executes before the boot sector. It's possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). ++**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although few are known to date. ++### Execution and injection ++**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory, or injected into other legitimate running processes. 
++**Macro-based** (Type III: Office documents): The [VBA language](/office/vba/Library-Reference/Concepts/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe) and implemented in a scripting language. There's no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute. ++**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros, they are textual files (not binary executables) and run within the context of the interpreter (like wscript.exe, powershell.exe), which is a clean and legitimate component. Scripts are versatile and can be run from a file (by double-clicking them) or executed directly on the command line of an interpreter. Running on the command line allows malware to encode malicious scripts as autostart services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. 
++**Disk-based** (Type II: Boot Record): The Boot Record is the first sector of a disk or volume, and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code. When the machine is booted, the malware immediately gains control. The Boot Record resides outside the file system, but it's accessible by the operating system. Modern antivirus products have the capability to scan and restore it. ++## Defeating fileless malware ++At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. ++To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) ++## Additional resources and information ++Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection). |
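Review bot: In the Type II paragraph the phrase "without requiring a backdoor to already be on the file" looks truncated and should probably read "on the file system"; in the same paragraph, and again in the Kovter paragraph under Type III, "can't be detected and removed" / "can't be detected and deleted" misstate the point, which is that the WMI repository and the registry hive files are shared containers of mostly legitimate data and so can't simply be deleted to remediate, so suggest wording such as "can't simply be removed without destroying legitimate data". Two smaller items in the Script-based entry: "Scripts have the same advantages as macros, they are textual files" is a comma splice (use "macros: they are"), and "inside autorun registry keys as WMI event subscriptions" is missing an "or" between the two persistence locations.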
security | Macro Malware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/macro-malware.md | + + Title: Macro malware ++description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats. +keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word ++ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Macro malware ++Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive. However, macro malware uses this functionality to infect your device. ++## How macro malware works ++Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more. ++Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. In recent versions of Microsoft Office, macros are disabled by default. Now, malware authors need to convince users to turn on macros so that their malware can run. They try to scare users by showing fake warnings when a malicious document is opened. 
++We've seen macro malware download threats from the following families: ++* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) +* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789) +* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) +* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) +* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) +* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) ++## How to protect against macro malware ++* Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros: + * [Enable or disable macros](https://support.office.com/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12) in Office documents ++* Don't open suspicious emails or suspicious attachments. ++* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads. ++* Enterprises can prevent macro malware from running executable content using [ASR rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) ++For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). ++For more general tips, see [prevent malware infection](prevent-malware-infection.md). |
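Review bot: The ASR bullet under "How to protect against macro malware" ends without a period and, unlike the other bullets, doesn't say which rules apply; consider naming the Office rules (block Office applications from creating executable content, block all Office applications from creating child processes) so admins can find them, and add the missing full stop. Also, the "Enable or disable macros" sub-bullet splits the link text from "in Office documents"; putting the whole phrase inside the link reads better.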
security | Phishing Trends | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/phishing-trends.md | + + Title: Phishing trends and techniques ++description: Learn about how to spot phishing techniques +keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Phishing trends and techniques ++Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. ++Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices. ++## Invoice phishing ++In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. ++## Payment/delivery scam ++You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. 
However, you aren't aware of any items you have recently purchased from them. ++## Tax-themed phishing scams ++A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. ++## Downloads ++An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you. ++## Phishing emails that deliver other threats ++Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](/security/compass/human-operated-ransomware) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. ++We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. ++## Spear phishing ++Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target. ++Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. 
With this malware in place, attackers can remotely manipulate the infected computer. ++The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. ++## Whaling ++Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. ++## Business email compromise ++Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company's network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers. 
++## More information about phishing attacks ++For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/): ++- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) +- [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc) +- [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc) |
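Review bot: Typo in the spear phishing section: "I may also lure you into opening documents" should be "It may also lure you"; the subject is the spear phishing attack, and as written it reads as first person. Two smaller wording fixes: "mimics sign in pages" should be hyphenated as "sign-in pages", and in the ransomware paragraph "pay a sum of money to access to your files" has a stray "to" ("to access your files").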
security | Phishing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/phishing.md | + + Title: How to protect against phishing attacks ++description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself. +keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# How to protect against phishing attacks ++Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals. ++Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets. ++Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate. ++## Learn the signs of a phishing scam ++The best protection is awareness and education. Don't open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. ++Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information. 
They should also instruct employees to report the threat to the company's security operations team immediately. ++Here are several telltale signs of a phishing scam: ++- The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to. ++ ![example of hovering over a url.](../../../media/security-intelligence-images/url-hover.png) ++- There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. ++- **Items in the email address will be changed** so that it's similar enough to a legitimate email address, but has added numbers or changed letters. ++- The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect. ++- The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails won't ask you to do this. ++- The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information. ++- The **sender address doesn't match the signature** on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john<span></span>@example.com. ++- There are **multiple recipients** in the "To" field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients. ++- The greeting on the message itself **doesn't personally address you**. Apart from messages that mistakenly address a different person, greetings that misuse your name or pull your name directly from your email address tend to be malicious. 
++- The website looks familiar but there are **inconsistencies or things that aren't quite right**. Warning signs include outdated logos, typos, or ask users to give additional information that isn't asked by legitimate sign-in websites. ++- The page that opens is **not a live page**, but rather an image that is designed to look like the site you're familiar with. A pop-up might appear that requests credentials. ++If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate. ++## Software solutions for organizations ++- [Microsoft Edge](/microsoft-edge/deploy/index) and [Windows Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container isolates that device from the rest of your network which will prevent access to your enterprise data. ++- [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that improves your protection. ++- Use [Microsoft Defender for Office 365](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. 
By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. ++## What to do if you've been a victim of a phishing scam ++If you think you've been a victim of a phishing attack: ++1. Contact your IT admin if you are on a work computer +2. Immediately change all passwords associated with the accounts +3. Report any fraudulent activity to your bank and credit card company ++### Reporting spam ++- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**. ++- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**. ++- **Microsoft 365**: Use the [Submissions portal in Microsoft 365 Defender](/microsoft-365/security/office-365-security//submissions-admin) to submit the junk or phishing sample to Microsoft for analysis. For more information, see [How do I report a suspicious email or file to Microsoft?](/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft). ++- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved. ++### If you're on a suspicious website ++- **Microsoft Edge**: While you're on a suspicious site, select the **More (...) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website. ++- **Internet Explorer**: While you're on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. 
Follow the instructions on the webpage that displays to report the website. ++## More information about phishing attacks ++- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing) +- [Phishing trends](phishing-trends.md) |
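Review bot: The description field in the front matter has grammar errors that will surface in search results: "Learn about how phishing work, deliver malware do your devices" should read "Learn about how phishing works, delivers malware to your devices". In the Software solutions section, the Application Guard bullet says the Hyper-V container "isolates that device from the rest of your network", but what is isolated is the untrusted browsing session inside the container, not the device; rewording to "isolates that browsing session from the rest of the device and your network" avoids implying the machine is quarantined. Also check the "Anti-Phishing Working Group" reporting entry: the address given is on us-cert.gov, so either the label or the address should be corrected. Minor: "or ask users to give additional information" in the inconsistencies bullet doesn't fit the list ("or requests for additional information").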
security | Prevent Malware Infection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/prevent-malware-infection.md | + + Title: Prevent malware infection ++description: Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer. +keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 08/18/2023+++# Prevent malware infection ++Attackers are always looking for new ways to infect computers. Follow the tips below to stay protected and minimize threats to your data and accounts. ++## Keep software up to date ++[Exploits](exploits-malware.md) typically use vulnerabilities in software. It's important to keep your software, apps, and operating systems up to date. ++To keep Microsoft software up to date, ensure that [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq) are enabled. Also, upgrade to the latest version of Windows to benefit from the latest built-in security enhancements. ++## Be wary of links and attachments ++Email, SMS messages, Microsoft Teams chat, and other messaging tools are a few of the most common ways attackers can infect devices. Attachments or links in messages can open malware directly or can stealthily trigger a download. ++- Use an email service that provides protection against malicious attachments, links, and abusive senders. 
[Microsoft Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) has built-in anti-malware, link protection, and spam filtering. Microsoft Outlook contains additional security configurations and settings you can enable. See [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2) ++- Some attackers try to get you to share information about your login information, passwords, and more. Be aware of some of the common tactics attackers use to try to trick you. For more information, see [phishing](phishing.md). ++## Watch out for malicious or compromised websites ++When you visit malicious or compromised sites, your device can get infected with malware automatically or you can get tricked into downloading and installing malware. See [exploits and exploit kits](exploits-malware.md) as an example of how some of these sites can automatically install malware to visiting computers. ++To identify potentially harmful websites, keep the following in mind: ++- The initial part (domain) of a website address should represent the company that owns the site you're visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). If `example.com` is spelled `examp1e.com`, the site you're visiting is suspect. ++- Sites that aggressively open popups and display misleading buttons often trick users into accepting content through constant popups or mislabeled buttons. ++To block malicious websites, use a modern web browser like [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge?ocid=cx-wdsi-articles) that identifies phishing and malware websites and checks downloads for malware. ++If you encounter an unsafe site, click **More [...] > Send feedback** on Microsoft Edge. 
You can also [report unsafe sites directly to Microsoft](https://www.microsoft.com/wdsi/support/report-unsafe-site). ++### Pirated material on compromised websites ++Using pirated content isn't only illegal, it can also expose your device to malware. Sites that offer pirated software and media are also often used to distribute malware when the site is visited. Sometimes pirated software is bundled with malware and other unwanted software when downloaded, including intrusive browser plugins and adware. ++Users don't openly discuss visits to these sites, so any untoward experience are more likely to stay unreported. ++To stay safe, download movies, music, and apps from official publisher websites or stores. ++## Don't attach unfamiliar removable drives ++Some types of malware spread by copying themselves to USB flash drives or other removable drives. There are malicious individuals that intentionally prepare and distribute infected drives by leaving them in public places for unsuspecting individuals. ++Only use removable drives that you're familiar with or that come from a trusted source. If a drive has been used in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including Office and PDF documents and executable files. ++## Use a non-administrator account ++At the time they're launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting account privileges, you can prevent malware from making consequential changes any devices. 
++By default, Windows uses [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can override this restriction when prompted. As a result, it's quite easy for an admin user to inadvertently allow malware to run. ++To help ensure that everyday activities don't result in malware infection and other potentially catastrophic changes, it's recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges. ++Whenever necessary, log in as an administrator to install apps or make configuration changes that require admin privileges. ++[Read about creating user accounts and giving administrator privileges](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) ++## Other safety tips ++To further ensure that data is protected from malware and other threats: ++- Backup files. Follow the 3-2-1 rule: make **3 copies**, store in at least **2 locations**, with at least **1 offline copy**. Use [OneDrive](https://onedrive.live.com/about) for reliable cloud-based copies that allow access to files from multiple devices and helps recover damaged or lost files, including files locked by ransomware. ++- Be wary when connecting to public Wi-Fi hotspots, particularly those that don't require authentication. ++- Use [strong passwords](https://support.microsoft.com/help/12410/microsoft-account-help-protect-account) and enable multi-factor authentication. 
++- Don't use untrusted devices to log on to email, social media, and corporate accounts. ++- Avoid downloading or running older apps. Some of these apps might have vulnerabilities. Also, older file formats for Office 2003 (.doc, .pps, and .xls) allow macros or run. This could be a security risk. ++## Software solutions ++Microsoft provides comprehensive security capabilities that help protect against threats. We recommend: ++- [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up to date to get the latest protections. ++- [Microsoft Edge](/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites. ++- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) is built into Windows and helps provide real-time protection against viruses, malware, and other attacks. ++- [Microsoft Safety Scanner](../safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool doesn't replace your antimalware product. + +- [Microsoft Defender](https://support.microsoft.com/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693) is the simple way to protect your digital life and all of your devices. It's included as part of your Microsoft 365 Family, or Personal, subscription at no extra cost. ++### Use Zero Trust +Businesses should move to a [Zero Trust security strategy](/security/zero-trust/zero-trust-overview). 
Zero Trust isn't a product or a service, but an approach in designing and implementing the following set of security principles: ++- Verify explicitly +- Use least privilege access +- Assume breach ++### Software solutions for business ++- [Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-overview) is a security solution designed especially for the small- and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats. + +- [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. ++- [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. ++- [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection. ++- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. ++- [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. 
This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account. ++## What to do with a malware infection ++Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and automatically remove threats that it detects. ++In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). |
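Review bot: several sentences in this page are broken as written. In "Use a non-administrator account", `prevent malware from making consequential changes any devices` is missing a preposition (`changes to any devices`); in "Other safety tips", `older file formats for Office 2003 (.doc, .pps, and .xls) allow macros or run` should read `allow macros to run`, and `Backup files` should be the verb form `Back up files`; in "Pirated material", `any untoward experience are more likely to stay unreported` needs `is`; and in the Windows Hello bullet, `It lets user authenticate` should be `It lets users authenticate`. Separately, the `[Windows Defender SmartScreen](/microsoft-edge/deploy/index)` link in "Software solutions" reuses the same Microsoft Edge deployment path as the Edge link immediately before it, so a reader clicking through for SmartScreen lands on the Edge page; point it at a SmartScreen-specific topic instead.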
security | Rootkits Malware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/rootkits-malware.md | + + Title: Rootkits ++description: Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove. +keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Rootkits ++Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it's undetected. During this time, it steals information and resources. ++## How rootkits work ++Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can't trust any information that device reports about itself. ++If asked a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn't want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device. 
++Many modern malware families use rootkits to try to avoid detection and removal, including: ++* [Alureon](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon) ++* [Cutwail](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail) ++* [Datrahere](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo) ++* [Rustock](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock) ++* [Sinowal](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSinowal) ++* [Sirefef](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef) ++## How to protect against rootkits ++Like any other type of malware, the best way to avoid rootkits is to prevent it from being installed in the first place. ++* Apply the latest updates to operating systems and apps. ++* Educate your employees so they can be wary of suspicious websites and emails. ++* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. ++For more general tips, see [prevent malware infection](prevent-malware-infection.md). ++### What if I think I have a rootkit on my device? ++Microsoft security software includes many technologies designed specifically to remove rootkits. If you think you have a rootkit, you might need an extra tool that helps you boot to a known trusted environment. ++[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from the Windows Security app and has the latest antimalware updates from Microsoft. It's designed to be used on devices that aren't working correctly because of a possible malware infection. 
++[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that affect system integrity. ++### What if I can't remove a rootkit? ++If the problem persists, we strongly recommend reinstalling the operating system and security software. Then restore your data from a backup. |
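Review bot: the Datrahere entry in the family list is inconsistent with its own link: the link text says `Datrahere` while the URL's `Name=` parameter is `Trojan:Win64/Detrahere`; one of the two spellings is a typo and should be reconciled so the encyclopedia lookup matches. Two grammar fixes in "How rootkits work" and "How to protect against rootkits": `If asked a device to list all of the programs` should read `If you ask a device to list all of the programs`, and `the best way to avoid rootkits is to prevent it from being installed` should use `them`. Also, the 3-2-1 rule here is described as "two different storage types, and at least one backup offsite", whereas the prevent-malware-infection page in this same change set describes it as "at least 2 locations, with at least 1 offline copy"; pick one wording and use it on both pages so the guidance does not read as two different rules.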
security | Supply Chain Malware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/supply-chain-malware.md | + + Title: Supply chain attacks ++description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself +keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Supply chain attacks ++Supply chain attacks are an emerging threats that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware. ++## How supply chain attacks work +++Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes. ++Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they're released to the public. The malicious code then runs with the same trust and permissions as the app. ++The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file compression app was poisoned and deployed to customers in a country/region where it was the top utility app. ++### Types of supply chain attacks ++* Compromised software building tools or updated infrastructure ++* Stolen code-sign certificates or signed malicious apps using the identity of dev company ++* Compromised specialized code shipped into hardware or firmware components ++* Pre-installed malware on devices (cameras, USB, phones, etc.) 
++To learn more about supply chain attacks, read this blog post called [attack inception: compromised supply chain within a supply chain poses new risks](https://www.microsoft.com/security/blog/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/). ++## How to protect against supply chain attacks ++* Deploy strong code integrity policies to allow only authorized apps to run. ++* Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities. ++### For software vendors and developers ++* Maintain a highly secure build and update infrastructure. + * Immediately apply security patches for OS and software. + * Implement mandatory integrity controls to ensure only trusted tools run. + * Require multi-factor authentication for admins. ++* Build secure software updaters as part of the software development lifecycle. + * Require SSL for update channels and implement certificate pinning. + * Sign everything, including configuration files, scripts, XML files, and packages. + * Check for digital signatures, and don't let the software updater accept generic input and commands. ++* Develop an incident response process for supply chain attacks. + * Disclose supply chain incidents and notify customers with accurate and timely information ++For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md). |
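Review bot: the updater guidance under "For software vendors and developers" says `Require SSL for update channels`; SSL is the deprecated protocol family, and the current recommendation is TLS, so the bullet should read `Require TLS for update channels`. In "Types of supply chain attacks", `Compromised software building tools or updated infrastructure` appears to mean `update infrastructure` (the infrastructure that delivers updates, as described in the paragraphs above), and `Stolen code-sign certificates` should be `code-signing certificates`. Grammar in the intro and front matter: `Supply chain attacks are an emerging threats` should drop the article or the plural, and the description's `deliver malware do your devices` should be `to your devices`. The last sub-bullet, `Disclose supply chain incidents and notify customers with accurate and timely information`, is missing its terminating period, unlike the other bullets.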
security | Support Scams | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/support-scams.md | + + Title: Tech Support Scams ++description: Microsoft security software can protect you from tech support scams that claims to scan for malware or viruses and then shows you fake detections and warnings. +keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Tech support scams ++Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for unnecessary technical support services. These services supposedly fix contrived device, platform, or software problems. ++## How tech support scams work ++Scammers might call you directly on your phone and pretend to be representatives of a software company. They might even spoof the caller ID so that it displays a legitimate support phone number from a trusted company. They can then ask you to install applications that give them remote access to your device. If the attackers use remote access, these experienced actors can misrepresent normal system output as signs of problems. 
++Scammers might also initiate contact by displaying fake error messages on websites you visit, displaying support numbers and enticing you to call. They can also put your browser on full screen and display pop-up messages that won't go away, essentially locking your browser. These fake error messages aim to trick you into calling an indicated technical support hotline. Microsoft error and warning messages never include phone numbers. ++When you engage with the scammers, they can offer fake solutions for your "problems" and ask for payment in the form of a one-time fee or subscription to a purported support service. ++**For more information, view [known tech support scam numbers and popular web scams](https://support.microsoft.com/help/4013405/windows-protect-from-tech-support-scams).** ++## How to protect against tech support scams ++Share and implement the general tips on how to [prevent malware infection](prevent-malware-infection.md). ++It's also important to keep the following in mind: ++- Microsoft doesn't send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer. +- Any communication with Microsoft has to be initiated by you. +- Don't call the number in the pop-ups. Microsoft's error and warning messages never include a phone number. +- Download software only from official vendor websites or the Microsoft Store. Be wary of downloading software from third-party sites, as some of them might have been modified without the author's knowledge to bundle support scam malware and other threats. +- Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites. 
+- Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. ++## What to do if information has been given to a tech support person ++- Uninstall applications that scammers asked to be install. Consider resetting the device to a factory state. +- Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all security updates as soon as they're available. +- Change passwords. +- Monitor anomalous sign in activity. Use Windows Firewall to block traffic to services that you wouldn't normally access. +- Contact your bank or other financial institutions if you paid them. ++### Reporting tech support scams ++Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams: ++<b>www.microsoft.com/reportascam</b> ++You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality. |
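Review bot: the remediation list under "What to do if information has been given to a tech support person" has two wording problems: `Uninstall applications that scammers asked to be install` should read `asked you to install`, and `Contact your bank or other financial institutions if you paid them` reads as if the bank was paid; `if you made a payment` is clearer. `Monitor anomalous sign in activity` should be hyphenated (`sign-in`), and the firewall bullet (`block traffic to services that you wouldn't normally access`) gives no indication of which services or how to identify them; either tie it to the remote-access tools mentioned earlier on the page or drop it. The report link is emitted as raw HTML (`<b>www.microsoft.com/reportascam</b>`) rather than a markdown link like every other reference on the page, so it renders as bold text that is not clickable. Finally, the front-matter description says `scams that claims to scan for malware`; it should be `claim`.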
security | Trojans Malware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/trojans-malware.md | + + Title: Trojan malware ++description: Trojans are a type of threat that can infect your device. This article describes how trojans work and how to remove them. +keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Trojans ++Trojans are a common type of malware, which, unlike viruses, can't spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them. ++Trojans often use the same file names as real and legitimate apps. It's easy to accidentally download a trojan thinking that it's a legitimate app. ++## How trojans work ++Trojans can come in many different varieties, but generally they do the following tasks: ++- Download and install other malware, such as viruses or [worms](worms-malware.md). ++- Use the infected device for select fraud. ++- Record keystrokes and websites visited. ++- Send information about the infected device to a malicious hacker including passwords, sign in details for websites, and browsing history. ++- Give a malicious hacker control over the infected device. ++## How to protect against trojans ++Use the following free Microsoft software to detect and remove it: ++- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows. 
++- [Microsoft Safety Scanner](../safety-scanner-download.md) ++For more general tips, see [prevent malware infection](prevent-malware-infection.md). |
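Review bot: the bullet `Use the infected device for select fraud` in "How trojans work" is unclear as written; if "select" is a typo, state the intended kind of fraud, otherwise rephrase so the reader knows what is meant. In "How to protect against trojans", `Use the following free Microsoft software to detect and remove it` has no singular antecedent (the section is about trojans, plural), so `remove them` is needed. Also `sign in details for websites` should be hyphenated (`sign-in details`) for consistency with the other pages in this change set.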
security | Understanding Malware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/understanding-malware.md | + + Title: Understanding malware & other threats ++description: Learn about the most prevalent viruses, malware, and other threats. Understand how they infect systems, how they behave, and how to prevent and remove them. +keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Understanding malware & other threats ++Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your computer and ask for ransom, and more. ++Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. ++As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), businesses can stay protected with next-generation protection and other security capabilities. ++For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. 
++There are many types of malware, including: ++- [Coin miners](coinminer-malware.md) +- [Exploits and exploit kits](exploits-malware.md) +- [Macro malware](macro-malware.md) +- [Phishing](phishing.md) +- [Ransomware](/security/compass/human-operated-ransomware) +- [Rootkits](rootkits-malware.md) +- [Supply chain attacks](supply-chain-malware.md) +- [Tech support scams](support-scams.md) +- [Trojans](trojans-malware.md) +- [Unwanted software](unwanted-software.md) +- [Worms](worms-malware.md) ++## Additional resources and information ++- Keep up with the latest malware news and research. Check out our [Microsoft security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. ++- Learn more about [Windows security](../../index.yml). ++- Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection). + |
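Review bot: the ransomware entry in the "There are many types of malware" list is the only one that links out to an absolute path (`/security/compass/human-operated-ransomware`) while every other entry links to a sibling `.md` file in this folder; that is fine if there is no ransomware page alongside these, but it is worth confirming so the list stays navigable if the compass page moves. The `keywords` front-matter line lists `malware` twice, and the `[Windows security](../../index.yml)` relative path should be checked against the final location of this file, since the other links on the page are either sibling files or absolute docs paths.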
security | Unwanted Software | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/unwanted-software.md | + + Title: Unwanted software ++description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself. +keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Unwanted software ++Unwanted software are programs that alter the Windows experience without your consent or control. This can take the form of modified browsing experience, lack of control over downloads and installation, misleading messages, or unauthorized changes to Windows settings. ++## How unwanted software works ++Unwanted software can be introduced when a user searches for and downloads applications from the internet. Some applications are software bundlers, which means that they're packed with other applications. As a result, other programs can be inadvertently installed when the original application is downloaded. ++Here are some indications of unwanted software: ++- There are programs that you didn't install and that may be difficult to uninstall ++- Browser features or settings have changed, and you can't view or modify them ++- There are excessive messages about your device's health or about files and programs ++- There are ads that can't be easily closed ++Some indicators are harder to recognize because they're less disruptive, but are still unwanted. 
For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser. ++## How to protect against unwanted software ++To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites. ++Use [Microsoft Edge](/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](/microsoft-edge/deploy/index) (also used by Internet Explorer). ++Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. ++Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. ++For more general tips, see [prevent malware infection](prevent-malware-infection.md). ++### What should I do if my device is infected? ++If you suspect that you have unwanted software, you can [submit files for analysis](https://www.microsoft.com/wdsi/filesubmission). ++Some unwanted software adds uninstallation entries, which means that you can **remove them using Settings**. +1. Select the Start button +2. Go to **Settings > Apps > Apps & features**. +3. Select the app you want to uninstall, then select **Uninstall**. ++If you only recently noticed symptoms of unwanted software infection, consider sorting the apps by install date, and then uninstall the most recent apps that you didn't install. ++You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome. 
++In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). |
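Review bot: the numbered uninstall procedure under "What should I do if my device is infected?" follows the bold sentence `remove them using Settings**.` with no blank line before `1. Select the Start button`, so in markdown the list may render as a continuation of that paragraph rather than as steps; add a blank line, and give step 1 a terminating period like steps 2 and 3. The opening sentence `Unwanted software are programs that alter` should use `is` (`Unwanted software is a class of programs`). The recommendation to download Microsoft Security Essentials for Windows 7 or Windows Vista should carry a note that those Windows versions are out of support, since a page last updated in 2022 that still recommends them as a protection path can leave readers on an unpatched platform.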
security | Worms Malware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/worms-malware.md | + + Title: Worms ++description: Learn about how worms replicate and spread to other computers or networks. Read about the most popular worms and steps you can take to stop them. +keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning ++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 03/18/2022+++# Worms ++A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities. ++## How worms work ++Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. ++Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics. ++* **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page. 
++* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We've seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues. ++* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. ++Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software. ++* [**WannaCrypt**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom%3AWin32%2FWannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware). ++This image shows how a worm can quickly spread through a shared USB drive. ++![Worm example.](../../../media/security-intelligence-images/worm-usb-flight.png) ++### *Figure worm spreading from a shared USB drive* ++## How to protect against worms ++Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. ++Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. ++In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). 
++For more general tips, see [prevent malware infection](/microsoft-365/security/intelligence/prevent-malware-infection). |
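Review bot: the "How to protect against worms" section appears to have been copied from the unwanted-software page without being adapted: it says Microsoft Defender Antivirus `detects and removes known unwanted software`, where this page should say worms. The two cross-reference links are also inconsistent with the rest of this change set: the troubleshooting link points to `https://www.microsoft.com/wdsi/help/troubleshooting-infection` while the sibling pages link `https://support.microsoft.com/help/4466982/...`, and the "prevent malware infection" link uses the absolute path `/microsoft-365/security/intelligence/prevent-malware-infection` while every other page links the relative `prevent-malware-infection.md`; align these so one set of links does not go stale independently of the other. The caption is emitted as a level-3 heading in italics (`### *Figure worm spreading from a shared USB drive*`), which puts a figure caption into the page's table of contents; a plain italic line under the image is the usual convention.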
security | Next Generation Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-generation-protection.md | Last updated 07/05/2023 - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Business](../defender-business/index.yml) -**Platforms** -- Windows+Microsoft Defender for Endpoint includes next-generation protection to catch and block all types of emerging threats. The majority of modern malware is polymorphic, meaning it constantly mutates to evade detection. As soon as one variant is identified, another takes its place. This rapid evolution underscores the need for agile and innovative security solutions. -Microsoft Defender for Endpoint includes next-generation protection to reinforce the security perimeter of your network. Next-generation protection was designed to catch all types of emerging threats. In addition to Microsoft Defender Antivirus, your next-generation protection services include the following capabilities: +Next-generation protections, such as Microsoft Defender Antivirus blocks malware using local and cloud-based machine learning models, behavior analysis, and heuristics. Microsoft Defender Antivirus uses predictive technologies, machine learning, applied science, and artificial intelligence to detect and block malware at the first sign of abnormal behavior. ++Microsoft Defender Antivirus provides anomaly detection, a layer of protection for malware that doesnΓÇÖt fit any predefined pattern. Anomaly detection monitors for process creation events or files that are downloaded from the internet. Through machine learning and cloud-delivered protection, Microsoft Defender Antivirus can stay one step ahead of attackers. Anomaly detection is on by default and can help block attacks such as [3CX Security Alert for Electron Windows App](https://www.3cx.com/blog/news/desktopapp-security-alert/). 
Microsoft Defender Antivirus started blocking this malware four days before the attack was registered in VirusTotal. ++In addition to Microsoft Defender Antivirus, your next-generation protection services include the following capabilities: - [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md), which includes always-on scanning using file and process behavior monitoring and other heuristics (also known as *real-time protection*). It also includes detecting and blocking apps that are deemed unsafe, but might not be detected as malware. - [Cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats. Microsoft Defender for Endpoint includes next-generation protection to reinforce Next-generation protection is included in both [Defender for Endpoint Plan 1 and Plan 2](microsoft-defender-endpoint.md). Next-generation protection is also included in [Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-overview) and [Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-overview). + To configure next-generation protection services, see [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md). -If you're looking for antivirus-related information for other platforms, see one of the following articles: +If you're looking for Microsoft Defender Antivirus-related information for other platforms, see one of the following articles: - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md) - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) |
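Review bot: Subject/verb agreement is off in the added intro sentence, "Next-generation protections, such as Microsoft Defender Antivirus blocks malware using local and cloud-based machine learning models..."; suggest "Next-generation protection, such as Microsoft Defender Antivirus, blocks malware using...". The 3CX paragraph asserts that Microsoft Defender Antivirus "started blocking this malware four days before the attack was registered in VirusTotal" without a date or a source for that timeline; add one. The context text "Microsoft Defender for Endpoint includes next-generation protection to reinforce Next-generation protection is included in both..." reads as a leftover fragment of the removed sentence running into the next one; check the file for a stray partial line after the removal.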
security | Respond File Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md | To stop blocking a file, remove the indicator. You can do so via the **Edit Indi You can also edit indicators from the **Settings** page, under **Rules** \> **Indicators**. Indicators are listed in this area by their file's hash. -## Consult a threat expert --Select Ask Defender Experts to get more insights from Microsoft experts on a potentially compromised device, or already compromised devices. Microsoft Defender Experts are engaged directly from within the Microsoft Defender portal for timely and accurate response. Experts provide insights on a potentially compromised device and help you understand complex threats and targeted attack notifications. They can also provide information about the alerts or a threat intelligence context that you see on your portal dashboard. --See [Ask Defender Experts](experts-on-demand.md) for details. - ## Check activity details in Action center The **Action center** provides information on actions that were taken on a device or file. You can view the following details: |
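Review bot: Removing the "## Consult a threat expert" section also removes the `#consult-a-threat-expert` heading anchor and the link to experts-on-demand.md that lived in it; check for inbound links to that anchor from other articles and add a redirection or a one-line pointer (for example a "See also" entry) to where the Ask Defender Experts guidance now lives rather than dropping the reference silently.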
security | Safety Scanner Download | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/safety-scanner-download.md | + + Title: Microsoft Safety Scanner Download ++description: Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers. +keywords: security, malware +++ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium ++++audience: ITPro ++- m365-security +- tier2 ++search.appverid: met150 Last updated : 02/06/2023++++# Microsoft Safety Scanner Download ++Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats. ++- **[Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733)** ++- **[Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)** ++> [!NOTE] +> Safety Scanner is exclusively SHA-2 signed. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). ++## Important information ++- The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/wdsi/definitions). ++- Microsoft Safety Scanner only scans when manually triggered. Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run Safety Scanner again. We recommend that you always download the latest version of this tool before each scan. ++- Safety Scanner is a portable executable and doesn't appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. 
++- This tool doesn't replace your antimalware product. For real-time protection with automatic updates, use [Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you're having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). ++## System requirements ++Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. For details, refer to the [Microsoft Lifecycle Policy](/lifecycle/). ++## How to run a scan ++1. Download this tool and open it. +2. Select the type of scan that you want to run and start the scan. +3. Review the scan results displayed on screen. For detailed detection results, view the log at **%SYSTEMROOT%\debug\msert.log**. ++To remove this tool, delete the executable file (msert.exe by default). ++For more information about the Safety Scanner, see the support article on [how to troubleshoot problems using Safety Scanner](https://support.microsoft.com/kb/2520970). 
++## Related resources ++- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner) +- [Microsoft Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security) +- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) +- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware) +- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission) +- [Microsoft antimalware and threat protection solutions](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) |
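Review bot: The troubleshooting article is linked under two different URLs, `https://support.microsoft.com/kb/2520970` in "How to run a scan" and `https://support.microsoft.com/help/2520970/...` under "Related resources"; likewise "removing difficult threats" points to `https://www.microsoft.com/wdsi/help/troubleshooting-infection` in "Important information" but to `https://support.microsoft.com/help/4466982/...` in "Related resources". Pick one canonical URL for each. In "System requirements", "Windows 10 Tech Preview" and "Windows Server Tech Preview" are pre-release names that no longer correspond to a shipping product; drop them and let the Microsoft Lifecycle Policy link carry the supported-version list.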
security | Sandbox Mdav | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/sandbox-mdav.md | + + Title: Run Microsoft Defender Antivirus in a sandbox environment +description: This article describes how to run Microsoft Defender Antivirus in a sandbox to further strengthen against tampering. ++ms.localizationpriority: medium ++++ Last updated : 02/26/2024+++++- m365-security +- tier2 +- mde-ngp +search.appverid: met150 +f1.keywords: NOCSH +audience: ITPro +++# Run Microsoft Defender Antivirus in a sandbox ++**Applies to:** ++- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) +- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) ++**Platforms:** ++- Windows ++> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) ++This article describes how to run Microsoft Defender Antivirus in a sandbox environment for enhanced protection against tampering. ++Microsoft Defender Antivirus with its built-in antivirus capabilities can run within a sandbox on Windows as of October 26, 2018. It was the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security. ++## Prerequisites ++Before you begin, you must meet the following requirements: ++- Microsoft Defender Antivirus (active mode) +- Windows 11 or Windows 10 version 1703 or newer +- Windows Server 2022 or Windows Server 2019 or Windows Server 2016 or newer ++## Why run Microsoft Defender Antivirus in a sandbox? 
++Security researchers, both inside and outside of Microsoft, have previously identified ways that an attacker can take advantage of vulnerabilities in Microsoft Defender AntivirusΓÇÖs content parsers that could enable arbitrary code execution. To inspect the whole system for malicious content and artifacts, the antivirus runs with high privileges (Local System, NT Authority\SYSTEM), making it a target for attacks. ++Whereas escalation of privilege from a sandbox is so much difficult on the latest versions of Windows 10 or newer and, running Microsoft Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of MicrosoftΓÇÖs continued investment to stay ahead of attackers through security innovations. ++## Implementing sandbox for Microsoft Defender Antivirus ++Modern anti-malware products inspect many inputs, for example, files on disk, streams of data in memory and behavioral events in real-time. Many of these capabilities require full access to the resources in question. The first major sandboxing effort was related to layering Microsoft Defender AntivirusΓÇÖs inspection capabilities into the components that absolutely must run with full privileges and the components that can be sandboxed. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost. ++Resource usage is also another problem that requires significant investments, both privileged process and sandbox process need to have access to Security Intelligence updates, other detections and remediation metadata. 
To avoid duplication and preserve strong security guarantees that are to avoid unsafe ways to share state or to introduce significant runtime cost of passing data/content between the processes, we use a model where most protection data is hosted in memory-mapped files that are read-only at runtime. This means protection data can be hosted into multiple processes without any overhead. ++## Enable sandboxing for Microsoft Defender Antivirus ++You can follow these steps to enable sandboxing by setting a machine-wide environment variable: ++1. Run the following command as an admin in PowerShell or CMD: ++ ```powershell + setx /M MP_FORCE_USE_SANDBOX 1 + ``` ++ :::image type="content" source="medilet details to enable sanbox."::: ++2. Restart the device. Once you've restarted, you'll see a new process besides MsMpEng.exe that is `MsMpEngCP.exe` in the following folders: + + |Path|Process|Description| + |||| + |C:\ProgramData\Microsoft\Windows Defender\Scans |MsMpEngCP.exe | Anti-malware Service Executable Content Process | + |C:\Users\All Users\Microsoft\Windows Defender\Scans |MsMpEngCP.exe | Anti-malware Service Executable Content Process | ++ >[!NOTE] + > CP in `MsMpEngCP.exe` is the content process. ++### Disable sandboxing ++To disable sandboxing for Microsoft Defender Antivirus, run the following command as an admin in PowerShell or CMD: ++```powershell +setx /M MP_FORCE_USE_SANDBOX 0 +``` ++## FAQs ++### What happens when sandbox is disabled? ++Microsoft Defender Antivirus performs an in-proc fallback that hosts content scanning in the privileged/parent process to provide protection. ++### How is the content process strengthened? ++The content processes, which run with low privileges, also aggressively use all available mitigation policies to reduce the surface attack. They enable and prevent runtime changes for modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address space layout randomization (ASLR), and Control Flow Guard (CFG). 
They also disable Win32K system calls and all extensibility points, as well as enforce that only signed and trusted code is loaded. ++**Performance of MDAV with sandbox enabled** ++Performance is often the main concern raised around sandboxing, especially given that anti-malware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events. To ensure that performance doesnΓÇÖt degrade, we had to minimize the number of interactions between the sandbox and the privileged process. At the same time, only perform these interactions in key moments where their cost wouldn't be significant, for example, when I/O is being performed. ++Microsoft Defender Antivirus makes an orchestrated effort to avoid unnecessary I/O, for example, minimizing the amount of data read for every inspected file is paramount in maintaining good performance, especially on older hardware (rotational disk, remote resources). Thus, it was crucial to maintain a model where the sandbox can request data for inspection as needed, instead of passing the entire content. ++**Reliability of MDAV with sandbox enabled** ++> [!NOTE] +> Passing handles to the sandbox (to avoid the cost of passing the actual content) isnΓÇÖt an option because there are many scenarios, such as real-time inspection, AMSI, etc., where thereΓÇÖs no ΓÇÿsharableΓÇÖ handle that can be used by the sandbox without granting significant privileges, which decreases the security. ++Another significant concern around sandboxing is related to the inter-process communication mechanism to avoid potential problems like deadlocks and priority inversions. The communication shouldn't introduce any potential bottlenecks, either by throttling the caller or by limiting the number of concurrent requests that can be processed. Moreover, the sandbox process shouldnΓÇÖt trigger inspection operations by itself. 
All inspections should happen without triggering more scans. This requires fully controlling the capabilities of the sandbox and ensuring that no unexpected operations can be triggered. Low-privilege AppContainers are the perfect way to implement strong guarantees because the capabilities-based model will allow fine-grained control on specifying what the sandbox process can do. ++**Remediation of MDAV with sandbox enabled** ++Lastly, a significant challenge from the security perspective is related to content remediation or disinfection. Given the sensitive nature of the action (attempts to restore a binary to the original preinfection content), we needed to ensure that this happens with high privileges in order to mitigate cases in which the content process (sandbox) could be compromised and disinfection could be used to modify the detected binary in unexpected ways. ++### What to do while troubleshooting the MsMpEng.CP.exe process, if it starts and stops after a few minutes? ++Collect the [support diagnostic logs](collect-diagnostic-data.md) and any relevant dumps/crash information if there are associated Windows Error Reporting (WER) events around the time the process stops. |
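Review bot: The second paragraph under "Why run Microsoft Defender Antivirus in a sandbox?" is not a sentence ("Whereas escalation of privilege from a sandbox is so much difficult on the latest versions of Windows 10 or newer and, running..."); suggest "Because escalating privilege out of a sandbox is much more difficult on Windows 10 and later, running Microsoft Defender Antivirus in a sandbox ensures that...". The content-process name is inconsistent: the table and note use `MsMpEngCP.exe`, the troubleshooting FAQ uses `MsMpEng.CP.exe`; use one spelling. In that table, `C:\Users\All Users\Microsoft\Windows Defender\Scans` is the same location as `C:\ProgramData\Microsoft\Windows Defender\Scans` (`All Users` is a junction to `ProgramData`), so the second row is redundant. The image markup `:::image type="content" source="medilet details to enable sanbox.":::` is truncated (no valid source path, no alt-text, "sanbox"); restore the full tag. The "Disable sandboxing" step sets `MP_FORCE_USE_SANDBOX 0` but, unlike the enable step, does not say whether a restart is needed for the in-proc fallback to take effect; state it. Minor wording: "reduce the surface attack" should be "reduce the attack surface", and the three bold pseudo-headings (**Performance of MDAV with sandbox enabled** and the two that follow) sit under the `###` FAQ question "How is the content process strengthened?" where `####` subheadings would render in the TOC.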
security | Troubleshoot Reporting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md | Last updated 04/08/2021 **Applies to:**-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)+- [Microsoft Defender for Business +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - Microsoft Defender Antivirus **Platforms** - Windows+- Windows Server > [!IMPORTANT] > On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Intune family of products](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune), which allows finer control over security features and updates. |
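Review bot: The added line `+- [Microsoft Defender for Business` is an unterminated Markdown link (no closing bracket or URL) and will render as literal text; complete it, for example with the target used by sandbox-mdav.md in this same batch: `- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)`. In the same list, the Plan 1 and Plan 2 entries now both resolve to `linkid=2154037` (one via `/fwlink/p/`, one via `/fwlink/`); confirm that is intended. The IMPORTANT note still announces the March 31, 2020 removal in the future tense ("will be removed"); reword it as past.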
security | Use Powershell Cmdlets Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus.md | ms.localizationpriority: medium Previously updated : 09/06/2022- Last updated : 02/18/2024+ audience: ITPro search.appverid: met150 # Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus **Applies to:**+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Business - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - Microsoft Defender Antivirus **Platforms** - Windows -You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it in the [PowerShell documentation](/powershell/scripting/overview). +You can use PowerShell to perform various functions in Microsoft Defender Antivirus. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it in the [PowerShell documentation](/powershell/scripting/overview). -For a list of the cmdlets and their functions and available parameters, see the [Defender Antivirus cmdlets](/powershell/module/defender) topic. +For a list of the cmdlets and their functions and available parameters, see the [Microsoft Defender Antivirus cmdlets](/powershell/module/defender) topic. 
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE] > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](/configmgr), [Group Policy Management Console](use-group-policy-microsoft-defender-antivirus.md), or [Microsoft Defender Antivirus Group Policy ADMX templates](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). -Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Microsoft Defender for Endpoint security settings management, Microsoft Intune, Microsoft Configuration Manager Tenant Attach, or Group Policy can overwrite changes made with PowerShell. You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-microsoft-defender-antivirus.md). |
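Review bot: Same unterminated link as in troubleshoot-reporting.md: `+- [Microsoft Defender for Business` has no closing bracket or URL. The rewritten paragraph now names "Microsoft Configuration Manager Tenant Attach" as a policy source while the NOTE immediately above it still says "Microsoft Endpoint Configuration Manager" with the `/configmgr` link; rename the product consistently in both places. Also, the text says the cmdlets are "most useful in Windows Server environments", yet the Platforms list only shows "- Windows"; the troubleshoot-reporting change in this batch added "- Windows Server" to its Platforms list, and the same addition fits here.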
security | Directory Service Accounts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/directory-service-accounts.md | - Title: Configure Directory Services account in Microsoft Defender for Identity -description: Learn how to configure the Microsoft Defender for Identity Directory Services account in Microsoft Defender XDR Previously updated : 08/15/2021----------# Microsoft Defender for Identity Directory Services account in Microsoft Defender XDR --**Applies to:** --- Microsoft Defender XDR-- Defender for Identity--This article explains how to configure the [Microsoft Defender for Identity](/defender-for-identity) Directory Services account in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center). --> [!IMPORTANT] -> As part of the convergence with Microsoft Defender XDR, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features. --## Configure Directory Services account --To connect the [sensor](sensor-health.md#add-a-sensor) with your Active Directory domains, you'll need to configure Directory Services accounts. --1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, go to **Settings** and then **Identities**. -- :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the Settings page" lightbox="../../media/defender-identity/settings-identities.png"::: --1. Select **Directory Service accounts**. You'll see which accounts are associated with which domains. -- :::image type="content" source="../../media/defender-identity/directory-service-accounts.png" alt-text="The Directory Service accounts menu item" lightbox="../../media/defender-identity/directory-service-accounts.png"::: --1. 
If you select an account, a pane will open with the settings for that account. -- :::image type="content" source="../../media/defender-identity/account-settings.png" alt-text="The Account settings page" lightbox="../../media/defender-identity/account-settings.png"::: --1. To add a new Directory Services account, select **Create new account** and fill in the **Account name**, **Domain**, and **Password**. You can also choose if it's a **Group managed service account** (gMSA), and if it belongs to a **Single label domain**. -- :::image type="content" source="../../media/defender-identity/new-directory-service-account.png" alt-text="The Create new account option" lightbox="../../media/defender-identity/new-directory-service-account.png"::: --1. Select **Save**. --## See also --- [Microsoft Defender for Identity sensor health and settings](sensor-health.md) |
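Review bot: Deleting directory-service-accounts.md without a matching entry in the repo's redirection file leaves any inbound links to it (and to its anchor `#configure-directory-services-account`) as 404s; add a redirect to wherever the Directory Services account configuration now lives. Also confirm the images the page referenced under `../../media/defender-identity/` (directory-service-accounts.png, account-settings.png, new-directory-service-account.png) are either still used elsewhere or removed along with it.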
security | Entity Tags | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/entity-tags.md | - Title: Microsoft Defender for Identity entity tags in Microsoft Defender XDR -description: Learn how to apply Microsoft Defender for Identity entity tags in Microsoft Defender XDR Previously updated : 06/08/2021----------# Defender for Identity entity tags in Microsoft Defender XDR --**Applies to:** --- Microsoft Defender XDR-- Defender for Identity--This article explains how to apply [Microsoft Defender for Identity](/defender-for-identity) entity tags in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center). --> [!IMPORTANT] -> As part of the convergence with Microsoft Defender XDR, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features. --## Entity tags --In Microsoft Defender XDR, you can set three types of Defender for Identity entity tags: **Sensitive tags**, **Honeytoken tags**, and **Exchange server tags**. --To set these tags, in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, go to **Settings** and then **Identities**. ---The tag settings will appear under **Entity tags**. ---To set each type of tag, follow the instructions below. --## Sensitive tags --The **Sensitive tag** is used to identify high value assets. The lateral movement path also relies on an entity's sensitivity status. Some entities are considered sensitive automatically by Defender for Identity. For a list of those assets, see [Sensitive entities](/defender-for-identity/manage-sensitive-honeytoken-accounts#sensitive-entities). --You can also manually tag users, devices, or groups as sensitive. --1. Select **Sensitive**. You will then see the existing sensitive **Users**, **Devices**, and **Groups**. 
-- :::image type="content" source="../../media/defender-identity/sensitive-entities.png" alt-text="The Devices tab in the Sensitive entities menu item" lightbox="../../media/defender-identity/sensitive-entities.png"::: --1. Under each category, select **Tag...** to tag that type of entity. For example, under **Groups**, select **Tag groups.** A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box. -- :::image type="content" source="../../media/defender-identity/add-groups.png" alt-text="The option to add a group" lightbox="../../media/defender-identity/add-groups.png"::: --1. Select your group, and click **Add selection.** -- :::image type="content" source="../../media/defender-identity/add-selection.png" alt-text="The Add selection option" lightbox="../../media/defender-identity/add-selection.png"::: --## Honeytoken tags --Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert. --You can tag users or devices with the **Honeytoken** tag in the same way you tag sensitive accounts. --1. Select **Honeytoken**. You'll then see the existing honeytoken **Users** and **Devices**. -- ![Honeytoken entities.](../../media/defender-identity/honeytoken-entities.png) --1. Under each category, select **Tag...** to tag that type of entity. For example, under **Users**, select **Tag users.** A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box. -- :::image type="content" source="../../media/defender-identity/add-users.png" alt-text="The option to add users" lightbox="../../media/defender-identity/add-users.png"::: --1. 
Select your user, and click **Add selection.** -- :::image type="content" source="../../media/defender-identity/add-selected-user.png" alt-text="The option to add a selected user" lightbox="../../media/defender-identity/add-selected-user.png"::: --## Exchange server tags --Defender for Identity considers Exchange servers as high-value assets and automatically tags them as **Sensitive**. You can also manually tag devices as Exchange servers. --1. Select **Exchange server**. You'll then see the existing devices labeled with the **Exchange server** tag. -- :::image type="content" source="../../media/defender-identity/exchange-servers.png" alt-text="The Exchange server menu item" lightbox="../../media/defender-identity/exchange-servers.png"::: --1. To tag a device as an Exchange server, select **Tag devices**. A pane will open with the devices that you can select to tag. To search for a device, enter its name in the search box. -- :::image type="content" source="../../media/defender-identity/add-devices.png" alt-text="The option to add a device" lightbox="../../media/defender-identity/add-devices.png"::: --1. Select your device, and click **Add selection.** -- :::image type="content" source="../../media/defender-identity/select-device.png" alt-text="The selection of a device" lightbox="../../media/defender-identity/select-device.png"::: --## See also --- [Manage Defender for Identity security alerts](manage-security-alerts.md) |
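Review bot: As with the other Defender for Identity pages removed in this batch, entity-tags.md needs a redirection entry; its section anchors (`#sensitive-tags`, `#honeytoken-tags`, `#exchange-server-tags`) are plausible link targets from other articles. The deleted text also carried the detection-relevant statement that any authentication associated with a honeytoken entity triggers an alert, and that Exchange servers are automatically tagged Sensitive; verify the replacement article still states both before this is merged.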
security | Exclusions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/exclusions.md | - Title: Microsoft Defender for Identity detection exclusions in Microsoft Defender XDR -description: Learn how to configure Microsoft Defender for Identity detection exclusions in Microsoft Defender XDR. Previously updated : 11/02/2021---------# Configure Defender for Identity detection exclusions in Microsoft Defender XDR --**Applies to:** --- Microsoft Defender XDR-- Defender for Identity--This article explains how to configure [Microsoft Defender for Identity](/defender-for-identity) detection exclusions in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center). --> [!IMPORTANT] -> As part of the convergence with Microsoft Defender XDR, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features. ---For example, a **DNS Reconnaissance** alert could be triggered by a security scanner that uses DNS as a scanning mechanism. Creating an exclusion helps Defender for Identity ignore such scanners and reduce false positives. --> [!NOTE] -> Of the most common domains with [Suspicious communication over DNS](/defender-for-identity/exfiltration-alerts#suspicious-communication-over-dns-external-id-2031) alerts opened on them, we observed the domains that customers most excluded from the alert. These domains are added to the exclusions list by default, but you have the option to easily remove them. --## How to add detection exclusions --1. In [Microsoft Defender XDR](https://security.microsoft.com/), go to **Settings** and then **Identities**. -- :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the Name column" lightbox="../../media/defender-identity/settings-identities.png"::: --1. 
You'll then see **Excluded entities** in the left-hand menu. -- :::image type="content" source="../../media/defender-identity/excluded-entities.png" alt-text="The Excluded entities pane" lightbox="../../media/defender-identity/excluded-entities.png"::: --You can then set exclusions by two methods: **Exclusions by detection rule** and **Global excluded entities**. --## Exclusions by detection rule --1. In the left-hand menu, select **Exclusions by detection rule**. You'll see a list of detection rules. -- :::image type="content" source="../../media/defender-identity/exclusions-by-detection-rule.png" alt-text="The Exclusions by detection rule option in the Excluded entities item in the left pane" lightbox="../../media/defender-identity/exclusions-by-detection-rule.png"::: --1. For each detection you want to configure, do the following steps: -- 1. Select the rule. You can search for detections using the search bar. Once selected, a pane will open with the detection rule details. -- :::image type="content" source="../../media/defender-identity/detection-rule-details.png" alt-text="The details of a detection rule" lightbox="../../media/defender-identity/detection-rule-details.png"::: -- 1. To add an exclusion, select the **Excluded entities** button, and then choose the exclusion type. Different excluded entities are available for each rule. They include users, devices, domains and IP addresses. In this example, the choices are **Exclude devices** and **Exclude IP addresses**. -- :::image type="content" source="../../media/defender-identity/exclude-devices-or-ip-addresses.png" alt-text="The option to exclude devices or IP addresses" lightbox="../../media/defender-identity/exclude-devices-or-ip-addresses.png"::: -- 1. After choosing the exclusion type, you can add the exclusion. In the pane that opens, select the **+** button to add the exclusion. 
-- :::image type="content" source="../../media/defender-identity/add-exclusion.png" alt-text="The option to add an exclusion" lightbox="../../media/defender-identity/add-exclusion.png"::: -- 1. Then add the entity to be excluded. Select **+ Add** to add the entity to the list. -- :::image type="content" source="../../media/defender-identity/add-excluded-entity.png" alt-text="The option to add entity that is to be excluded" lightbox="../../media/defender-identity/add-excluded-entity.png"::: -- 1. Then select **Exclude IP addresses** (in this example) to complete the exclusion. -- :::image type="content" source="../../media/defender-identity/exclude-ip-addresses.png" alt-text="The option to exclude IP addresses" lightbox="../../media/defender-identity/exclude-ip-addresses.png"::: -- 1. Once you've added exclusions, you can export the list or remove the exclusions by returning to the **Excluded entities** button. In this example, we've returned to **Exclude devices**. To export the list, select the down arrow button. -- :::image type="content" source="../../media/defender-identity/return-to-exclude-devices.png" alt-text="The Return to Exclude devices option" lightbox="../../media/defender-identity/return-to-exclude-devices.png"::: -- 1. To delete an exclusion, select the exclusion and select the trash icon. -- :::image type="content" source="../../media/defender-identity/delete-exclusion.png" alt-text="The Delete an exclusion option" lightbox="../../media/defender-identity/delete-exclusion.png"::: --## Global excluded entities --You can now also configure exclusions by **Global excluded entities**. Global exclusions allow you to define certain entities (IP addresses, subnets, devices, or domains) to be excluded across all of the detections Defender for Identity has. So for example, if you exclude a device, it will only apply to those detections that have device identification as part of the detection. --1. In the left-hand menu, select **Global excluded entities**. 
You'll see the categories of entities that you can exclude. -- :::image type="content" source="../../media/defender-identity/global-excluded-entities.png" alt-text="The Global excluded entities submenu item" lightbox="../../media/defender-identity/global-excluded-entities.png"::: --1. Choose an exclusion type. In this example, we selected **Exclude domains**. -- :::image type="content" source="../../media/defender-identity/exclude-domains.png" alt-text="The Domains tab" lightbox="../../media/defender-identity/exclude-domains.png"::: --1. A pane will open where you can add a domain to be excluded. Add the domain you want to exclude. -- :::image type="content" source="../../media/defender-identity/add-excluded-domain.png" alt-text="The option to add a domain to be excluded" lightbox="../../media/defender-identity/add-excluded-domain.png"::: --1. The domain will be added to the list. Select **Exclude domains** to complete the exclusion. -- :::image type="content" source="../../media/defender-identity/select-exclude-domains.png" alt-text="The option to Select domains to be excluded" lightbox="../../media/defender-identity/select-exclude-domains.png"::: --1. You'll then see the domain in the list of entities to be excluded from all detection rules. You can export the list, or remove the entities by selecting them and clicking the **Remove** button. -- :::image type="content" source="../../media/defender-identity/global-excluded-entries-list.png" alt-text="The list of global excluded entries" lightbox="../../media/defender-identity/global-excluded-entries-list.png"::: --## See also --- [Manage Defender for Identity security alerts](manage-security-alerts.md) |
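Review bot: the whole exclusions.md article is deleted here without a visible redirect, and its "See also" target, manage-security-alerts.md, is removed in the same set, so add a redirect entry for microsoft-365/security/defender-identity/exclusions.md in the same change rather than leaving inbound links to 404. The deleted body also references shared media such as ../../media/defender-identity/settings-identities.png, which the notifications, sensor-health and vpn-integration articles in this set reference too, so delete those image files only after confirming no remaining references.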
security | Product Long | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/includes/product-long.md | - Previously updated : 05/20/2021- -Microsoft Defender for Identity |
security | Product Short | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/includes/product-short.md | - Previously updated : 05/20/2021- -Defender for Identity |
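Review bot: removing includes/product-short.md (and includes/product-long.md in the row above) breaks every `[!INCLUDE [Product short](includes/product-short.md)]` and `[!INCLUDE [Product long](includes/product-long.md)]` reference; the only consumer visible in this set is vpn-integration.md, which is deleted alongside it, so confirm no other file under microsoft-365/security still includes either snippet before merging, and ship the two deletions together.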
security | Manage Security Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/manage-security-alerts.md | - Title: Microsoft Defender for Identity security alerts in Microsoft Defender XDR -description: Learn how to manage and review security alerts issued by Microsoft Defender for Identity in Microsoft Defender XDR Previously updated : 05/20/2021----------# Defender for Identity security alerts in Microsoft Defender XDR --**Applies to:** --- Microsoft Defender XDR-- Defender for Identity--This article explains the basics of how to work with [Microsoft Defender for Identity](/defender-for-identity) security alerts in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center). --Defender for Identity alerts are natively integrated into <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> with a dedicated Identity alert page format. This marks the first step in the journey to [introduce the full Microsoft Defender for Identity experience into Microsoft Defender XDR](/defender-for-identity/defender-for-identity-in-microsoft-365-defender). --The new Identity alert page gives Microsoft Defender for Identity customers better cross-domain signal enrichment and new automated identity response capabilities. It ensures that you stay secure and helps improve the efficiency of your security operations. --One of the benefits of investigating alerts through [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender) is that Microsoft Defender for Identity alerts are further correlated with information obtained from each of the other products in the suite. These enhanced alerts are consistent with the other Microsoft Defender XDR alert formats originating from [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). 
The new page effectively eliminates the need to navigate to another product portal to investigate alerts associated with identity. --Alerts originating from Defender for Identity can now trigger the [Microsoft Defender XDR automated investigation and response (AIR)](/microsoft-365/security/defender/m365d-autoir) capabilities, including automatically remediating alerts and the mitigation of tools and processes that can contribute to the suspicious activity. --> [!IMPORTANT] -> As part of the convergence with Microsoft Defender XDR, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features. --## Review security alerts --Alerts can be accessed from multiple locations, including the **Alerts** page, the **Incidents** page, the pages of individual **Devices**, and from the **Advanced hunting** page. In this example, we'll review the **Alerts page**. --In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, go to **Incidents & alerts** and then to **Alerts**. ---To see alerts from Defender for Identity, on the top-right select **Filter**, and then under **Service sources** select **Microsoft Defender for Identity**, and select **Apply**: ---The alerts are displayed with information in the following columns: **Alert name**, **Tags**, **Severity**, **Investigation state**, **Status**, **Category**, **Detection source**, **Impacted assets**, **First activity**, and **Last activity**. ---## Manage alerts --If you click the **Alert name** for one of the alerts, you'll go to the page with details about the alert. In the left pane, you'll see a summary of **What happened**: ---Above the **What happened** box are buttons for the **Accounts**, **Destination Host** and **Source Host** of the alert. 
For other alerts, you might see buttons for details about additional hosts, accounts, IP addresses, domains, and security groups. Select any of them to get more details about the entities involved. --On the right pane, you'll see the **Alert details**. Here you can see more details and perform several tasks: --- **Classify this alert** - Here you can designate this alert as a **True alert** or **False alert**-- :::image type="content" source="../../media/defender-identity/classify-alert.png" alt-text="The page on which you can classify an alert" lightbox="../../media/defender-identity/classify-alert.png"::: --- **Alert state** - In **Set Classification**, you can classify the alert as **True** or **False**. In **Assigned to**, you can assign the alert to yourself or unassign it.-- :::image type="content" source="../../media/defender-identity/alert-state.png" alt-text="The Alert state pane" lightbox="../../media/defender-identity/alert-state.png"::: --- **Alert details** - Under **Alert details**, you can find more information about the specific alert, follow a link to documentation about the type of alert, see which incident the alert is associated with, review any automated investigations linked to this alert type, and see the impacted devices and users.-- :::image type="content" source="../../media/defender-identity/alert-details.png" alt-text="The Alert details page" lightbox="../../media/defender-identity/alert-details.png"::: --- **Comments & history** - Here you can add your comments to the alert, and see the history of all actions associated with the alert.-- :::image type="content" source="../../media/defender-identity/comments-history.png" alt-text="The Comments & history page" lightbox="../../media/defender-identity/comments-history.png"::: --- **Manage alert** - If you select **Manage alert**, you'll go to a pane that will allow you to edit the:- - **Status** - You can choose **New**, **Resolved** or **In progress**. 
- - **Classification** - You can choose **True alert** or **False alert**. - - **Comment** - You can add a comment about the alert. -- If you select the three dots next to **Manage alert**, you can **Consult a threat expert**, **Export** the alert to an Excel file, or **Link to another incident**. -- :::image type="content" source="../../media/defender-identity/manage-alert.png" alt-text="The Manage alert option" lightbox="../../media/defender-identity/manage-alert.png"::: -- > [!NOTE] - > In the Excel file, you now have two links available: **View in Microsoft Defender for Identity** and **View in Microsoft Defender XDR**. Each link will bring you to the relevant portal, and provide information about the alert there. --## See also --- [Investigate alerts in Microsoft Defender XDR](../defender/investigate-alerts.md) |
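Review bot: manage-security-alerts.md is the "See also" target of both exclusions.md and notifications.md and is deleted here without a visible redirect; add a redirect entry so inbound links from outside this folder do not 404 (the article's own outbound link to ../defender/investigate-alerts.md is unaffected). The removed note stating that the exported Excel file carries two links, "View in Microsoft Defender for Identity" and "View in Microsoft Defender XDR", is the only place in this set that documents that behaviour, so verify it survives at the redirect target.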
security | Notifications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/notifications.md | - Title: Microsoft Defender for Identity notifications in Microsoft Defender XDR -description: Learn how to set Microsoft Defender for Identity notifications in Microsoft Defender XDR. Previously updated : 05/20/2021----------# Defender for Identity notifications in Microsoft Defender XDR --**Applies to:** --- Microsoft Defender XDR-- Defender for Identity--This article explains how to work with [Microsoft Defender for Identity](/defender-for-identity) notifications in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center). --> [!IMPORTANT] -> As part of the convergence with Microsoft Defender XDR, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features. --## Health issues notifications --In Microsoft Defender XDR, you can add recipients for email notifications of health issues in Defender for Identity. --1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, go to **Settings** and then **Identities**. -- :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the column Name" lightbox="../../media/defender-identity/settings-identities.png"::: ---1. Select **Health issues notifications**. --1. Enter the recipient's email address. Select **Add**. -- :::image type="content" source="../../media/defender-identity/health-email-recipient.png" alt-text="The Health issues notifications submenu item" lightbox="../../media/defender-identity/health-email-recipient.png"::: --1. When Defender for Identity detects a health issue, the recipients will receive an email notification with the details. 
-- :::image type="content" source="../../media/defender-identity/health-email.png" alt-text="The health issue email" lightbox="../../media/defender-identity/health-email.png"::: -- > [!NOTE] - > The email provides two links for further details about the issue. You can either go to the **MDI Health Center** or the new **Health Center in M365D**. --## Alert notifications --In Microsoft Defender XDR, you can add recipients for email notifications of detected alerts. --1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, go to **Settings** and then **Identities**. -- :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option" lightbox="../../media/defender-identity/settings-identities.png"::: --1. Select **Alert notifications**. --1. Enter the recipient's email address. Select **Add**. -- :::image type="content" source="../../media/defender-identity/alert-email-recipient.png" alt-text="The Alert notifications submenu item" lightbox="../../media/defender-identity/alert-email-recipient.png"::: --## Syslog notifications --Defender for Identity can notify you when it detects suspicious activities by sending security and health alerts to your Syslog server through a nominated sensor. --> [!NOTE] -> To learn how to integrate Defender for Identity with Microsoft Sentinel, see [Microsoft Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration). --1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, go to **Settings** and then **Identities**. -- :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The option of Identities in the Name column" lightbox="../../media/defender-identity/settings-identities.png"::: --1. Select **Syslog notifications**. --1. 
To enable syslog notification, set the **Syslog service** toggle to the **on** position. -- :::image type="content" source="../../media/defender-identity/syslog-service.png" alt-text="The Syslog service option that can be turned on" lightbox="../../media/defender-identity/syslog-service.png"::: --1. Select **Configure service**. A pane will open where you can enter the details for the syslog service. -- :::image type="content" source="../../media/defender-identity/syslog-sensor.png" alt-text="The page on which you enter the Syslog service details" lightbox="../../media/defender-identity/syslog-sensor.png"::: --1. Enter the following details: -- - **Sensor** - From the drop-down list, choose the sensor that will send the alerts. - - **Service endpoint** and **Port** - Enter the IP address or fully qualified domain name (FQDN) for the syslog server and specify the port number. You can configure only one Syslog endpoint. - - **Transport** - Select the **Transport** protocol (TCP or UDP). - - **Format** - Select the format (RFC 3164 or RFC 5424). --1. Select **Send test SIEM notification** and then verify the message is received in your Syslog infrastructure solution. --1. Select **Save**. --1. Once you've configured the **Syslog service**, you can choose which types of notifications (alerts or health issues) to send to your Syslog server. -- :::image type="content" source="../../media/defender-identity/syslog-configured.png" alt-text="The Syslog service is configured option checked" lightbox="../../media/defender-identity/syslog-configured.png"::: --## See also --- [Manage Defender for Identity security alerts](manage-security-alerts.md) |
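Review bot: the deleted Syslog section is the only place in this set that records the transport choice (TCP or UDP), the message format (RFC 3164 or RFC 5424) and the constraint that only one Syslog endpoint can be configured; if the article is being relocated rather than retired, check that those settings, the Microsoft Sentinel integration note and a redirect from notifications.md all carry over. The article's "See also" link to manage-security-alerts.md is removed in the same change, so nothing is left dangling within the folder itself.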
security | Sensor Health | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/sensor-health.md | - Title: Microsoft Defender for Identity sensor health and settings in Microsoft Defender XDR -description: Learn how to configure Microsoft Defender for Identity sensors and monitor their health in Microsoft Defender XDR Previously updated : 06/07/2021----------# Microsoft Defender for Identity sensor health and settings in Microsoft Defender XDR --**Applies to:** --- Microsoft Defender XDR-- Defender for Identity--This article explains how to configure and monitor [Microsoft Defender for Identity](/defender-for-identity) sensors in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center). --> [!IMPORTANT] -> As part of the convergence with Microsoft Defender XDR, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features. --## View Defender for Identity sensor settings and status --1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, go to **Settings** and then **Identities**. -- :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The option of Identities on the Settings page" lightbox="../../media/defender-identity/settings-identities.png"::: --1. Select the **Sensors** page, which displays all of your Defender for Identity sensors. For each sensor, you'll see its name, its domain membership, the version number, if updates should be delayed, the service status, update status, health status, the number of health issues, and when the sensor was created. 
-- [![Sensor page.](../../media/defender-identity/sensor-page.png)](../../media/defender-identity/sensor-page.png#lightbox) -- > [!NOTE] - > In the Defender for Identity portal, the sensor settings and health information were in separate locations. Note that in Microsoft Defender XDR they're now on the same page. --1. If you select **Filters**, you can choose which filters will be available. Then with each filter, you can choose which sensors to display. -- [![Sensor filters.](../../media/defender-identity/sensor-filters.png)](../../media/defender-identity/sensor-filters.png#lightbox) -- :::image type="content" source="../../media/defender-identity/filtered-sensor.png" alt-text="The Filtered sensor" lightbox="../../media/defender-identity/filtered-sensor.png"::: --1. If you select one of the sensors, a pane will display with information about the sensor and its health status. -- [![Sensor details.](../../media/defender-identity/sensor-details.png)](../../media/defender-identity/sensor-details.png#lightbox) --1. If you select any of the health issues, you'll get a pane with more details about them. If you choose a closed issue, you can reopen it from here. -- :::image type="content" source="../../media/defender-identity/issue-details.png" alt-text="The Issue details" lightbox="../../media/defender-identity/issue-details.png"::: --1. If you select **Manage sensor**, a pane will open where you can configure the sensor details. -- :::image type="content" source="../../media/defender-identity/manage-sensor.png" alt-text="The Manage sensor option" lightbox="../../media/defender-identity/manage-sensor.png"::: -- :::image type="content" source="../../media/defender-identity/configure-sensor-details.png" alt-text="The page on which you configure settings for the sensor" lightbox="../../media/defender-identity/configure-sensor-details.png"::: --1. In the **Sensors** page, you can export your list of sensors to a .csv file by selecting **Export**. 
-- :::image type="content" source="../../media/defender-identity/export-sensors.png" alt-text="The Export list of sensors" lightbox="../../media/defender-identity/export-sensors.png"::: --## Add a sensor --From the **Sensors** page, you can add a new sensor. --1. Select **Add sensor**. -- :::image type="content" source="../../media/defender-identity/add-sensor.png" alt-text="The Add sensor option" lightbox="../../media/defender-identity/add-sensor.png"::: --1. A pane will open, providing you with a button to download the sensor installer and a generated access key. -- :::image type="content" source="../../media/defender-identity/installer-access-key.png" alt-text="The options to download the installer and regenerate the key" lightbox="../../media/defender-identity/installer-access-key.png"::: --1. Select **Download installer** to save the package locally. The zip file includes the following files: -- - The Defender for Identity sensor installer -- - The configuration setting file with the required information to connect to the Defender for Identity cloud service --1. Copy the **Access key**. The access key is required for the Defender for Identity sensor to connect to your Defender for Identity instance. The access key is a one-time-password for sensor deployment, after which all communication is performed using certificates for authentication and TLS encryption. Use the **Regenerate key** button if you ever need to regenerate the new access key. It won't affect any previously deployed sensors, because it's only used for initial registration of the sensor. --1. Copy the package to the dedicated server or domain controller onto which you're installing the Defender for Identity sensor. --## See also --- [Manage Defender for Identity security alerts](manage-security-alerts.md) |
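Review bot: the "Add a sensor" steps being deleted are where the access key is documented as a one-time password used only for initial registration, after which sensors authenticate with certificates over TLS, and where it is stated that regenerating the key does not affect already deployed sensors; that guidance is security-relevant and should be confirmed present at the redirect target before this article is removed. The row also drops three image references written in the `[![...](...)](...#lightbox)` form (sensor-page.png, sensor-filters.png, sensor-details.png under ../../media/defender-identity/) rather than the `:::image:::` form used elsewhere, so check whether those files are referenced from other articles before deleting the media.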
security | Vpn Integration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/vpn-integration.md | - Title: Microsoft Defender for Identity VPN integration in Microsoft Defender XDR -description: Learn how to collect accounting information by integrating a VPN for Microsoft Defender for Identity in Microsoft Defender XDR Previously updated : 06/07/2021----------# Defender for Identity VPN integration in Microsoft Defender XDR --**Applies to:** --- Microsoft Defender XDR-- Defender for Identity--This article explains how to integrate a VPN with [Microsoft Defender for Identity](/defender-for-identity) in [Microsoft Defender XDR](/microsoft-365/security/defender/overview-security-center). --> [!IMPORTANT] -> As part of the convergence with <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features. ----- Microsoft-- F5-- Check Point-- Cisco ASA--## Prerequisites --To enable VPN integration, make sure you set the following parameters: --- Open port UDP 1813 on your [!INCLUDE [Product short](includes/product-short.md)] sensors and/or [!INCLUDE [Product short](includes/product-short.md)] standalone sensors.--> [!NOTE] -> -> - By enabling **Radius Accounting**, the [!INCLUDE [Product short](includes/product-short.md)] sensor will enable a pre-provisioned Windows firewall policy called **[!INCLUDE [Product long](includes/product-long.md)] Sensor** to allow incoming RADIUS Accounting on port UDP 1813. -> - VPN integration is not supported in environments adhering to Federal Information Processing Standards (FIPS) --The example below uses Microsoft Routing and Remote Access Server (RRAS) to describe the VPN configuration process. 
--If you're using a third-party VPN solution, consult their documentation for instructions on how to enable RADIUS Accounting. --## Configure RADIUS Accounting on the VPN system --Perform the following steps on your RRAS server. --1. Open the **Routing and Remote Access** console. -1. Right-click the server name and select **Properties**. -1. In the **Security** tab, under **Accounting provider**, select **RADIUS Accounting** and select **Configure**. -- :::image type="content" source="../../media/defender-identity/radius-setup.png" alt-text="The RADIUS setup" lightbox="../../media/defender-identity/radius-setup.png"::: --1. In the **Add RADIUS Server** window, type the **Server name** of the closest [!INCLUDE [Product short](includes/product-short.md)] sensor (which has network connectivity). For high availability, you can add additional [!INCLUDE [Product short](includes/product-short.md)] sensors as RADIUS Servers. Under **Port**, make sure the default of 1813 is configured. Select **Change** and type a new shared secret string of alphanumeric characters. Take note of the new shared secret string as you'll need to fill it out later during [!INCLUDE [Product short](includes/product-short.md)] Configuration. Check the **Send RADIUS Account On and Accounting Off messages** box and select **OK** on all open dialog boxes. -- :::image type="content" source="../../media/defender-identity/vpn-set-accounting.png" alt-text="The VPN setup" lightbox="../../media/defender-identity/vpn-set-accounting.png"::: --## Configure VPN in Defender for Identity ---To configure VPN data in [!INCLUDE [Product short](includes/product-short.md)] in Microsoft Defender XDR: --1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>, go to **Settings** and then **Identities**. 
-- :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option under the settings menu item" lightbox="../../media/defender-identity/settings-identities.png"::: --1. Select **VPN**. -1. Select **Enable radius accounting**, and type the **Shared Secret** you configured previously on your RRAS VPN Server. Then select **Save**. -- :::image type="content" source="../../media/defender-identity/vpn-integration.png" alt-text="The VPN integration" lightbox="../../media/defender-identity/vpn-integration.png"::: --After this is enabled, all Defender for Identity sensors will listen on port 1813 for RADIUS accounting events, and your VPN setup is complete. --After the Defender for Identity sensor receives the VPN events and sends them to the Defender for Identity cloud service for processing, the entity profile will indicate distinct accessed VPN locations and activities in the profile will indicate locations. --## See also --- [Investigate alerts in Microsoft Defender XDR](../defender/investigate-alerts.md) |
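Review bot: this deleted article is the only one in the set that documents the RADIUS accounting prerequisites (UDP 1813 open on the sensors, the pre-provisioned "Microsoft Defender for Identity Sensor" Windows firewall policy, no support in FIPS environments) and the fact that enabling the setting makes all sensors listen on port 1813; add a redirect from vpn-integration.md and check that the target keeps those details and the shared-secret step. The article also depends on includes/product-short.md and includes/product-long.md, which are removed in the same set, so the deletions must land together to avoid broken `[!INCLUDE]` references.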
security | Before You Begin Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-xdr.md | Defender Experts for XDR is a managed extended detection and response (XDR) serv ### Server coverage -Defender Experts for XDR also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesn't cover Microsoft Defender for Cloud. +Defender Experts for XDR also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Endpoint for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesn't cover Microsoft Defender for Cloud workloads. [Learn more about specific hardware and software requirements](/microsoft-365/security/defender-endpoint/minimum-requirements). ### Ask Defender Experts |
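Review bot: the new line still says servers "on a hyperscale cloud service provider" are covered while its last sentence says the service "doesn't cover Microsoft Defender for Cloud workloads", which reads as a contradiction to someone running Defender for Cloud on those same servers; rephrase to state that coverage applies to servers onboarded to Defender for Endpoint with the named license, not to workloads protected only by Defender for Cloud. While editing, "a server is considered as a user account for billing" would be clearer as "each server counts as one user for billing".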
security | Defender Experts For Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-for-hunting.md | The following capabilities included in this managed threat hunting service could - **Threat hunting and analysis** ΓÇô Defender Experts for Hunting look deeper to expose advanced threats and identify the scope and impact of malicious activity associated with human adversaries or hands-on-keyboard attacks. - **Defender Experts Notifications** ΓÇô Notifications show up as incidents in Microsoft Defender XDR, helping to improve your security operations' incident response with specific information about the scope, method of entry, and remediation instructions.-- **Experts on Demand** ΓÇô Select **Ask Defender Experts** in the Microsoft Defender portal to get expert advice about threats your organization is facing. You can ask for help on a specific incident, nation-state actor, or attack vector-related notifications.+- **Ask Defender Experts** ΓÇô Select **Ask Defender Experts** in the Microsoft Defender portal to get expert advice about threats your organization is facing. You can ask for help on a specific incident, nation-state actor, or attack vector-related notifications. - **Hunter-trained AI** ΓÇô Our Defender Experts for Hunting share their learning back into the automated tools they use to improve threat discovery and prioritization. - **Reports** ΓÇô An interactive report summarizing what we hunted and what we found. |
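Review bot: the rename from "Experts on Demand" to "Ask Defender Experts" is applied to this one bullet only; the onboarding article in this same set still ends with the unchanged sentence "Experts on Demand can help to:", so the old name should be replaced consistently across the set or this bullet held back until it can be. The bullet's "or attack vector-related notifications" also reads oddly after "a specific incident, nation-state actor"; "a specific incident, nation-state actor, or attack vector" is the likely intent.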
security | Incident Response Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-response-overview.md | Here are the primary investigate and respond tasks for Microsoft Defender XDR: - [Review and approve automatic remediation actions](#automated-investigation-and-remediation) - [Search for known threats in your data](#proactive-search-for-threats-with-advanced-hunting) - [Understand the latest cyberattacks](#get-ahead-of-emerging-threats-with-threat-analytics)-- [Get help](#collaborate-with-microsoft-defender-experts) ## Incident response Each identified threat includes an analyst report, a comprehensive analysis of t For more information, see [Threat analytics in Microsoft Defender XDR](threat-analytics.md). -## Collaborate with Microsoft Defender experts --Endpoint Attack Notifications (previously referred to as Microsoft Threat Experts - Targeted Attack Notifications) is a managed threat hunting service. Once you apply and are accepted, you'll receive Endpoint Attack Notifications from Microsoft Defender experts, so you won't miss critical threats to your environment. These notifications will help you protect your organization's endpoints, email, and identities. Microsoft Defender Experts ΓÇô Experts on Demand lets you get expert advice about threats your organization is facing and you can reach out for help on threats your organization is facing. It's available as an additional subscription service. --For more information, see [Microsoft Defender Experts in Microsoft 365 overview](../defender-endpoint/experts-on-demand.md). [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)] |
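Review bot: deleting the "Collaborate with Microsoft Defender experts" section together with its "Get help" task-list entry keeps the in-page anchors consistent, but the overview is then left with no pointer to Defender Experts at all; if ../defender-endpoint/experts-on-demand.md still exists, keep a one-line task entry linking to it (or to the Defender Experts for Hunting article) rather than dropping the topic. Also confirm no other page links to the removed #collaborate-with-microsoft-defender-experts anchor before merging.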
security | Onboarding Defender Experts For Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboarding-defender-experts-for-hunting.md | Title: How to subscribe to Microsoft Defender Experts for Hunting description: If you're new to Microsoft Defender XDR and Defender Experts for Hunting, this is how you subscribe to Defender experts notifications -keywords: managed threat hunting service, sample DEN, defender experts notifications, managed detection and response (MDR) service, MTE, Microsoft Threat Experts, EOD, endpoint attack notifications, Microsoft Defender Experts for hunting, managed response. +keywords: managed threat hunting service,onboarding to Defender Experts, sample DEN, defender experts notifications, Ask Defender Experts, MTE, Microsoft Threat Experts, EOD, endpoint attack notifications, Microsoft Defender Experts for hunting, managed response. search.product: Windows 10 ms.mktglfcycl: deploy A sample Defender Experts Notification shows up in your **Incidents** page with :::image type="content" source="../../media/mte/defenderexperts/sample-den-links-dexh.png" alt-text="Screenshot of Sample DEN links." lightbox="../../media/mte/defenderexperts/sample-den-links-dexh.png"::: -## Collaborate with Experts on Demand +## Collaborate with experts on demand > [!NOTE]-> Experts on Demand is included in your Defender Experts for Hunting subscription with [monthly allocations](/microsoft-365/security/defender/before-you-begin-defender-experts#eligibility-and-licensing). However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/). 
+> Ask Defender Experts is included in your Defender Experts for Hunting subscription with [monthly allocations](/microsoft-365/security/defender/before-you-begin-defender-experts#eligibility-and-licensing). However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/). Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization may face. Experts on Demand can help to: |
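Review bot: In the keywords hunk, "managed threat hunting service,onboarding to Defender Experts" is missing the space after the comma that separates every other entry in the list; add it for consistency with the rest of the line.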
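Review bot: The rename in the note from "Experts on Demand" to "Ask Defender Experts" is incomplete: the unchanged context line at the end of the hunk still reads "Experts on Demand can help to:", so the section now uses two names for the same feature. Rename that line as well ("Ask Defender Experts can help to:"). The heading change also deserves a second look: lowercasing it to "Collaborate with experts on demand" turns a product name into a generic phrase, while the body tells the reader to select **Ask Defender Experts**; a heading that matches the UI label, such as "Ask Defender Experts", would be clearer than either form.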
security | Anti Spam Protection About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection-about.md | For more information about BCL, see [Bulk complaint level (BCL) in EOP](anti-spa > [!TIP] > By default, the PowerShell only setting _MarkAsSpamBulkMail_ is `On` in anti-spam policies in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). This setting dramatically affects the results of a **Bulk compliant level (BCL) met or exceeded** filtering verdict:+> > - **_MarkAsSpamBulkMail_ is On**: A BCL that's greater than or equal to the threshold value is converted to an SCL 6 that corresponds to a filtering verdict of **Spam**, and the action for the **Bulk compliant level (BCL) met or exceeded** filtering verdict is taken on the message. > - **_MarkAsSpamBulkMail_ is Off**: The message is stamped with the BCL, but _no action_ is taken for a **Bulk compliant level (BCL) met or exceeded** filtering verdict. In effect, the BCL threshold and **Bulk compliant level (BCL) met or exceeded** filtering verdict action are irrelevant. |
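Review bot: The added bare `>` line is the right fix; without an empty quoted line between the paragraph and the bullets, the list renders as a continuation of the sentence inside the tip. While these lines are being touched, the three bullets name the verdict **Bulk compliant level (BCL) met or exceeded**, but the sentence just above the tip expands BCL as "Bulk complaint level"; the verdict name should use "complaint" in all three places, and it's worth fixing in the same commit.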
security | Configure Junk Email Settings On Exo Mailboxes | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes.md | In Microsoft 365 organizations with mailboxes in Exchange Online, organizational But, there are also specific anti-spam settings that admins can configure on individual mailboxes in Exchange Online: -- **Move messages to the Junk Email folder based on anti-spam policies**: When an anti-spam policy is configured with the action **Move message to Junk Email folder** for a spam filtering verdict, the message is moved to the Junk Email folder *after* the message is delivered to the mailbox. For more information about spam filtering verdicts in anti-spam policies, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md). Similarly, if zero-hour auto purge (ZAP) determines that a delivered message is spam or phish, the message is moved to the Junk Email folder for **Move message to Junk Email folder** spam filtering verdict actions. For more information about ZAP, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).+- **Move messages to the Junk Email folder based on anti-spam policies**: When an anti-spam policy is configured with the action **Move message to Junk Email folder** for a spam filtering verdict, the message is moved to the Junk Email folder _after_ the message is delivered to the mailbox. For more information about spam filtering verdicts in anti-spam policies, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md). Similarly, if zero-hour auto purge (ZAP) determines that a delivered message is spam or phish, the message is moved to the Junk Email folder for **Move message to Junk Email folder** spam filtering verdict actions. For more information about ZAP, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md). 
- **Junk email settings that users configure for themselves in Outlook or Outlook on the web**: The _safelist collection_ is the Safe Senders list, the Safe Recipients list, and the Blocked Senders list on each mailbox. The entries in these lists determine whether the message is moved to the Inbox or the Junk Email folder. Users can configure the safelist collection for their own mailboxes in Outlook or Outlook on the web (formerly known as Outlook Web App). Admins can configure the safelist collection on any user's mailbox. Admins can use Exchange Online PowerShell to configure entries in the safelist c The safelist collection on a mailbox includes the Safe Senders list, the Safe Recipients list, and the Blocked Senders list. By default, users can configure the safelist collection on their own mailboxes in Outlook or Outlook on the web. Admins can use the corresponding parameters on the **Set-MailboxJunkEmailConfiguration** cmdlet to configure the safelist collection on a user's mailbox. These parameters are described in the following table. 
-|Parameter on Set-MailboxJunkEmailConfiguration|Outlook on the web setting| -||| -|_BlockedSendersAndDomains_|**Move email from these senders or domains to my Junk Email folder**| -|_ContactsTrusted_|**Trust email from my contacts**| -|_TrustedListsOnly_|**Only trust email from addresses in my Safe senders and domains list and Safe mailing lists**| -|_TrustedSendersAndDomains_<sup>\*</sup>|**Don't move email from these senders to my Junk Email folder**| +|Parameter on Set-MailboxJunkEmailConfiguration|Junk Email Options in Outlook|Junk email settings in Outlook on the web| +|||| +|_BlockedSendersAndDomains_|**Blocked Senders** tab|**Blocked Senders and domains** section| +|_ContactsTrusted_|**Safe Senders** tab \> **Also trust email from my Contacts**|**Filters** sections \> **Trust email from my contacts**| +|_TrustedListsOnly_|**Options** tab \> **Safe Lists Only: Only mail from people or domains on your Safe Senders List or Safe Recipients List will be delivered to your Inbox**|**Filters** section \> **Only trust email from addresses in my Safe senders and domains list and Safe mailing lists**| +|_TrustedSendersAndDomains_<sup>\*</sup>|**Safe Senders** tab|**Safe senders and domains** section| -<sup>\*</sup> **Notes**: +<sup>\*</sup> You can't directly modify the **Safe Recipients** list by using the **Set-MailboxJunkEmailConfiguration** cmdlet (the _TrustedRecipientsAndDomains_ parameter doesn't work). You modify the Safe Senders list, and those changes are synchronized to the Safe Recipients list. ++**Notes**: - In Exchange Online, whether entries in the Safe Senders list or _TrustedSendersAndDomains_ parameter work or don't work depends on the verdict and action in the policy that identified the message: - **Move messages to Junk Email folder**: Domain entries and sender email address entries are honored. Messages from those senders aren't moved to the Junk Email folder. 
The safelist collection on a mailbox includes the Safe Senders list, the Safe Re - The message isn't identified as malware or high confidence phishing (malware and high confidence phishing messages are quarantined). - The email address isn't in a block entry in the [Tenant Allow/Block](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses). - In standalone EOP with directory synchronization, domain entries aren't synchronized by default, but you can enable synchronization for domains. For more information, see [Configure Content Filtering to Use Safe Domain Data: Exchange 2013 Help | Microsoft Learn](/exchange/configure-content-filtering-to-use-safe-domain-data-exchange-2013-help).-- You can't directly modify the Safe Recipients list by using the **Set-MailboxJunkEmailConfiguration** cmdlet (the _TrustedRecipientsAndDomains_ parameter doesn't work). You modify the Safe Senders list, and those changes are synchronized to the Safe Recipients list. To configure the safelist collection on a mailbox, use the following syntax: |
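Review bot: In the rebuilt table, the _ContactsTrusted_ row reads "**Filters** sections \> **Trust email from my contacts**" while the _TrustedListsOnly_ row reads "**Filters** section"; it's the same UI section, so use the singular in both. Moving the Safe Recipients caveat out of the bulleted notes and into the `<sup>*</sup>` footnote is an improvement, since the asterisk on _TrustedSendersAndDomains_ now has its explanation directly under the table instead of several bullets further down.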
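Review bot: Removing the "You can't directly modify the Safe Recipients list" bullet is correct only because the earlier hunk adds the same text as the `<sup>*</sup>` footnote under the table; keep both hunks in one commit so the caveat is never absent from the page. In the adjacent unchanged bullet, the link text "[Tenant Allow/Block](...)" drops the last word of the feature name; it should read "Tenant Allow/Block List", matching the target page it links to.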