Updates from: 04/11/2024 01:35:52
Category Microsoft Docs article Related commit history on GitHub Change details
enterprise Dns Records For Office 365 Dod https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/dns-records-for-office-365-dod.md
hideEdit: true
*This article applies to Office 365 DoD and Microsoft 365 DoD*
-As part of onboarding to Office 365 DoD, you will need to add your SMTP and SIP domains to your Online Services tenant. YouΓÇÖll do this using the New-MsolDomain cmdlet in Azure AD PowerShell or use the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership.
+As part of onboarding to Office 365 DoD, you need to add your SMTP and SIP domains to your Online Services tenant. You do this using the New-MsolDomain cmdlet in Azure AD PowerShell or use the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership.
[!INCLUDE [Azure AD PowerShell deprecation note](~/../microsoft-365/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
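Review bot: the rewritten onboarding sentence still names New-MsolDomain from Azure AD PowerShell as the way to add the domain, one line above the include that announces that module is deprecated. Since the wording is being touched anyway, lead with the Microsoft Graph PowerShell equivalent (New-MgDomain) or the Azure Government Portal and keep New-MsolDomain only as a legacy mention, so a tenant-onboarding step does not steer readers to a deprecated module. Minor: "You do this using the ... cmdlet ... or use the ... Portal" is not parallel; "or using the portal" (as the GCC High article below has it) reads better.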
-Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organizationΓÇÖs needs with respect to the inbound MX record(s) and any existing Exchange Autodiscover record(s) you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.
+Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organizationΓÇÖs needs with respect to one or more inbound MX records and any existing Exchange Autodiscover records you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.
## Exchange Online | Type | Priority | Host name | Points to address or value | TTL | | | | | | |
-| MX | 0 | @ | *tenant*.mail.protection.office365.us (see below for more details) | One Hour |
+| MX | 0 | @ | *tenant*.mail.protection.office365.us (for more information, see below) | One Hour |
| TXT | - | @ | v=spf1 include:spf.protection.office365.us -all | One Hour | | CNAME | - | autodiscover | autodiscover-dod.office365.us | One Hour | ### Exchange Autodiscover record
-If you have Exchange Server on-premises, we recommend leaving your existing record in place while you migrate to Exchange Online, and update that record once you have completed your migration.
+If you have Exchange Server on-premises, we recommend leaving your existing record in place while you migrate to Exchange Online, and update that record once you complete your migration.
### Exchange Online MX Record
The MX record value for your accepted domains follows a standard format as noted
For example, if your tenant name is contoso.onmicrosoft.us, youΓÇÖd use **contoso.mail.protection.office365.us** as the value for your MX record.
-## Skype for Business Online
-
-### CNAME records
-
-| Type | Host name | Points to address or value | TTL |
-| | | | |
-| CNAME | sip | sipdir.online.dod.skypeforbusiness.us | One Hour |
-| CNAME | lyncdiscover | webdir.online.dod.skypeforbusiness.us | One Hour |
+## External DNS records required for Teams
### SRV records | Type | Service | Protocol | Port | Weight | Priority | Name | Target | TTL | | | | | | | | | | |
-| SRV | \_sip | \_tls | 443 | 1 | 100 | @ | sipdir.online.dod.skypeforbusiness.us | One Hour |
| SRV | \_sipfederationtls | \_tcp | 5061 | 1 | 100 | @ | sipfed.online.dod.skypeforbusiness.us | One Hour | ## Other DNS records > [!IMPORTANT]
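Review bot: existing tenants get no instruction about the sip and lyncdiscover CNAMEs and the _sip._tls SRV that are dropped from the table in this hunk, even though the msoid note just below shows the pattern (an explicit "remove this record"). A one-line sentence under the new "External DNS records required for Teams" heading saying which records from the former Skype for Business Online table can be deleted would prevent customers from leaving CNAMEs that point at hostnames they no longer use, which is both a troubleshooting trap and a dangling-record risk. With the CNAME subsection removed, "### SRV records" is also the only subsection left under the new H2, and the remaining _sipfederationtls target still lives under skypeforbusiness.us, which deserves a short explanation.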
-> If you have an existing *msoid* CNAME record in your DNS zone, you must **remove** the record from DNS at this time. The msoid record is incompatible with Microsoft 365 Enterprise Apps *(formerly Office 365 ProPlus)* and will prevent activation from succeeding.
+> If you have an existing *msoid* CNAME record in your DNS zone, you must **remove** the record from DNS at this time. The msoid record is incompatible with Microsoft 365 Enterprise Apps *(formerly Office 365 ProPlus)* and will prevent activation from succeeding.
enterprise Dns Records For Office 365 Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/dns-records-for-office-365-gcc-high.md
hideEdit: true
*This article applies to Office 365 GCC High and Microsoft 365 GCC High*
-As part of onboarding to Office 365 GCC High, you will need to add your SMTP and SIP domains to your Online Services tenant. YouΓÇÖll do this using the New-MsolDomain cmdlet in Azure AD PowerShell or use the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership.
+As part of onboarding to Office 365 GCC High, you need to add your SMTP and SIP domains to your Online Services tenant. You do this using the New-MsolDomain cmdlet in Azure AD PowerShell or using the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership.
[!INCLUDE [Azure AD PowerShell deprecation note](~/../microsoft-365/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
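Review bot: as in the DoD article above, the updated sentence keeps New-MsolDomain from the deprecated Azure AD PowerShell module as the documented method directly above the deprecation include. Suggest naming the Microsoft Graph PowerShell cmdlet (New-MgDomain) or the portal as the primary route and mentioning New-MsolDomain only for readers still on the legacy module.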
-Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organizationΓÇÖs needs with respect to the inbound MX record(s) and any existing Exchange Autodiscover record(s) you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.
+Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organizationΓÇÖs needs with respect to one or more inbound MX records and any existing Exchange Autodiscover records you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.
## Exchange Online | Type | Priority | Host name | Points to address or value | TTL | | | | | | |
-| MX | 0 | @ | *tenant*.mail.protection.office365.us (see below for more details) | One Hour |
+| MX | 0 | @ | *tenant*.mail.protection.office365.us (for more information, see below) | One Hour |
| TXT | - | @ | v=spf1 include:spf.protection.office365.us -all | One Hour | | CNAME | - | autodiscover | autodiscover.office365.us | One Hour | ### Exchange Autodiscover record
-If you have Exchange Server on-premises, we recommend leaving your existing record in place while you migrate to Exchange Online, and update that record once you have completed your migration.
+If you have Exchange Server on-premises, we recommend leaving your existing record in place while you migrate to Exchange Online, and update that record once you complete your migration.
### Exchange Online MX Record
The MX record value for your accepted domains follows a standard format as noted
For example, if your tenant name is contoso.onmicrosoft.us, youΓÇÖd use **contoso.mail.protection.office365.us** as the value for your MX record.
-## Skype for Business Online
-
-### CNAME records
-
-| Type | Host name | Points to address or value | TTL |
-| | | | |
-| CNAME | sip | sipdir.online.gov.skypeforbusiness.us | One Hour |
-| CNAME | lyncdiscover | webdir.online.gov.skypeforbusiness.us | One Hour |
+## External DNS records required for Teams
### SRV records | Type | Service | Protocol | Port | Weight | Priority | Name | Target | TTL | | | | | | | | | | |
-| SRV | \_sip | \_tls | 443 | 1 | 100 | @ | sipdir.online.gov.skypeforbusiness.us | One Hour |
| SRV | \_sipfederationtls | \_tcp | 5061 | 1 | 100 | @ | sipfed.online.gov.skypeforbusiness.us | One Hour | ## Other DNS records > [!IMPORTANT]
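Review bot: no cleanup guidance accompanies the removal of the sip/lyncdiscover CNAMEs and the _sip._tls SRV from this table. Mirror the msoid note below with a sentence telling tenants that already published those records from the former Skype for Business Online section whether to remove them, so stale CNAMEs pointing at unused hostnames are not left in customer zones. The renamed section also now has a single subsection and keeps a skypeforbusiness.us target, which a one-line explanation would make less surprising.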
-> If you have an existing *msoid* CNAME record in your DNS zone, you must **remove** the record from DNS at this time. The msoid record is incompatible with Microsoft 365 Enterprise Apps *(formerly Office 365 ProPlus)* and will prevent activation from succeeding.
+> If you have an existing *msoid* CNAME record in your DNS zone, you must **remove** the record from DNS at this time. The msoid record is incompatible with Microsoft 365 Enterprise Apps *(formerly Office 365 ProPlus)* and will prevent activation from succeeding.
security Mdb Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-started.md
audience: Admin
ms.localizationpriority: medium Previously updated : 09/06/2023 Last updated : 04/10/2024 f1.keywords: NOCSH
- m365-security - m365-initiative-defender-business - tier1
+- essentials-get-started
security Mdb Manage Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-subscription.md
f1.keywords: NOCSH
- M365-security-compliance - m365initiative-defender-business
+- essentials-manage
# Change your endpoint security subscription
security Mdb Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md
audience: Admin
ms.localizationpriority: medium Previously updated : 11/30/2023 Last updated : 04/10/2024 f1.keywords: NOCSH
- m365-security - m365-initiative-defender-business - tier1
+- essentials-overview
security Mdb Tutorials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-tutorials.md
ms.localizationpriority: medium Previously updated : 01/26/2023 Last updated : 04/10/2024 f1.keywords: NOCSH - SMB - m365-security - tier1
+- essentials-get-started
# Tutorials and simulations in Microsoft Defender for Business
security Trial Playbook Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/trial-playbook-defender-business.md
- m365-security - tier1
+- essentials-get-started
ms.localizationpriority: high Previously updated : 05/04/2023 Last updated : 04/10/2024 search.appverid: - MOE150
security Adv Tech Of Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/adv-tech-of-mdav.md
audience: ITPro
# Advanced technologies at the core of Microsoft Defender Antivirus
-**Applies to:** 
+**Applies to:**
-- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) -- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) -- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business) -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)  -- Microsoft Defender Antivirus -- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) 
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)
+- Microsoft Defender Antivirus
+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
Microsoft Defender Antivirus and the multiple engines that lead to the advanced detection and prevention technologies under the hood to detect and stop a wide range of threats and attacker techniques at multiple points, as depicted in the following diagram: :::image type="content" source="media/next-gen-protection-engines.png" alt-text="Diagram depicting next generation protection engines and how they work between the cloud and the client device.":::
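Review bot: the sentence right after the rebuilt "Applies to" list is still a fragment with no main verb ("Microsoft Defender Antivirus and the multiple engines that lead to the advanced detection and prevention technologies under the hood to detect and stop ..."). Since this change already reflows the surrounding lines, fix it in the same commit, for example "Microsoft Defender Antivirus uses multiple engines and advanced detection and prevention technologies to detect and stop a wide range of threats and attacker techniques at multiple points, as depicted in the following diagram:".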
-Many of these engines are built into the client and provide advanced protection against most threats in real time. 
+Many of these engines are built into the client and provide advanced protection against most threats in real time.
-These next-generation protection engines provide [industry-best](/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) detection and blocking capabilities and ensure that protection is: 
+These next-generation protection engines provide [industry-best](/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) detection and blocking capabilities and ensure that protection is:
- **Accurate**: Threats both common and sophisticated, many which are designed to try to slip through protections, are detected and blocked. - **Real-time**: Threats are prevented from getting on to devices, stopped in real-time at first sight, or detected and remediated in the least possible time (typically within a few milliseconds).
These next-generation protection engines provide [industry-best](/windows/securi
## Hybrid detection and protection
-Microsoft Defender Antivirus does hybrid detection and protection. What this means is, detection and protection occur on the client device first, and works with the cloud for newly developing threats, which results in faster, more effective detection and protection.
+Microsoft Defender Antivirus does hybrid detection and protection. What this means is, detection and protection occur on the client device first, and works with the cloud for newly developing threats, which results in faster, more effective detection and protection.
-When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources.
+When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources.
-| On the client | In the cloud |
+|On the client|In the cloud|
|||
-| **Machine learning (ML) engine**<br/>A set of light-weight machine learning models make a verdict within milliseconds. These models include specialized models and features that are built for specific file types commonly abused by attackers. Examples include models built for portable executable (PE) files, PowerShell, Office macros, JavaScript, PDF files, and more. | **Metadata-based ML engine** <br/>Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened [monotonic models](https://www.microsoft.com/en-us/security/blog/2019/07/25/new-machine-learning-model-sifts-through-the-good-to-unearth-the-bad-in-evasive-malware/), analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution. |
-| **Behavior monitoring engine**<br/>The behavior monitoring engine monitors for potential attacks post-execution. It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules. | **Behavior-based ML engine**<br/>Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration. |
-| **Memory scanning engine**<br/>This engine scans the memory space used by a running process to expose malicious behavior that could be hiding through code obfuscation. | **Antimalware Scan Interface (AMSI)-paired ML engine**<br/>Pairs of client-side and cloud-side models perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks. These models include a pair of models for each of the scripting engines covered, including PowerShell, JavaScript, VBScript, and Office VBA macros. Integrations include both dynamic content calls and/or behavior instrumentation on the scripting engines. |
-| **AMSI integration engine**<br/>Deep in-app integration engine enables detection of fileless and in-memory attacks through [AMSI](/windows/desktop/AMSI/antimalware-scan-interface-portal), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side. | **File classification ML engine**<br/>Multi-class, deep neural network classifiers examine full file contents, provides an extra layer of defense against attacks that require more analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file. |
-| **Heuristics engine**<br/>Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats. | **Detonation-based ML engine**<br/>Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks. |
-| **Emulation engine**<br/>The emulation engine dynamically unpacks malware and examines how they would behave at runtime. The dynamic emulation of the content and scanning both the behavior during emulation and the memory content at the end of emulation defeat malware packers and expose the behavior of polymorphic malware. | **Reputation ML engine**<br/>Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Defender for Office 365 for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph. |
-| **Network engine**<br/>Network activities are inspected to identify and stop malicious activities from threats. | **Smart rules engine**<br/>Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats. |
+|**Machine learning (ML) engine** <br/> A set of light-weight machine learning models make a verdict within milliseconds. These models include specialized models and features that are built for specific file types commonly abused by attackers. Examples include models built for portable executable (PE) files, PowerShell, Office macros, JavaScript, PDF files, and more.|**Metadata-based ML engine** <br/> Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened [monotonic models](https://www.microsoft.com/security/blog/2019/07/25/new-machine-learning-model-sifts-through-the-good-to-unearth-the-bad-in-evasive-malware/), analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution.|
+|**Behavior monitoring engine** <br/> The behavior monitoring engine monitors for potential attacks post-execution. It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules.|**Behavior-based ML engine** <br/> Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration.|
+|**Memory scanning engine** <br/> This engine scans the memory space used by a running process to expose malicious behavior that could be hiding through code obfuscation.|**Antimalware Scan Interface (AMSI)-paired ML engine** <br/> Pairs of client-side and cloud-side models perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks. These models include a pair of models for each of the scripting engines covered, including PowerShell, JavaScript, VBScript, and Office VBA macros. Integrations include both dynamic content calls and/or behavior instrumentation on the scripting engines.|
+|**AMSI integration engine** <br/> Deep in-app integration engine enables detection of fileless and in-memory attacks through [AMSI](/windows/desktop/AMSI/antimalware-scan-interface-portal), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side.|**File classification ML engine** <br/> Multi-class, deep neural network classifiers examine full file contents, provides an extra layer of defense against attacks that require more analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file.|
+|**Heuristics engine** <br/> Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.|**Detonation-based ML engine** <br/> Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.|
+|**Emulation engine** <br/> The emulation engine dynamically unpacks malware and examines how they would behave at runtime. The dynamic emulation of the content and scanning both the behavior during emulation and the memory content at the end of emulation defeat malware packers and expose the behavior of polymorphic malware.|**Reputation ML engine** <br/> Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Defender for Office 365 for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.|
+|**Network engine** <br/> Network activities are inspected to identify and stop malicious activities from threats.|**Smart rules engine** <br/> Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.|
For more information, see [Microsoft 365 Defender demonstrates 100 percent protection coverage in the 2023 MITRE Engenuity ATT&CK&reg; Evaluations: Enterprise](https://www.microsoft.com/security/blog/2023/09/20/microsoft-365-defender-demonstrates-100-percent-protection-coverage-in-the-2023-mitre-engenuity-attck-evaluations-enterprise/). ## How next-generation protection works with other Defender for Endpoint capabilities
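Review bot: two wording defects are carried into the rebuilt table while the rows are being retyped: in the File classification ML engine cell, "classifiers examine full file contents, provides an extra layer" should read "providing an extra layer", and in the AMSI-paired ML engine cell "both dynamic content calls and/or behavior instrumentation" should be either "both ... and" or "and/or", not both. Dropping the en-us locale from the monotonic-models link is a good change. Consider also stating in the File classification cell that holding a suspicious file and submitting it for cloud classification happens only when cloud-delivered protection is enabled on the client, since the cell currently presents that step as unconditional.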
-Together with [attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), which includes advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall, [next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) engines deliver Microsoft Defender for Endpoint's prebreach capabilities, stopping attacks before they can infiltrate devices and compromise networks. 
+Together with [attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), which includes advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall, [next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) engines deliver Microsoft Defender for Endpoint's prebreach capabilities, stopping attacks before they can infiltrate devices and compromise networks.
As part of Microsoft's defense-in-depth solution, the superior performance of these engines accrues to the [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint) unified endpoint protection, where antivirus detections and other next-generation protection capabilities enrich endpoint detection and response, automated investigation and remediation, advanced hunting, threat and vulnerability management, managed threat hunting service, and other capabilities.
-These protections are further amplified through [Microsoft Defender XDR](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-xdr), Microsoft's comprehensive, end-to-end security solution for the modern workplace. Through [signal-sharing and orchestration of remediation across Microsoft's security technologies](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783), Microsoft Defender XDR secures identities, endpoints, email and data, apps, and infrastructure. 
+These protections are further amplified through [Microsoft Defender XDR](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-xdr), Microsoft's comprehensive, end-to-end security solution for the modern workplace. Through [signal-sharing and orchestration of remediation across Microsoft's security technologies](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783), Microsoft Defender XDR secures identities, endpoints, email and data, apps, and infrastructure.
-## Memory protection and memory scanning
+## Memory protection and memory scanning
-Microsoft Defender Antivirus (MDAV) provides memory protection with different engines:
+Microsoft Defender Antivirus (MDAV) provides memory protection with different engines:
|Client|Cloud| |:|:|
-|Behavior Monitoring | Behavior-based Machine Learning|
-|Antimalware Scan Interface(AMSI) integration | AMSI-paired Machine Learning|
-|Emulation |Detonation-based Machine Learning|
-|Memory scanning |N/A|
+|Behavior Monitoring|Behavior-based Machine Learning|
+|Antimalware Scan Interface(AMSI) integration|AMSI-paired Machine Learning|
+|Emulation|Detonation-based Machine Learning|
+|Memory scanning|N/A|
An additional layer to help prevent memory-based attacks is to use the Attack Surface Reduction (ASR) rule ΓÇô **Block Office applications from injecting code into other processes**. For more information see, [Block Office applications from injecting code into other processes](attack-surface-reduction-rules-reference.md#block-office-applications-from-injecting-code-into-other-processes). ## Frequently asked questions
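Review bot: "Antimalware Scan Interface(AMSI)" in the rebuilt row still lacks the space before the parenthesis, so the whitespace cleanup in this hunk misses the one visible typo. On the context line that follows, "For more information see," has the comma on the wrong side of "see".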
-### How many malware threats does Microsoft Defender Antivirus block per month? 
+### How many malware threats does Microsoft Defender Antivirus block per month?
[Five billion threats on devices every month](https://www.microsoft.com/en-us/security/blog/2019/05/14/executing-vision-microsoft-threat-protection/).
-### How does Microsoft Defender Antivirus memory protection help?
+### How does Microsoft Defender Antivirus memory protection help?
See [Detecting reflective DLL loading with Windows Defender for Endpoint](https://www.microsoft.com/security/blog/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/) to learn about one way Microsoft Defender Antivirus memory attack protection helps.
-### Do you all focus your detections/preventions in one specific geographic area? 
+### Do you all focus your detections/preventions in one specific geographic area?
-No, we are in all the geographical regions (Americas, EMEA, and APAC). 
+No, we are in all the geographical regions (Americas, EMEA, and APAC).
-### Do you all focus on specific industries? 
+### Do you all focus on specific industries?
-We focus on every industry. 
- 
-### Do your detection/protection require a human analyst? 
+We focus on every industry.
-When you're pen-testing, you should demand where no human analysts are engaged on detect/protect, to see how the actual antivirus engine (prebreach) efficacy truly is, and a separate one where human analysts are engaged. You can add [Microsoft Defender Experts for XDR](/microsoft-365/security/defender/dex-xdr-overview) a managed extended detection and response service to augment your SOC.
+### Do your detection/protection require a human analyst?
-The ***continuous iterative enhancement*** each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent [top scores in industry tests](/microsoft-365/security/defender/top-scoring-industry-tests), but more importantly, translate to [threats and malware outbreaks](https://www.microsoft.com/en-us/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) stopped and [more customers protected](https://www.microsoft.com/en-us/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/). 
- 
+When you're pen-testing, you should demand where no human analysts are engaged on detect/protect, to see how the actual antivirus engine (prebreach) efficacy truly is, and a separate one where human analysts are engaged.You can add [Microsoft Defender Experts for XDR](/microsoft-365/security/defender/dex-xdr-overview) a managed extended detection and response service to augment your SOC.
+
+The ***continuous iterative enhancement*** each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent [top scores in industry tests](/microsoft-365/security/defender/top-scoring-industry-tests), but more importantly, translate to [threats and malware outbreaks](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) stopped and [more customers protected](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/).
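Review bot: the moved pen-testing answer introduces a regression: "engaged.You" has lost the space after the period that the "-" line had. The sentence is also missing a noun in both versions ("you should demand where no human analysts are engaged" needs something like "demand a test run where no human analysts are engaged ... and a separate one where they are"), and the closing paragraph lacks its verb ("The continuous iterative enhancement each of these engines to be increasingly effective" needs "of" and a verb such as "enables"). The heading "Do your detection/protection require a human analyst?" should be "Does ...". Since this hunk relocates these lines anyway, fix them in the same change rather than carrying the defects under the new heading.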
security Amsi On Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/amsi-on-mdav.md
Title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"
+ Title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"
description: Describes fileless malware and how Microsoft Defender Antivirus uses AMSI to protect against hidden threats. -+ Previously updated : 02/27/2024 Last updated : 02/27/2024 ---
-ai-usage:
-- ai-assisted
+ms.localizationpriority:
+++
+search.appverid: MET150
+f1.keywords:
+audience:
+ai-usage:
+- ai-assisted
# Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus
__Applies to:__
- Microsoft Defender for Business - Microsoft Defender for Individuals
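Review bot: the front-matter changes look broken rather than intentional: a second "Title:" line is added with a leading space directly under the existing one, and "ms.localizationpriority:", "f1.keywords:" and "audience:" are added with empty values next to a bare "+++" line. Duplicate or indented keys and empty values in YAML front matter are likely to fail the build or silently drop metadata; either give the keys their values or drop them, and remove the stray line.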
+__Platforms:__
-__Platforms__
- Windows 10 and newer - Windows Server 2016 and newer - Microsoft Defender for Endpoint utilizes the anti-malware Scan Interface (AMSI) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article describes the benefits of AMSI integration, the types of scripting languages it supports, and how to enable AMSI for improved security. ## What is Fileless malware?+ Fileless malware plays a critical role in modern cyberattacks, using stealthy techniques to avoid detection. Several major ransomware outbreaks used fileless methods as part of their kill chains. Fileless malware uses existing tools that are already present on a compromised device, such as PowerShell.exe or wmic.exe. Malware can infiltrate a process, executing code within its memory space, and invoking these built-in tools. Attackers significantly reduce their footprint and evade traditional detection mechanisms.
-
-Because memory is volatile, and fileless malware doesn't place files on disk, establishing persistence by using fileless malware can be tricky. One example of how fileless malware achieved persistence was to create a registry run key that launches a ΓÇ£one-linerΓÇ¥ PowerShell cmdlet. This command launched an obfuscated PowerShell script that was stored in the registry BLOB. The obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry. The script stored in the registry ensured the malware persisted.
-Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:
+Because memory is volatile, and fileless malware doesn't place files on disk, establishing persistence by using fileless malware can be tricky. One example of how fileless malware achieved persistence was to create a registry run key that launches a ΓÇ£one-linerΓÇ¥ PowerShell cmdlet. This command launched an obfuscated PowerShell script that was stored in the registry BLOB. The obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry. The script stored in the registry ensured the malware persisted.
-- **Reflective DLL injection** Reflective DLL injection involves the manual loading of malicious DLLs into a process’ memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.
+Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:
-- **Memory exploits** Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, which lives entirely in the kernel’s memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.
+- **Reflective DLL injection** Reflective DLL injection involves the manual loading of malicious DLLs into a processΓÇÖ memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.
-- **Script-based techniques** Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.
+- **Memory exploits** Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, which lives entirely in the kernelΓÇÖs memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.
+
+- **Script-based techniques** Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.
> [!NOTE] > Do not disable PowerShell as a means to block fileless malware. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell. - **WMI persistence** Some attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings.
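Review bot: the `> [!NOTE]` about not disabling PowerShell sits between the `**Script-based techniques**` bullet and the `**WMI persistence**` bullet, so it cuts the techniques list in two and the WMI item renders as a separate one-item list after the callout; move the note below the WMI persistence bullet (or above the list) so the four techniques stay together. Separately, the re-added reflective-DLL and memory-exploit bullets now read `processΓÇÖ memory` and `kernelΓÇÖs memory` where the removed lines had `process’ memory` and `kernel’s memory`; that sequence is a UTF-8 curly apostrophe decoded as code page 437, so confirm the file is saved as UTF-8 and that the rendered page shows a plain apostrophe rather than the three-character sequence.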
-Microsoft Defender Antivirus blocks most malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Microsoft Defender Antivirus protects against fileless malware through these capabilities:
+Microsoft Defender Antivirus blocks most malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Microsoft Defender Antivirus protects against fileless malware through these capabilities:
-- Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation -- Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed -- Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
+- Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation
+- Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
+- Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
## Why AMSI? AMSI provides a deeper level of inspection for malicious software that employs obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating AMSI, Microsoft Defender for Endpoint offers extra layers of protection against advanced threats. - ### Supported Scripting Languages+ - PowerShell - Jscript - VBScript
If you use Microsoft Office 365, AMSI also supports JavaScript, VBA, and XLM.
AMSI doesn't currently support Python or Perl. ### Enabling AMSI+ To enable AMSI, you need to enable Script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md) Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender) ### AMSI resources+ [Anti-malware Scan Interface (AMSI) APIs](/windows/win32/amsi/antimalware-scan-interface-portal) are available for developers and antivirus vendors to implement. Other Microsoft products such as [Exchange](https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371) and [Sharepoint](https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/cyberattack-protection-by-default-and-other-enhancements-to/ba-p/3925641) also use AMSI
-integration.
+integration.
## More resources to protect against fileless attacks -- [Windows Defender Application Control and AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). Enforces strong code Integrity policies and to allow only trusted applications to run. In the context of fileless malware, WDAC locks down PowerShell to Constrained Language Mode, which limits the extended language features that can lead to unverifiable code execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects. This essentially mitigates PowerShell-based reflective DLL injection attacks.
+- [Windows Defender Application Control and AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). Enforces strong code Integrity policies and to allow only trusted applications to run. In the context of fileless malware, WDAC locks down PowerShell to Constrained Language Mode, which limits the extended language features that can lead to unverifiable code execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects. This essentially mitigates PowerShell-based reflective DLL injection attacks.
- [Attack surface reduction](overview-attack-surface-reduction.md) helps admins protect against common attack vectors. -- [Enable virtualization-based protection of code integrity](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity). Mitigates kernel-memory exploits through Hypervisor Code Integrity (HVCI), which makes it difficult to inject malicious code using kernel-mode software vulnerabilities.
+- [Enable virtualization-based protection of code integrity](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity). Mitigates kernel-memory exploits through Hypervisor Code Integrity (HVCI), which makes it difficult to inject malicious code using kernel-mode software vulnerabilities.
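Review bot: in the `Windows Defender Application Control and AppLocker` bullet the sentence `Enforces strong code Integrity policies and to allow only trusted applications to run.` does not parse, and the removed and re-added lines differ only in trailing whitespace, so this hunk leaves it broken; suggest `Enforces strong code integrity policies and allows only trusted applications to run.` Two smaller points in the same region: `Jscript` and `Sharepoint` are product names and should read `JScript` and `SharePoint`, and `To enable AMSI, you need to enable Script scanning` would help more if it named the setting, for example the `-DisableScriptScanning` preference of `Set-MpPreference` (`Set-MpPreference -DisableScriptScanning $false`), next to the existing links to the scan-options article and the Defender CSP.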
security Batch Delete Ti Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/batch-delete-ti-indicators.md
Last updated 07/31/2023
[!include[Improve request performance](../../../includes/improve-request-performance.md)] - ## API description Deletes [Indicator](ti-indicator.md) entities by ID.
POST https://api.securitycenter.microsoft.com/api/indicators/BatchDelete
## Request headers
-Name|Type|Description
-:|:|:
-Authorization | String | Bearer {token}. **Required**.
+|Name|Type|Description|
+|:|:|:|
+|Authorization | String | Bearer {token}. **Required**.|
## Request body
Here's an example of the request.
POST https://api.securitycenter.microsoft.com/api/indicators/BatchDelete ``` - ```json {
- "IndicatorIds": [ "1", "2", "5" ]
+ "IndicatorIds": [ "1", "2", "5" ]
} ```
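Review bot: the request body is the whole documented contract here, and neither `Deletes [Indicator](ti-indicator.md) entities by ID.` nor the example says what the response looks like or what happens when one of `"IndicatorIds": [ "1", "2", "5" ]` does not exist or the caller is not allowed to delete it (is the batch all-or-nothing, or are the remaining IDs still deleted?); add a response example and the partial-failure semantics next to the header table, which this hunk only re-pipes. Minor: the header table now uses leading and trailing pipes; apply the same style to the other API reference pages so the rendered tables match.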
security Behavior Monitor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavior-monitor.md
description: Learn about Behavior monitoring in Microsoft Defender Antivirus and
-+ audience: ITPro
search.appverid: met150
# Behavior monitoring in Microsoft Defender Antivirus **Applies to:**+ - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Business](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-business)-- [Microsoft Defender for Individuals](https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
- Microsoft Defender Antivirus
-Behavior monitoring is a critical detection and protection functionality of Microsoft Defender Antivirus.
-
-Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on signature-based detection (which identifies known malware patterns), behavior monitoring focuses on observing how software behaves in real-time. HereΓÇÖs what it entails:
+Behavior monitoring is a critical detection and protection functionality of Microsoft Defender Antivirus.
-1. Real-Time Threat Detection:
+Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on signature-based detection (which identifies known malware patterns), behavior monitoring focuses on observing how software behaves in real-time. HereΓÇÖs what it entails:
-- Continuously observe processes, file system activities, and interactions within the system. -- Defender Antivirus can identify patterns associated with malware or other threats. For example, it looks for processes making unusual changes to existing files, modifying or creating automatic startup registry (ASEP) keys, and other alterations to the file system or structure.
+1. Real-Time Threat Detection:
+ - Continuously observe processes, file system activities, and interactions within the system.
+ - Defender Antivirus can identify patterns associated with malware or other threats. For example, it looks for processes making unusual changes to existing files, modifying or creating automatic startup registry (ASEP) keys, and other alterations to the file system or structure.
-2. Dynamic Approach:
+2. Dynamic Approach:
-- Unlike static, signature-based detection, behavior monitoring adapts to new and evolving threats.
+- Unlike static, signature-based detection, behavior monitoring adapts to new and evolving threats.
-- Microsoft Defender Antivirus uses predefined patterns, and observes how software behaves during execution. For malware that doesnΓÇÖt fit any predefined pattern, Microsoft Defender Antivirus uses anomaly detection.
+- Microsoft Defender Antivirus uses predefined patterns, and observes how software behaves during execution. For malware that doesnΓÇÖt fit any predefined pattern, Microsoft Defender Antivirus uses anomaly detection.
-- If a program shows suspicious behavior (for example, attempting to modify critical system files), Microsoft Defender Antivirus can take action to prevent further harm, and revert some previous malware actions.
+- If a program shows suspicious behavior (for example, attempting to modify critical system files), Microsoft Defender Antivirus can take action to prevent further harm, and revert some previous malware actions.
-Behavior monitoring enhances Defender Antivirus’s ability to proactively detect emerging threats by focusing on real-time actions and behaviors rather than relying solely on known signatures.
+Behavior monitoring enhances Defender AntivirusΓÇÖs ability to proactively detect emerging threats by focusing on real-time actions and behaviors rather than relying solely on known signatures.
-The following features depend on behavior monitoring.
+The following features depend on behavior monitoring.
-**Anti-malware**
+**Anti-malware**:
-- Indicators, File hash, allow/block
+- Indicators, File hash, allow/block
-**Network Protection**
+**Network Protection**:
-- Indicators, IP address/URL, allow/block
+- Indicators, IP address/URL, allow/block
- Web Content Filtering, allow/block
-> [!NOTE]
-> Behavior monitoring is protected by tamper protection.
+> [!NOTE]
+> Behavior monitoring is protected by tamper protection.
To temporarily disable behavior monitoring in order to remove it out of the picture, you want to first enable Troubleshooting mode, disable Tamper Protection, and then disable behavior monitoring. ## Change the behavior monitoring policy+ The following table shows the different ways to configure behavior monitoring. | Management tool | Name | Links |
-|:|:|:|
+||||
| Security Settings Management | Allow behavior monitoring | This article | | Intune | Allow behavior monitoring | [Windows Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection) | | CSP | AllowBehaviorMonitoring | [Defender Policy CSP](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection) |
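Review bot: in the configuration table the `CSP` row links the text `[Defender Policy CSP]` to `/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection`, the same Intune page the `Intune` row above it links to, so the CSP row never reaches the CSP reference; point it at `/windows/client-management/mdm/policy-csp-defender` (the path the AMSI article in this same batch uses for the Defender CSP), ideally with the `AllowBehaviorMonitoring` anchor. Two wording points in the re-added intro: `Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files.` has no subject, so write `Behavior monitoring observes process behavior to detect ...` or fold it into the sentence before it; and the sub-bullets under `1. Real-Time Threat Detection:` are indented while those under `2. Dynamic Approach:` are not, so only the first set nests in the rendered list; indent both sets the same way.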
The following table shows the different ways to configure behavior monitoring.
If you use Microsoft Defender for Business, see [Review or edit your next-generation protection policies in Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-next-generation-protection). ## Modify the behavior monitoring settings by using PowerShell+ Use the following command to modify the behavior monitoring settings:
-`Set-MpPreference -DisableBehaviorMonitoring [true|false]`
+```powershell
+Set-MpPreference -DisableBehaviorMonitoring <true | false>
+```
-- `True` disables Behavior monitoring.
+- `True` disables Behavior monitoring.
- `False` enables Behavior monitoring.
-For more information, see [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring).
+For more information, see [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring).
## Query the behavior monitoring status from PowerShell
-`Get-MpComputerStatus | ft BehaviorMonitorEnabled`
+```powershell
+Get-MpComputerStatus | Format-Table BehaviorMonitorEnabled
+```
-If the value returned is `true`, behavior monitoring is enabled.
+If the value returned is `true`, behavior monitoring is enabled.
## Query the behavior monitoring status by using Advanced Hunting+ You can use Advanced Hunting (AH) to query the status of behavior monitoring. Requires Microsoft Defender XDR, Microsoft Defender for Endpoint Plan 2, or Microsoft Defender for Business.
-```
-let EvalTable = DeviceTvmSecureConfigurationAssessment
-| where ConfigurationId in ("scid-91")
-| summarize arg_max(Timestamp,IsCompliant, IsApplicable) by DeviceId, ConfigurationId,tostring(Context)
-| extend Test = case(
-ConfigurationId == "scid-91" , "BehaviorMonitoring",
-"N/A"),
-Result = case(IsApplicable == 0,"N/A",IsCompliant == 1 , "Enabled", "Disabled")
-| extend packed = pack(Test,Result)
-| summarize Tests = make_bag(packed) by DeviceId
-| evaluate bag_unpack(Tests);
-let DefUpdate = DeviceTvmSecureConfigurationAssessment
-| where ConfigurationId == "scid-2011"
-// | where isnotnull(Context)
-| extend Definition = parse_json(Context[0][0])
-| extend LastUpdated = parse_json(Context[0][2])
-| project DeviceId,Definition,LastUpdated;
-let DeviceInformation = DeviceInfo
-| where isnotempty(OSPlatform)
-| summarize arg_max(Timestamp,*) by DeviceId, DeviceName
-| project DeviceId, DeviceName, MachineGroup;
-let withNames = EvalTable
-| join kind = inner DeviceInformation on DeviceId
-| project-away DeviceId1
-| project-reorder DeviceName, MachineGroup;
-withNames | join kind = fullouter DefUpdate on DeviceId
-| project-away DeviceId1
+```kusto
+let EvalTable = DeviceTvmSecureConfigurationAssessment
+| where ConfigurationId in ("scid-91")
+| summarize arg_max(Timestamp,IsCompliant, IsApplicable) by DeviceId, ConfigurationId,tostring(Context)
+| extend Test = case(
+ConfigurationId == "scid-91" , "BehaviorMonitoring",
+"N/A"),
+Result = case(IsApplicable == 0,"N/A",IsCompliant == 1 , "Enabled", "Disabled")
+| extend packed = pack(Test,Result)
+| summarize Tests = make_bag(packed) by DeviceId
+| evaluate bag_unpack(Tests);
+let DefUpdate = DeviceTvmSecureConfigurationAssessment
+| where ConfigurationId == "scid-2011"
+// | where isnotnull(Context)
+| extend Definition = parse_json(Context[0][0])
+| extend LastUpdated = parse_json(Context[0][2])
+| project DeviceId,Definition,LastUpdated;
+let DeviceInformation = DeviceInfo
+| where isnotempty(OSPlatform)
+| summarize arg_max(Timestamp,*) by DeviceId, DeviceName
+| project DeviceId, DeviceName, MachineGroup;
+let withNames = EvalTable
+| join kind = inner DeviceInformation on DeviceId
+| project-away DeviceId1
+| project-reorder DeviceName, MachineGroup;
+withNames | join kind = fullouter DefUpdate on DeviceId
+| project-away DeviceId1
| sort by BehaviorMonitoring asc ``` ## Troubleshooting high CPU usage+ Detections related to behavior monitoring start with "[Behavior](/microsoft-365/security/defender/malware-naming#type)". When investigating high CPU usage in `MsMpEng.exe`, you can temporarily disable behavior monitoring to see if the issues continue. You can use Performance analyzer for Microsoft Defender Antivirus to find **\path\process**, **process** and/or **file extensions** that are contributing to the high cpu utilization. You can then add these items to [Contextual Exclusion](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md).
-For more information, see [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
+For more information, see [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
If you're seeing high CPU usage caused by behavior monitoring, continue troubleshooting the issue by reverting each of the following items in order. Re-enable behavior monitoring after reverting each item to identify where the problem might be.
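Review bot: in the Advanced Hunting query, `withNames | join kind = fullouter DefUpdate on DeviceId` followed by `| project-away DeviceId1` drops the device identity for every row that exists only on the `DefUpdate` side: in a full outer join those rows have an empty `DeviceId` and carry their key in `DeviceId1`, which is then projected away, so they come out with no device id and no `DeviceName`. Since the query's purpose is to annotate the evaluated devices with definition data, use `kind = leftouter`, or `extend DeviceId = coalesce(DeviceId, DeviceId1)` before the `project-away`. Two smaller items in the same block: `pack(Test,Result)` is the deprecated spelling of `bag_pack(Test,Result)`, and the `case(ConfigurationId == "scid-91", "BehaviorMonitoring", "N/A")` branch can never yield `"N/A"` because `where ConfigurationId in ("scid-91")` has already filtered to that id, so the `case` can be a plain `extend Test = "BehaviorMonitoring"`. In the PowerShell section above the query, `Set-MpPreference -DisableBehaviorMonitoring <true | false>` and the bullets `True disables` / `False enables` should use the PowerShell boolean literals `$true` and `$false`: the parameter is `[bool]`, and a bare `true` is bound as a string, which the cmdlet rejects with `Cannot convert value "System.String" to type "System.Boolean"`.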
If you're seeing high CPU usage caused by behavior monitoring, continue troubles
3. **security intelligence update**. If you're still encountering high CPU usage issues, contact Microsoft support and have your Client Analyzer data ready.
-
+ If behavior monitoring isn't causing the issue, use [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md) to collect log information. Collect two different logs using `a -c` and `a -a`. Have this information ready when you contact Microsoft support. For more information, see [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md).
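Review bot: `Collect two different logs using `a -c` and `a -a`` does not say what `a` is; spell out the tool and the command exactly as typed (the sentence points at the Performance analyzer and at the client-analyzer data-collection article, so name the executable whose `-c` and `-a` switches are meant), otherwise the reader cannot perform this step. Also, `3. **security intelligence update**. If you're still encountering high CPU usage issues, ...` is a bold noun with no action attached; phrase it as the instruction the intro promises (`revert the latest security intelligence update, then re-enable behavior monitoring`) so it reads like the other numbered steps.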
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
Title: Microsoft Defender for Endpoint data storage and privacy
description: Learn about how Microsoft Defender for Endpoint handles privacy and data that it collects. keywords: Microsoft Defender for Endpoint, data storage and privacy, storage, privacy, licensing, geolocation, data retention, data
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security - tier2
+- essentials-privacy
+- essentials-security
+- essentials-compliance
search.appverid: met150
security Device Control Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-policies.md
Title: Device control policies in Microsoft Defender for Endpoint
-description: Learn about Device control policies in Defender for Endpoint
+ Title: Device control policies in Microsoft Defender for Endpoint
+description: Learn about Device control policies in Defender for Endpoint
-+ Last updated 04/09/2024 audience: ITPro-+ - m365-security - tier2 - mde-asr
- partner-contribution search.appverid: MET150
+f1.keywords: NOCSH
# Device control policies in Microsoft Defender for Endpoint
f1.keywords: NOCSH
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Business](/microsoft-365/security/defender-business)
-This article describes device control policies, rules, entries, groups, and advanced conditions. Essentially, device control policies define access for a set of devices. The devices that are in scope are determined by a list of included device groups and a list of excluded device groups. A policy applies if the device is in all of the included device groups and none of the excluded device groups. If no policies apply, then the default enforcement is applied.
+This article describes device control policies, rules, entries, groups, and advanced conditions. Essentially, device control policies define access for a set of devices. The devices that are in scope are determined by a list of included device groups and a list of excluded device groups. A policy applies if the device is in all of the included device groups and none of the excluded device groups. If no policies apply, then the default enforcement is applied.
By default device control is disabled, so access to all types of devices is allowed. To learn more about device control, see [Device control in Microsoft Defender for Endpoint](device-control-overview.md). ## Controlling default behavior
-When device control is enabled, it's enabled for all device types by default. The default enforcement can also be changed from *Allow* to *Deny*. Your security team can also configure the types of devices that device control protects. The following table below illustrates how various combinations of settings change the access control decision.
+When device control is enabled, it's enabled for all device types by default. The default enforcement can also be changed from *Allow* to *Deny*. Your security team can also configure the types of devices that device control protects. The following table below illustrates how various combinations of settings change the access control decision.
| Is device control enabled? | Default behavior | Device types | |||| | No | Access is allowed | - CD/DVD drives <br/>- Printers <br/>- Removable media devices <br/>- Windows portable devices | | Yes | (Not specified) <br/>Access is allowed | - CD/DVD drives <br/>- Printers <br/>- Removable media devices <br/>- Windows portable devices | | Yes | Deny | - CD/DVD drives <br/>- Printers <br/>- Removable media devices <br/>- Windows portable devices |
-| Yes | Deny removable media devices and printers | - Printers and removable media devices (blocked) <br/>- CD/DVD drives and Windows portable devices (allowed) |
+| Yes | Deny removable media devices and printers | - Printers and removable media devices (blocked) <br/>- CD/DVD drives and Windows portable devices (allowed) |
When device types are configured, device control in Defender for Endpoint ignores requests to other device families.
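Review bot: the re-added sentence `The following table below illustrates how various combinations of settings change the access control decision.` says both `following` and `below`; keep one. In the table itself, only the `Deny removable media devices and printers` row marks each device type as `(blocked)` or `(allowed)`, while the `Yes | Deny` row just repeats the four device types with no marker; add `(blocked)` to that row so the two `Deny` rows read the same way and the reader does not have to infer that all four types are denied there.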
For schema details, see [JSON schema for Mac](https://github.com/microsoft/mdatp
Device control policies can be applied to users and/or user groups.
-> [!NOTE]
-> In the articles related to device control, groups of users are referred to as <i>user groups</i>. The term <i>groups</i> refer to [groups](#groups) defined in the device control policy.
+> [!NOTE]
+> In the articles related to device control, groups of users are referred to as <i>user groups</i>. The term <i>groups</i> refer to [groups](#groups) defined in the device control policy.
Using Intune, on either Mac and Windows, device control policies can be targeted to user groups defined in Entra Id.
-On Windows, a user or user group can be a condition on an [entry](#entries) in a policy.
+On Windows, a user or user group can be a condition on an [entry](#entries) in a policy.
-Entries with user or user groups can reference objects from either Entra Id or a local Active Directory.
+Entries with user or user groups can reference objects from either Entra Id or a local Active Directory.
### Best practices for using device control with users and user groups
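Review bot: the re-added note `The term <i>groups</i> refer to [groups](#groups) defined in the device control policy.` needs `refers`, and the context sentence `Using Intune, on either Mac and Windows, device control policies can be targeted to user groups defined in Entra Id.` should read `on either Mac or Windows`. The product name is `Microsoft Entra ID` (the entries table further down already writes `Microsoft Entra`), so replace `Entra Id` both in that sentence and in the re-added `Entries with user or user groups can reference objects from either Entra Id or a local Active Directory.`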
Entries with user or user groups can reference objects from either Entra Id or a
## Rules
-A rule defines the list of included groups and a list of excluded groups. For the rule to apply, the device must be in all of the included groups and none of the excluded groups. If the device matches the rule, then the entries for that rule are evaluated. An entry defines the action and notification options applied, if the request matches the conditions. If no rules apply or no entries match the request then the default enforcement is applied.
+A rule defines the list of included groups and a list of excluded groups. For the rule to apply, the device must be in all of the included groups and none of the excluded groups. If the device matches the rule, then the entries for that rule are evaluated. An entry defines the action and notification options applied, if the request matches the conditions. If no rules apply or no entries match the request then the default enforcement is applied.
For example, to allow write access for some USB devices, and read access for all other USB devices, use the following policies, groups, and entries with default enforcement set to deny.
The following code snippet shows the syntax for a device control policy rule in
<GroupId>{3f5253e4-0e73-4587-bb9e-bb29a2171695}</GroupId> <ExcludedIdList> <Entry Id="{e3837e60-5e56-43ce-8095-043ccd793eac}">
- …
+ ...
</Entry> <Entry Id="{34413b98-8198-4e16-accf-c95c3c775ba3}">
- …
+ ...
</Entry> </PolicyRule>
The following code snippet shows the syntax for a device control policy rule in
"3f5253e4-0e73-4587-bb9e-bb29a2171695" ] "entries": [
- …
+ ...
] }
The following table provides more context for the XML code snippet:
## Entries
-Device control policies define access (called an entry) for a set of devices. Entries define the action and notification options for devices that match the policy and the conditions defined in the entry.
+Device control policies define access (called an entry) for a set of devices. Entries define the action and notification options for devices that match the policy and the conditions defined in the entry.
| Entry setting | Options | |||
An entry supports the following optional conditions:
> [!NOTE] > For user groups and users that are stored in Microsoft Entra Id, use the object id in the condition. For user groups and users that are stored localy, use the Security Identifier (SID)
-> [!NOTE]
+> [!NOTE]
> On Windows, The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`. - Machine Condition: Applies the action only to the device/group identified by the SID
In Intune, the **Access mask** field has options, such as:
- **Read** (Disk Level Read = 1) - **Write** (Disk Level Write = 2) - **Execute** (Disk Level Execute = 4)-- **Print** (Print = 64).
+- **Print** (Print = 64).
Not all features are shown in the Intune user interface. For more information, see [Deploy and manage device control with Intune](device-control-deploy-manage-intune.md).
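Review bot: the note `The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`` mislabels the tool: `whoami` is the Windows `whoami.exe` command, not a PowerShell cmdlet, and `whoami /user` prints the current account's name and SID from either a command prompt or a PowerShell session, so say `by running whoami /user at a command prompt or in PowerShell`. Nearby: `stored localy` should be `stored locally`, and the re-added `- **Print** (Print = 64).` is the only bullet in the access-mask list that ends with a period; drop it to match the `Read`, `Write` and `Execute` bullets.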
The following table provides more context for the XML code snippet:
| `Option` | If type is `AuditAllowed` | - `0`: nothing<br/>- `1`: nothing <br/>- `2`: send event | | `Option` | If type is `AuditDenied` | - `0`: nothing <br/>- `1`: show notification <br/>- `2`: send event <br/>- `3`: show notification and send event | | `AccessMask` | Defines the access | See the following section [Understand mask access](#understand-mask-access-windows) |
-| `Sid` | Local user SID or user SID group, or the SID of the Microsoft Entra object or the Object ID. It defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the device. | SID |
-| `ComputerSid` | Local computer SID or computer SID group, or the SID of the Microsoft Entra object or the Object Id. It defines whether to apply this policy over a specific device or device group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the device. If you want to apply an Entry to a specific user and specific device, add both SID and ComputerSID into the same Entry. | SID |
+| `Sid` | Local user SID or user SID group, or the SID of the Microsoft Entra object or the Object ID. It defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the device. | SID |
+| `ComputerSid` | Local computer SID or computer SID group, or the SID of the Microsoft Entra object or the Object Id. It defines whether to apply this policy over a specific device or device group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the device. If you want to apply an Entry to a specific user and specific device, add both SID and ComputerSID into the same Entry. | SID |
| `Parameters` | Condition for an entry, such as network condition. | Can add groups (non-device types) or even put parameters into parameters. For more information, see the [advanced conditions](#advanced-conditions) section (in this article). | #### Understand mask access (Windows)
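Review bot: the `Sid` and `ComputerSid` rows (L442-L443) change only whitespace and leave two naming inconsistencies in place: the descriptions spell the property `ComputerSID` while the property column calls it `ComputerSid`, and `Object ID` in the `Sid` row becomes `Object Id` in the `ComputerSid` row. The phrase "an entry without any ComputerSID means to apply the policy over the device" also reads as a copy of the `Sid` row; for a device-scoping property the intended meaning is presumably that the entry applies regardless of device, so state that explicitly.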
-Device control applies an access mask to determine if the request matches the entry. The following actions are available on `CdRomDevices`, `RemovableMediaDevices`, and `WpdDevices`:
+Device control applies an access mask to determine if the request matches the entry. The following actions are available on `CdRomDevices`, `RemovableMediaDevices`, and `WpdDevices`:
| Access | Mask | |--|--|
The following actions are available on PrinterDevices:
- Access: Print - Mask: 64
-You can have multiple access settings by performing a binary OR operation. Here's an example:
+You can have multiple access settings by performing a binary OR operation. Here's an example:
- The AccessMask for Read and Write and Execute is 7 - The AccessMask for Read and Write is 3 - ### [**JSON (Mac)**](#tab/JSON) The following code snippet shows the syntax for a device control entry in JSON for macOS:
The following table provides more context for the JSON code snippet:
| Property name | Description | Options | |||| | `id` | GUID, a unique ID, represents the entry and is used in reporting and troubleshooting. | You can generate the ID by using PowerShell. |
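Review bot: the combination example at L451-L452 should say "bitwise OR" rather than "binary OR", and the two worked values (7 for Read, Write and Execute; 3 for Read and Write) would be easier to verify if each line also showed the operands taken from the mask table above, e.g. `Read | Write | Execute = 7`.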
-| `enforcement $type` | Defines the action for the removable storage groups in `includedGroups`. <br/>- `allow` <br/>- `deny` <br/>- `auditAllow`: Defines notification and event when access is allowed <br/>- `AuditDeny`: Defines notification and event when access is denied; has to work together with the Deny entry. <br/><br/>When there are conflict types for the same media, the system applies the first one in the policy. An example of a conflict type is Allow and Deny. | The `enforcement $type` attribute can be one of the following values:<br/>- `allow`<br/>- `deny`<br/>- `auditAllow`<br/>- `auditDeny` |
+| `enforcement $type` | Defines the action for the removable storage groups in `includedGroups`. <br/>- `allow` <br/>- `deny` <br/>- `auditAllow`: Defines notification and event when access is allowed <br/>- `AuditDeny`: Defines notification and event when access is denied; has to work together with the Deny entry. <br/><br/>When there are conflict types for the same media, the system applies the first one in the policy. An example of a conflict type is Allow and Deny. | The `enforcement $type` attribute can be one of the following values:<br/>- `allow`<br/>- `deny`<br/>- `auditAllow`<br/>- `auditDeny` |
| `enforcement $options` | If enforcement $type is allow | `disable_audit_allow`: If Allow occurs and the auditAllow is setting configured, the system doesn't send events. | | `enforcement $options` | If enforcement $type is deny | `disable_audit_deny`: If Block happens and the auditDeny is setting configured, the system doesn't show notifications or send events. | | `enforcement $options` | If enforcement $type is auditAllow | `send_event`: Sends telemetry | | `enforcement $options` | If enforcement $type is auditDeny | <br/>- `send_event`: Sends telemetry <br/>- `show_notification`: Displays block message to user |
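Review bot: in the `enforcement $type` row (L456) the description column lists `AuditDeny` with a capital A while the options column and the `enforcement $options` rows use `auditDeny`; these are literal JSON values, so the casing must match. "When there are conflict types for the same media, the system applies the first one in the policy" would also be clearer as "When two entries of conflicting type (for example allow and deny) match the same media, the first one in the policy wins."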
-| `$type` | The type of entry. The type determines the operations that can be protected by device control | The `$type` attributes can be any of the following values:<br/>- `removableMedia`<br/>- `appleDevice`<br/>- `PortableDevice`<br/>- `bluetoothDevice` |
-| `access` | A list of operations that this entry grants | See the next section, "Understand access on Mac" |
+| `$type` | The type of entry. The type determines the operations that can be protected by device control | The `$type` attributes can be any of the following values:<br/>- `removableMedia`<br/>- `appleDevice`<br/>- `PortableDevice`<br/>- `bluetoothDevice` |
+| `access` | A list of operations that this entry grants | See the next section, "Understand access on Mac" |
#### Understand access (Mac)
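Review bot: the `$type` row (L460) lists `PortableDevice` with a capital P, but every row of the access table below uses `portableDevice` (L480-L483); since `$type` is a literal JSON value, one spelling should be picked. "The `$type` attributes can be any of the following values" should also be singular ("attribute").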
-There are two kinds of access for an entry: generic and device type specific.
+There are two kinds of access for an entry: generic and device type specific.
- Generic access options include `generic_read`, `generic_write`, and `generic_execute`. - Device type specific access provides a finer granularity of control, because the device type specific access values are included in the generic access types.
The following table describes the device type specific access and how they map t
| Device Type ($type) | Device Type Specific Access | Description | Read | Write | Execute | |||||||
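Review bot: L464-L465 says device-specific access is finer-grained "because the device type specific access values are included in the generic access types"; the causal link is backwards as written. Suggest: "The generic access types are supersets: granting `generic_read`, for example, grants every device-specific access listed under Read in the table below."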
-| `appleDevice` | `backup_device` | | X | | |
-| `appleDevice` | `update_device` | | | X | |
-| `appleDevice` | `download_photos_from_device` | download photo(s) from the specific iOS device to local device | X | | |
-| `appleDevice` | `download_files_from_device` | download file(s) from the specific iOS device to local device | X | | |
+| `appleDevice` | `backup_device` | | X | | |
+| `appleDevice` | `update_device` | | | X | |
+| `appleDevice` | `download_photos_from_device` | download photo(s) from the specific iOS device to local device | X | | |
+| `appleDevice` | `download_files_from_device` | download file(s) from the specific iOS device to local device | X | | |
| `appleDevice` | `sync_content_to_device` | sync content from local device to specific iOS device | | X | |
-| `portableDevice` | `download_files_from_device` | X | | |
-| `portableDevice` | `send_files_to_device` | | | X | |
-| `portableDevice` | `download_photos_from_device` | | X | | |
+| `portableDevice` | `download_files_from_device` | X | | |
+| `portableDevice` | `send_files_to_device` | | | X | |
+| `portableDevice` | `download_photos_from_device` | | X | | |
| `portableDevice` | `debug` | ADB tool control | | | X |
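Review bot: the `portableDevice` `download_files_from_device` row (L480) is missing its Description cell, so the `X` lands in the Description column and the Read column is empty; it needs one more `|` so that it reads `| `portableDevice` | `download_files_from_device` | | X | | |`. Since this hunk touches that exact line for whitespace only, fixing the cell count here would avoid a second edit.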
-| `removableMedia` | `read` | | X | | |
-| `removableMedia` | `write` | | | X | |
+| `removableMedia` | `read` | | X | | |
+| `removableMedia` | `write` | | | X | |
| `removableMedia` | `execute` | | | | X | | `bluetoothDevice` | `download_files_from_device` | | X | | |
-| `bluetoothDevice` | `send_files_to_device` | | | X | |
+| `bluetoothDevice` | `send_files_to_device` | | | X | |
## Groups
-Groups define criteria for filtering objects by their properties. The object is assigned to the group if its properties match the properties defined for the group.
+Groups define criteria for filtering objects by their properties. The object is assigned to the group if its properties match the properties defined for the group.
> [!NOTE]
-> Groups in this section **do not** refer to [user groups](#users).
+> Groups in this section **do not** refer to [user groups](#users).
For example: - Allowed USBs are all the devices that match any of these manufacturers - Lost USBs are all the devices that match any of these serial numbers-- Allowed printers are all the devices that match any of these VID/PID
+- Allowed printers are all the devices that match any of these VID/PID
The properties can be matched in four ways: `MatchAll`, `MatchAny`, `MatchExcludeAll`, and `MatchExcludeAny`
Groups are used two ways: to select devices for inclusion/exclusion in rules, a
| Type | Description | O/S | Include/Exclude Rules | Advanced conditions | ||||||
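Review bot: the sentence at L499 is missing its terminal period, and `MatchAll`, `MatchAny`, `MatchExcludeAll` and `MatchExcludeAny` are introduced by name only; a one-line definition of each (or a link to where they are defined) would help a reader who reaches this section directly. The added bullet at L498 itself is fine.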
-| Device (default) | Filter devices and printers | Windows/Mac | X | |
+| Device (default) | Filter devices and printers | Windows/Mac | X | |
| Network | Filter network conditions | Windows | | X | | VPN Connection | Filter VPN conditions | Windows | | X | | File | Filter file properties | Windows | | X |
The devices that are in scope for the policy determined by a list of included gr
| `VID` | Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. | Y | Y | N | | `APFS Encrypted` | If the device is APFS encrypted | N | Y | N | - ### Using Windows Device Manager to determine device properties
-For Windows devices, you can use Device Manager to understand the properties of devices.
+For Windows devices, you can use Device Manager to understand the properties of devices.
1. Open Device Manager, locate the device, right-click on **Properties**, and then select the **Details** tab.
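Review bot: step 1 at L509 says "right-click on **Properties**"; the sequence is right-click the device, select **Properties**, and then select the **Details** tab. L508 only trims whitespace, so the step text next to it could be corrected in the same pass.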
-2. In the Property list, select **Device instance path**.
+2. In the Property list, select **Device instance path**.
The value shown for device instance path is the `InstancePathId`, but it also contains other properties:
For Windows devices, you can use Device Manager to understand the properties of
| Parent | `VID_PID` | | DeviceInstancePath | `InstancePathId` | - ### Using reports and advanced hunting to determine properties of devices Device properties have slightly different labels in advanced hunting. The table below maps the labels in the portal to the `propertyId` in a device control policy.
Device properties have slightly different labels in advanced hunting. The table
| DeviceId | `InstancePathId` | | Serial Number | `SerialNumberId` | - > [!NOTE] > Make sure that the object selected has the correct Media Class for the policy. In general, for removable storage, use `Class Name == USB`.
Device properties have slightly different labels in advanced hunting. The table
You can configure groups in Intune, by using an XML file for Windows, or by using a JSON file on Mac. Select each tab for more details. > [!NOTE]
-> The `Group Id` in XML and `id` in JSON is used to identify the group within device control. Its not a reference to any other such as a [user group](#users) in Entra Id.
+> The `Group Id` in XML and `id` in JSON is used to identify the group within device control. Its not a reference to any other such as a [user group](#users) in Entra Id.
### [**Intune**](#tab/Removable)
Reusable settings in Intune map to device groups. You can configure reusable set
:::image type="content" source="media/device-control-groups-reusablesettings.png" alt-text="Screenshot of configuring reusable settings in Intune." lightbox="media/device-control-groups-reusablesettings.png":::
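Review bot: L520 keeps "Its not a reference to any other such as a [user group]"; it should read "It's not a reference to any other object, such as a user group in Microsoft Entra ID" (missing apostrophe and missing noun). The product name is also "Microsoft Entra ID", not "Entra Id".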
-There are two types of groups: Printer Device and Removable Storage. The following table lists the properties for these groups.
+There are two types of groups: Printer Device and Removable Storage. The following table lists the properties for these groups.
| Group type | Properties | |||
The following XML snippet shows the syntax for matching groups:
<Group Id="{3f5253e4-0e73-4587-bb9e-bb29a2171694}"> <MatchType>MatchAny</MatchType> <DescriptorIdList>
- …
+ ...
</DescriptorIdList> </Group>
The following table describes properties for groups.
| `MatchType` | The matching algorithm used | - `MatchAny`<br/>- `MatchAll`<br/>- `MatchExcludeAll`<br/>- `MatchExcludeAny` | | `DescriptionIdList` | The list of properties evaluated for inclusion in the group | See [DescriptionIdList properties](#descriptionidlist-properties) (section after this table) | - #### DescriptionIdList properties The properties described in the following table can be included in the `DescriptionIdList`:
The following JSON snippet shows the syntax for defining groups on Mac:
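Review bot: the property table at L533 refers to `DescriptionIdList` (and the heading "DescriptionIdList properties") while the XML at L528 and L531, and the file-group text at L542, use `DescriptorIdList`; the element name is what appears in policy XML, so the table and its anchor should say `DescriptorIdList`. Replacing `…` with `...` at L530 is fine, but an XML comment such as `<!-- one or more descriptor elements -->` would make clearer that the placeholder is not literal content.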
"query": { "$type": "or", "clauses": [
- …
+ ...
] } }
Then the group is then referenced as parameters in an entry, as illustrated in t
``` - ### File Conditions The following table describes file group properties:
The following table describes file group properties:
The following table illustrates how properties are added to the `DescriptorIdList` of a file group: ```xml
-
+ <Group Id="{e5f619a7-5c58-4927-90cd-75da2348a30f}" Type="File" MatchType="MatchAny"> <DescriptorIdList> <PathId>*.exe</PathId>
The group is then referenced as parameters in an entry, as illustrated in the fo
``` - ### Print Job Conditions The following table describes `PrintJob` group properties:
With device control, you can store evidence of files that were copied to removab
The `FileEvidenceLocation` field of has the location of the evidence file, if one is created. The evidence file has a name which ends in `.dup`, and its location is controlled by the `DataDuplicationFolder` setting. - ## Next steps - [View device control events and information in Microsoft Defender for Endpoint](device-control-report.md)
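Review bot: the file-group example added at L544 sets `MatchType="MatchAny"` as an attribute on `<Group>`, whereas the group syntax at L528 expresses it as a `<MatchType>MatchAny</MatchType>` child element; state whether both forms are accepted or align the two examples so a reader does not copy an unsupported shape. "The `FileEvidenceLocation` field of has the location" at L548 also has a stray "of".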
security Elam On Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/elam-on-mdav.md
audience: ITPro
# Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus
-**Applies to:** 
-
+**Applies to:**
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) -- Microsoft Defender for Business -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) -- Microsoft Defender for Individual 
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- Microsoft Defender for Business
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- Microsoft Defender for Individual
**Platforms:**-- Windows 11, Windows 10, Windows 8.1, Windows 8 -- Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 
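Review bot: "Microsoft Defender for Individual" at L559 should be "Microsoft Defender for Individuals" (as at L604). The list also gives Plan 1 and Plan 2 the same `linkid=2154037` URL (L556, L558), so confirm the Plan 1 link.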
+- Windows 11, Windows 10, Windows 8.1, Windows 8
+- Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
+
+Detecting malware that starts early in the boot cycle was a challenge before Windows 8. In August 2012, Microsoft Defender Antivirus (MDAV) for Windows 8 or later, and Windows Server 2012 and later incorporated a new feature called the [Early Launch Antimalware (ELAM)](/windows/compatibility/early-launch-antimalware) driver. ELAM combats early boot threats (for example, rootkits or malicious drivers that can hide from detection) by using a Wdboot.sys driver that starts before other boot-start drivers. ELAM enables the evaluation of other drivers, and helps the Windows kernel decide whether those drivers should be initialized.
-Detecting malware that starts early in the boot cycle was a challenge before Windows 8. To combat early boot threats such as rootkits or malicious drivers that can hide from detection, as of August 1, 2012, Microsoft Defender Antivirus (MDAV) for Windows 8 and newer, or Windows Server 2012 and newer, incorporated a new feature called [Early Launch Antimalware (ELAM)](/windows/compatibility/early-launch-antimalware) driver. Microsoft Defender Antivirus uses Wdboot.sys driver that starts before other boot-start drivers, enables the evaluation of those drivers, and helps the Windows kernel decide whether they should be initialized. 
+## Where are the ELAM detections logged?
-### Where is the ELAM detection(s) logged?
-The ELAM detection is logged in the same location as the other Microsoft Defender Antivirus threats, such as [Event ID 1006](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus).
+The ELAM detection is logged in the same location as the other Microsoft Defender Antivirus threats, such as [Event ID 1006](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus).
+
+## How do I keep the MDAV ELAM driver up to date?
-### How do I keep the MDAV ELAM driver up to date?
The MDAV ELAM driver ships with the monthly ΓÇ£[Platform update](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates).ΓÇ¥
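Review bot: the rewritten paragraph at L564 says "ELAM combats early boot threats ... by using a Wdboot.sys driver", which attributes the driver to ELAM itself; ELAM is the Windows mechanism and `WdBoot.sys` is Microsoft Defender Antivirus's ELAM driver, which the removed sentence at L565 stated correctly. Suggest: "Microsoft Defender Antivirus implements ELAM with its `WdBoot.sys` driver, which starts before other boot-start drivers, evaluates them, and helps the Windows kernel decide whether they should be initialized." Use the `WdBoot.sys` spelling consistently with L586, and note that the specific date in the removed text (August 1, 2012) is lost in the rewrite, so decide which is intended.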
-### Can the Early Launch Antimalware (ELAM) policy be modified? 
-ELAM can be modified here: 
-**Computer Configuration > Administrative Templates > System > Early Launch Antimalware.**
+## Can the Early Launch Antimalware (ELAM) policy be modified?
+
+ELAM can be modified here:
+
+**Computer Configuration** \> **Administrative Templates** \> **System** \> **Early Launch Antimalware**
+
+## How can I check that the MDAV ELAM driver is loaded?
+
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch
+BackupPath (string) C:\Windows\\[ELAMBKUP](/windows-hardware/drivers/install/elam-driver-requirements)\WdBoot.sys (value)
+
+## How do I revert the MDAV ELAM driver to a previous version?
-### How can I check that the MDAV ELAM driver is loaded?
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch 
-BackupPath (string) C:\Windows\\[ELAMBKUP](/windows-hardware/drivers/install/elam-driver-requirements)\WdBoot.sys (value)
+C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>\MpCmdRun.exe -[RevertPlatform](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus).
-### How do I revert the MDAV ELAM driver to a previous version?
-C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>\MpCmdRun.exe -[RevertPlatform](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus)<br>
For example:
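Review bot: the "How can I check that the MDAV ELAM driver is loaded?" answer (L585-L586) gives a registry key and a `BackupPath` value but no instruction; say what the reader should verify (that `BackupPath` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch` points at `WdBoot.sys`), and note that this key records the backup location rather than load state, so say how load state is verified if that is the intent. The `\\[ELAMBKUP]` at L586 renders with a doubled backslash; check the escaping. For L588/L592, the heading promises to revert the ELAM driver but the command is `MpCmdRun.exe -RevertPlatform`; since L573 says the ELAM driver ships with the platform update, say explicitly that the whole antimalware platform is reverted, and drop the stray period after the link.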
-```C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MpCmdRun.exe -RevertPlatform```
+```dos
+C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MpCmdRun.exe -RevertPlatform
+```
security Hardware Acceleration And Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/hardware-acceleration-and-mdav.md
audience: ITPro
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)  
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)
- Microsoft Defender Antivirus - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
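Review bot: the Plan 1 link at L603 (`fwlink/?linkid=2154037`) differs from the Plan 2 link in the same list (`fwlink/p/?linkid=2154037`) only by the `/p/` segment, and the ELAM article in this changeset uses `/p/` for both plans (L556, L558); pick one form for the shared "Applies to" list.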
security Linux Support Offline Security Intelligence Update https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-offline-security-intelligence-update.md
Mirror Server is any server in the customer's environment that can connect to th
Key benefits include: -- Ability to control and manage the frequency of signature downloads on the local server & the frequency at which endpoints pull the signatures from the local server.
+- Ability to control and manage the frequency of signature downloads on the local server & the frequency at which endpoints pull the signatures from the local server.
- Adds an extra layer of protection & control as the downloaded signatures can be tested on a test device before being propagated to the entire fleet.-- Reduces network bandwidth as now only one local server will poll MS cloud to get the latest signatures on behalf of your entire fleet.
+- Reduces network bandwidth as now only one local server will poll MS cloud to get the latest signatures on behalf of your entire fleet.
- Local server can run any of the three OS - Windows, Mac, Linux, and isn't required to install Defender for Endpoint.-- Provides the most up to date antivirus protection as signatures are always downloaded along with the latest compatible AV engine.
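Review bot: L610 abbreviates "MS cloud" while the rest of the section says "Microsoft cloud" (L613, L615); also prefer "polls" over "will poll", matching the present tense used in the other bullets.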
+- Provides the most up to date antivirus protection as signatures are always downloaded along with the latest compatible AV engine.
- In each iteration, signature with n-1 version is moved to a backup folder on the local server. If there's any issue with the latest signature, you can pull the n-1 signature version from the backup folder to your endpoints. - On the rare occasion the offline update fails, you can also choose to fallback to online updates from Microsoft cloud(traditional method).
Key benefits include:
- Organizations need to set up a Mirror Server, which is a local Web/NFS server that is reachable by the Microsoft cloud. - Signatures are downloaded from Microsoft Cloud on this Mirror Server by executing a script using cron job/task scheduler on the local server.-- Linux endpoints running Defender for Endpoint pull the downloaded signatures from this Mirror Server at a user-defined time interval.
+- Linux endpoints running Defender for Endpoint pull the downloaded signatures from this Mirror Server at a user-defined time interval.
- Signatures pulled on the Linux endpoints from the local server are first verified before loading it into the AV engine. - To trigger and configure the update process, update the managed config json file on the Linux endpoints. - The status of the update can be seen on the mdatp CLI.
Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd
## Prerequisites -- Defender for Endpoint version "101.24022.0001" or higher needs to be installed on the Linux endpoints.
+- Defender for Endpoint version "101.24022.0001" or higher needs to be installed on the Linux endpoints.
- The Linux endpoints need to have connectivity to the Mirror Server. - The Mirror Server can be either an HTTP/ HTTPS server or a network share server. For example, an NFS Server. - The Mirror Server needs to have access to the following URLs:
- - https://github.com/microsoft/mdatp-xplat.git
- - https://go.microsoft.com/fwlink/?linkid=2144709
+ - `https://github.com/microsoft/mdatp-xplat.git`
+ - `https://go.microsoft.com/fwlink/?linkid=2144709`
- The following operating systems are supported on the Mirror Server:
- - Linux (Any Flavor)
- - Windows (Any Version)
- - Mac (Any version)
+ - Linux (Any Flavor)
+ - Windows (Any Version)
+ - Mac (Any version)
- The Mirror Server should support bash or PowerShell. - The following minimum system specifications are required for the Mirror Server:
- | CPU Core | RAM | Free disk | Swap |
+ | CPU Core| RAM | Free disk | Swap |
|--|--|--|--|
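Review bot: the new header row at L635 drops the space before the pipe in `CPU Core|` while the other cells keep the `| RAM |` spacing; keep `| CPU Core | RAM | Free disk | Swap |` for consistency with the data row at L638.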
- | 2 cores (Preferred 4 Core) | 1 GB Min (Preferred 4 GB) | 2 GB | System Dependent|
+ | 2 cores (Preferred 4 Core) | 1 GB Min (Preferred 4 GB) | 2 GB | System Dependent|
> [!NOTE] > This configuration may vary depending on the number of requests that are served and the load each server must process.
Follow these steps to get the downloader script:
After cloning the repo/downloaded zip file, the local directory structure should be as follows:
-```
+```console
user@vm:~/mdatp-xplat$ tree linux/definition_downloader/ linux/definition_downloader/ Γö£ΓöÇΓöÇ README.md
The `settings.json` file consists of a few variables that the user can configure
### Execute the offline security intelligence downloader script To manually execute the downloader script, configure the parameters in the `settings.json` file as per the description in the previous section, and use one of the following commands based on the OS of the Mirror Server:+ - Bash:
- `./xplat_offline_updates_download.sh`
+
+ ```bash
+ ./xplat_offline_updates_download.sh
+ ```
+ - PowerShell:
- `./xplat_offline_updates_download.ps1`
+
+ ```powershell
+ ./xplat_offline_updates_download.ps1
+ ```
> [!NOTE] > Schedule a [cron job](#scheduling-a-cron-job) to execute this script to download the latest security intelligence updates in the Mirror Server at regular intervals.
Once the Mirror Server is set up, we need to propagate this URL to the Linux end
- Use the following sample `mdatp_managed.json` and update the parameters as per the configuration and copy the file to the location `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`.
-```
+```json
{ "cloudService": { "automaticDefinitionUpdateEnabled": true,
Once the Mirror Server is set up, we need to propagate this URL to the Linux end
### Verify the configuration
- To test if the settings are applied correctly on the Linux endpoints, run the following command:
-```
+To test if the settings are applied correctly on the Linux endpoints, run the following command:
+
+```bash
mdatp health --details definitions ``` For example, a sample output would look like:
-```
+```console
user@vm:~$ mdatp health --details definitions automatic_definition_update_enabled : true [managed] definitions_updated : Mar 14, 2024 at 12:13:17 PM
offline_definition_update_fallback_to_cloud : false[managed]
## Triggering the Offline Security Intelligence Updates ### Automatic update+ - If the fields `automaticDefinitionUpdateEnabled` and 'offline_definition_update' in the managed json are set to true, then the offline security intelligence updates are triggered automatically at periodic intervals. - By default, this periodic interval is 8 hours. But it can be configured by setting the `definitionUpdatesInterval` in the managed json. ### Manual update+ - In order to trigger the offline security intelligence update manually to download the signatures from the Mirror Server on the Linux endpoints, run the command:
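Review bot: L676 quotes 'offline_definition_update' with straight quotes while the neighbouring key `automaticDefinitionUpdateEnabled` is in code formatting; use backticks for both, and since `offline_definition_update` is the name shown in the `mdatp health` output (L686) rather than necessarily the managed JSON key, name the key the reader must set in `mdatp_managed.json` if it differs.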
- `mdatp definitions update`
+
+ ```bash
+ mdatp definitions update
+ ```
### Check update status+ - After triggering the offline security intelligence update by either the automatic or manual method, verify that the update was successful by running the command: `mdatp health --details --definitions`. - Verify the following fields:
- ```
+ ```console
user@vm:~$ mdatp health --details definitions ... definitions_status : "up_to_date"
offline_definition_update_fallback_to_cloud : false[managed]
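Review bot: L682 tells the reader to run `mdatp health --details --definitions` (two dashes before `definitions`) while every other occurrence, including the sample output just reformatted at L685 and the command at L671, uses `mdatp health --details definitions`; one of these is a typo and should be corrected while this block is being touched.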
### Common Troubleshooting Steps -- Check the status of the offline security intelligence update feature by using the command: `mdatp health --details definitions`
- - This should provide us with some user-friendly message in the `definitions_update_fail_reason` section.
- - Check if `offline_definition_update` and `offline_definition_update_verify_sig` is enabled.
- - Check if `definitions_update_source_uri` is equal to `offline_definition_url_configured`
- - `definitions_update_source_uri` is the source from where the signatures were downloaded.
- - `offline_definition_url_configured` is the source from where signatures should be downloaded, the one mentioned in the managed config file.
-- Try performing the connectivity test to check if Mirror Server is reachable from the host:
- - `mdatp connectivity test`
-- Try to trigger manual update using the command:
- - `mdatp definitions update`
+- Check the status of the offline security intelligence update feature by using the command:
+
+ ```bash
+ mdatp health --details definitions
+ ```
+
+ - This command should provide us with some user-friendly message in the `definitions_update_fail_reason` section.
+ - Check if `offline_definition_update` and `offline_definition_update_verify_sig` is enabled.
+ - Check if `definitions_update_source_uri` is equal to `offline_definition_url_configured`
+ - `definitions_update_source_uri` is the source from where the signatures were downloaded.
+ - `offline_definition_url_configured` is the source from where signatures should be downloaded, the one mentioned in the managed config file.
+
+- Try performing the connectivity test to check if Mirror Server is reachable from the host:
+
+ ```bash
+ mdatp connectivity test
+ ```
+
+- Try to trigger manual update using the command:
+
+ ```bash
+ mdatp definitions update
+ ```
## Useful Links
offline_definition_update_fallback_to_cloud : false[managed]
- [GitHub repo](https://github.com/microsoft/mdatp-xplat) ### Scheduling a cron job+ - [Schedule a cron job in Linux](https://phoenixnap.com/kb/set-up-cron-job-linux) - [Schedule a cron job in macOS](https://phoenixnap.com/kb/cron-job-mac) - [Schedule a cron job in Windows](https://phoenixnap.com/kb/cron-job-windows)
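Review bot: L704 "Check if `offline_definition_update` and `offline_definition_update_verify_sig` is enabled" needs "are enabled", and L705 lacks a period. The restructured list reads well otherwise; consider also saying what a successful result looks like (L685 shows `definitions_status : "up_to_date"`) so the reader knows when to stop troubleshooting.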
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier3 - mde-macos
Last updated 02/29/2024
[!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Process|A specific process (specified either by the full path or file name) and
File, folder, and process exclusions support the following wildcards:
-Wildcard|Description|Examples|
-||
-\*|Matches any number of any characters including none (note if this wildcard is not used at the end of the path then it will substitute only one folder)| `/var/*/tmp` includes any file in `/var/abc/tmp` and its subdirectories, and `/var/def/tmp` and its subdirectories. It does not include `/var/abc/log` or `/var/def/log` <p> <p> `/var/*/` includes any file in `/var` and its subdirectories.
-?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not`file123.log`
+|Wildcard|Description|Examples|
+||||
+|\*|Matches any number of any characters including none (note if this wildcard is not used at the end of the path then it will substitute only one folder)| `/var/*/tmp` includes any file in `/var/abc/tmp` and its subdirectories, and `/var/def/tmp` and its subdirectories. It does not include `/var/abc/log` or `/var/def/log` <p> <p> `/var/*/` includes any file in `/var` and its subdirectories.|
+|?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not `file123.log`|
+ > [!NOTE] > When using the * wildcard at the end of the path, it will match all files and subdirectories under the parent of the wildcard.
+>
+> The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist.
+## Best practices for adding antimalware exclusions for Microsoft Defender for Endpoint on macOS.
-> [!NOTE]
-> The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist.
+1. Write down why an exclusion was added to a central location where only SecOps and/or Security Administrator have access.
+
+ e.g. Submitter, date, app name, reason, and exclusion information.
+
+1. Make sure to have an expiration date* for the exclusions
+
+ *except for apps that the ISV stated that there is no additional tweaking that could be done to prevent the false positive or higher cpu utilization from occurring.
+
+1. Avoid migrating 3rd party antimalware exclusions since they may no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS.
+
+1. Order of exclusions to consider top (more secure) to bottom (least secure):
+
+ 1. Indicators - Certificate - allow
+
+ 1. Add an extended validation (EV) code signing.
+
+ 1. Indicators - File hash - allow
+
+ 1. If a process or daemon doesn't change often, e.g. the app doesn't have a monthly security update.
+
+ 1. Path & Process
+
+ 1. Process
+
+ 1. Path
-## Best practices for adding antimalware exclusions for Microsoft Defender for Endpoint on macOS. 
-
-1. Write down why an exclusion was added to a central location where only SecOps and/or Security Administrator have access.
-
- e.g. Submitter, date, app name, reason, and exclusion information.  
-
-1. Make sure to have an expiration date* for the exclusions 
-
- *except for apps that the ISV stated that there is no additional tweaking that could be done to prevent the false positive or higher cpu utilization from occurring.
-
-1. Avoid migrating 3rd party antimalware exclusions since they may no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS. 
-
-1. Order of exclusions to consider top (more secure) to bottom (least secure): 
-
- 1. Indicators - Certificate - allow 
-
- 1. Add an extended validation (EV) code signing. 
-
- 1. Indicators - File hash - allow 
-
- 1. If a process or daemon doesn't change often, e.g. the app doesn't have a monthly security update. 
-
- 1. Path & Process 
-
- 1. Process
-
- 1. Path 
-
1. Extension
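Review bot: L751 reads "may no longer be applicable nor applicable", a duplicated word; suggest "may no longer be applicable, or may not apply at all, to Microsoft Defender for Endpoint on macOS". Also in this hunk: the heading at L740 ends with a period; the asterisk footnote at L747/L749 ("expiration date*" ... "*except for apps ...") is fragile in Markdown and reads better as a NOTE block; "Add an extended validation (EV) code signing" at L757 is a fragment ("Use an extended validation (EV) code-signing certificate"); and the wildcard table at L735 uses `<p> <p>` for a line break inside a cell where the other tables in this changeset use `<br/>`.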
-
+ ## How to configure the list of exclusions ### From the Microsoft Defender for Endpoint Security Settings management console
For more information on how to configure exclusions from JAMF, Intune, or anothe
1. Open the Defender for Endpoint application and navigate to **Manage settings** \> **Add or Remove Exclusion...**, as shown in the following screenshot:
+ :::image type="content" source="mediatp-37-exclusions.png":::
2. Select the type of exclusion that you wish to add and follow the prompts.
For example, to add `EICAR-Test-File (not a virus)` (the threat name associated
```bash mdatp threat allowed add --name "EICAR-Test-File (not a virus)" ```+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
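Review bot: the moved best-practices list carries over two unfinished sentences from the removed block. "Avoid migrating 3rd party antimalware exclusions since they may no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS." repeats "applicable" and should read along the lines of "... since they may no longer be needed, and may not apply to Microsoft Defender for Endpoint on macOS.", and the sub-item "Add an extended validation (EV) code signing." has no object (presumably: the binary must be signed with such a certificate before a certificate allow indicator is an option). Because the list is presented as an ordering from "more secure" to "least secure", one clause of rationale per entry would make it actionable: a certificate indicator allows every binary signed by that certificate, a file hash pins one exact build and must be refreshed when the app updates (which is why the text limits it to processes that don't change often), and a bare path exclusion is reusable by anything later written into that path. Separately, the added image reference `:::image type="content" source="mediatp-37-exclusions.png":::` has no `alt-text` attribute, unlike the other `:::image` references in this change set, and its `source` value lacks the `media/` directory prefix those references use.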
security Mac Support Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf-overview.md
Last updated 03/01/2024 -+ # Overview for how to troubleshoot performance issues for Microsoft Defender for Endpoint on macOS
security Mac Troubleshoot Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier3 - mde-macos
Last updated 02/06/2024
This article describes how to enable the troubleshooting mode in Microsoft Defender for Endpoint on macOS so admins can troubleshoot various Microsoft Defender Antivirus features temporarily, even if organizational policies manage the devices.
-For example, if the tamper protection is enabled, certain settings can't be modified or turned off, but you can use troubleshooting mode on the device to edit those settings temporarily.
+For example, if the tamper protection is enabled, certain settings can't be modified or turned off, but you can use troubleshooting mode on the device to edit those settings temporarily.
Troubleshooting mode is disabled by default, and requires you to turn it on for a device (and/or group of devices) for a limited time. Troubleshooting mode is exclusively an enterprise-only feature, and requires access to [Microsoft Defender XDR portal](https://security.microsoft.com/).
Troubleshooting mode is disabled by default, and requires you to turn it on for
During the troubleshooting mode, you can: -- Use Microsoft Defender for Endpoint on macOS functional troubleshooting /application compatibility (false positives). -- Local admins, with appropriate permissions, can change the following policy locked configurations on individual endpoints:
+- Use Microsoft Defender for Endpoint on macOS functional troubleshooting /application compatibility (false positives).
+- Local admins, with appropriate permissions, can change the following policy locked configurations on individual endpoints:
| Setting | Enable | Disable/Remove | | -| - | -| | Real-Time Protection/ Passive mode / On-Demand | `mdatp config real-time-protection --value enabled` | `mdatp config real-time-protection --value disabled` | | Network Protection | `mdatp config network-protection enforcement-level --value block` | `mdatp config network-protection enforcement-level --value disabled` |
- | realTimeProtectionStatistics | `mdatp config real-time-protection-statistics  --value enabled` | `mdatp config real-time-protection-statistics  --value disabled` |
+ | realTimeProtectionStatistics | `mdatp config real-time-protection-statistics --value enabled` | `mdatp config real-time-protection-statistics --value disabled` |
| tags | `mdatp edr tag set --name GROUP --value [name]` | `mdatp edr tag remove --tag-name [name]` | | groupIds | `mdatp edr group-ids --group-id [group]`| | | Endpoint DLP | `mdatp config data_loss_prevention --value enabled` | `mdatp config data_loss_prevention --value disabled` | During troubleshooting mode, you can't: -- Disable tamper protection for Microsoft Defender for Endpoint on macOS.
+- Disable tamper protection for Microsoft Defender for Endpoint on macOS.
- Uninstall the Microsoft Defender for Endpoint on macOS. ### Prerequisites - Supported version of macOS for Microsoft Defender for Endpoint.-- Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.
+- Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.
- Permissions for "Manage security settings in Security Center" in Microsoft Defender for Endpoint. - Platform Update version: [101.23122.0005]( mac-whatsnew.md#jan-2024-build-101231220005release-version-2012312250)
-or newer.
+or newer.
## Enable troubleshooting mode on macOS 1. Go to the [Microsoft Defender XDR portal](https://security.microsoft.com/), and sign in.
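Review bot: in the settings table, the `groupIds` row has an empty Disable/Remove cell while every other row gives both commands; either state that a group ID cannot be cleared while in troubleshooting mode or supply the `mdatp edr group-ids` form that removes it. The first row header "Real-Time Protection/ Passive mode / On-Demand" names three modes but maps them to a single key (`mdatp config real-time-protection --value enabled|disabled`); say which of the three each value produces. Since disabling real-time protection is one of the permitted changes, the text should also state explicitly what happens at the expiry time shown in the end-user message, i.e. whether the policy-locked values are re-applied automatically, rather than leaving that to the word "temporarily".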
-2. Navigate to the device page you would like to turn on troubleshooting mode. Then, select the ellipses(...) and select **Turn on troubleshooting mode**.
+2. Navigate to the device page you would like to turn on troubleshooting mode. Then, select the ellipses(...) and select **Turn on troubleshooting mode**.
:::image type="content" source="media/troubleshooting-mode-on-mac.png" alt-text="Screenshot displaying the screenshot of the troubleshooting mode on mac.":::
or newer.
3. Read the information displayed on the pane and once you're ready, select **Submit** to confirm that you want to turn on troubleshooting mode for that device. 4. You'll see *It might take a few minutes for the change to take effect* text being displayed. During this time, when you select the ellipses again, you'll see the **Turn On Troubleshooting mode is pending** option grayed-out.
-5. Once complete, the device page shows that the device is now in troubleshooting mode.
+5. Once complete, the device page shows that the device is now in troubleshooting mode.
If the end-user is logged-in on the macOS device, they'll see the following text:
- *Troubleshooting mode has started. This mode allows you to temporarily change settings that are managed by your Administrator. Expires at YEAR-MM-DDTHH:MM:SSZ.*
+ *Troubleshooting mode has started. This mode allows you to temporarily change settings that are managed by your Administrator. Expires at YEAR-MM-DDTHH:MM:SSZ.*
Select **OK**.
or newer.
:::image type="content" source="media/ts-mode-rtp-disable.png" alt-text="Screenshot displaying the screenshot of real time protection being disabled."::: The output report similar to the following screenshot will be displayed on running mdatp health with `real_time_protection_enabled` as "false" and `tamper_protection` as "block."
-
+ :::image type="content" source="mediatp health running."::: ## Advanced hunting queries for detection
-There are some prebuilt advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can use these queries to [create detection rules](../defender/custom-detection-rules.md) to generate alerts when devices are in troubleshooting mode.
+There are some prebuilt advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can use these queries to [create detection rules](../defender/custom-detection-rules.md) to generate alerts when devices are in troubleshooting mode.
### Get troubleshooting events for a particular device You can use the following query to search by `deviceId` or `deviceName` by commenting out the respective lines. ```kusto
-//let deviceName = "<deviceName>"; // update with device name
-let deviceId = "<deviceID>"; // update with device id
-DeviceEvents
-| where DeviceId == deviceId
-//| where DeviceName == deviceName
-| where ActionType == "AntivirusTroubleshootModeEvent"
-| extend _tsmodeproperties = parse_json(AdditionalFields)
-| project Timestamp,DeviceId, DeviceName, _tsmodeproperties,
- _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,
- _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,
- _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource
+//let deviceName = "<deviceName>"; // update with device name
+let deviceId = "<deviceID>"; // update with device id
+DeviceEvents
+| where DeviceId == deviceId
+//| where DeviceName == deviceName
+| where ActionType == "AntivirusTroubleshootModeEvent"
+| extend _tsmodeproperties = parse_json(AdditionalFields)
+| project Timestamp,DeviceId, DeviceName, _tsmodeproperties,
+ _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,
+ _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,
+ _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource
``` ### Devices currently in troubleshooting mode
DeviceEvents
You can find the devices that are currently in troubleshooting mode using the following query: ```kusto
-DeviceEvents
-| where Timestamp > ago(3h) // troubleshooting mode automatically disables after 4 hours
-| where ActionType == "AntivirusTroubleshootModeEvent"
-| extend _tsmodeproperties = parse_json(AdditionalFields)
-| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
-|summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
-| order by Timestamp desc
+DeviceEvents
+| where Timestamp > ago(3h) // troubleshooting mode automatically disables after 4 hours
+| where ActionType == "AntivirusTroubleshootModeEvent"
+| extend _tsmodeproperties = parse_json(AdditionalFields)
+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
+|summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
+| order by Timestamp desc
```
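Review bot: the "Devices currently in troubleshooting mode" query filters on `| where Timestamp > ago(3h)` while its own comment says the mode "automatically disables after 4 hours", so a device whose session started between three and four hours ago is still in troubleshooting mode but is dropped from the results; the window should be `ago(4h)` (or whatever the documented maximum is). In the other direction, the query keeps only events whose `TroubleshootingStateChangeReason` contains "started" and takes `arg_max` per device, so a device that was switched back out of the mode inside the window is still reported as current. A more accurate form takes the latest `AntivirusTroubleshootModeEvent` per device regardless of reason and then filters on the projected state fields the first query already exposes (`_tsmodeproperties.TroubleshootingState`, `_tsmodeproperties.TroubleshootingStateRemainingMinutes`). The reindented lines otherwise match the removed ones, apart from the leading space before `|summarize`.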
-### Count of troubleshooting mode instances by device
+### Count of troubleshooting mode instances by device
You can find the number of troubleshooting mode instances for a device using the following query: ```kusto
-DeviceEvents
-| where ActionType == "AntivirusTroubleshootModeEvent"
-| extend _tsmodeproperties = parse_json(AdditionalFields)
-| where Timestamp > ago(30d) // choose the date range you want
-| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
-| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
-| sort by count_
+DeviceEvents
+| where ActionType == "AntivirusTroubleshootModeEvent"
+| extend _tsmodeproperties = parse_json(AdditionalFields)
+| where Timestamp > ago(30d) // choose the date range you want
+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
+| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
+| sort by count_
``` ### Total count
DeviceEvents
You can know the total count of troubleshooting mode instances using the following query: ```kusto
-DeviceEvents
-| where ActionType == "AntivirusTroubleshootModeEvent"
-| extend _tsmodeproperties = parse_json(AdditionalFields)
-| where Timestamp > ago(2d) //beginning of time range
-| where Timestamp < ago(1d) //end of time range
-| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
-| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count()
-| where count_ > 5 // choose your max # of TS mode instances for your time range
+DeviceEvents
+| where ActionType == "AntivirusTroubleshootModeEvent"
+| extend _tsmodeproperties = parse_json(AdditionalFields)
+| where Timestamp > ago(2d) //beginning of time range
+| where Timestamp < ago(1d) //end of time range
+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"
+| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count()
+| where count_ > 5 // choose your max # of TS mode instances for your time range
``` ## Recommended content - [Microsoft Defender XDR for Endpoint on Mac](microsoft-defender-endpoint-mac.md) - [Microsoft Defender XDR for Endpoint integration with Microsoft Defender XDR for Cloud Apps](/defender-cloud-apps/mde-integration)-- [Get to know the innovative features in Microsoft Edge](https://www.microsoft.com/en-us/edge/features?form=MW00UY)
+- [Get to know the innovative features in Microsoft Edge](https://www.microsoft.com/edge/features?form=MW00UY)
- [Protect your network](network-protection.md) - [Turn on network protection](enable-network-protection.md) - [Web protection](web-protection-overview.md)
security Coinminer Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/coinminer-malware.md
description: Learn about coin miners, how they can infect devices, and what you
keywords: security, malware, coin miners, protection, cryptocurrencies ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Exploits Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/exploits-malware.md
description: Learn about how exploits use vulnerabilities in common software to
keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Fileless Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/fileless-threats.md
description: Learn about the categories of fileless threats and malware that liv
keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Macro Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/macro-malware.md
description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats. keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Phishing Trends https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/phishing-trends.md
description: Learn about how to spot phishing techniques
keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/phishing.md
description: Learn about how phishing work, deliver malware do your devices, and
keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Prevent Malware Infection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/prevent-malware-infection.md
description: Learn steps you can take to help prevent a malware or potentially u
keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Rootkits Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/rootkits-malware.md
description: Rootkits may be used by malware authors to hide malicious code on y
keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Supply Chain Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/supply-chain-malware.md
description: Learn about how supply chain attacks work, deliver malware do your
keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Support Scams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/support-scams.md
description: Microsoft security software can protect you from tech support scams
keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Trojans Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/trojans-malware.md
description: Trojans are a type of threat that can infect your device. This arti
keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Understanding Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/understanding-malware.md
description: Learn about the most prevalent viruses, malware, and other threats.
keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Unwanted Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/unwanted-software.md
description: Learn about how unwanted software changes your default settings wit
keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Worms Malware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/malware/worms-malware.md
description: Learn about how worms replicate and spread to other computers or ne
keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning ms.mktglfcycl: secure
-ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
- m365-security - tier2 search.appverid: met150 Previously updated : 08/28/2023 Last updated : 04/08/2024 # Manage the sources for Microsoft Defender Antivirus protection updates
There are five locations where you can specify where an endpoint should obtain u
To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, Microsoft security intelligence updates, and platform updates sources deliver less frequent updates. Thus, the delta might be larger, resulting in larger downloads.
-Platform updates contain engine updates and are released on a monthly cadence. Security intelligence updates are also delivered multiple times a day, but this package doesn't contain an engine. See [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md).
+Platform updates and engine updates are released on a monthly cadence. Security intelligence updates are delivered multiple times a day, but this delta package doesn't contain an engine update. See [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md).
> [!IMPORTANT]
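Review bot: the new sentence "Security intelligence updates are delivered multiple times a day, but this delta package doesn't contain an engine update." refers to "this delta package" without an antecedent; the removed line said "this package", meaning the security intelligence update itself. Suggest "Security intelligence updates are delivered multiple times a day; those packages don't contain an engine update." This edit also changes the relationship between the two update types (the removed text said platform updates contain engine updates; the added text lists them as separate monthly releases), so the wording should be checked against the linked article `microsoft-defender-antivirus-updates.md` so the two pages agree.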
security Microsoft Defender Core Service Configurations And Experimentation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-core-service-configurations-and-experimentation.md
ms.localizationpriority: medium-+ Last updated 03/26/2024 audience: ITPro
security Microsoft Defender Core Service Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-core-service-overview.md
+
+ Title: Microsoft Defender Core service overview
+description: Get an overview of Microsoft Defender Core service.
+++++++ Last updated : 04/10/2024
+search.appverid: met150
+ms.localizationpriority: medium
+audience: ITPro
+
+- m365-security
+- tier2
++
+# Microsoft Defender Core service overview
+
+Microsoft Defender Core service
+
+To enhance your endpoint security experience, Microsoft is releasing the Microsoft Defender Core service to help with the stability and performance of Microsoft Defender Antivirus.
+
+The Microsoft Defender Core service is releasing with [Microsoft Defender Antivirus platform version 4.18.23110.2009](./msda-updates-previous-versions-technical-upgrade-support.md#october-2023-platform-418231002009--engine-11231002009).
+
+- Rollout begins in:
+
+ - November 2023 to prerelease customers,
+
+ - Mid April 2024 to Enterprise customers running Windows clients.
+
+ - Mid May 2024 to Enterprise customers running Windows Servers.
+
+ - Mid June 2024 to U.S. Government customers running Windows clients and Windows Servers.
+
+- Enterprise customers should allow the following URLs:
+
+ - `*.events.data.microsoft.com`
+
+ - `*.endpoint.security.microsoft.com`
+
+ - `*.ecs.office.com`
+
+- Enterprise U.S. Government customers should allow the following URLs:
+
+ - `*.events.data.microsoft.com`
+
+ - `*.endpoint.security.microsoft.us (GCC-H & DoD)`
+
+ - `*.gccmod.ecs.office.com (GCC-M)`
+
+ - `*.config.ecs.gov.teams.microsoft.us (GCC-H)`
+
+ - `*.config.ecs.dod.teams.microsoft.us (DoD)`
+
+- If you're using [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac), or you're running non-Microsoft antivirus or endpoint detection and response software, make sure to add the processes mentioned earlier to your allowlist.
+
+- Consumers don't need to take any actions to prepare.
+
+## Microsoft Defender Antivirus processes and services
+
+The following table summarizes where you can view Microsoft Defender Antivirus processes and services (`MdCoreSvc`) using Task Manager on Windows devices.
+
+| Process or service | Where to view its status |
+|--|--|
+| `Antimalware Core Service` | **Processes** tab |
+| `MpDefenderCoreService.exe` | **Details** tab |
+| `Microsoft Defender Core Service` | **Services** tab |
+
+To learn more about the Microsoft Defender Core service configurations and experimentation (ECS), see [Microsoft Defender Core service configurations and experimentation](microsoft-defender-core-service-configurations-and-experimentation.md).
+
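Review bot: the bullet "If you're using Application Control for Windows, or you're running non-Microsoft antivirus or endpoint detection and response software, make sure to add the processes mentioned earlier to your allowlist." points at processes that do not appear earlier in this new article; the only process named is `MpDefenderCoreService.exe`, in the table that follows. Either reference "the processes listed in the next section" or name the executable in the bullet, ideally with its expected signer and install path so the allowlist entry can be scoped rather than matched on file name alone. In the U.S. Government URL list, the environment annotations sit inside the code spans (`*.endpoint.security.microsoft.us (GCC-H & DoD)`, `*.gccmod.ecs.office.com (GCC-M)`), so a copied value carries the annotation; move them outside the backticks as the Enterprise list does. The line "Microsoft Defender Core service" directly under the H1 repeats the title and can be dropped.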
security Migrate Devices Streamlined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrate-devices-streamlined.md
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier1
Last updated 02/01/2024
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) - [!Include[Prerelease information](../../includes/prerelease.md)] -
-This article describes how to migrate (reonboard) devices that are currently onboarded to Defender for Endpoint to use the streamlined device connectivity method. For more information on streamlined connectivity, see [Onboarding devices using streamlined connectivity](configure-device-connectivity.md). Devices must meet the prerequisites listed in [Streamlined connectivity](configure-device-connectivity.md#prerequisites).
+This article describes how to migrate (reonboard) devices that are currently onboarded to Defender for Endpoint to use the streamlined device connectivity method. For more information on streamlined connectivity, see [Onboarding devices using streamlined connectivity](configure-device-connectivity.md). Devices must meet the prerequisites listed in [Streamlined connectivity](configure-device-connectivity.md#prerequisites).
In most cases, full device offboarding isn't required when reonboarding. You can run the updated onboarding package and reboot your device to switch connectivity over. See below for details on individual operating systems. > [!IMPORTANT]
-> Preview limitations and known issues: <br>
-> - For device migrations (reonboarding): Offboarding is not required to switch over to streamlined connectivity method. Once the updated onboarding package is run, a full device reboot is required for Windows devices and a service restart for macOS and Linux. For more information, see the details included in this article. <br>
-> - Windows 10 versions 1607, 1703, 1709, and 1803 do not support reonboarding. Offboard first and then onboard using the updated package. These versions also require a longer URL list.
+> Preview limitations and known issues:
+>
+> - For device migrations (reonboarding): Offboarding is not required to switch over to streamlined connectivity method. Once the updated onboarding package is run, a full device reboot is required for Windows devices and a service restart for macOS and Linux. For more information, see the details included in this article.
+> - Windows 10 versions 1607, 1703, 1709, and 1803 do not support reonboarding. Offboard first and then onboard using the updated package. These versions also require a longer URL list.
> - Devices running the MMA agent are not supported and must continue using the MMA onboarding method. ## Migrating devices using the streamlined method
-### Migration recommendation:
+### Migration recommendation
-- **Start small**. It's recommended to start with a small set of devices first, apply the onboarding blob using any of the supported deployment tools, then monitor for connectivity. If you are using a new onboarding policy, to prevent conflicts make sure to exclude device from any other existing onboarding policies.
+- **Start small**. It's recommended to start with a small set of devices first, apply the onboarding blob using any of the supported deployment tools, then monitor for connectivity. If you are using a new onboarding policy, to prevent conflicts make sure to exclude device from any other existing onboarding policies.
-- **Validate and monitor**. After onboarding the small set of devices, validate that devices have successfully onboarded and are communicating with the service.
+- **Validate and monitor**. After onboarding the small set of devices, validate that devices have successfully onboarded and are communicating with the service.
- **Complete migration**. At this stage, you can gradually roll out the migration to a larger set of devices. To complete the migration, you can replace previous onboarding policies and remove the old URLs from your network device.
-
-Validate [device prerequisites](configure-device-connectivity.md#prerequisites) before proceeding with any migrations. This information builds upon the previous article by focusing on migrating existing devices.
+
+Validate [device prerequisites](configure-device-connectivity.md#prerequisites) before proceeding with any migrations. This information builds upon the previous article by focusing on migrating existing devices.
To reonboard devices, you will need to use the streamlined onboarding package. For more information on how to access the package, see [Streamlined connectivity](configure-device-connectivity.md).
Depending on the OS, migrations may require a device reboot or service restart o
- Windows: reboot the device - macOS: Reboot the device or restart the Defender for Endpoint service by running:
- 1. `sudo launchctl unload /Library/LaunchDaemons/com.microsoft.fresno.plist`
- 2. `sudo launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist`
-
+ 1. `sudo launchctl unload /Library/LaunchDaemons/com.microsoft.fresno.plist`
+ 2. `sudo launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist`
+ - Linux: Restart the Defender for Endpoint service by running: `sudo systemctl restart mdatp`
-The following table lists migration instructions for the available onboarding tools based on the device's operating system.
+The following table lists migration instructions for the available onboarding tools based on the device's operating system.
### [Windows 10 and 11](#tab/windows10and11) ### Windows 10 and 11
->[!IMPORTANT]
->Windows 10 version 1607, 1703, 1709, and 1803 do not support reonboarding. To migrate existing devices, you will need to fully offboard and onboard using the streamlined onboarding package.
+> [!IMPORTANT]
+> Windows 10 version 1607, 1703, 1709, and 1803 do not support reonboarding. To migrate existing devices, you will need to fully offboard and onboard using the streamlined onboarding package.
For general information on onboarding Windows client devices, see [Onboarding Windows Client](onboard-windows-client.md).
Follow the guidance in [Group policy](configure-endpoints-gp.md) using the strea
Follow the guidance in [Intune](/mem/intune/protect/endpoint-security-edr-policy#updating-the-onboarding-state-for-a-device) using the streamlined onboarding package. After completing the steps, you must restart the device for device connectivity to switch over.
-### Microsoft Configuration Manager
+### Microsoft Configuration Manager
Follow the guidance in [Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#bkmk_updateatp).
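Review bot: the Intune item says "After completing the steps, you must restart the device for device connectivity to switch over", but the Configuration Manager item right after it has no equivalent sentence, even though the intro states that migrations may require a reboot or service restart. Add the same restart sentence here (or state explicitly that no restart is needed) so the two management paths are described consistently.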
Confirm prerequisites are met: [Prerequisites for streamlined method](configure-
### Microsoft Defender for Cloud
-The streamlined connectivity method isn't currently supported through Microsoft Defender for Cloud.
+The streamlined connectivity method isn't currently supported through Microsoft Defender for Cloud.
-### Microsoft Configuration Manager
+### Microsoft Configuration Manager
Follow the guidance in [Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#bkmk_updateatp).
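Review bot: the "Microsoft Configuration Manager" section and its one-line body are identical to the section above (same heading, same link and anchor). If both tabs intentionally carry the same text, a shared include would keep them from drifting; if one of them belongs to a different tab, the heading should say which OS it applies to. The Defender for Cloud line only loses trailing whitespace and is otherwise fine.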
Follow the guidance in [Group policy](configure-endpoints-gp.md) using the strea
Follow the guidance in [Onboard nonpersistent virtual desktop infrastructure (VDI) devices](/microsoft-365/security/defender-endpoint/configure-endpoints-vdi). After completing the steps, you must restart the device for device connectivity to switch over. - ### [**macOS**](#tab/macOS) ### macOS For general information on onboarding macOS devices, see [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md).
-Confirm prerequisites are met: [Prerequisites for streamlined method](configure-device-connectivity.md#prerequisites).
+Confirm prerequisites are met: [Prerequisites for streamlined method](configure-device-connectivity.md#prerequisites).
### Local script Follow the guidance in [Manual deployment for Microsoft Defender for Endpoint on macOS](mac-install-manually.md) using the streamlined onboarding package.
-After completing the steps, you must either reboot the device or restart the service for connectivity to switch over.
+After completing the steps, you must either reboot the device or restart the service for connectivity to switch over.
### Microsoft Intune
-1. In Microsoft Intune, create a new onboarding policy using Custom Configuration profile. Don't assign it yet. Follow the instructions under [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune).
+1. In Microsoft Intune, create a new onboarding policy using Custom Configuration profile. Don't assign it yet. Follow the instructions under [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune).
2. Exclude the macOS device you're reonboarding from its existing onboarding policy. To learn more about excluding groups from policy assignments, see [Exclude groups from a policy assignment](/mem/intune/configuration/device-profile-assign#exclude-groups-from-a-policy-assignment).
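Review bot: the Intune procedure is incomplete: step 1 creates the new onboarding profile and says "Don't assign it yet", step 2 excludes the device from the old policy, and then no step assigns the new profile to the device. Compare the JAMF steps below, which explicitly "Include device in the new streamlined onboarding policy". Add a step 3 that assigns the new profile (and then the reboot or service restart that the following sentence requires).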
After completing the steps, you must either reboot the device or restart the ser
1. Exclude device from any existing 'onboarding' policies in JAMF Pro.
-2. Create a new onboarding policy for the streamlined connectivity approach.
+2. Create a new onboarding policy for the streamlined connectivity approach.
3. Include device in the new streamlined onboarding policy. 4. Reboot device if previously onboarded to Defender for Endpoint. Alternatively, you can restart the service using the following commands:
- 1. `sudo launchctl unload /Library/LaunchDaemons/com.microsoft.fresno.plist`
- 2. `sudo launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist`
-
+ 1. `sudo launchctl unload /Library/LaunchDaemons/com.microsoft.fresno.plist`
+ 2. `sudo launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist`
+ For more JAMF guidelines, see [Deploying Microsoft Defender for Endpoint on macOS with JAMF Pro](mac-install-with-jamf.md). ### [**Linux**](#tab/linux) ### Linux
-For general information on onboarding Linux devices, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).
+For general information on onboarding Linux devices, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).
-Confirm prerequisites are met: [Prerequisites for streamlined method](configure-device-connectivity.md#prerequisites).
+Confirm prerequisites are met: [Prerequisites for streamlined method](configure-device-connectivity.md#prerequisites).
### Local script Use the guidance in [Deploy Microsoft Defender for Endpoint on Linux manually](linux-install-manually.md) using the streamlined onboarding package. After completing the steps, you must either reboot the device or restart the service using `sudo systemctl restart mdatp`.
-
+ Device connectivity to streamlined approach doesn't start if you don't reboot the device. ### Third-party Linux deployment tools (Puppet, Ansible, Chef)
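Review bot: the added sentence "Device connectivity to streamlined approach doesn't start if you don't reboot the device" contradicts the sentence immediately before it, which says you can either reboot or run `sudo systemctl restart mdatp`. Pick one: either a service restart is sufficient (then drop the new sentence), or a full reboot is required on Linux (then remove the `systemctl restart` alternative). Also "to streamlined approach" needs an article ("to the streamlined approach").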
Once onboarded, run the MDE Client Analyzer to confirm your device is connecting
Download the Microsoft Defender for Endpoint Client Analyzer tool where Defender for Endpoint sensor is running.
-You can follow the same instructions as in [Verify client connectivity to Microsoft Defender for Endpoint service](verify-connectivity.md). The script automatically uses the onboarding package configured on the device (should be streamlined version) to test connectivity.
+You can follow the same instructions as in [Verify client connectivity to Microsoft Defender for Endpoint service](verify-connectivity.md). The script automatically uses the onboarding package configured on the device (should be streamlined version) to test connectivity.
-Ensure connectivity is established with the appropriate URLs.
+Ensure connectivity is established with the appropriate URLs.
<a name='tracking-with-advanced-hunting-in-microsoft-365-defender'></a> ### Tracking with advanced hunting in Microsoft Defender XDR
-You can use advanced hunting in Microsoft Defender portal to view the connectivity type status.
+You can use advanced hunting in Microsoft Defender portal to view the connectivity type status.
This information is found in the DeviceInfo table under the "ConnectivityType" column: - Column Name: ConnectivityType
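Review bot: "Ensure connectivity is established with the appropriate URLs" gives the reader nothing to check against; name the streamlined endpoint the Event Viewer section later cites (`<region>.<geo>.endpoint.security.microsoft.com`) so the analyzer output can be compared to it. Likewise "(should be streamlined version)" should say how to confirm which onboarding package the device has, otherwise the check cannot fail in a useful way.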
Once a device is migrated to use the streamlined method and the device establish
If you move the device back to the regular method, the value will be "standard".
-For devices that have not yet attempted reonboard, the value will remain blank.
-
+For devices that have not yet attempted reonboard, the value will remain blank.
### Tracking locally on a device through Windows Event Viewer
Open the Defender for Endpoint service event log using the following steps:
1. On the Windows menu, select **Start**, then type **Event Viewer**. Then select **Event Viewer**.
-2. In the log list, under **Log Summary**, scroll down until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to open the log.
+2. In the log list, under **Log Summary**, scroll down until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to open the log.
- :::image type="content" source="media/log-summary-event-viewer.png" alt-text="Screenshot of Event Viewer with log summary section":::
+ :::image type="content" source="media/log-summary-event-viewer.png" alt-text="Screenshot of Event Viewer with log summary section":::
- You can also access the log by expanding**Applications and Services Logs>Microsoft>Windows>SENSE** and select **Operational**.
+ You can also access the log by expanding**Applications and Services Logs>Microsoft>Windows>SENSE** and select **Operational**.
3. Event ID 4 tracks successful connections with Defender for Endpoint Command & Control channel. Verify successful connections with updated URL. For example:
- ```
- Contacted server 6 times, all succeeded, URI: <region>.<geo>.endpoint.security.microsoft.com.
- <EventData>
- <Data Name="UInt1">6</Data>
- <Data Name="Message1">https://<region>.<geo>.endpoint.security.microsoft.com>
- </EventData>
- ```
+ ```
+ Contacted server 6 times, all succeeded, URI: <region>.<geo>.endpoint.security.microsoft.com.
+ <EventData>
+ <Data Name="UInt1">6</Data>
+ <Data Name="Message1">https://<region>.<geo>.endpoint.security.microsoft.com>
+ </EventData>
+ ```
4. Message1 contains the contacted URL. Confirm the event includes the streamlined URL (endpoint.security.microsoft, com).
-5. Event ID 5 tracks errors if applicable.
+5. Event ID 5 tracks errors if applicable.
> [!NOTE] > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint. <br> > Events recorded by the service will appear in the log. <br> > For more information, see [Review events and error using Event Viewer](event-error-codes.md).
-### Run tests to confirm connectivity with Defender for Endpoint services
+### Run tests to confirm connectivity with Defender for Endpoint services
Once the device is onboarded to Defender for Endpoint, validate that it's continuing to appear in Device Inventory. The DeviceID should remain the same.
-Check the Device Page Timeline tab to confirm events are flowing from the device.
+Check the Device Page Timeline tab to confirm events are flowing from the device.
-#### Live Response
+#### Live Response
Ensure [Live Response](respond-machine-alerts.md#initiate-live-response-session) is working on your test device. Follow instructions in [Investigate entities on devices using live response](live-response.md). Make sure to run a couple of basic commands post-connection to confirm connectivity (such as cd, jobs, connect).
-#### Automated investigation and response
+#### Automated investigation and response
Ensure that Automated investigation and response is working on your test device: [Configure automated investigation and response capabilities](/microsoft-365/security/defender/m365d-configure-auto-investigation-response). For Auto-IR testing labs, navigate to **Microsoft Defender XDR** \> **Evaluations & Tutorials** \> **Tutorials & Simulations** \> **Tutorials \> **Automated Investigation tutorials**.
-#### Cloud-delivered protection
+#### Cloud-delivered protection
1. Open a Command Prompt as an administrator.
-2. Right-click the item in the Start menu, select **Run as administrator** then select **Yes** at the permissions prompt.
+2. Right-click the item in the Start menu, select **Run as administrator** then select **Yes** at the permissions prompt.
-3. Use the following argument with the Microsoft Defender Antivirus command-line utility (mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
+3. Use the following argument with the Microsoft Defender Antivirus command-line utility (mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
- ```
- "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
- ```
+ ```dos
+ "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
+ ```
> [!NOTE]
- > This command will only work on Windows 10, version 1703 or higher, or Windows 11.
- > For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
+ > This command will only work on Windows 10, version 1703 or higher, or Windows 11.
+ > For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
-#### Test Block at First Sight
+#### Test Block at First Sight
Follow instructions in [Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration](defender-endpoint-demonstration-block-at-first-sight-bafs.md).
-#### Test SmartScreen
-
-Follow instructions in [Microsoft Defender SmartScreen Demo (msft.net)](https://demo.smartscreen.msft.net/).
+#### Test SmartScreen
+Follow instructions in [Microsoft Defender SmartScreen Demo (msft.net)](https://demo.smartscreen.msft.net/).
### PowerShell detection test+ 1. On the Windows device, create a folder: `C:\test-MDATP-test`. 2. Open Command Prompt as an administrator.
For macOS and Linux, you can use the following methods:
### MDATP connectivity test (macOS and Linux)
-Run `mdatp health -details features ` to confirm simplified_connectivity: "enabled".
+Run `mdatp health -details features` to confirm simplified_connectivity: "enabled".
Run `mdatp health -details edr` to confirm `edr_partner_geo_location` is available. The value should be `GW_<geo>` where 'geo' is your tenant's geo-location.
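Review bot: step 4 of the Event Viewer check tells the reader to confirm the streamlined URL "(endpoint.security.microsoft, com)", which is a typo for `endpoint.security.microsoft.com`; this is exactly the value a reader will grep for, so it should be exact. The sample event's `Message1` value also ends with a stray `>` (`...endpoint.security.microsoft.com>`). Neither is touched by the re-indentation in this hunk; fix both while the block is being edited.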
Download and run the client analyzer for macOS or Linux. For more information, s
1. Run `mdeclientanalyzer.cmd -o <path to cmd file>` from within the MDEClientAnalyzer folder. The command uses parameters from the onboarding package to test connectivity.
-2. Run `mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU>` (where parameter is of GW_US, GW_EU, GW_UK). GW refers to the streamlined option. Run with applicable tenant geo.
+2. Run `mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU>` (where parameter is of GW_US, GW_EU, GW_UK). GW refers to the streamlined option. Run with applicable tenant geo.
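Review bot: the placeholder `<GW_US, GW_UK, GW_EU>` and the parenthetical "(GW_US, GW_EU, GW_UK)" list the same values in different orders; use one form, for example `-g <GW_US|GW_EU|GW_UK>`, and drop the duplicate. Also confirm the filename: this section is introduced as the client analyzer "for macOS or Linux", yet both steps invoke `mdeclientanalyzer.cmd`, a Windows batch extension.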
security Mobile Resources Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint.md
Microsoft Defender for Endpoint provides multiple capabilities on mobile devices
|Configure privacy in vulnerability assessment of apps| Control what app data shows up in the security portal when Defender for Vulnerability Management is enabled|Enable Vulnerability Management privacy= 0(default)/1|DefenderTVMPrivacyMode = 0(default)/1|DefenderTVMPrivacyMode = 0(default)/1| |Network protection | Control the collection of network and certificate details in the alert report|Enable Network protection privacy = 1/0 |DefenderNetworkProtectionPrivacy = 1/0 |DefenderNetworkProtectionPrivacy | - ## Other configurations |Configuration| Description | Android AE config key | Android MAM | iOS |
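Review bot: in the "Network protection" row the iOS column reads just `DefenderNetworkProtectionPrivacy`, while the Android AE and MAM columns give `DefenderNetworkProtectionPrivacy = 1/0`; add the permitted values (and which is the default, as the TVM privacy row does with "0(default)/1") so the iOS setting is documented to the same level.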
Suspicious certificates |Informational| | |
[Complete privacy information for iOS](ios-privacy.md) - ## Microsoft Defender Mobile App exclusion from Conditional Access(CA) Policies Microsoft Defender Mobile app is a security app that needs to constantly be running in the background to report the device security posture. This security posture is used in the Compliance and App Protection policies to secure the managed apps and ensure that corporate data is accessed only in a secured device. However, with restrictive Conditional Access policies such as having Block policies based on certain locations, or enforcing frequent sign ins can result in Defender blocked from reporting posture. If the Defender app fails to report the device posture this can lead to situation where the device is under a threat, leading to vulnerability of corporate data on the device. To ensure seamless protection, we recommend excluding the Defender app from the blocking Conditional Access Policy.
-### Apps required to exclude:
+### Apps required to exclude
1. **Xplat Broker App ( a0e84e36-b067-4d5c-ab4a-3db38e598ae2)** Xplat Broker App is the application responsible for forwarding Defender risk signals to the Defender backend. However, the presence of restrictive CA policies can result in Defender blocked from reporting signals. In these scenarios, we recommend excluding the Xplat Broker App. Note, that **Xplat Broker App** is also used by other platforms like Mac and Linux. So if the policy is same for these platforms, it is better to create a separate Conditional Access policy for Mobile. -
-2. **TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196)**
+2. **TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196)**
Microsoft Defender for Mobile TVM (Threat and Vulnerability Management) is the service, which provides the vulnerability assessment for the installed apps on the iOS devices. However, the presence of restrictive CA policies can result in Defender blocked from communicating the onboarding requests to the TVM backend services. This service should be excluded if MDVM (Vulnerability Assessment) is used in the organization.
-### Steps to exclude:
+### Steps to exclude
1. Create service principal for the apps that needs to be excluded. [Steps to create service principal.](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=powershell#request&preserve-view=true).
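Review bot: the recommendation to exclude the Defender app from "the blocking Conditional Access Policy" should be scoped more carefully, since a CA exclusion removes enforcement for that app. The text itself identifies the policies that interfere (location-based block and frequent sign-in enforcement); say that the exclusion belongs on those policies only, not on every CA policy in the tenant. The note that the Xplat Broker App is also used by Mac and Linux and therefore needs a separate mobile policy is the right caveat and could be made a callout rather than a trailing sentence.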
Microsoft Defender for Mobile TVM (Threat and Vulnerability Management) is the s
1. After the object is successfully created the two apps are visible in the CA screen and can be excluded. :::image type="content" source="media/mobile-resources-defender-endpoint/appexclusion.png" alt-text="Image displaying Application exclusions.":::-
security Msda Updates Previous Versions Technical Upgrade Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
Microsoft regularly releases [security intelligence updates and product updates
## November-2023 (Platform: 4.18.23110.3 | Engine: 1.1.23110.2) - Security intelligence update version: **1.403.7.0**-- Release date:ΓÇ»**December 5, 2023 (Platform)** / **December 6, 2023 (Engine)**
+- Release date: **December 5, 2023 (Platform)** / **December 6, 2023 (Engine)**
- Platform: **4.18.23110.3** - Engine: **1.1.23110.2** - Support phase: **Technical upgrade support (only)**
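Review bot: the mojibake fix ("Release date:ΓÇ»" to "Release date: ") is correct, but the label itself is inconsistent across the page: this entry and the April-2023 entry use "Release date:" while July-2023, June-2023 and May-2023 use "Released:". Standardize on one label so the entries can be parsed the same way.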
Microsoft regularly releases [security intelligence updates and product updates
### What's new - Fixed PowerShell cmdlet [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) to show the correct date/time for `AntivirusSignatureLastUpdated`-- Resolved deadlock issue that occurred on systems with multiple filter drivers reading a file when the file is copied -- Added the `InitializationProgress` field to [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) output -- Fixed installation failure on Windows Server 2016 due to existing Defender EventLog registry key -- Added the ability to have [quick scans](schedule-antivirus-scans.md) ignore Microsoft Defender Antivirus exclusions -- Fixed remediation for long running [on-demand scans](run-scan-microsoft-defender-antivirus.md) where the service may have been restarted -- Fixed an issue with Microsoft Defender Vulnerability Management to allow the execution of a [blocked application](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps) when the [warn option](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps#block-or-warn-mitigation-action) is selected -- Added support for managing schedule day/time for [signature updates in Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#updates) and [Defender for Endpoint security settings management](/mem/intune/protect/mde-security-integration)
+- Resolved deadlock issue that occurred on systems with multiple filter drivers reading a file when the file is copied
+- Added the `InitializationProgress` field to [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) output
+- Fixed installation failure on Windows Server 2016 due to existing Defender EventLog registry key
+- Added the ability to have [quick scans](schedule-antivirus-scans.md) ignore Microsoft Defender Antivirus exclusions
+- Fixed remediation for long running [on-demand scans](run-scan-microsoft-defender-antivirus.md) where the service may have been restarted
+- Fixed an issue with Microsoft Defender Vulnerability Management to allow the execution of a [blocked application](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps) when the [warn option](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps#block-or-warn-mitigation-action) is selected
+- Added support for managing schedule day/time for [signature updates in Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#updates) and [Defender for Endpoint security settings management](/mem/intune/protect/mde-security-integration)
- Fixed non-standard signature path loading across platforms ([Windows](microsoft-defender-antivirus-windows.md), [Mac](microsoft-defender-endpoint-mac.md), [Linux](microsoft-defender-endpoint-linux.md), [Android](microsoft-defender-endpoint-android.md), and [iOS](microsoft-defender-endpoint-ios.md)) - Improved handling of cached detections in [attack surface reduction](overview-attack-surface-reduction.md) capabilities - Improved performance for enumerating virtual memory ranges
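Review bot: "Added the ability to have quick scans ignore Microsoft Defender Antivirus exclusions" is a behavior change that admins have to opt into, but the item names no setting or policy; give the configuration name or link to where it is documented, as the other items in this list do (for example the `InitializationProgress` item links to `Get-MpComputerStatus`). The list split itself is fine.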
Microsoft regularly releases [security intelligence updates and product updates
- None ## July-2023 (Platform: 4.18.23070.1004 | Engine: 1.1.23070.1005)
-
+ - Security intelligence update version: **1.395.30.0** - Released: **August 9, 2023 (Engine and Platform)** - Platform: **4.18.23070.1004**
Microsoft regularly releases [security intelligence updates and product updates
- Support phase: **Technical upgrade support (only)** ### What's new
-
+ - Improved output for [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) if scan results fail to retrieve - Extended management options for configuring security intelligence updates with Intune, Group Policy, and PowerShell - Extended management options for disabling IOAV scans over the network using Intune, Group Policy, and PowerShell. The new setting is `ApplyDisableNetworkScanningToIOAV` for [Set-MpPreference](/powershell/module/defender/set-mppreference).
Microsoft regularly releases [security intelligence updates and product updates
- Improved error reporting in the [modern, unified agent installer](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution) - Fixed the overriding logic in the ASR rule [Block all Office applications from creating child processes](attack-surface-reduction-rules-reference.md#block-all-office-applications-from-creating-child-processes) configured in warn mode - Added support for scanning Zstandard (Zstd) containers/archives
-
+ ### Known issues
-
+ - None ## May-2023 *UPDATE* (Platform: 4.18.23050.9)
Microsoft regularly releases [security intelligence updates and product updates
## June-2023 (Engine: 1.1.23060.1005) - Security intelligence update version: **1.393.71.0**-- Released: **July 10, 2023 (Engine only)**
+- Released: **July 10, 2023 (Engine only)**
- Engine: **1.1.23060.1005** - Support phase: **Technical upgrade support (only)**
-
-### What's new
+
+### What's new
- Fixed an issue with [ASR rules deployed via Intune](/mem/intune/protect/endpoint-security-asr-policy) to display accurately in the Microsoft Defender portal - Fixed a performance issue when building and validating the Microsoft Defender Antivirus cache - Improved performance by removing redundant exclusion checks
-
-### Known Issues
+
+### Known Issues
- See [May-2023 *UPDATE* (Platform: 4.18.23050.9 | Engine: 1.1.23060.1005)](#may-2023-update-platform-418230509) for platform updates.
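Review bot: the link text "May-2023 *UPDATE* (Platform: 4.18.23050.9 | Engine: 1.1.23060.1005)" does not match the heading it points to, which reads "May-2023 *UPDATE* (Platform: 4.18.23050.9)". The anchor `#may-2023-update-platform-418230509` fits the shorter heading, so only the link text needs to be changed to match.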
Microsoft regularly releases [security intelligence updates and product updates
- Platform: **4.18.23050.5** - Engine: **1.1.23050.2** - Support phase: **Technical upgrade support (only)**
-
-### What's new
+
+### What's new
- Fixed issue that could lead to resolution of incorrect service endpoint
-
-### Known Issues
+
+### Known Issues
- Users encounter slow loading webpages in non-Microsoft web browsers with [web content filtering](/microsoft-365/security/defender-endpoint/web-content-filtering) enabled ## May-2023 (Platform: 4.18.23050.3 | Engine: 1.1.23050.2) -- Security intelligence update version: **1.391.64.0** -- Released: **May 31, 2023** -- Platform: **4.18.23050.3** -- Engine: **1.1.23050.2** -- Support phase: **Technical upgrade support (only)**
-
-### What's new
+- Security intelligence update version: **1.391.64.0**
+- Released: **May 31, 2023**
+- Platform: **4.18.23050.3**
+- Engine: **1.1.23050.2**
+- Support phase: **Technical upgrade support (only)**
+
+### What's new
- New version format for Platform and Engine (see the [April-2023 update](#whats-new))-- Improved processing of SmartLockerMode -- Fixed input parameters for DefinitionUpdateChannel cmdlet in [Set-MpPreference](/powershell/module/defender/set-mppreference) -- Improved installation experience for [Windows Server 2012 R2 and Windows Server 2016](microsoft-defender-antivirus-on-windows-server.md) -- Added ability to disable Defender task maintenance tasks programmatically -- Fixed WDFilter 0x50 bug check -- Fixed print enforcement issue for device control -- Fixed scan randomization issue when setting Intune policy -- Fixed sense offboarding on Windows Server 2016 when [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled -- Fixed inconsistent results of caching files with the internal Defender file cache -- Augmented attack surface reduction telemetry with more data related to an ASR detection
+- Improved processing of SmartLockerMode
+- Fixed input parameters for DefinitionUpdateChannel cmdlet in [Set-MpPreference](/powershell/module/defender/set-mppreference)
+- Improved installation experience for [Windows Server 2012 R2 and Windows Server 2016](microsoft-defender-antivirus-on-windows-server.md)
+- Added ability to disable Defender task maintenance tasks programmatically
+- Fixed WDFilter 0x50 bug check
+- Fixed print enforcement issue for device control
+- Fixed scan randomization issue when setting Intune policy
+- Fixed sense offboarding on Windows Server 2016 when [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled
+- Fixed inconsistent results of caching files with the internal Defender file cache
+- Augmented attack surface reduction telemetry with more data related to an ASR detection
- Removed Image File Execution Options (IFEO) debugger value during installation, which can be used to prevent service starts-- Fixed memory leaked in ASR logic
+- Fixed memory leaked in ASR logic
- Improved validation guard-rail for Malicious Software Removal Tool (MSRT) releases
-
-### Known Issues
+
+### Known Issues
- Potential issue that could lead to resolution of incorrect service endpoint
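Review bot: "(see the [April-2023 update](#whats-new))" links to a bare `#whats-new` anchor, but every release on this page has a "What's new" heading, so the link resolves to the first one rather than the April-2023 entry; point it at the April-2023 release heading instead. Minor: this hunk keeps "### Known Issues" while the July entry uses "### Known issues"; pick one capitalization.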
Microsoft regularly releases [security intelligence updates and product updates
- Security intelligence update version: **1.387.2997.0** - Release date: **May 2, 2023 (Engine) / May 2, 2023 (Platform)**-- Platform: **4.18.2304.8**
+- Platform: **4.18.2304.8**
- Engine: **1.1.20300.3** - Support phase: **Technical upgrade support (only)** ### What's new -- **Beginning in May 2023, the Platform and Engine version schema have a new format**. Here's what the new version format looks like:
- - Platform: `4.18.23050.1`
- - Engine: `1.1.23050.63000`
+- **Beginning in May 2023, the Platform and Engine version schema have a new format**. Here's what the new version format looks like:
+ - Platform: `4.18.23050.1`
+ - Engine: `1.1.23050.63000`
- Fixed memory leak in behavior monitoring - Improved resiliency of signature loading and platform updates - Quarantine and restore support for [WMI](use-wmi-microsoft-defender-antivirus.md)
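Review bot: "Release date: May 2, 2023 (Engine) / May 2, 2023 (Platform)" repeats the same date twice; write it as "May 2, 2023 (Engine and Platform)" as the July-2023 entry does. The re-indented version-format example is fine.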
Microsoft regularly releases [security intelligence updates and product updates
### What's new - Improved CPU usage efficiency of certain intensive scenarios on Exchange servers-- Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module.
+- Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module.
- Fixed bug in which `SharedSignatureRoot` value couldn't be removed when set with PowerShell - Fixed bug in which [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) failed to be enabled, even though Microsoft Defender for Endpoint indicated that tamper protection was turned on - Added supportability and bug fixes to performance analyzer for Microsoft Defender Antivirus tool. For more information, see [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
security Review Detected Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-detected-threats.md
Title: Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration
+ Title: Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration
description: Use the Microsoft Defender for Endpoint Antivirus and Intune integration to view and manage threat detections.
ms.localizationpriority: medium audience: ITPro-+ - m365-security - tier2 - mde-edr
search.appverid: met150
In the Microsoft Defender portal, you can view and manage threat detections using the following steps:
-1. Visit [Microsoft XDR portal](https://security.microsoft.com/) and sign-in.
+1. Visit [Microsoft XDR portal](https://security.microsoft.com/) and sign-in.
- On the landing page, you'll see the **Devices with active malware** card with the following information:
+ On the landing page, you'll see the **Devices with active malware** card with the following information:
- Display text: Applies to Intune-managed devices. Devices with multiple malware detections may be counted more than once. - Last updated date and time.
- - A bar with the Active and Malware remediated portions as per your scan.
+ - A bar with the Active and Malware remediated portions as per your scan.
You can select **View Details** for more information.
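Review bot: step 1 says "Visit [Microsoft XDR portal]" while the sentence introducing the steps says "In the Microsoft Defender portal", and the rest of the page uses "Microsoft Defender XDR"; use "Microsoft Defender portal" for the link text so the product name is consistent. The `+` line only strips trailing whitespace and leaves the name as is.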
You can manage threat detections for any devices that are [enrolled in Microsoft
1. Go to the Microsoft Intune admin center at [intune.microsoft.com](https://intune.microsoft.com) and sign-in.
-2. In the navigation pane, select **Endpoint security**.
+2. In the navigation pane, select **Endpoint security**.
3. Under **Manage**, select **Antivirus**. You'll see tabs for **Summary**, **Unhealthy endpoints**, and **Active malware**. 4. Review the information on the available tabs, and then take action as necessary.
- For example, when you can select a device that is listed under the **Active malware** tab, you can choose one action from the list of actions provided:
+ For example, when you can select a device that is listed under the **Active malware** tab, you can choose one action from the list of actions provided:
- Restart - Quick Scan - Full Scan
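Review bot: "For example, when you can select a device that is listed under the **Active malware** tab" is ungrammatical and survives the whitespace-only change; it should read "For example, when you select a device listed under the **Active malware** tab, you can choose one action from the list provided:".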
You can manage threat detections for any devices that are [enrolled in Microsoft
To see when the malware was detected, you can do the following: 1. Since this is an integration with Intune, visit [**Intune portal**](https://intune.microsoft.com) and select **Antivirus** and then select **Active malware** tab.
-2. Select **Export**.
+2. Select **Export**.
3. On your device, go to Downloads, and extract the Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip. 4. Open the CSV and find the **LastStateChangeDateTime** column to see when malware was detected.
-### In the devices with malware detections report, why canΓÇÖt I see any information about which malware was detected on the device.
+### In the devices with malware detections report, why canΓÇÖt I see any information about which malware was detected on the device.
To see the malware name, visit the [Intune portal](https://intune.microsoft.com) as this is an integration with Intune, select **Antivirus**, and select **Active malware** tab and you'll see a column named **Malware name**.
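Review bot: the heading "In the devices with malware detections report, why can't I see any information about which malware was detected on the device." is a question but ends with a period; the `+` line only removes trailing whitespace. End it with a question mark, as the next FAQ heading ("...which one of those two devices the report is referring to?") does.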
To see the malware name, visit the [Intune portal](https://intune.microsoft.com)
The **Devices with active malware** report is based on the devices that were active within the last 1 day (24 hours) and had malware detections within the last 15 days.
-Use the following Advanced Hunting query:
+Use the following Advanced Hunting query:
```kusto
-DeviceInfo
-| where Timestamp > startofday(datetime(2024-01-29 00:00:00))
-| where OnboardingStatus == "Onboarded"
-| where SensorHealthState == "Active"
-| distinct DeviceId, DeviceName
-| join kind=innerunique (
-AlertEvidence
-| where Timestamp > ago(15d)
-| where ServiceSource == "Microsoft Defender for Endpoint"
-| where DetectionSource == "Antivirus"
-DeviceName
-| distinct DeviceName, DeviceId, Title, AlertId, Timestamp
+DeviceInfo
+| where Timestamp > startofday(datetime(2024-01-29 00:00:00))
+| where OnboardingStatus == "Onboarded"
+| where SensorHealthState == "Active"
+| distinct DeviceId, DeviceName
+| join kind=innerunique (
+AlertEvidence
+| where Timestamp > ago(15d)
+| where ServiceSource == "Microsoft Defender for Endpoint"
+| where DetectionSource == "Antivirus"
+DeviceName
+| distinct DeviceName, DeviceId, Title, AlertId, Timestamp
```
-### I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?
+### I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?
Use the Advanced Hunting query that is mentioned [here](#i-see-a-different-number-for-active-malware-in-devices-with-active-malware-report-when-compared-to-numbers-i-see-using-reports--detected-malware-and-intune--antivirus--active-malware) for details such as unique DeviceID, Title, AlertID, and the remediation process. After identifying, work with your IT adminΓÇÖs to make sure that the devices are uniquely named. If a device is retired, use [tags to decommission it.](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058)
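Review bot: the Advanced Hunting query in this hunk does not parse, in both the `-` and `+` versions: the `join kind=innerunique (` subquery is never closed, and the bare `DeviceName` line after `| where DetectionSource == "Antivirus"` is not a valid operator. It reads like the residue of the join clause; replace that line with `) on DeviceId` (the key that `DeviceInfo` and `AlertEvidence` share, and the one the next FAQ relies on, since device names can be duplicated) and indent the subquery. The first filter also hard-codes `startofday(datetime(2024-01-29 00:00:00))`, which stops matching the stated definition of the report (devices active within the last 1 day, detections within the last 15 days) as soon as that date is in the past; use a relative bound such as `| where Timestamp > startofday(ago(1d))` so the query tracks the report window.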
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
Combined with always-on, real-time protection, which reviews files when they are
1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com/)) and sign-in. 2. Go to the **device page** that you would like to run a remote scan.
-3. Click on the ellipses **(…)**.
+3. Click on the ellipses **(...)**.
4. Click on **Run Antivirus Scan**. 5. Under **Select scan type**, select the radio button for **Quick Scan** or **Full Scan**. 6. Add a comment.
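Review bot: the `+` line only swaps the Unicode ellipsis for `(...)`, which is fine, but the surrounding step text in this hunk still reads "sign-in" (the verb is "sign in") and "the **device page** that you would like to run a remote scan" (missing "on"); suggest "Go to the device page on which you want to run a remote scan."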
security Safety Scanner Download https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/safety-scanner-download.md
ms.sitesec: library
ms.localizationpriority: medium -+ audience: ITPro - m365-security
security Schedule Antivirus Scans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans.md
ms.localizationpriority: medium
Previously updated : 12/14/2023- Last updated : 04/10/2024+
search.appverid: met150
You can set up regular, scheduled antivirus scans on devices. These scheduled scans are in addition to always-on, real-time protection and [on-demand antivirus](run-scan-microsoft-defender-antivirus.md) scans. When you schedule a scan, you can specify the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or when a device isn't being used. You can also set up special scans to complete remediation actions if needed. -- [Compare the quick scan, full scan, and custom scan](#comparing-the-quick-scan-full-scan-and-custom-scan)-- [Choose a scan type](#how-to-choose-a-scan-type)-- [Keep these important points](#important-points-to-keep-in-mind)-- [Try the scheduled quick scan performance optimization](#scheduled-quick-scan-performance-optimization)-- [Additional resources](#see-also)- ## Comparing the quick scan, full scan, and custom scan The following table describes the different types of scans you can configure.
The following table describes the different types of scans you can configure.
> [!NOTE] > By default, quick scans run on mounted removable devices, such as USB drives.
+> [!TIP]
+> If you have a Network-Attached Storage (NAS) or Storage Area Network (SAN), you can use Internet Content Adaption Protocol (ICAP) scanning with the Microsoft Defender Antivirus engine. For more information, see [Tech Community Blog: MetaDefender ICAP with Windows Defender Antivirus: World-class security for hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/metadefender-icap-with-windows-defender-antivirus-world-class/ba-p/800234).
+ ## How to choose a scan type Use the following table to choose a scan type.
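Review bot: the protocol in the new TIP is misspelled: `Internet Content Adaption Protocol (ICAP)` should read `Internet Content Adaptation Protocol (ICAP)`. Also make sure the heading `## How to choose a scan type` lands on its own line, separated from "Use the following table to choose a scan type." by a blank line, as the two appear joined in this view.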
security Security Intelligence Update Tshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/security-intelligence-update-tshoot.md
+
+ Title: Security Intelligence update troubleshooting from Microsoft Update source
+description: Learn how to troubleshoot security intelligence updates from your Microsoft Update source.
+++ Last updated : 04/10/2024+++
+ms.localizationpriority: medium
++
+- partner-contribution
+
+search.appverid: MET150
+f1.keywords: NOCSH
+audience: ITPro
++
+# Troubleshooting Security Intelligence Updates from Microsoft Update source
+
+**Applies to:**
+
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint Plan 1 and 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
+- Microsoft Defender Antivirus
+
+Use this article to learn how to troubleshoot security intelligence updates for Microsoft Defender Antivirus when the first source is from Microsoft Update (formerly known as Windows Update). Follow these steps to troubleshoot issues with getting your security intelligence updates:
+
+1. Make sure that the URLs needed for security intelligence updates are allowed thru the firewall or proxy. See the Defender for Endpoint URL spreadsheets in [Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).
+
+ If you're only using Microsoft Defender Antivirus, see the **Windows Update** section in [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints).
+
+2. Make sure that the URLs you reviewed during the previous step aren't SSL inspected. Otherwise, you might see the following error in the event log:
+
+ ```properties
+
+ Source: Windows Defender
+
+ Event ID: 2001
+
+ Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
+
+ Error code: 0x80072ee7
+
+ Error description: The server name or address could not be resolved.
+
+ ```
+
+ What is error code `0x80072ee7`?
+
+ ```properties
+
+ C:\>err 0x80072ee7
+
+ # as an HRESULT: Severity: FAILURE (1), Facility: 0x7, Code 0x2ee7
+
+ # for hex 0x2ee7 / decimal 12007 :
+
+ ERROR_INTERNET_NAME_NOT_RESOLVED inetmsg.h
+
+ ERROR_INTERNET_NAME_NOT_RESOLVED wininet.h
+
+ ```
+
+3. Make sure that the services needed for Windows Update are started. These services include:
+
+ - Windows Update service
+
+ - Background Intelligence Transfer Service (BITS)
+
+4. If you're using a [Fallback order](/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus) policy, make sure that *Microsoft Update* (`MicrosoftUpdateServer`) is the first item in the list.
+
+5. Gather diagnostic data from the [Microsoft Defender for Endpoint Client Analyzer tool](download-client-analyzer.md).
+
+ - If you have Microsoft Defender for Endpoint Plan 2 and access to Live Response, you can gather the diagnostic data remotely. See [Collect support logs in Microsoft Defender for Endpoint using live response](troubleshoot-collect-support-log.md).
+
+ - If you have Microsoft Defender for Endpoint Plan 1 or only Microsoft Defender Antivirus, you can gather the diagnostic data using the client analyzer on Windows. See [Run the client analyzer on Windows](run-analyzer-windows.md).
+
+ - If either method doesn't work for you, use Microsoft Defender Antivirus diagnostic data collection. See [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md).
+
+6. When you have your diagnostic data, convert the `WindowsUpdate.etl` logs into a human readable format by using the PowerShell command, [Get-WindowsUpdateLog](/powershell/module/windowsupdate/get-windowsupdatelog). Use that information to troubleshoot issues with security intelligence updates.
+
+## See also
+
+- [Troubleshoot Microsoft Defender Antivirus settings](troubleshoot-settings.md)
+
+- [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
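Review bot: step 2 attributes error `0x80072ee7` to SSL inspection, but the `err` output quoted in the same step decodes it as `ERROR_INTERNET_NAME_NOT_RESOLVED` ("The server name or address could not be resolved"), which is a DNS or proxy reachability failure rather than a certificate or TLS interception symptom; either say that this event points back to the connectivity check in step 1, or quote the event that SSL inspection actually produces. Smaller fixes in the same file: "allowed thru the firewall" should be "allowed through the firewall" (step 1); the service in step 3 is the Background Intelligent Transfer Service (BITS), not "Background Intelligence Transfer Service"; in step 5, "If either method doesn't work for you" should be "If neither method works for you"; and the two fenced blocks are an event-log excerpt and a console session, so tag them `text` or `console` rather than `properties`, and drop the blank lines padding them.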
security Troubleshoot Np https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md
-+ - m365-security - tier3 - mde-asr
The current exclusion options are:
2. Using IP exclusions: `Add-MpPreference -ExclusionIpAddress 192.168.1.1`.
-3. Excluding an entire process. For more information, see [Microsoft Defender Antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md).
+3. Excluding an entire process. For more information, see [Microsoft Defender Antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md).
## Network Performance issues In certain circumstances, a network protections component might contribute to slow network connections to Domain Controllers and/or Exchange servers. You might also notice Event ID 5783 NETLOGON errors.
-To attempt to solve these issues, change Network Protection from ‘block mode’ to either ‘[audit mode](troubleshoot-np.md)’ or 'disabled'. If your network issues are fixed, follow the next steps to find out which component in Network Protection is contributing to the behavior. 
+To attempt to solve these issues, change Network Protection from ΓÇÿblock modeΓÇÖ to either ΓÇÿ[audit mode](troubleshoot-np.md)ΓÇÖ or 'disabled'. If your network issues are fixed, follow the next steps to find out which component in Network Protection is contributing to the behavior.
Disable the following components in order and test your network connectivity performance after disabling each one:
- 1. [Disable Datagram Processing on Windows Server](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable Network Protection Perf Telemetry](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable FTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable SSH parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable RDP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable HTTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable SMTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable DNS over TCP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable DNS parsing ](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable inbound connection filtering](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
- 1. [Disable TLS parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable Datagram Processing on Windows Server](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable Network Protection Perf Telemetry](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable FTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable SSH parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable RDP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable HTTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable SMTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable DNS over TCP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable DNS parsing ](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable inbound connection filtering](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
+1. [Disable TLS parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)
If your network performance issues persist after following these troubleshooting steps, then they're probably not related to network protection and you should look for other causes of your network performance issues.
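Review bot: in the `+` line "To attempt to solve these issues...", the link text "audit mode" points at `troubleshoot-np.md`, that is, this same article, so it sends readers nowhere useful; point it at the page that explains audit mode for network protection (`enable-network-protection.md`, which this article already lists under its related links). The same line also shows the quotes around "block mode" and "audit mode" as `ΓÇÿ`/`ΓÇÖ` where the `-` line had ‘ ’; use plain ASCII quotes to match 'disabled' in the same sentence. For the eleven "Disable ..." steps, every link resolves to the same `Set-MpPreference` reference page with no anchor, so the reader cannot tell which parameter each step means; name it in the step text (for example `Set-MpPreference -DisableDatagramProcessing $true` for the first item and `-DisableTlsParsing` for the last, the parameter names being those of the Defender PowerShell module), and add a closing sentence telling readers to set each parameter back to `$false` once the offending component is found, so that protections that turned out not to be the cause are not left disabled. Also trim the stray space in the link text `[Disable DNS parsing ]`.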
You can configure the registry key by using PowerShell, Microsoft Configuration
- [Evaluate network protection](evaluate-network-protection.md) - [Enable network protection](enable-network-protection.md) - [Address false positives/negatives in Defender for Endpoint](defender-endpoint-false-positives-negatives.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Troubleshoot Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-settings.md
Last updated 03/19/2024
+ms.localizationpriority: medium
search.appverid: MET150
Microsoft Defender Antivirus provides numerous ways to manage the product, which
- Registry > [!TIP]
-> For best results, use one method of managing Microsoft Defender Antivirus.
+> For best results, use one method of managing Microsoft Defender Antivirus.
## Troubleshooting Microsoft Defender Antivirus settings
To remove policy conflicts, here's our current, recommended process:
When policies and settings are configured in multiple tools, in general, here's the order of precedence: 1. Microsoft Defender for Endpoint security settings management- 1. Group Policy (GPO)
-2. Microsoft Configuration Manager co-management
-3. Microsoft Configuration Manager (standalone)
-4. Microsoft Intune (MDM)
-5. Microsoft Configuration Manager with Tenant Attach
-6. PowerShell ([Set-MpPreference](/powershell/module/defender/set-mppreference)), [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md), or [Windows Management Instrumentation](use-wmi-microsoft-defender-antivirus.md) (WMI).
+1. Microsoft Configuration Manager co-management
+1. Microsoft Configuration Manager (standalone)
+1. Microsoft Intune (MDM)
+1. Microsoft Configuration Manager with Tenant Attach
+1. PowerShell ([Set-MpPreference](/powershell/module/defender/set-mppreference)), [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md), or [Windows Management Instrumentation](use-wmi-microsoft-defender-antivirus.md) (WMI).
> [!WARNING] > [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) is a Policy CSP setting that does not apply for all settings, such as [attack surface reduction rules](attack-surface-reduction-rules-reference.md) (ASR rules) in Windows 10.
- 
+ ## Step 2: Determine where Microsoft Defender Antivirus settings are configured Find out whether Microsoft Defender Antivirus settings are coming through a policy, MDM, or a local setting. The following table describes policies, settings, and relevant tools.
The following table describes how to identify policies and settings.
## Step 4: Remove or revise conflicting policies Once you have identified the conflicting policy, work with your security administrators to change device targeting so that devices receive the correct Microsoft Defender Antivirus settings.--
security Whats New Mde Archive https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-mde-archive.md
ms.localizationpriority: medium
Last updated 03/25/2024 audience: ITPro-+ - m365-security - tier1
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - The following features were in preview or generally available (GA) in Microsoft Defender for Endpoint prior to the calendar year 2023. For more information on preview features, see [Preview features](preview.md).
For more information on Microsoft Defender for Endpoint on specific operating sy
## August 2021 - [Microsoft Defender for Endpoint Plan 1 ](defender-endpoint-plan-1.md) (preview). Defender for Endpoint Plan 1 (preview) is an endpoint protection solution that includes next-generation protection, attack surface reduction, centralized management and reporting, and APIs. Defender for Endpoint Plan 1 (preview) is a new offering for customers who:
+ - Want to try our endpoint protection capabilities
+ - Have Microsoft 365 E3, and
+ - Don't yet have Microsoft 365 E5
- - Want to try our endpoint protection capabilities
- - Have Microsoft 365 E3, and
- - Don't yet have Microsoft 365 E5
-
- For more information on Defender for Endpoint Plan 1 (preview), see [Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md).
+ For more information on Defender for Endpoint Plan 1 (preview), see [Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md).
- Existing [Defender for Endpoint](microsoft-defender-endpoint.md) capabilities will be known as Defender for Endpoint Plan 2.
+ Existing [Defender for Endpoint](microsoft-defender-endpoint.md) capabilities will be known as Defender for Endpoint Plan 2.
- (Preview) [Web Content Filtering](web-content-filtering.md)<br> Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
For more information on Microsoft Defender for Endpoint on specific operating sy
- [Delta export software vulnerabilities assessment](get-assessment-methods-properties.md#31-methods) API <br> An addition to the [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API collection. <br> Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization." -- [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API <br> Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.
+- [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API <br> Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.
-- [Remediation activity](get-remediation-methods-properties.md) API <br> Adds a collection of APIs with responses that contain threat and vulnerability management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.
+- [Remediation activity](get-remediation-methods-properties.md) API <br> Adds a collection of APIs with responses that contain threat and vulnerability management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.
- [Device discovery](device-discovery.md) <br> Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.
For more information on Microsoft Defender for Endpoint on specific operating sy
- [Microsoft Tunnel VPN integration](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730) <br> Microsoft Tunnel VPN capabilities are now integrated with Microsoft Defender for Endpoint app for Android. This unification enables organizations to offer a simplified end-user experience with one security app – offering both mobile threat defense and the ability to access on-prem resources from their mobile device – while security and IT teams are able to maintain the same admin experiences they are familiar with. -- [Jailbreak detection on iOS](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios) <br> Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see [Setup Conditional Access Policy based on device risk signals](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios).
+- [Jailbreak detection on iOS](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios) <br> Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see [Setup Conditional Access Policy based on device risk signals](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios).
## March 2021
For more information on Microsoft Defender for Endpoint on specific operating sy
## November-December 2019 - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) <BR> Microsoft Defender for Endpoint for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](overview-endpoint-detection-response.md).
-
+ - [Threat & Vulnerability Management application and application version end-of-life information](../defender-vulnerability-management/tvm-security-recommendation.md) <BR>Applications and application versions which have reached their end of life (EOL) are tagged or labeled as such; so, you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications. - [Threat & Vulnerability Management Advanced Hunting Schemas](../defender/advanced-hunting-schema-tables.md) <BR>Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
-
+
+- [Threat & Vulnerability Management role-based access controls](user-roles.md) <BR>Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so that only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
## October 2019 - [Indicators for IP addresses, URLs/Domains](manage-indicators.md) <BR> You can now allow or block URLs/domains using your own threat intelligence. -- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md) <BR> You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
+- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md) <BR> You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
-- [Connected Azure AD applications](connected-applications.md)<br> The **Connected applications** page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization.
+- [Connected Azure AD applications](connected-applications.md)<br> The **Connected applications** page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization.
- [API Explorer](api-explorer.md)<br> The API explorer makes it easy to construct and execute API queries, and to test and send requests for any available Microsoft Defender for Endpoint API endpoint.
For more information on Microsoft Defender for Endpoint on specific operating sy
## June 2019 - [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) <BR> A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-
+ - [Device health and compliance report](machine-reports.md) The device health and compliance report provides high-level information about the devices in your organization. ## May 2019 - [Threat protection reports](threat-protection-reports.md)<BR>The threat protection report provides high-level information about alerts generated in your organization. -- [Microsoft Threat Experts](endpoint-attack-notifications.md)<BR> Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
+- [Microsoft Threat Experts](endpoint-attack-notifications.md)<BR> Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
- [Indicators](api/ti-indicator.md) <BR> APIs for indicators are now generally available.
Threat Analytics is a set of interactive reports published by the Microsoft Defe
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.
+ - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.
- - [Configure CPU priority settings](configure-advanced-scan-types-microsoft-defender-antivirus.md) for Microsoft Defender Antivirus scans.
+ - [Configure CPU priority settings](configure-advanced-scan-types-microsoft-defender-antivirus.md) for Microsoft Defender Antivirus scans.
## March 2018 - [Advanced Hunting](../defender/advanced-hunting-query-language.md)<BR>Query data using advanced hunting in Microsoft Defender for Endpoint. -- [Attack surface reduction rules](attack-surface-reduction.md)<BR>The newly introduced attack surface reduction rules are:
+- [Attack surface reduction rules](attack-surface-reduction.md)<BR>The newly introduced attack surface reduction rules are:
- Use advanced protection against ransomware
Threat Analytics is a set of interactive reports published by the Microsoft Defe
- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)<BR>Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md). -- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) and executable files. For more information, see [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
+- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) and executable files. For more information, see [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
security Fixed Reported Inaccuracies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies.md
If you come across missing or incorrect vulnerability information for your organ
This article provides information on inaccuracies that have been reported. You can use it to determine if new or updated vulnerability support has been added, or if support isn't currently available.
->[!Note]
+> [!NOTE]
> The tables may also include updates based on vulnerability support queries from ICMs or in response to customer requests. The following tables present the relevant vulnerability information organized by month: ## March 2024
-Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-| - | Defender Vulnerability Management doesn't currently support CVE-2023-4966 | 05-Mar-24
-| 47296 | Defender Vulnerability Management doesn't currently support Bitdefender Vulnerabilities - CVE-2017-17408, CVE-2017-17409 & CVE-2017-17410 | 05-Mar-24
-| 45748 | Fixed inaccuracy in Zscaler Client Connector | 14-Mar-24
-| 49672 | Fixed inaccuracy in CVE-2024-0819 | 20-Mar-24
-| 30583 | Fixed inaccuracy in Opera Browser | 21-Mar-24
-| - | Fixed inaccuracy in Autodesk Civil 3D and Anydesk | 21-Mar-24
-| 44979 | Defender Vulnerability Management doesn't currently support CVE-2017-13774 | 26-Mar-24
-| 46812 | Fixed inaccuracy in Dell Supportassist | 26-Mar-24
-| 48178 | Fixed inaccuracy in RuneLite | 26-Mar-24
-| 49660 | Fixed inaccuracy in RSUPPORT RemoteView Agent | 26-Mar-24
-| 46828 | Defender Vulnerability Management doesn't currently support OsiSoft Pi Server | 26-Mar-24
-| 48034 | Defender Vulnerability Management doesn't currently support CVE-2023-35637 | 26-Mar-24
-| - | Fixed inaccuracy in Adobe Acrobat Reader and Reader DC | 26-Mar-24
-| 46021 | Defender Vulnerability Management doesn't currently support CVE-2023-6129 | 26-Mar-24
-| - | Fixed inaccuracy in Ultraedit | 26-Mar-24
-| - | Defender Vulnerability Management doesn't currently support CVE-2023-47248 | 26-Mar-24
-| - | Fixed inaccuracy in Mitel 6920 & 6930 Firmwares | 31-Mar-24
+| Inaccuracy report ID | Description | Fix date |
+||||
+| - | Defender Vulnerability Management doesn't currently support CVE-2023-4966 | 05-Mar-24 |
+| 47296 | Defender Vulnerability Management doesn't currently support Bitdefender Vulnerabilities - CVE-2017-17408, CVE-2017-17409 & CVE-2017-17410 | 05-Mar-24 |
+| 45748 | Fixed inaccuracy in Zscaler Client Connector | 14-Mar-24 |
+| 49672 | Fixed inaccuracy in CVE-2024-0819 | 20-Mar-24 |
+| 30583 | Fixed inaccuracy in Opera Browser | 21-Mar-24 |
+| - | Fixed inaccuracy in Autodesk Civil 3D and Anydesk | 21-Mar-24 |
+| 44979 | Defender Vulnerability Management doesn't currently support CVE-2017-13774 | 26-Mar-24 |
+| 46812 | Fixed inaccuracy in Dell Supportassist | 26-Mar-24 |
+| 48178 | Fixed inaccuracy in RuneLite | 26-Mar-24 |
+| 49660 | Fixed inaccuracy in RSUPPORT RemoteView Agent | 26-Mar-24 |
+| 46828 | Defender Vulnerability Management doesn't currently support OsiSoft Pi Server | 26-Mar-24 |
+| 48034 | Defender Vulnerability Management doesn't currently support CVE-2023-35637 | 26-Mar-24 |
+| - | Fixed inaccuracy in Adobe Acrobat Reader and Reader DC | 26-Mar-24 |
+| 46021 | Defender Vulnerability Management doesn't currently support CVE-2023-6129 | 26-Mar-24 |
+| - | Fixed inaccuracy in Ultraedit | 26-Mar-24 |
+| - | Defender Vulnerability Management doesn't currently support CVE-2023-47248 | 26-Mar-24 |
+| - | Fixed inaccuracy in Mitel 6920 & 6930 Firmwares | 31-Mar-24 |
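Review bot: product names in the March rows should use the vendors' own spelling so they match what the software inventory shows: `Dell Supportassist` is SupportAssist, `Ultraedit` is UltraEdit, `OsiSoft Pi Server` is OSIsoft PI Server, and `Mitel 6920 & 6930 Firmwares` should read `firmware`. Several rows also carry `-` in the report ID column while the rest are numeric; a one-line legend under the table saying that `-` means the fix came from an ICM or proactive work rather than a customer report (as the note above implies) would save readers guessing.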
## February 2024
-Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-| - | Fixed inaccuracy in Snow Inventory Agent | 06-Feb-24
-| 42360 | Fixed inaccuracy in GitHub vulnerabilities - CVE-2020-10519 and CVE-2021-22863 | 12-Feb-24
-| 44875 | Fixed inaccuracy in Zoom Meetings for macOS | 14-Feb-24
-| 45686 | Fixed inaccuracy in ConnectWise Control (Formerly known as ScreenConnect) | 14-Feb-24
-| 45559 | Added Microsoft Defender Vulnerability Management support to Forta GoAnyWhere MFT | 14-Feb-24
-| - | Added Microsoft Defender Vulnerability Management support to BeyondTrust Remote Support Jump Client | 14-Feb-24
-| - | Fixed inaccuracy in Ignite Real Time | 14-Feb-24
-| - | Added Microsoft Defender Vulnerability Management support to Ivanti (Pulse Secure) February released Vulnerabilities | 20-Feb-24
-| - | Defender Vulnerability Management doesn't currently support SAP GUI | 21-Feb-24
-| 46606 | Defender Vulnerability Management doesn't currently support Postgresql | 21-Feb-24
-| 47700 | Defender Vulnerability Management doesn't currently support Adobe Digital Editions | 21-Feb-24
-| 45297 | Fixed inaccuracy in Tera Term vulnerability - CVE-2023-48995 | 22-Feb-24
-| - | Fixed invalid version detections in Control & Control Client | 23-Feb-24
-| - | Added Microsoft Defender Vulnerability Management support to ConnectWise Control vulnerabilities - CVE-2024-1708 & CVE-2024-1709 | 23-Feb-24
-| 43472 | Added correct version details in all FortiClient CVEs | 25-Feb-24
-| 45727 | Added Microsoft Defender Vulnerability Management support to Box Tools & Box for Office products | 26-Feb-24
-| 47045 | Fixed inaccuracy issues in April 2021 GitLab Vulnerabilities | 26-Feb-24
-| 47174 | Added accurate EOS details for SQL Server Editions | 26-Feb-24
-| 46416 | Fixed inaccuracy in Oracle Kernel-uek-modules | 28-Feb-24
+| Inaccuracy report ID | Description | Fix date |
+||||
+| - | Fixed inaccuracy in Snow Inventory Agent | 06-Feb-24 |
+| 42360 | Fixed inaccuracy in GitHub vulnerabilities - CVE-2020-10519 and CVE-2021-22863 | 12-Feb-24 |
+| 44875 | Fixed inaccuracy in Zoom Meetings for macOS | 14-Feb-24 |
+| 45686 | Fixed inaccuracy in ConnectWise Control (Formerly known as ScreenConnect) | 14-Feb-24 |
+| 45559 | Added Microsoft Defender Vulnerability Management support to Forta GoAnyWhere MFT | 14-Feb-24 |
+| - | Added Microsoft Defender Vulnerability Management support to BeyondTrust Remote Support Jump Client | 14-Feb-24 |
+| - | Fixed inaccuracy in Ignite Real Time | 14-Feb-24 |
+| - | Added Microsoft Defender Vulnerability Management support to Ivanti (Pulse Secure) February released Vulnerabilities | 20-Feb-24 |
+| - | Defender Vulnerability Management doesn't currently support SAP GUI | 21-Feb-24 |
+| 46606 | Defender Vulnerability Management doesn't currently support Postgresql | 21-Feb-24 |
+| 47700 | Defender Vulnerability Management doesn't currently support Adobe Digital Editions | 21-Feb-24 |
+| 45297 | Fixed inaccuracy in Tera Term vulnerability - CVE-2023-48995 | 22-Feb-24 |
+| - | Fixed invalid version detections in Control & Control Client | 23-Feb-24 |
+| - | Added Microsoft Defender Vulnerability Management support to ConnectWise Control vulnerabilities - CVE-2024-1708 & CVE-2024-1709 | 23-Feb-24 |
+| 43472 | Added correct version details in all FortiClient CVEs | 25-Feb-24 |
+| 45727 | Added Microsoft Defender Vulnerability Management support to Box Tools & Box for Office products | 26-Feb-24 |
+| 47045 | Fixed inaccuracy issues in April 2021 GitLab Vulnerabilities | 26-Feb-24 |
+| 47174 | Added accurate EOS details for SQL Server Editions | 26-Feb-24 |
+| 46416 | Fixed inaccuracy in Oracle Kernel-uek-modules | 28-Feb-24 |
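Review bot: naming is inconsistent with rows elsewhere in the same article: `Postgresql` here versus `PostgreSQL` in the January table, `Ignite Real Time` here versus `Ignite Realtime Openfire` in January, and `Forta GoAnyWhere MFT` should be the vendor spelling Fortra GoAnywhere MFT. The 23-Feb row `Fixed invalid version detections in Control & Control Client` names no vendor; if it refers to the ConnectWise product in the neighbouring rows, say `ConnectWise Control & Control Client` so the row is searchable.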
## January 2024
-Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-| 30873 | Fixed inaccuracy in Apache Tomcat | 08-Jan-24
-| 31664 | Fixed inaccuracy in OpenSSL | 08-Jan-24
-| 30674 | Fixed inaccuracy in Microsoft Visio | 08-Jan-24
-| 30674 | Fixed inaccuracy in Microsoft Office | 08-Jan-24
-| 35382 | Fixed inaccuracy in MySQL connector | 08-Jan-24
-| 38235 | Fixed inaccuracy in Python | 10-Jan-24
-| - | Defender Vulnerability Management doesn't currently support Atlassian Confluence | 10-Jan-24
-| - | Fixed inaccuracy in JetBrains TeamCity and JetBrains IntelliJ IDEA | 10-Jan-24
-| 41860 | Defender Vulnerability Management doesn't currently support Lenovo ThinkPad T480 Firmware | 10-Jan-24
-| 41049 | Defender Vulnerability Management doesn't currently support Lenovo ThinkCentre M700 Firmware | 10-Jan-24
-| 25969 | Defender Vulnerability Management doesn't currently support Siemens Sinec NMS | 10-Jan-24
-| 39167 | Defender Vulnerability Management doesn't currently support Avaya IP Office | 10-Jan-24
-| - | Fixed inaccuracy in Palo Alto Networks - Global Protect | 10-Jan-24
-| 38038 | Fixed inaccuracy in CVE-2022-3167 | 16-Jan-24
-| 40269 | Fixed inaccuracy in CVE-2023-46587 | 16-Jan-24
-| 36968 | Fixed inaccuracies in Lenovo August 2021 released Vulnerabilities | 16-Jan-24
-| 41041 | Fixed inaccurate CVEs of Samsung Health | 16-Jan-24
-| 38717 | Defender Vulnerability Management doesn't currently support CVE-2023-36397 | 17-Jan-24
-| 43673 | Defender Vulnerability Management doesn't currently support Lenovo ThinkPad T14 Gen 2 Firmware | 17-Jan-24
-| 43513 | Fixed inaccuracies in OpenSSL invalid file detections | 17-Jan-24
-| 41204 | Fixed inaccuracy in Affinity photo | 21-Jan-24
-| 40584 | Fixed inaccuracy in Veeam One Client | 21-Jan-24
-| 40704 | Fixed inaccuracy in Windows Subsystem for Linux(WSL) | 21-Jan-24
-| 43600 | Fixed inaccuracy in Dell RVTools | 21-Jan-24
-| 43378 | Fixed inaccuracy in Decisive Tactics Serial | 21-Jan-24
-| 43466 | Fixed inaccuracy in Intel- Dynamic Tuning Technology (DTT) | 21-Jan-24
-| 35750 | Fixed inaccuracy in Bitdefender Internet Security | 21-Jan-24
-| 44190 | Fixed inaccuracy in CVE-2023-48670 | 29-Jan-24
-| 43565 | Fixed inaccuracy in WinSCP Vulnerability - CVE-2023-48795 | 30-Jan-24
-| - | Fixed detection issues in Ignite Realtime Openfire | 30-Jan-24
-| - | Fixed inaccuracy in GitLab | 30-Jan-24
-| - | Added Microsoft Defender Vulnerability Management support to SAP Business Client | 30-Jan-24
-| - | Added Microsoft Defender Vulnerability Management support to SAP GUI | 30-Jan-24
-| - | Added Microsoft Defender Vulnerability Management support to PostgreSQL | 30-Jan-24
-| - | Added Microsoft Defender Vulnerability Management support to Adobe Digital Editions | 30-Jan-24
-| - | Fixed inaccuracy in Python Anaconda3 | 30-Jan-24
-
+| Inaccuracy report ID | Description | Fix date |
+||||
+| 30873 | Fixed inaccuracy in Apache Tomcat | 08-Jan-24 |
+| 31664 | Fixed inaccuracy in OpenSSL | 08-Jan-24 |
+| 30674 | Fixed inaccuracy in Microsoft Visio | 08-Jan-24 |
+| 30674 | Fixed inaccuracy in Microsoft Office | 08-Jan-24 |
+| 35382 | Fixed inaccuracy in MySQL connector | 08-Jan-24 |
+| 38235 | Fixed inaccuracy in Python | 10-Jan-24 |
+| - | Defender Vulnerability Management doesn't currently support Atlassian Confluence | 10-Jan-24 |
+| - | Fixed inaccuracy in JetBrains TeamCity and JetBrains IntelliJ IDEA | 10-Jan-24 |
+| 41860 | Defender Vulnerability Management doesn't currently support Lenovo ThinkPad T480 Firmware | 10-Jan-24 |
+| 41049 | Defender Vulnerability Management doesn't currently support Lenovo ThinkCentre M700 Firmware | 10-Jan-24 |
+| 25969 | Defender Vulnerability Management doesn't currently support Siemens Sinec NMS | 10-Jan-24 |
+| 39167 | Defender Vulnerability Management doesn't currently support Avaya IP Office | 10-Jan-24 |
+| - | Fixed inaccuracy in Palo Alto Networks - Global Protect | 10-Jan-24 |
+| 38038 | Fixed inaccuracy in CVE-2022-3167 | 16-Jan-24 |
+| 40269 | Fixed inaccuracy in CVE-2023-46587 | 16-Jan-24 |
+| 36968 | Fixed inaccuracies in Lenovo August 2021 released Vulnerabilities | 16-Jan-24 |
+| 41041 | Fixed inaccurate CVEs of Samsung Health | 16-Jan-24 |
+| 38717 | Defender Vulnerability Management doesn't currently support CVE-2023-36397 | 17-Jan-24 |
+| 43673 | Defender Vulnerability Management doesn't currently support Lenovo ThinkPad T14 Gen 2 Firmware | 17-Jan-24 |
+| 43513 | Fixed inaccuracies in OpenSSL invalid file detections | 17-Jan-24 |
+| 41204 | Fixed inaccuracy in Affinity photo | 21-Jan-24 |
+| 40584 | Fixed inaccuracy in Veeam One Client | 21-Jan-24 |
+| 40704 | Fixed inaccuracy in Windows Subsystem for Linux(WSL) | 21-Jan-24 |
+| 43600 | Fixed inaccuracy in Dell RVTools | 21-Jan-24 |
+| 43378 | Fixed inaccuracy in Decisive Tactics Serial | 21-Jan-24 |
+| 43466 | Fixed inaccuracy in Intel- Dynamic Tuning Technology (DTT) | 21-Jan-24 |
+| 35750 | Fixed inaccuracy in Bitdefender Internet Security | 21-Jan-24 |
+| 44190 | Fixed inaccuracy in CVE-2023-48670 | 29-Jan-24 |
+| 43565 | Fixed inaccuracy in WinSCP Vulnerability - CVE-2023-48795 | 30-Jan-24 |
+| - | Fixed detection issues in Ignite Realtime Openfire | 30-Jan-24 |
+| - | Fixed inaccuracy in GitLab | 30-Jan-24 |
+| - | Added Microsoft Defender Vulnerability Management support to SAP Business Client | 30-Jan-24 |
+| - | Added Microsoft Defender Vulnerability Management support to SAP GUI | 30-Jan-24 |
+| - | Added Microsoft Defender Vulnerability Management support to PostgreSQL | 30-Jan-24 |
+| - | Added Microsoft Defender Vulnerability Management support to Adobe Digital Editions | 30-Jan-24 |
+| - | Fixed inaccuracy in Python Anaconda3 | 30-Jan-24 |
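Review bot: report ID 30674 appears on two consecutive rows (Microsoft Visio and Microsoft Office, both 08-Jan-24). If one report covered both products, merge them into a single row so the ID-to-fix mapping stays one-to-one; otherwise one of the IDs is a copy-paste slip and should be corrected. Minor spacing: `Windows Subsystem for Linux(WSL)` needs a space before the parenthesis and `Intel- Dynamic Tuning Technology` has the hyphen on the wrong side of the space.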
## December 2023
-Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-| - | Added Microsoft Defender Vulnerability Management support to SysAid Server | 05-Dec-23
-| - | Removed CVE 'TVM-0001-00000000' from Defender Vulnerability Management | 05-Dec-23
-| 33439 | Fixed inaccuracies in IBM Maximo CVEs | 05-Dec-23
-| 38186 | Fixed inaccuracy in CVE-2020-36160 | 05-Dec-23
-| 38705 | Fixed inaccuracies in November released Veeam ONE CVEs | 05-Dec-23
-| - | Added End of Support details for Intel HAXM | 05-Dec-23
-| 36856 | Defender Vulnerability Management doesn't currently support Click Studios-Passwordstate | 05-Dec-23
-| 33377 | Defender Vulnerability Management doesn't currently support IBM Db2 | 05-Dec-23
-| 35256 | Fixed inaccuracy in Techsmith Snagit | 10-Dec-23
-| 39620 | Fixed inaccuracy in Adobe Audition | 10-Dec-23
-| 39542 | Fixed inaccuracy in Splunk Vulnerabilities- CVE-2021-22570, CVE-2022-31799, CVE-2023-24329, CVE-2023-3817, CVE-2023-3446 | 19-Dec-23
-| 39620 | Fixed inaccuracy in CVE-2023-28388 | 19-Dec-23
-| 35256 | Fixed inaccuracy in CVE-2020-11541 | 19-Dec-23
-| 41330 | Fixed inaccuracy in CVE-2023-22524 | 19-Dec-23
-| - | Fixed inaccuracy in Progress OpenEdge | 20-Dec-23
-| 27605 | Fixed inaccuracy in Maltego | 20-Dec-23
-
+| Inaccuracy report ID | Description | Fix date |
+||||
+| - | Added Microsoft Defender Vulnerability Management support to SysAid Server | 05-Dec-23 |
+| - | Removed CVE 'TVM-0001-00000000' from Defender Vulnerability Management | 05-Dec-23 |
+| 33439 | Fixed inaccuracies in IBM Maximo CVEs | 05-Dec-23 |
+| 38186 | Fixed inaccuracy in CVE-2020-36160 | 05-Dec-23 |
+| 38705 | Fixed inaccuracies in November released Veeam ONE CVEs | 05-Dec-23 |
+| - | Added End of Support details for Intel HAXM | 05-Dec-23 |
+| 36856 | Defender Vulnerability Management doesn't currently support Click Studios-Passwordstate | 05-Dec-23 |
+| 33377 | Defender Vulnerability Management doesn't currently support IBM Db2 | 05-Dec-23 |
+| 35256 | Fixed inaccuracy in Techsmith Snagit | 10-Dec-23 |
+| 39620 | Fixed inaccuracy in Adobe Audition | 10-Dec-23 |
+| 39542 | Fixed inaccuracy in Splunk Vulnerabilities- CVE-2021-22570, CVE-2022-31799, CVE-2023-24329, CVE-2023-3817, CVE-2023-3446 | 19-Dec-23 |
+| 39620 | Fixed inaccuracy in CVE-2023-28388 | 19-Dec-23 |
+| 35256 | Fixed inaccuracy in CVE-2020-11541 | 19-Dec-23 |
+| 41330 | Fixed inaccuracy in CVE-2023-22524 | 19-Dec-23 |
+| - | Fixed inaccuracy in Progress OpenEdge | 20-Dec-23 |
+| 27605 | Fixed inaccuracy in Maltego | 20-Dec-23 |
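Review bot: IDs 39620 and 35256 each appear twice with different descriptions (39620: Adobe Audition on 05-Dec... no, 10-Dec and CVE-2023-28388 on 19-Dec; 35256: Techsmith Snagit on 10-Dec and CVE-2020-11541 on 19-Dec). If the CVE rows are follow-up fixes to the same reports, say so in the description, for example `Fixed inaccuracy in CVE-2023-28388 (Adobe Audition)`, so readers don't take them for duplicated IDs. Also `Splunk Vulnerabilities- CVE-2021-22570` needs a space before the hyphen, and `Removed CVE 'TVM-0001-00000000'` is not a CVE identifier; a few words saying it was an internal placeholder entry would make the row understandable.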
## November 2023
-Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-| 35498 | Fixed inaccuracy in CVE-2023-38802 | 05-Nov-23
-| 34698 | Fixed normalization inaccuracy in Condor Team | 05-Nov-23
-| 36594 | Fixed inaccurate file path detections in Cisco Secure Client | 12-Nov-23
-| 37041 | Fixed inaccuracy in OpenVPN | 12-Nov-23
-| 36808 | Fixed inaccurate file path detections in Zoom Meetings | 15-Nov-23
-| 33837 | Defender Vulnerability Management doesn't currently support IBM Cognos Analytics | 15-Nov-23
-| 37041 | Fixed inaccuracy in CVE-2021-3606 | 15-Nov-23
-| 37408 | Fixed inaccuracy in Kernel Module Core | 15-Nov-23
-| 37440 | Added accurate End of Life details for Oracle JDK versions | 26-Nov-23
-| - | Fixed inaccuracy in CVE-2023-47246 | 26-Nov-23
-| 36774 | Fixed inaccuracies in October released Node.js CVEs | 26-Nov-23
-| 29643 | Fixed inaccurate detections in Palo Alto Networks - Global Protect | 29-Nov-23
-| 36459 | Defender Vulnerability Management doesn't currently support Siemens Simatic WinCC Runtime | 29-Nov-23
-| 36348 | Fixed inaccurate file path detections in PHP | 29-Nov-23
-
+| Inaccuracy report ID | Description | Fix date |
+||||
+| 35498 | Fixed inaccuracy in CVE-2023-38802 | 05-Nov-23 |
+| 34698 | Fixed normalization inaccuracy in Condor Team | 05-Nov-23 |
+| 36594 | Fixed inaccurate file path detections in Cisco Secure Client | 12-Nov-23 |
+| 37041 | Fixed inaccuracy in OpenVPN | 12-Nov-23 |
+| 36808 | Fixed inaccurate file path detections in Zoom Meetings | 15-Nov-23 |
+| 33837 | Defender Vulnerability Management doesn't currently support IBM Cognos Analytics | 15-Nov-23 |
+| 37041 | Fixed inaccuracy in CVE-2021-3606 | 15-Nov-23 |
+| 37408 | Fixed inaccuracy in Kernel Module Core | 15-Nov-23 |
+| 37440 | Added accurate End of Life details for Oracle JDK versions | 26-Nov-23 |
+| - | Fixed inaccuracy in CVE-2023-47246 | 26-Nov-23 |
+| 36774 | Fixed inaccuracies in October released Node.js CVEs | 26-Nov-23 |
+| 29643 | Fixed inaccurate detections in Palo Alto Networks - Global Protect | 29-Nov-23 |
+| 36459 | Defender Vulnerability Management doesn't currently support Siemens Simatic WinCC Runtime | 29-Nov-23 |
+| 36348 | Fixed inaccurate file path detections in PHP | 29-Nov-23 |
## October 2023
-Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-| 32689 | Fixed inaccuracy in Kernel Module Extra | 11-Oct-23
-| - | Fixed inaccuracies in Exim vulnerabilities | 11-Oct-23
-| 33312 | Updated End of Support details for acrobat and acrobat reader version 2017 | 11-Oct-23
-| - | Fixed inaccuracy in CVE-2023-38545 | 12-Oct-23
-| 32734 | Fixed inaccuracy in Thunderbird | 19-Oct-23
-| - | Added Microsoft Defender Vulnerability Management support to Jetbrains Teamcity | 22-Oct-23
-| 36144 | Fixed inaccuracy in CVE-2023-3935 | 23-Oct-23
-| 32979 | Fixed inaccuracy in Bloomberg | 25-Oct-23
-| - | Fixed inaccuracy in Curl normalization | 25-Oct-23
-| - | Fixed inaccuracy in Progress - WS FTP Server | 25-Oct-23
-| - | Added Microsoft Defender Vulnerability Management support to SQL server 2022 | 26-Oct-23
-| - | Added accurate End of Life details for Flash Player | 30-Oct-23
-| 32020 | Fixed inaccuracy in Fiddler Everywhere | 30-Oct-23
-| 35189 |Fixed inaccuracy in OpenSSL for Magnet Forensics | 30-Oct-23
-| 31139 | Fixed inaccuracy in CVE-2023-3935 | 31-Oct-23
-| - | Fixed inaccuracy in CVE-2023-31102 | 31-Oct-23
-| - | Fixed inaccuracy in CVE-2022-43946 | 31-Oct-23
-| 33380 | Fixed inaccuracy in CVE-2023-32558 | 31-Oct-23
-| - | Fixed inaccuracy in CVE-2014-5455 | 31-Oct-23
-
+| Inaccuracy report ID | Description | Fix date |
+||||
+| 32689 | Fixed inaccuracy in Kernel Module Extra | 11-Oct-23 |
+| - | Fixed inaccuracies in Exim vulnerabilities | 11-Oct-23 |
+| 33312 | Updated End of Support details for acrobat and acrobat reader version 2017 | 11-Oct-23 |
+| - | Fixed inaccuracy in CVE-2023-38545 | 12-Oct-23 |
+| 32734 | Fixed inaccuracy in Thunderbird | 19-Oct-23 |
+| - | Added Microsoft Defender Vulnerability Management support to Jetbrains Teamcity | 22-Oct-23 |
+| 36144 | Fixed inaccuracy in CVE-2023-3935 | 23-Oct-23 |
+| 32979 | Fixed inaccuracy in Bloomberg | 25-Oct-23 |
+| - | Fixed inaccuracy in Curl normalization | 25-Oct-23 |
+| - | Fixed inaccuracy in Progress - WS FTP Server | 25-Oct-23 |
+| - | Added Microsoft Defender Vulnerability Management support to SQL server 2022 | 26-Oct-23 |
+| - | Added accurate End of Life details for Flash Player | 30-Oct-23 |
+| 32020 | Fixed inaccuracy in Fiddler Everywhere | 30-Oct-23 |
+| 35189 |Fixed inaccuracy in OpenSSL for Magnet Forensics | 30-Oct-23 |
+| 31139 | Fixed inaccuracy in CVE-2023-3935 | 31-Oct-23 |
+| - | Fixed inaccuracy in CVE-2023-31102 | 31-Oct-23 |
+| - | Fixed inaccuracy in CVE-2022-43946 | 31-Oct-23 |
+| 33380 | Fixed inaccuracy in CVE-2023-32558 | 31-Oct-23 |
+| - | Fixed inaccuracy in CVE-2014-5455 | 31-Oct-23 |
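Review bot: `Fixed inaccuracy in CVE-2023-3935` appears twice (ID 36144 on 23-Oct-23 and ID 31139 on 31-Oct-23) with nothing to tell the two fixes apart; add the affected product to at least one of them. Casing: `acrobat and acrobat reader version 2017` and `SQL server 2022` should be Acrobat, Acrobat Reader and SQL Server, and `Jetbrains Teamcity` should be JetBrains TeamCity as the January table spells it.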
## September 2023
-Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-| - |Added accurate EOS details for Redis| 04-Sep-23
-| 31688 |Fixed inaccuracy in CVE-2023-38831 and CVE-2023-40477| 05-Sep-23
-| 31898 |Fixed Inaccuracy in CVE-2023-4373| 05-Sep-23
-| 30809 |Fixed inaccuracy in FireEye path of OpenSSL| 05-Sep-23
-| 31651 |Microsoft Defender Vulnerability Management doesn't currently support </br> CVE-2022-0778| 12-Sep-23
-| 31590 |Fixed inaccuracy in Dell Command Update| 12-Sep-23
-| 30966 |Microsoft Defender Vulnerability Management doesn't currently support </br> Lenovo ThinkPad models: X1 Yoga 3rd Gen and X13 3rd Gen| 12-Sep-23
-| 29892 |Microsoft Defender Vulnerability Management doesn't currently support OpenBSI| 12-Sep-23
-| 29634 |Fixed inaccuracy in CVE-2019-14568| 13-Sep-23
-| - |Microsoft Defender Vulnerability Management doesn't currently support </br> IBM Business Process Monitor| 12-Sep-23
-| 27242 |Fixed inaccuracy in Forticlient| 13-Sep-23
-| 30770 |Fixed inaccuracy in MySQL WorkBench| 13-Sep-23
-| 32471 |Fixed inaccuracy in CVE-2023-40481| 19-Sep-23
-| 32114 |Microsoft Defender Vulnerability Management doesn't currently support</br> MitsubishiElectric GX Works3| 19-Sep-23
-| 30581 |Fixed inaccuracy in CVE-2022-35909| 21-Sep-23
-| - |Fixed Inaccuracy in Cisco Secure Client| 21-Sep-23
-
+| Inaccuracy report ID | Description | Fix date |
+||||
+| - |Added accurate EOS details for Redis| 04-Sep-23 |
+| 31688 |Fixed inaccuracy in CVE-2023-38831 and CVE-2023-40477| 05-Sep-23 |
+| 31898 |Fixed Inaccuracy in CVE-2023-4373| 05-Sep-23 |
+| 30809 |Fixed inaccuracy in FireEye path of OpenSSL| 05-Sep-23 |
+| 31651 |Microsoft Defender Vulnerability Management doesn't currently support </br> CVE-2022-0778| 12-Sep-23 |
+| 31590 |Fixed inaccuracy in Dell Command Update| 12-Sep-23 |
+| 30966 |Microsoft Defender Vulnerability Management doesn't currently support </br> Lenovo ThinkPad models: X1 Yoga 3rd Gen and X13 3rd Gen| 12-Sep-23 |
+| 29892 |Microsoft Defender Vulnerability Management doesn't currently support OpenBSI| 12-Sep-23 |
+| 29634 |Fixed inaccuracy in CVE-2019-14568| 13-Sep-23 |
+| - |Microsoft Defender Vulnerability Management doesn't currently support </br> IBM Business Process Monitor| 12-Sep-23 |
+| 27242 |Fixed inaccuracy in Forticlient| 13-Sep-23 |
+| 30770 |Fixed inaccuracy in MySQL WorkBench| 13-Sep-23 |
+| 32471 |Fixed inaccuracy in CVE-2023-40481| 19-Sep-23 |
+| 32114 |Microsoft Defender Vulnerability Management doesn't currently support</br> MitsubishiElectric GX Works3| 19-Sep-23 |
+| 30581 |Fixed inaccuracy in CVE-2022-35909| 21-Sep-23 |
+| - |Fixed Inaccuracy in Cisco Secure Client| 21-Sep-23 |
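Review bot: rows are not in date order: the IBM Business Process Monitor row (12-Sep-23) sits between two 13-Sep-23 rows, which the other months avoid. The in-cell line breaks use `</br>`, which is not an HTML tag (a closing form of a void element); use `<br>` or `<br/>` instead, here and in the same cells of the August and July tables. `Fixed Inaccuracy` in two rows should be `Fixed inaccuracy` to match every other row.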
## August 2023
-Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-| - |Fixed inaccuracy in Acrobat Reader DC| 02-Aug-23
-|29672 |Fixed inaccuracy in RedHat Kernel Devel and CentOS Kernel Devel| 03-Aug-23
-| - |Fixed inaccuracy in NetScaler Gateway Plugin| 03-Aug-23
-| - |Added Microsoft Defender Vulnerability Management support for Azul products| 09-Aug-23
-|30082 |Fixed inaccuracy in CVE-2022-43946| 09-Aug-23
-| - |Added accurate EOS details for Outlook (2010 & 2013) and Office build versions: </br> (2304,2305,1902,1908,2008,2202)| 10-Aug-23
-|30002 |Fixed inaccuracy in KeePass versions| 10-Aug-23
-| - |Added Microsoft Defender Vulnerability Management support to ODBC and OLEDB| 10-Aug-23
-|29552 |Fixed inaccuracy in Dell Command Update| 14-Aug-23
-| - |Fixed inaccuracy in CVE-2021-36234| 22-Aug-23
-| - |Fixed inaccuracy in CVE-2021-36283| 22-Aug-23
-| 30303 | Microsoft Defender Vulnerability Management doesn't currently support </br> Lenovo ThinkPad models: E15-gen 4, L13, L490, T490, T490s, and T470s| 29-Aug-23
-| 29397 | Fixed inaccuracy in Microsoft PowerShell| 29-Aug-23
-| 31279 | Fixed inaccuracy in Azul Zulu| 29-Aug-23
-| - |Fixed inaccuracy in CVE-2021-36324| 30-Aug-23
+| Inaccuracy report ID | Description | Fix date |
+||||
+| - |Fixed inaccuracy in Acrobat Reader DC| 02-Aug-23 |
+| 29672 |Fixed inaccuracy in RedHat Kernel Devel and CentOS Kernel Devel| 03-Aug-23 |
+| - |Fixed inaccuracy in NetScaler Gateway Plugin| 03-Aug-23 |
+| - |Added Microsoft Defender Vulnerability Management support for Azul products| 09-Aug-23 |
+| 30082 |Fixed inaccuracy in CVE-2022-43946| 09-Aug-23 |
+| - |Added accurate EOS details for Outlook (2010 & 2013) and Office build versions: </br> (2304,2305,1902,1908,2008,2202)| 10-Aug-23 |
+| 30002 |Fixed inaccuracy in KeePass versions| 10-Aug-23 |
+| - |Added Microsoft Defender Vulnerability Management support to ODBC and OLEDB| 10-Aug-23 |
+| 29552 |Fixed inaccuracy in Dell Command Update| 14-Aug-23 |
+| - |Fixed inaccuracy in CVE-2021-36234| 22-Aug-23 |
+| - |Fixed inaccuracy in CVE-2021-36283| 22-Aug-23 |
+| 30303 | Microsoft Defender Vulnerability Management doesn't currently support </br> Lenovo ThinkPad models: E15-gen 4, L13, L490, T490, T490s, and T470s| 29-Aug-23 |
+| 29397 | Fixed inaccuracy in Microsoft PowerShell| 29-Aug-23 |
+| 31279 | Fixed inaccuracy in Azul Zulu| 29-Aug-23 |
+| - |Fixed inaccuracy in CVE-2021-36324| 30-Aug-23 |
## July 2023
-|Inaccuracy report ID |Description |Fix date |
-|:|:|:|
-|24162 |Fixed inaccuracy in MYSQL Workbench| 04-Jul-23|
-|25736 | Fixed inaccuracy in KeePass | 04-Jul-23|
-|24598 | Fixed inaccuracy in Adobe Flash Player plugins |04-Jul-23|
+| Inaccuracy report ID | Description | Fix date |
+||||
+| 24162 |Fixed inaccuracy in MYSQL Workbench| 04-Jul-23|
+| 25736 | Fixed inaccuracy in KeePass | 04-Jul-23|
+| 24598 | Fixed inaccuracy in Adobe Flash Player plugins |04-Jul-23|
| - |Lenovo CVEs not currently supported by Defender Vulnerability Management: </br> CVE-2021-3519, CVE-2021-22499, CVE-2021-22500, CVE-2021-22514| 03-Jul-23| | - |Added Microsoft Defender Vulnerability Management support for Arcserve UDP | 05-Jul-23| | - |Added accurate EOS details for Log 4j versions| 05-Jul-23|
-|27379 | Fixed inaccuracy in Adobe Animate | 06-Jul-23|
+| 27379 | Fixed inaccuracy in Adobe Animate | 06-Jul-23|
| - |Added Arcserve UDP affected product details in CVE-2023-26258 |05-Jul-23|
-|26391 | Fixed inaccuracy in CVE-2020-26941 | 09-Jul-23|
-|25245 | Fixed inaccuracy in CVE-2022-40011 | 11-Jul-23|
-| - |Added Defender Vulnerability Management support for </br> Microsoft PowerBI Desktop | 13-Jul-23|
+| 26391 | Fixed inaccuracy in CVE-2020-26941 | 09-Jul-23|
+| 25245 | Fixed inaccuracy in CVE-2022-40011 | 11-Jul-23|
+| - |Added Defender Vulnerability Management support for </br> Microsoft PowerBI Desktop | 13-Jul-23|
| - |Added zero-day details for CVE-2023-36884 | 12-Jul-23|
-|26421 |Defender Vulnerability Management doesn't currently support: </br> ThinkCentre M75q Gen 2 & ThinkPad l390 Firmware| 14-Jul-23|
-|23876 |Fixed inaccurate recommendation in Microsoft Teams CVE-2023-24881 | 20-Jul-23|
-|25969 |Fixed inaccuracy in Siemens Sinec NMS | 24-Jul-23|
+| 26421 |Defender Vulnerability Management doesn't currently support: </br> ThinkCentre M75q Gen 2 & ThinkPad l390 Firmware| 14-Jul-23|
+| 23876 |Fixed inaccurate recommendation in Microsoft Teams CVE-2023-24881 | 20-Jul-23|
+| 25969 |Fixed inaccuracy in Siemens Sinec NMS | 24-Jul-23|
| - |Added EOS details for Windows Server 2012 & Windows Server 2012 R2 | 25-Jul-23|
-|29096 | Fixed inaccurate detection of Slack version 1.0.0.0 | 25-Jul-23|
-|27941 | Defender Vulnerability Management doesn't currently support </br> Application Performance Management| 25-Jul-23|
-|26116 | Fixed inaccuracy in HP CVEs: </br> CVE-2021-33159, CVE-2022-26845, CVE-2022-27497, CVE-2022-29893 | 27-Jul-23|
-|25809 | Defender Vulnerability Management doesn't currently support: </br> Visio 2010, 2013, 2016 & 2019 | 31-Jul-23|
-|25810 | Defender Vulnerability Management doesn't currently support Project 2019| 31-Jul-23|
-|28176 | Fixed inaccuracy in VMWare Tools CVE-2021-31693 | 31-Jul-23|
-|29089 | Fixed inaccuracy in CVE-2023-24329| 31-Jul-23|
-|28489 | Fixed inaccuracy in CVE-2020-9484 | 31-Jul-23|
-|28385 | Fixed inaccuracy in CVE-2023-28759| 31-Jul-23|
+| 29096 | Fixed inaccurate detection of Slack version 1.0.0.0 | 25-Jul-23|
+| 27941 | Defender Vulnerability Management doesn't currently support </br> Application Performance Management| 25-Jul-23|
+| 26116 | Fixed inaccuracy in HP CVEs: </br> CVE-2021-33159, CVE-2022-26845, CVE-2022-27497, CVE-2022-29893 | 27-Jul-23|
+| 25809 | Defender Vulnerability Management doesn't currently support: </br> Visio 2010, 2013, 2016 & 2019 | 31-Jul-23|
+| 25810 | Defender Vulnerability Management doesn't currently support Project 2019| 31-Jul-23|
+| 28176 | Fixed inaccuracy in VMWare Tools CVE-2021-31693 | 31-Jul-23|
+| 29089 | Fixed inaccuracy in CVE-2023-24329| 31-Jul-23|
+| 28489 | Fixed inaccuracy in CVE-2020-9484 | 31-Jul-23|
+| 28385 | Fixed inaccuracy in CVE-2023-28759| 31-Jul-23|
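Review bot: the three edited rows (24162, 25736, 24598) gain the leading space before the ID but keep `04-Jul-23|` with no space before the closing pipe, so the July table is now styled differently from every other month's `| 04-Jul-23 |`; apply one form throughout. The table is also out of date order in three places: the 03-Jul-23 Lenovo row follows the 04-Jul-23 rows, the 05-Jul-23 Arcserve row follows the 06-Jul-23 Adobe Animate row, and the 12-Jul-23 CVE-2023-36884 row follows the 13-Jul-23 Power BI row. `MYSQL Workbench` here and `MySQL WorkBench` in September should both read MySQL Workbench, and `Log 4j` should be Log4j.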
## June 2023
-Inaccuracy report ID |Description |Fix date |
-:|:|:|
-24147 | Fixed inaccuracy in CVE-2023-29338 | 5-Jun-23
-24145 | Fixed inaccurate detections in product - dbeaver | 06-Jun-23
-23877 | Disabled Defender Vulnerability Management assessment for oracle_ bpftool | 06-Jun-23
-24620 | Disabled Defender Vulnerability Management for synology_chat | 12-Jun-23
-25091 | Updated inaccurate EOS date for oracle_jdk version 7 | 15-Jun-23
-23425 | Fixed inaccurate detections in mongodb & mongosh | 21-Jun-23
-23188 | Fixed inaccurate detections in oracle: vm_virtualbox & vm_virtualbox_guest_additions | 21-Jun-23
-25559 | Fixed inaccuracy in Halo version -1.0.0.0 | 22-Jun-23
-25762 | Fixed inaccuracy in CVE-2022-48435 | 28-Jun-23
-25639 | Fixed inaccurate file path detections in apache_commonsText | 28-Jun-23
-26367 | Fixed inaccurate file path detections in Winrar | 28-Jun-23
-27146 | Fixed inaccuracy in Windows 2012 r2 - KB5012170 | 28-Jun-23
-22866 | Fixed normalization issue in dell optiplex_7470_ firmware | 29-Jun-23
---
+| Inaccuracy report ID | Description | Fix date |
+||||
+| 24147 | Fixed inaccuracy in CVE-2023-29338 | 5-Jun-23 |
+| 24145 | Fixed inaccurate detections in product - dbeaver | 06-Jun-23 |
+| 23877 | Disabled Defender Vulnerability Management assessment for oracle_ bpftool | 06-Jun-23 |
+| 24620 | Disabled Defender Vulnerability Management for synology_chat | 12-Jun-23 |
+| 25091 | Updated inaccurate EOS date for oracle_jdk version 7 | 15-Jun-23 |
+| 23425 | Fixed inaccurate detections in mongodb & mongosh | 21-Jun-23 |
+| 23188 | Fixed inaccurate detections in oracle: vm_virtualbox & vm_virtualbox_guest_additions | 21-Jun-23 |
+| 25559 | Fixed inaccuracy in Halo version -1.0.0.0 | 22-Jun-23 |
+| 25762 | Fixed inaccuracy in CVE-2022-48435 | 28-Jun-23 |
+| 25639 | Fixed inaccurate file path detections in apache_commonsText | 28-Jun-23 |
+| 26367 | Fixed inaccurate file path detections in Winrar | 28-Jun-23 |
+| 27146 | Fixed inaccuracy in Windows 2012 r2 - KB5012170 | 28-Jun-23 |
+| 22866 | Fixed normalization issue in dell optiplex_7470_ firmware | 29-Jun-23 |
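Review bot: the first row's date `5-Jun-23` lacks the zero padding every other row uses (`06-Jun-23`, `12-Jun-23`, …), so it sorts wrong wherever the column is treated as text. Several descriptions use raw inventory keys instead of display names: `oracle_ bpftool` (stray space), `synology_chat`, `oracle_jdk`, `apache_commonsText`, `dell optiplex_7470_ firmware` (trailing underscore) and `Halo version -1.0.0.0` (stray minus). The other months use product names, so normalize these to match, for example `Oracle JDK 7`, `Apache Commons Text`, `Dell OptiPlex 7470 firmware`.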
security Mdvm Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/mdvm-onboard-devices.md
ms.localizationpriority: medium
audience: ITPro
- - m365-security
- - tier1
- - essentials-manage
+- m365-security
+- tier1
+- essentials-manage
+- essentials-get-started
search.appverid: met150
security Api Update Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-update-incidents.md
search.appverid:
- MOE150 - MET150 Previously updated : 02/08/2024 Last updated : 04/09/2024 # Update incidents API
Property|Type|Description
status|Enum|Specifies the current status of the incident. Possible values are: `Active`, `Resolved`, `InProgress`, and `Redirected`. assignedTo|string|Owner of the incident. classification|Enum|Specification of the incident. Possible values are: `TruePositive` (True positive), `InformationalExpectedActivity` (Informational, expected activity), and `FalsePositive` (False Positive).
-determination|Enum|Specifies the determination of the incident. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `Multistage attack` (MultiStagedAttack), `Malicious user activity` (MaliciousUserActivity), `Compromised account` (CompromisedUser) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `UnwantedSoftware` (Unwanted software), and `Other` (Other). <li> <b>Informational, expected activity:</b> `SecurityTesting` (Security test), `LineOfBusinessApplication` (Line-of-business application), `ConfirmedActivity` (Confirmed activity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Clean` (Not malicious) - consider changing the enum name in public api accordingly, `NoEnoughDataToValidate` (Not enough data to validate), and `Other` (Other).
+determination|Enum|Specifies the determination of the incident. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `MultiStagedAttack` (Multi staged attack), `MaliciousUserActivity` (Malicious user activity), `CompromisedAccount` (Compromised account) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `UnwantedSoftware` (Unwanted software), and `Other` (Other). <li> <b>Informational, expected activity:</b> `SecurityTesting` (Security test), `LineOfBusinessApplication` (Line-of-business application), `ConfirmedActivity` (Confirmed activity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Clean` (Not malicious) - consider changing the enum name in public api accordingly, `NoEnoughDataToValidate` (Not enough data to validate), and `Other` (Other).
tags|string list|List of Incident tags. comment|string|Comment to be added to the incident.
Here's an example of the request.
PATCH https://api.security.microsoft.com/api/incidents/{id} ```
-### Request example
+### Request data example
```json {
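Review bot: The rewritten `determination` row still ships three internal editorial remarks ("consider changing the enum name in public api accordingly", after `CompromisedAccount`, `ConfirmedActivity` and `Clean`) in what is a public API reference; drop them before merging, since readers cannot act on them and they undercut confidence in the listed values. The rest of the row is an improvement because the enum value now comes first in backticks with the display name in parentheses, consistently across all three classifications.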
security Copilot In Defender Device Summary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/copilot-in-defender-device-summary.md
The device summary generated by Copilot contains noteworthy information about th
You can access the device summary capability through the following ways: 1. From the main menu, open the Device inventory page by selecting **Devices** under Assets. Choose a device to investigate from the list. Upon opening the device page, Copilot automatically summarizes the device information of the chosen device and displays the summary in the Copilot pane.+ :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page-small.png" alt-text="Screenshot of the device summary results in Copilot in Defender." lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-device-page.png":::+ 2. From an incident page, you can choose a device on the incident graph and then select **Device details** (1). On the device pane, select **Summarize** (2) to generate the device summary. The summary is displayed in the Copilot pane.+ :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-ΓÇîincident-small.png" alt-text="Screenshot highlighting the steps to access the device summary in an incident page in Copilot in Defender." lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-ΓÇîincident.png":::+ You can also access the device summary capability by choosing a device listed in the **Assets** tab of an incident. Select **Copilot** in the device pane to generate the device summary.+ :::image type="content" source="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets-small.png" alt-text="Screenshot highlighting the device summary option in the assets tab of an incident page in Copilot in Defender." lightbox="../../media/copilot-in-defender/device-summary/copilot-defender-device-summary-assets.png"::: Review the results. You can copy the results to clipboard, regenerate the results, or open the Copilot for Security portal by selecting the More actions ellipsis (...) 
on top of the device summary card.
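Review bot: The `source` and `lightbox` paths for the incident-page screenshot in step 2 contain a stray non-printing character (rendered here as "ΓÇî") between `copilot-defender-device-summary-` and `incident`, so the image reference will only resolve if the on-disk filename carries the same invisible character; rename both references to `copilot-defender-device-summary-incident-small.png` and `copilot-defender-device-summary-incident.png` to match the naming of the other two screenshots in this section.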
security Get Started Xdr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started-xdr.md
To turn on Teams notifications and chat after the initial setup, go to **Setting
:::image type="content" source="../../media/xdr/Teams-managed-response.png" alt-text="Screenshot of option to activate Teams for receiving managed response." lightbox="../../media/xdr/Teams-managed-response.png":::
-You can add new members to the channel by navigating to **Defender Experts team** > **More options (…)** > **Manage team** > **Add member**.
+You can add new members to the channel by navigating to **Defender Experts team** \> **More options (...)** > **Manage team** > **Add member**.
## Prepare your environment for the Defender Experts service
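Review bot: In the changed navigation path only the first separator is escaped (`\>`) while the two that follow (`> **Manage team** > **Add member**`) are left bare; a mid-line `>` does not start a blockquote, so either drop the backslash or escape all three for consistency with the rest of the article.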
security Integrate Microsoft 365 Defender Secops Readiness https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-readiness.md
The following list provides some examples of things that must be remediated in o
- **Infrastructure:** Large number of unsanctioned SaaS licenses, no container security, and others. - **Networking:** Performance issues due to low bandwidth, flat network, wireless security issues, and others.
-Use the guidance in [turning on Microsoft Defender XDR](m365d-enable.md) to capture the baseline set of configuration requirements. These steps will in turn determine remediation activities the SOC teams have to carry out to effectively develop use cases.
+Use the guidance in [turning on Microsoft Defender XDR](m365d-enable.md) to capture the baseline set of configuration requirements. These steps help determine remediation activities the SOC teams have to carry out to effectively develop use cases.
Adoption procedures and use case creation are described in Steps 3 and 4.
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
audience: ITPro
- admindeeplinkDEFENDER - intro-overview+
+- essentials-overview
+- tier1
adobe-target: true Last updated 03/28/2024
security Respond First Incident 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/respond-first-incident-365-defender.md
Title: Responding to your first incident in Microsoft Defender XDR description: The basics of responding to your first incident in Microsoft Defender XDR.
+f1.keywords:
- NOCSH ms.localizationpriority: medium audience: ITPro-+ - m365-security - m365solution-firstincident - highpri - tier1
+search.appverid:
- MOE150 - MET150 Last updated 01/22/2024
This guide has three main sections:
## Understanding incidents
-An [incident](incidents-overview.md) is a chain of processes created, commands, and actions that might not have coincided. An incident provides a holistic picture and context of suspicious or malicious activity. A single incident gives you an attack's complete context instead of triaging hundreds of alerts from multiple services.
+An [incident](incidents-overview.md) is a chain of processes created, commands, and actions that might not have coincided. An incident provides a holistic picture and context of suspicious or malicious activity. A single incident gives you an attack's complete context instead of triaging hundreds of alerts from multiple services.
> [!TIP] > For a limited time during January 2024, when you visit the **Incidents** page, Defender Boxed appears. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. To reopen Defender Boxed, in the Microsoft Defender portal, go to **Incidents**, and then select **Your Defender Boxed**.
Each incident contains automatically correlated [alerts](investigate-alerts.md)
## Incident triage
-Incident prioritization varies per responder, security team, and organization. [Incident response plans](/security/operations/incident-response-planning) and security teams' direction can mandate incident priority.
+Incident prioritization varies per responder, security team, and organization. [Incident response plans](/security/operations/incident-response-planning) and security teams' direction can mandate incident priority.
Microsoft Defender XDR has various indicators like incident severity, types of users, or threat types to triage and prioritize incidents. You can use any combination of these indicators readily available through the [incident queue](incident-queue.md) filters.
Learn how to classify incidents and alerts through this video:
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4LHJq] - ## Next steps -- [Analyze your first incident](respond-first-incident-analyze.md)
+- [Analyze your first incident](respond-first-incident-analyze.md)
- [Remediate your first incident](respond-first-incident-remediate.md) - Watch demos and the portal's new developments in action in the [Microsoft Defender XDR Virtual Ninja Training](https://adoption.microsoft.com/en-us/ninja-show/)
security Virus Initiative Criteria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/virus-initiative-criteria.md
The Microsoft Virus Initiative (MVI) helps organizations improve the security so
You can request membership if you're a representative of an organization that develops antimalware technology. Not all applicants are accepted into the program. To be considered for the MVI program, your organization must meet all the following requirements:
-1. Your commercially available security solution must provide real-time protection that detects, prevents, and remediates malicious software.
-2. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows.
-3. Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences, membership in industry organizations, or being reviewed in industry-standard reports such as AV-Comparatives, OPSWAT, or Gartner.
-4. Your organization must sign a non-disclosure agreement (NDA) with Microsoft.
-5. Your organization must sign a program license agreement.
-6. Your organization must be active in the program and meet all program requirements.
-7. Your security solution must meet all program requirements, which requires use of [Azure Code Signing](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669).
-8. Your security solution must have been certified within the last 12 months through independent testing by at least one of the organizations listed below. Yearly certification must be maintained.
+1. Your commercially available security solution must provide real-time protection that detects, prevents, and remediates malicious software.
+2. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows.
+3. Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences, membership in industry organizations, or being reviewed in industry-standard reports such as AV-Comparatives, OPSWAT, or Gartner.
+4. Your organization must sign a non-disclosure agreement (NDA) with Microsoft.
+5. Your organization must sign a program license agreement.
+6. Your organization must be active in the program and meet all program requirements.
+7. Your security solution must meet all program requirements, which requires use of [Azure Code Signing](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669).
+8. Your security solution must have been certified within the last 12 months through independent testing by at least one of the organizations listed below. Yearly certification must be maintained.
|Test Provider|Lab Test Type|Minimum Level / Score|
-|-||-|
-|[AV-Comparatives](https://www.av-comparatives.org/testmethod/real-world-protection-tests/) | Real-World Protection Test. | Approved rating|
-|[AV-Test](https://www.av-test.org/en/about-the-institute/certification/) | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted.| ΓÇó AV-TEST Certified (home) <br> ΓÇó AV-TEST Approved (corporate) |
-|[SKD Labs](http://www.skdlabs.com/) | Certification Requirements Product: Anti-virus or Antimalware. | Score >= 98.5% with On Demand, On Access and Total Detection tests |
-|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/) | VB100 Certification Test V1.1 | VB100 Certification |
-|[West Coast Labs](https://www.westcoastlabs.com/checkmark) | Checkmark Certified | Product validated minimum of grade A|
-|[SE Labs](https://selabs.uk/en/reports/consumers/) | Protection, Small Business, or Enterprise EP Protection Test. | ΓÇó Protection A rating <br> ΓÇó Small Business EP A rating <br>ΓÇó Enterprise EP Protection A rating |
-
+||||
+|[AV-Comparatives](https://www.av-comparatives.org/testmethod/real-world-protection-tests/)|Real-World Protection Test.|Approved rating|
+|[AV-Test](https://www.av-test.org/en/about-the-institute/certification/)|Must pass tests for Windows. Certifications for Mac and Linux aren't accepted.|<ul><li>AV-TEST Certified (home)<li></li>AV-TEST Approved (corporate)</li></ul>|
+|[SKD Labs](http://www.skdlabs.com/)|Certification Requirements Product: Anti-virus or Antimalware.|Score >= 98.5% with On Demand, On Access and Total Detection tests|
+|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/)|VB100 Certification Test V1.1|VB100 Certification|
+|[West Coast Labs](https://www.westcoastlabs.com/checkmark)|Checkmark Certified|Product validated minimum of grade A|
+|[SE Labs](https://selabs.uk/en/reports/consumers/)|Protection, Small Business, or Enterprise EP Protection Test.|<ul><li>Protection A rating<li></li>Small Business EP A rating<li></li>Enterprise EP Protection A rating</li></ul>|
## Apply now
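Review bot: The new delimiter row `||||` is not a valid Markdown table separator (each column needs at least one hyphen, e.g. `|---|---|---|`), so the table is at risk of rendering as plain text. The `<ul>` markup introduced in the AV-Test and SE Labs cells is also malformed: `<li></li>` inserts an empty item and leaves the next entry outside any `<li>`; write it as `<ul><li>AV-TEST Certified (home)</li><li>AV-TEST Approved (corporate)</li></ul>` and the equivalent three-item list for SE Labs.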
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
You can also get product updates and important notifications through the [messag
- (Preview) The **unified security operations platform** in the Microsoft Defender portal is now available. This release brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot in Microsoft Defender. For more information, see the following resources:
- - Blog announcement: [ΓÇïΓÇïUnified security operations platform ready to revolutionize protection and efficiency](https://aka.ms/unified-soc-announcement)
+ - Blog announcement: [Unified security operations platform ready to revolutionize protection and efficiency](https://aka.ms/unified-soc-announcement)
- [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690) - [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md) - [Microsoft Security Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md)
-
+ - (GA) **[Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md)** is now generally available. Copilot in Defender helps you investigate and respond to incidents faster and more effectively. Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence. - Copilot in Defender customers can now export incident data to PDF. Use the exported data to easily share incident data, facilitating discussions with your security teams and other stakeholders. For details, see **[Export incident data to PDF](manage-incidents.md#export-incident-data-to-pdf)**.-- **Notifications in the Microsoft Defender portal** are now available. On the top right-hand side of the Defender portal, select the bell icon to view all your active notifications. Different types of notifications are supported such as success, info, warning, and error. Dismiss individual notifications or dismiss all from the notifications tab.
+- **Notifications in the Microsoft Defender portal** are now available. On the top right-hand side of the Defender portal, select the bell icon to view all your active notifications. Different types of notifications are supported such as success, info, warning, and error. Dismiss individual notifications or dismiss all from the notifications tab.
## February 2024
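Review bot: The Copilot GA bullet mixes verb forms ("Copilot provides guided responses ..., helps you build KQL queries ..., provide file and script analyses, and enable you to summarize"); make them parallel, e.g. "provides file and script analyses, and enables you to summarize". Note also that this line folds three bullets (the GA item, the PDF export item and the notifications item) into one, so the list structure of the rendered page should be checked.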
You can also get product updates and important notifications through the [messag
- (Preview) **[Custom detection rules in Microsoft Graph security API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)** are now available. Create advanced hunting custom detection rules specific to your org to proactively monitor for threats and take action. >[!Warning]
-> The 2024-02 platform release causes inconsistent results for device control customers using removable media policies with disk/device-level access only (masks that are less of equal to 7). The enforcement might not work as expected.
+> The 2024-02 platform release causes inconsistent results for device control customers using removable media policies with disk/device-level access only (masks that are less of equal to 7). The enforcement might not work as expected.
> To mitigate this issue, rolling back to the previous version of the Defender platform is recommended. ## January 2024 -- **Defender Boxed is available for a limited period of time**. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more.
+- **Defender Boxed is available for a limited period of time**. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more.
- - Defender Boxed opens automatically when you go to the **Incidents** page in the Microsoft Defender portal.
+ - Defender Boxed opens automatically when you go to the **Incidents** page in the Microsoft Defender portal.
- If you close Defender Boxed and you want to reopen it, in the Microsoft Defender portal, go to **Incidents**, and then select **Your Defender Boxed**. - Act quickly! Defender Boxed is available only for a short period of time.
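Review bot: The device control warning keeps the wording "masks that are less of equal to 7" in the `+` line; it should read "masks that are less than or equal to 7", since this is the condition an admin will compare their policy against when deciding whether to roll back.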
You can also get product updates and important notifications through the [messag
- (GA) Microsoft Defender for Cloud alerts integration with Microsoft Defender XDR is now generally available. Learn more about the integration in [Microsoft Defender for Cloud in Microsoft Defender XDR](microsoft-365-security-center-defender-cloud.md). -- (GA) **Activity log** is now available within an incident page. Use the activity log to view all audits and comments, and add comments to the log of an incident. For details, see [Activity log](manage-incidents.md#activity-log).
+- (GA) **Activity log** is now available within an incident page. Use the activity log to view all audits and comments, and add comments to the log of an incident. For details, see [Activity log](manage-incidents.md#activity-log).
- (Preview) **[Query history](advanced-hunting-query-history.md) in advanced hunting** is now available. You can now rerun or refine queries you have run recently. Up to 30 queries in the past 28 days can be loaded in the query history pane.
You can also get product updates and important notifications through the [messag
- (GA) [Automatic attack disruption](automatic-attack-disruption.md) is now generally available. This capability automatically disrupts human-operated ransomware (HumOR), business email compromise (BEC), and adversary-in-the-middle (AiTM) attacks. -- (Preview) [Custom functions](advanced-hunting-custom-functions.md) are now available in advanced hunting. You can now create your own custom functions so you can reuse any query logic when you hunt in your environment.
+- (Preview) [Custom functions](advanced-hunting-custom-functions.md) are now available in advanced hunting. You can now create your own custom functions so you can reuse any query logic when you hunt in your environment.
## April 2023
You can also get product updates and important notifications through the [messag
- Microsoft is using a new weather-based naming taxonomy for threat actors. This new naming schema will provide more clarity and will be easier to reference. [Learn more about the new naming taxonomy](../intelligence/microsoft-threat-actor-naming.md).
-## March 2023
+## March 2023
- (Preview) Microsoft Defender Threat Intelligence (Defender TI) is now available in the Microsoft Defender portal.
The security operations team can view all actions pending approval, and the stip
## April 2022 -- (Preview) [Actions](advanced-hunting-take-action.md) can now be taken on email messages straight from hunting query results. Emails can be moved to other folders or deleted permanently.
+- (Preview) [Actions](advanced-hunting-take-action.md) can now be taken on email messages straight from hunting query results. Emails can be moved to other folders or deleted permanently.
- (Preview) The new [`UrlClickEvents` table](advanced-hunting-urlclickevents-table.md) in advanced hunting can be used to hunt for threats like phishing campaigns and suspicious links based on information coming from Safe Links clicks in email messages, Microsoft Teams, and Office 365 apps.
security Air Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-report-false-positives-negatives.md
Title: "How to report false positives or false negatives following automated investigation in Microsoft Defender for Office 365" description: Was something missed or wrongly detected by AIR in Microsoft Defender for Office 365? Learn how to submit false positives or false negatives to Microsoft for analysis. search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
security Tenant Allow Block List Urls Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure.md
This article describes how admins can manage entries for URLs in the Microsoft D
- An entry should be active within 5 minutes. - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/Security settings/Read-only**.
+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell):
+ - *Add and remove entries from the Tenant Allow/Block List*: Membership assigned with the following permissions:
+ - **Authorization and settings/Security settings/Detection tuning (manage)**
+ - *Read-only access to the Tenant Allow/Block List*:
+ - **Authorization and settings/Security settings/Read-only**.
+ - **Authorization and settings/Security settings/Core Security settings (read)**.
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): - *Add and remove entries from the Tenant Allow/Block List*: Membership in one of the following role groups: - **Organization Management** or **Security Administrator** (Security admin role).
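Review bot: The new *Read-only access to the Tenant Allow/Block List* item lists two permissions but, unlike the *Add and remove entries* item above it ("Membership assigned with the following permissions:"), does not say whether either one is sufficient; add "Membership assigned with one of the following permissions:" so a reader grants the least privilege that actually works. The two read-only bullets also end with a period while the Detection tuning bullet does not; make the punctuation consistent.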
security Zero Trust With Microsoft 365 Defender Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-trust-with-microsoft-365-defender-office-365.md
Title: Zero Trust with Microsoft Defender for Office 365 description: Microsoft Defender for Office 365 contributes to a strong Zero Trust strategy and architecture
-search.product: eADQiWindows 10XVcnh
search.appverid: met150 f1.keywords:
syntex Archive Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-compliance.md
- Title: Compliance features in Microsoft 365 Archive (Preview)---- Previously updated : 11/15/2023----
- - m365initiative-syntex
-description: Learn about compliance features for archived sites in Microsoft 365 Archive.
--
-# Compliance features in Microsoft 365 Archive
-
-> [!NOTE]
-> Microsoft Purview features work seamlessly with archived content. For example, you can apply retention hold on archived content without needing to unarchive it. Likewise, you can also archive content in retention hold without needing to move or delete it from retention scope.
-
-Archived SharePoint sites, just like active SharePoint sites, maintain a baseline level of data promises. These promises include the following considerations:
--- **Durability** ΓÇô All archived data is equally as durable as active SharePoint data.--- **Security** ΓÇô Archived sites or data have the same level of security as active sites or data.--- **Geo residence** ΓÇô All archived data stays within your geo compliance boundary.--- **Microsoft EU data boundary** ΓÇô All archived data complies with the EU data boundary promise.-
-The affect of Microsoft 365 Archive on compliance offerings includes the following elements:
--- **Data lifecycle management and records management** ΓÇô Archived sites still honor the retention and deletion periods from any retention policies or retention labels. For more information, see [How retention works with Microsoft 365 Archive](/purview/retention-policies-sharepoint#how-retention-works-with-microsoft-365-archive).--- **eDiscovery** ΓÇô eDiscovery still finds all content even if archived. However, eDiscovery won't be able to directly reactivate located files. Before exporting or viewing content of an eDiscovery case, the SharePoint admin has to reactivate the relevant sites.--- **Bring your own key (BYOK)** ΓÇô All archived content will comply with the BYOK promises, for any tenant who already uses the BYOK feature or enables it after archiving sites.--- **Permissions and access policies** ΓÇô These settings and policies are retained on the site throughout the archive and reactivation lifecycle (that is, archiving the site and then reactivating doesn't change the application of permissions or related access policies).
syntex Archive End User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-end-user.md
- Title: End user experience in Microsoft 365 Archive (Preview)---- Previously updated : 11/15/2023----
- - m365initiative-syntex
-description: Learn about end-user features for archived sites in Microsoft 365 Archive.
--
-# End user experience in Microsoft 365 Archive
-
-> [!NOTE]
-> This feature is currently in preview and subject to change. The feature is currently rolling out and might not yet be fully available to all organizations.
-
-End users aren't able to access or search for any content that has been archived. Whenever users try to access archived content, they see a message stating that the site has been archived.
-
-![Screenshot of the Site is archived message end users receive when they try to access content that has been archived.](../../media/content-understanding/site-is-archived-message.png)
-
-In Microsoft 365 Archive, admins have an option to set a custom URL where the users will be taken if they select **Request to reactivate** when they encounter archived content. As an admin, you can choose to send the end users to a form, ticketing system etc. This can take users to any place you choose, such as a form, a ticketing system, or other location. This custom URL can be set via a flag (``-ArchiveRedirectUrl``) in the Set-SPOTenant PowerShell cmdlet starting in version 16.0.23408.12000.
-
-For a multi-geo tenant, the URL needs to be set for each geo location.
-
-The **Request to reactivate** button won't be visible if a redirect URL hasn't been set.
-
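Review bot: This removal takes out the only text in the changeset that documents the `-ArchiveRedirectUrl` parameter of `Set-SPOTenant`, its minimum version (16.0.23408.12000), the per-geo requirement for multi-geo tenants, and the fact that the **Request to reactivate** button is hidden until the URL is set; confirm that this content has moved to another page or that a redirect is in place before deleting archive-end-user.md, otherwise admins lose the configuration reference.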
syntex Archive Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-faq.md
- Title: Frequently asked questions about Microsoft 365 Archive (Preview)---- Previously updated : 12/15/2023----
- - m365initiative-syntex
-description: Read frequently asked questions about Microsoft 365 Archive.
--
-# Frequently asked questions about Microsoft 365 Archive
-
-> [!NOTE]
-> This feature is currently in preview and subject to change. The feature is currently rolling out and might not yet be fully available to all organizations. Before you begin, read the [Microsoft 365 Archive preview terms and conditions](archive-preview-terms.md).
-
-#### What is the difference between Microsoft 365 Archive and SharePoint Advanced Management?
--- Microsoft 365 Archive gives the ability to archive a site in SharePoint.--- Storage for archived sites is metered and charged at a $0.05/GB/month rate vs. the normal standard storage rate of $0.20/GB/month. For more information, see [Pricing model for Microsoft 365 Archive (Preview)](archive-pricing.md).--- The site lifecycle management feature in SharePoint Advanced Management is a separate licensed offering that helps automate and orchestrate the movement of sites into the archive tier via admin-defined policies to remove manual operations. In other words, the site lifecycle management in SharePoint Advanced Management operates in conjunction with Microsoft 365 Archive.-
-#### How does Azure Blob compare to Microsoft 365 Archive?
-
-Microsoft 365 Archive allows you to keep your data in place in SharePoint, providing the following benefits not possible when the data is migrated elsewhere:
--- Archiving happens very quickly, usually withing minutes, regardless of the amount or size of content being archived.--- No need to manage data in a separate security and compliance domain, thereby allowing your security and compliance tooling to operate seamlesslyΓÇöincluding eDiscovery, retention policies, and more.--- Admin search indexes remain intact.--- Sites are archived and rehydrated without loss of metadata, security versioning, and more.-
-#### Can content in legal hold be archived?
-
-Yes, nearly all Microsoft Purview features will continue to operate as normal.
-
-#### Is content in archived sites searchable?
-
-Admin-level search and Purview-based search will operate like normal. End-user search is not currently supported, but end-user search is on our roadmap.
-
-#### Can I archive at the site-level and file-level?
-
-Currently, only full-site archiving and reactivating is possible in this offering. File-level granular archiving support will be released later in 2024.
-
-#### WhatΓÇÖs the availability timing of Microsoft 365 Archive for Microsoft Government Community Cloud (GCC) customers?
-
-Standard GCC rollout times apply.
syntex Archive Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-manage.md
- Title: Manage Microsoft 365 Archive (Preview)---- Previously updated : 11/15/2023----
- - m365initiative-syntex
-description: Learn how to archive, reactivate, and manage sites in Microsoft 365 Archive.
--
-# Manage Microsoft 365 Archive
-
-> [!NOTE]
-> This feature is currently in preview and subject to change. The feature is currently rolling out and might not yet be fully available to all organizations.
-
-## Archive a site
-
-Global admins and SharePoint admins can archive both non-group connected sites and group-connected sites from the SharePoint admin center. Archiving group-connected sites will archive only the site, and the rest of the group will continue being active. As soon as a site is archived, it stops consuming storage from active storage quota, and the storage starts being counted towards Microsoft 365 Archive storage. (There might be a delay in the change in storage being reflected in the admin center.)
-
-To learn more about different archive states, see [Archive states in Microsoft 365 Archive (Preview)](archive-states.md).
-
-When a site is archived, compliance features such as eDiscovery and retention labels continue to be applied to the site.
-
-1. In the SharePoint admin center, go to [**Active sites**](https://go.microsoft.com/fwlink/?linkid=2185220), and sign in with an account that has [admin permissions](/sharepoint/sharepoint-admin-role) for your organization.
-
- > [!NOTE]
- > If you have Office 365 operated by 21Vianet (China), sign in to the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=850627), then browse to the SharePoint admin center and open the **Active sites** page.
-
-2. In the left column, select one or more sites.
-
-3. Select **Archive**, and to confirm, select **Archive**.
-
-4. Archived sites can be seen on the **Archived sites** page in the SharePoint admin center.
-
- ![Screenshot of the Archived sites page in the SharePoint admin center.](../../media/content-understanding/archived-sites-page.png)
-
- > [!NOTE]
- > To archive a hub site, you first need to unregister it as a hub site. Archiving Microsoft Teams-connected sites with private or shared channel sites is not supported. Teams sites with standard channels are supported.
-
-## Manage archived sites
-
-Archived sites can be reactivated or deleted. Deletion of archived sites follows the same behavior as that of active sites; that is, a site doesn't need to be reactivated before being deleted. However, sites in the ΓÇ£ReactivatingΓÇ¥ state can't be deleted until reactivation completes.
-
-Admins can view details of the site, such as the URL, Archive Status, or Storage, from the **Archived sites** page.
-
-## Reactivate a site
-
-If there's a need to access the site content again, the sites need to be reactivated. After a site is archived, it stays in the ΓÇ£Recently ArchivedΓÇ¥ state for seven days. All reactivations from this state are free of cost and instantaneous. After seven days, the site enters the ΓÇ£ArchivedΓÇ¥ state. Reactivations might take up to 24 hours, and have an associated reactivation cost. To learn more about the costs and how pricing works, see [Pricing model](archive-pricing.md).
-
-After reactivation, the site will move back to the **Active sites** page. The site will resume its normal function, and the users will have the same access rights to the site and its content as they did before the site was archived. After reactivation is complete, the storage consumed by the site will accrue to your storage quota consumption.
-
-1. In the SharePoint admin center, go to [**Active sites**](https://go.microsoft.com/fwlink/?linkid=2185220), and sign in with an account that has [admin permissions](/sharepoint/sharepoint-admin-role) for your organization.
-
- > [!NOTE]
- > If you have Office 365 operated by 21Vianet (China), sign in to the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=850627), then browse to the SharePoint admin center and open the **Active sites** page.
-
-2. In the left column, select a site that needs to be reactivated.
-
-3. On the command bar, select **Archive**.
-
-4. On the **Archive** pane, select **Reactivate**.
-
-5. If you're trying to reactivate a site from ΓÇ£ArchivedΓÇ¥ state, you'll see a confirmation pop-up that shows an estimated price for reactivation. Select **Confirm** to reactivate. The site will enter the ΓÇ£ReactivatingΓÇ¥ state. It will move to active sites once reactivation is complete.
-
- ![Screenshot of an example site that you are reactivating in the SharePoint admin center.](../../media/content-understanding/reactivate-site-example.png)
-
-When you reactivate a site, its permissions, lists, pages, files, folder-structure, site-level policies, and other metadata will revert to the prearchival state, except if files are deleted from archived sites. The only two exceptions are when files are deleted while the site is archived:
--- Content in the recycle bin expires naturally, and that expiration continues while archived.-- Content marked to be deleted by retention policies will still be deleted as normal.-
-Other than these two exceptions, you can expect the site to be unchanged.
-
-## Change the archive status of site via PowerShell
-
-You can also change the status of an archived site by using the PowerShell cmdlet [**Set-SPOSiteArchiveState**](/powershell/module/sharepoint-online/set-spositearchivestate?view=sharepoint-ps&preserve-view=true).
-
-## Site templates supported
-
-|Template ID |Template |
-|||
-|1 |Document Workspace |
-|4 |Wiki Site |
-|9 |Blog |
-|32 |News Site |
-|64 |Team Site |
-|68 |Communication Site |
-
-
-<!
-|Template ID |Template |
-|||
-|0 |Global |
-|1 |Team Site |
-|2 |Meeting Workspace |
-|4 |Wiki Site |
-|7 |Document Center |
-|53 |Publishing Site |
-|60 | |
-|61 |Visio Process Repository |
-|64 |Group |
-|68 |Site Page Publishing / Comms Site |
-|95 |Developer Site |
-|2009 |Team Site ΓÇô SharePoint Online configuration |
-|6001 |Content Center |
-|6115 |Project Site |
-|6215 |Microsoft Project Site |
-|14483 |Records Center |
->
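Review bot: step 1 of "Reactivate a site" sends the admin to the Active sites page, but this same file says archived sites are listed and managed from the Archived sites page (step 4 of "Archive a site" and the "Manage archived sites" section), so a site in the Archived state is not where step 1 points; if the page is relocated, step 1 should open Archived sites. Three more items for the relocated copy: the block after the supported-templates table opens with `<!` and closes with a bare `>`, which is not a well-formed HTML comment, so the stale second template table may render; the sentence "except if files are deleted from archived sites. The only two exceptions are when files are deleted while the site is archived" states the exception twice; and reactivation from the Archived state is given here as "might take up to 24 hours" while the archive-states table removed in this same change says "might take a few hours", so the two pages should agree.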
syntex Archive Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-overview.md
- Title: Overview of Microsoft 365 Archive (Preview)---- Previously updated : 11/15/2023----
- - m365initiative-syntex
-description: Learn about how Microsoft 365 Archive can provide your with organization cost-effective storage solutions.
--
-# Overview of Microsoft 365 Archive
-
-> [!NOTE]
-> This feature is currently in preview and subject to change. The feature is currently rolling out and might not yet be fully available to all organizations. Before you begin, read the [Microsoft 365 Archive preview terms and conditions](archive-preview-terms.md).
-
-Microsoft 365 Archive offers cost-effective storage for inactive SharePoint sites.
-
-Your organization might need to keep inactive or aging data for long periods of time in case you need to retrieve it later. You might prefer to store the data in SharePoint to simplify searchability, security, compliance, and data lifecycle management.
-
-Microsoft 365 Archive allows you to retain this inactive data by moving it into a cold storage tier (archive) within SharePoint. Any data archived with Microsoft 365 Archive will have the same searchability, security, and [compliance](archive-compliance.md) standards applied automatically at a much reduced cost.
-
-Some additional advantages of using Microsoft 365 Archive are:
--- **Speed** ΓÇô Ultra-fast archive of sites of any size and any number of sites.--- **Cost savings** ΓÇô A lower list price on storage consumption beyond your license-allocated Microsoft 365 storage quota.--- **Lossless metadata** ΓÇô A site will retain all of its metadata and permissions upon reactivation.--- **Decluttering** ΓÇô Explicit separation between active and inactive content to help you manage your site's lifecycle.-
-Microsoft 365 Archive, coupled with the Microsoft 365 search index and the [Microsoft Purview](/purview/purview) feature set, provides a powerful combination for your long-term data management needs at a price point that matches the lifecycle of your content. Microsoft 365 Archive is controlled in the SharePoint admin center by global or SharePoint admins.
-
-When a site is archived, it goes into an explicitly colder tier, no longer consumes a tenantΓÇÖs active storage quota, and instead drives Microsoft 365 Archive storage consumption. Being in this colder tier means the site is no longer accessible by anyone in the organization outside of Microsoft Purview or admin search.
-
-Archiving a site archives everything within it, including:
--- Document libraries and files-- Lists and list data-
-> [!NOTE]
-> Microsoft 365 Archive (Preview) is currently rolling out. More features will be rolled out as they become available.
-
-Administrators should notify the site owners and end users before a site is archived so they're aware that the site won't be accessible.
-
-## Preview limitations
-
-> [!NOTE]
-> These limitations are temporary during the preview. Unless otherwise stated, these limitations will be resolved when the product is available for general release.
--- As a part of the preview, tenants with more than 50,000 sites might face issues while trying to enumerate archived sites on the **Archived sites** page. Applicable enhancements are scheduled to roll out in the future. In this scenario, PowerShell can be used to more efficiently archive sites and manage archived content.--- Currently, archived content exported via eDiscovery doesn't require site reactivation for exporting, but will require it before general release.--- Currently, end user search results won't show any archived content.--- Columns such as Archived Date and Archived By aren't currently available but are planned and will be rolled out when available.--- For multi-geo tenants, while data residency requirements are honored, site moves aren't supported. Archived sites will need to be reactivated prior to any move.--- Currently, tenant rename isn't supported on archived sites. Sites will need to be reactivated before a tenant rename is triggered.--- Archiving a site that is currently enrolled in Microsoft 365 Backup will be blocked.--- If you archive a site that has a library syncing to a device, that device's sync client will display errors after the site is archived. We recommend that you remove syncing libraries before archiving a site.
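Review bot: the description metadata reads "provide your with organization cost-effective storage solutions" (words transposed) and should not be carried over as-is if this file is moved. The preview-limitations bullet that says eDiscovery export "will require" site reactivation before general release sits alongside the FAQ (removed earlier in this change) stating that nearly all Purview features continue to operate as normal; align those two statements wherever the content lands. Both this overview and the setup page link to archive-preview-terms.md, which is also deleted here, so a redirect is needed if any of these pages survive elsewhere.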
syntex Archive Preview Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-preview-terms.md
- Title: Microsoft 365 Archive public preview terms and conditions---- Previously updated : 11/15/2023----
- - m365initiative-syntex
-description: Read the preview terms and conditions for Microsoft 365 Archive (Preview).
--
-# Microsoft 365 Archive preview terms
-
-Effective Date: November 15, 2023
-
-"Company" means the Enterprise customer that uses this Preview Feature.
-
-**By using this Preview Feature, you accept these Terms and Conditions and all rights and obligations within. If you do not agree to these Terms and Conditions, DO NOT use the Preview Feature.** These Terms and Conditions govern the use of the Preview Feature offerings as described below.
-
-"Feedback" is all suggestions, comments, feedback, ideas, or know how, in any form, that Company provides to Microsoft. It doesn't include sales forecasts, financial results, future release scheduled, marketing plans and high-level product plans or feature lists for anticipated products.
-
-**MICROSOFT OFFERING**: The goal of the Microsoft 365 Archive is to provide customers with a cost-effective, long-term storage for their inactive aging content. Customers can archive their SharePoint site using Microsoft 365 Archive from SharePoint Admin Center. Admins can also reactivate an archived site that will move the site and its contents from archived (cold tier) storage to SharePoint tenant (standard tier) storage.
-
-**PREVIEW FEATURE**: To terminate your Feature Preview during the Preview Period, stop using the Preview Feature. Microsoft may change or discontinue the Preview Feature at any time with or without notice. Microsoft may also choose not to make the Preview Feature commercially available.
-
-During the Preview Period, Company allows its SharePoint tenant admins to Archive SharePoint sites. Company must be aware that this is a preview service and all the limitations described in these Terms and Conditions, including but not limited, that Microsoft may change or discontinue the Preview Feature at any time and that Microsoft may also choose not to make the Preview Feature commercially available.
-
-Prerequisite Requirements to enable Microsoft 365 Archive pay-as-you-go are:
-
-1. An Azure subscription with admin access as owner or contributor on the subscription
-
-2. A Microsoft 365 tenancy with either Microsoft 365 admin access or SharePoint admin access
-
-3. An Azure resource group
-
-No SLA applies to this Feature Preview.
-
-THE PREVIEW FEATURE IS PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." Microsoft provides no performance guarantee for the Feature Preview (including accompanying URLs provided for embedded or unauthenticated viewing) and Company bear the risk of using it. The Feature Preview isn't included in the SLA for Microsoft Syntex and may not be covered by customer support.
-
-**<ins>LICENSE</ins>**
-
-If Company provides Feedback, Company grants to Microsoft, without charge, the nonexclusive License to make, modify, distribute, or otherwise commercialize the Input as part of any Microsoft offering.
-
-The above License doesn't extend to any technologies that may also be necessary to make or use any offering or portion thereof that incorporates the Feedback but aren't themselves expressly part of the Input (for example, enabling technologies).
-
-**<ins>PAYMENT TERMS</ins>**
-
-Microsoft 365 Archive use pay-as-you-go (PAYG) billing through an Azure subscription. Microsoft 365 Archive billing is determined by how much data in GB you archive using Microsoft 365 Archive. Company will be able to view this usage as meter events through the Azure subscription it chooses.
-
-Microsoft 365 Archive Feature Preview pricing is as follows:
--
-|Microsoft 365 Archive Meters |Meter Unit |Price |
-||||
-|Archive storage |$/GB/Month |$0.05 |
-|Restore |$/GB |$0.60 |
-
-Company won't be charged for reactivation of an archived content within the first seven days of free reactivation period. If they reactivate after the seven days period, the restore meter charge of $0.60/GB will apply.
-
-**<ins>LENGTH OF OBLIGATIONS; DISCLOSURE</ins>**
-
-**Preview Period.** The Preview Period continues in effect until <ins>June 30, 2024, or 30 days after Commercial General Availability of the Preview Feature, whichever is first</ins>. Company may terminate their use of the Preview Feature at any time. Terminating use of the Preview Feature won't change any of the rights, licenses granted, or duties made while the Preview Period is in effect. Termination is defined as i) the CompanyΓÇÖs termination of use of the Preview Feature and/or ii) the Preview Period ends.
-
-**Effects upon Termination.** Once terminated, Company will no longer have access to Microsoft 365 Archive and all the archived content if Microsoft doesn't continue with the then generally available Microsoft 365 Archive use pay-as-you-go (PAYG) billing through an Azure subscription should Microsoft choose to make the Microsoft 365 Archive service generally available.
-
-**<ins>TERMINATION FOR NON-PAYMENT</ins>**
-
-In case the CompanyΓÇÖs Azure subscription goes into an unhealthy stage of deleted or canceled or suspended, we'll prevent any future archival and restores until the subscription is back to a healthy state. Company has 30 days to recover any archived data and restores by bringing back the subscription to an active state. If no action is taken from the Company to bring subscription back to active state in 30 days, we'll soft delete the archived data from systems after this 30 days. Upon reactivation, Company must also pay for Microsoft 365 Archive usage for the days the subscription was in unhealthy state.
-
-This Agreement can't be extended. Microsoft may also choose not to make the Preview Feature commercially available.
-
-**<ins>REPRESENTATIONS AND LIMITATIONS</ins>**
-
-**Input.** Company represents that it will not give any Feedback that:
-
-1. Violates any copyright or trade secret claim or right of any third party;
-
-2. It has reason to believe violates any patent claim or right of any third party; or
-
-3. Is subject to an excluded license.
-
-**Authority.** Company represents it has all rights and authority necessary to be legally bound to these Terms and Conditions and grant the rights described therein for itself and its affiliates.
-
-**Limitations.** All information, materials, and feedback are provided ΓÇ£as-isΓÇ¥ and Microsoft bears the risk of using them; Company gives no express warranties, guarantees, or conditions as to its Feedback; and to the extent permitted under local law, Company excludes the implied warranties of merchantability, fitness for a particular purpose, title, and noninfringement as to its Input.
-
-**<ins>LIMITATIONS ON AND EXCLUSIONS OF REMEDIES AND DAMAGES</ins>**
-
-Except as described herein, the only remedy for claims relating to these Terms and Conditions is for Company to terminate its use of the Preview Feature. Neither Party can recover any damages, including direct, consequential, lost profits, special, punitive, indirect, or incidental damages from the other. This limitation applies:
-
-1. To claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
-
-2. Even if one of us knew or should have known about the possibility of the damages.
-
-The limitations in this section don't apply to claims arising from or in connection with any infringement, misuse, or misappropriation by one of us of the otherΓÇÖs intellectual property rights.
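Review bot: the terms define "Feedback", but the LICENSE and REPRESENTATIONS AND LIMITATIONS sections grant rights on and disclaim warranties for "the Input", a term that is never defined; that should be one defined term throughout. Smaller slips in the same text: "Company bear the risk", "future release scheduled", and "Microsoft 365 Archive use pay-as-you-go (PAYG) billing". The removed overview and setup pages both point readers to this terms page before they begin, so if those pages live on elsewhere the old archive-preview-terms.md URL needs a redirect.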
syntex Archive Pricing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-pricing.md
- Title: Pricing model for Microsoft 365 Archive (Preview)---- Previously updated : 11/15/2023----
- - m365initiative-syntex
-description: Learn about the pricing model for storage consumption and site reactivation in Microsoft 365 Archive.
--
-# Pricing model for Microsoft 365 Archive
-
-> [!NOTE]
-> This feature is currently in preview and subject to change. The feature is currently rolling out and might not yet be fully available to all organizations.
-
-Microsoft 365 Archive charges you for storage and reactivation.
--- **Storage consumption** that is charged at a per-GB monthly rate. This meter is only charged when archived storage plus active storage in SharePoint exceeds a tenantΓÇÖs included or licensed allocated SharePoint storage capacity limit. In other words, there's no additional storage cost for archived sites if the tenant hasn't yet consumed its already licensed Storage quota. For more information about storage quota limits, see [SharePoint limits](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits).--- **Site reactivation** that is charged at a per-GB rate. The reactivation fee is charged regardless of whether a tenant is above or below its SharePoint capacity limit and only if reactivation is executed more than seven days after the site was most recently put into an archive state. This seven-day grace period provides you with the opportunity to reverse an accidental archival without reaction costs. -
-Monthly archive usage is calculated as the sum of the usage of all currently archived sites. Each siteΓÇÖs usage is equal to the site storage usage of that site, which can be seen on the site itself or from the Active sites page in the SharePoint admin center. The size of an archived site, and therefore the storage for which it's billed, can only change if the content in the site changes (for example, content naturally expiring in the recycle bin or a retention policy deleting content within the site directly from archive to the recycle bin).
-
-To see the pricing for Microsoft 365 Archive, see [Pay-as-you-go services and pricing for Microsoft Syntex](../syntex-pay-as-you-go-services.md).
-
-### Cost savings if you archive with Microsoft 365 Archive
-
-The following table helps visualize the savings you'll realize by archiving content based on the frequency and percent of all archived content you're restoring. The key takeaway is that if you are not reactivating more than 30% of your data more than twice a year, you'll achieve most of the savings offered by the product.
-
-![Table showing the COGS savings if you archive with Microsoft 365 Archive.](../../media/content-understanding/archive-cogs-savings.png)
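Review bot: "reverse an accidental archival without reaction costs" in the site-reactivation bullet should read "reactivation costs", and the "Cost savings" heading is an H3 directly under the H1 with no H2 between them. The savings table exists only as an image, so the takeaway that reactivating no more than 30% of data no more than twice a year keeps most of the savings has no text a reader can search or a screen reader can announce; if the page is relocated, carry the figures over as a markdown table with alt text that states the same conclusion.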
syntex Archive Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-setup.md
- Title: Set up Microsoft 365 Archive (Preview)---- Previously updated : 11/15/2023----
- - m365initiative-syntex
-description: Learn how to set up and configure Microsoft 365 Archive.
--
-# Set up Microsoft 365 Archive
-
-> [!NOTE]
-> This feature is currently in preview and subject to change. The feature is currently rolling out and might not yet be fully available to all organizations.
-
-Microsoft 365 Archive follows a pay-as-you-go model, and is configured through the Microsoft 365 admin center. Before you begin, read the [Microsoft 365 preview terms and conditions](archive-preview-terms.md).
-
-![Diagram showing four steps of the setup process for Microsoft 365 Archive.](../../media/content-understanding/archive-setup-diagram.png)
-
-To set up Microsoft 365 Archive, follow these steps:
-
-1. Create an [Azure subscription](/azure/cloud-adoption-framework/ready/azure-best-practices/initial-subscriptions) and [resource group](/azure/azure-resource-manager/management/manage-resource-groups-portal).
-2. [Set up pay-as-you-go billing](../syntex-azure-billing.md) for Syntex in the Microsoft 365 admin center.
-3. [Turn on Microsoft 365 Archive](#set-up-microsoft-365-archive) in the Microsoft 365 admin center.
-4. [Manage Microsoft 365 Archive](archive-manage.md) in the SharePoint admin center.
-
-## Prerequisites
-
-### Licensing
-
-Before you can use Microsoft 365 Archive, you must first link your Azure subscription in [Syntex pay-as-you-go](../syntex-azure-billing.md). Microsoft 365 Archive is billed based on the number of gigabytes (GB) archived and number of gigabytes (GB) reactivated. For more information about pricing, see [Pricing model](archive-pricing.md).
-
-To set up pay-as-you-go billing, see [Configure Microsoft Syntex for pay-as-you-go billing at Syntex billing](../syntex-azure-billing.md).
-
-> [!NOTE]
-> Currently in Microsoft 365 Archive (Preview), you will not be able to set up pay-as-you-go billing for two regions: US_West or Canada_East.
-
-### Permissions
-
-You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up Microsoft 365 Archive.
-
-## Set up Microsoft 365 Archive
-
-Once pay-as-you-go billing has been enabled for Syntex on Microsoft 365 admin center, Microsoft 365 Archive can be enabled.
-
-1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>, and then select **Use content AI with Microsoft Syntex**.
-
-2. On the **Use content AI with Microsoft Syntex** page, select **Manage Microsoft Syntex**.
-
-3. On the **Manage Microsoft Syntex** page, select **Archive (Preview)**.
-
-4. On the **Archive (Preview)** page, select **Turn on**, and on the confirmation pane, select **Confirm**.
-
- ![Screenshot of the Microsoft 365 Archive page in the admin center showing how to turn on Archive.](../../media/content-understanding/turn-on-archive-admin-center.png)
-
-Microsoft 365 Archive is now enabled for you, and you're able to archive content from the SharePoint admin center.
-
-## Turn off Microsoft 365 Archive
-
-To turn off Microsoft 365 Archive:
-
-1. On the **Manage Microsoft Syntex** page, select **Archive (Preview)**.
-
-2. On the **Archive (Preview)** page, select **Turn off**.
-
-When you turn off Microsoft 365 Archive, any further archiving stops. The sites already archived will continue to be in an archive state, and will be billed. The sites can be reactivated with reactivation cost or deleted.
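Review bot: step 1 of "Set up Microsoft 365 Archive" uses a raw HTML anchor with target="_blank" while every other link in the file is a markdown link, and the "Before you begin" sentence links to "Microsoft 365 preview terms and conditions" although the target page is titled "Microsoft 365 Archive preview terms". The "Turn off" section is the only place that tells the customer already-archived sites keep being billed after the feature is turned off and can only be reactivated at cost or deleted; make sure that statement survives wherever this content lands, since it directly affects spend.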
syntex Archive States https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-states.md
- Title: Archive states in Microsoft 365 Archive (Preview)---- Previously updated : 11/15/2023----
- - m365initiative-syntex
-description: Learn about the archive states and what they mean in Microsoft 365 Archive.
--
-# Archive states in Microsoft 365 Archive
-
-> [!NOTE]
-> This feature is currently in preview and subject to change. The feature is currently rolling out and might not yet be fully available to all organizations.
-
-The following table describes the archive states and allowed operations.
-
-|Archive state |Description |Allowed operations |
-||||
-|Recently Archived |This state is the first stage after a site is archived and is valid for seven days. A site in this stage can be reactivated without any cost and will be reactivated instantaneously. |Reactivate, Delete |
-|Archived |The site enters this state after seven days after being archived. In this stage, reactivations will be charged, and might take a few hours. |Reactivate, Delete |
-|Reactivating |If a site is reactivated from ΓÇ£ArchivedΓÇ¥ state, it will be in this stage until reactivation is complete. After this, the site will be active, and will be available in Active sites page. |None |