+As part of onboarding to Office 365 DoD, you need to add your SMTP and SIP domains to your Online Services tenant. You do this using the New-MsolDomain cmdlet in Azure AD PowerShell or use the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership.

+Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organizationΓÇÖs needs with respect to one or more inbound MX records and any existing Exchange Autodiscover records you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.

+| MX | 0 | @ | *tenant*.mail.protection.office365.us (for more information, see below) | One Hour |

+If you have Exchange Server on-premises, we recommend leaving your existing record in place while you migrate to Exchange Online, and update that record once you complete your migration.

+## External DNS records required for Teams

+> If you have an existing *msoid* CNAME record in your DNS zone, you must **remove** the record from DNS at this time. The msoid record is incompatible with Microsoft 365 Enterprise Apps *(formerly Office 365 ProPlus)* and will prevent activation from succeeding.

+As part of onboarding to Office 365 GCC High, you need to add your SMTP and SIP domains to your Online Services tenant. You do this using the New-MsolDomain cmdlet in Azure AD PowerShell or using the [Azure Government Portal](https://portal.azure.us) to start the process of adding the domain and proving ownership.

+Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organizationΓÇÖs needs with respect to one or more inbound MX records and any existing Exchange Autodiscover records you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.

+| MX | 0 | @ | *tenant*.mail.protection.office365.us (for more information, see below) | One Hour |

+If you have Exchange Server on-premises, we recommend leaving your existing record in place while you migrate to Exchange Online, and update that record once you complete your migration.

+## External DNS records required for Teams

+> If you have an existing *msoid* CNAME record in your DNS zone, you must **remove** the record from DNS at this time. The msoid record is incompatible with Microsoft 365 Enterprise Apps *(formerly Office 365 ProPlus)* and will prevent activation from succeeding.

+- essentials-get-started

+- essentials-manage

+- essentials-overview

+- essentials-get-started

+- essentials-get-started

+**Applies to:**

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)

+- Microsoft Defender Antivirus

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+Many of these engines are built into the client and provide advanced protection against most threats in real time.

+These next-generation protection engines provide [industry-best](/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) detection and blocking capabilities and ensure that protection is:

+Microsoft Defender Antivirus does hybrid detection and protection. What this means is, detection and protection occur on the client device first, and works with the cloud for newly developing threats, which results in faster, more effective detection and protection.

+When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources.

+|On the client|In the cloud|

+|**Machine learning (ML) engine** <br/> A set of light-weight machine learning models make a verdict within milliseconds. These models include specialized models and features that are built for specific file types commonly abused by attackers. Examples include models built for portable executable (PE) files, PowerShell, Office macros, JavaScript, PDF files, and more.|**Metadata-based ML engine** <br/> Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened [monotonic models](https://www.microsoft.com/security/blog/2019/07/25/new-machine-learning-model-sifts-through-the-good-to-unearth-the-bad-in-evasive-malware/), analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution.|

+|**Behavior monitoring engine** <br/> The behavior monitoring engine monitors for potential attacks post-execution. It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules.|**Behavior-based ML engine** <br/> Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration.|

+|**Memory scanning engine** <br/> This engine scans the memory space used by a running process to expose malicious behavior that could be hiding through code obfuscation.|**Antimalware Scan Interface (AMSI)-paired ML engine** <br/> Pairs of client-side and cloud-side models perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks. These models include a pair of models for each of the scripting engines covered, including PowerShell, JavaScript, VBScript, and Office VBA macros. Integrations include both dynamic content calls and/or behavior instrumentation on the scripting engines.|

+|**AMSI integration engine** <br/> Deep in-app integration engine enables detection of fileless and in-memory attacks through [AMSI](/windows/desktop/AMSI/antimalware-scan-interface-portal), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side.|**File classification ML engine** <br/> Multi-class, deep neural network classifiers examine full file contents, provides an extra layer of defense against attacks that require more analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file.|

+|**Heuristics engine** <br/> Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.|**Detonation-based ML engine** <br/> Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.|

+|**Emulation engine** <br/> The emulation engine dynamically unpacks malware and examines how they would behave at runtime. The dynamic emulation of the content and scanning both the behavior during emulation and the memory content at the end of emulation defeat malware packers and expose the behavior of polymorphic malware.|**Reputation ML engine** <br/> Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Defender for Office 365 for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.|

+|**Network engine** <br/> Network activities are inspected to identify and stop malicious activities from threats.|**Smart rules engine** <br/> Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.|

+Together with [attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), which includes advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall, [next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) engines deliver Microsoft Defender for Endpoint's prebreach capabilities, stopping attacks before they can infiltrate devices and compromise networks.

+These protections are further amplified through [Microsoft Defender XDR](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-xdr), Microsoft's comprehensive, end-to-end security solution for the modern workplace. Through [signal-sharing and orchestration of remediation across Microsoft's security technologies](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783), Microsoft Defender XDR secures identities, endpoints, email and data, apps, and infrastructure.

+## Memory protection and memory scanning

+Microsoft Defender Antivirus (MDAV) provides memory protection with different engines:

+|Behavior Monitoring|Behavior-based Machine Learning|

+|Antimalware Scan Interface(AMSI) integration|AMSI-paired Machine Learning|

+|Emulation|Detonation-based Machine Learning|

+|Memory scanning|N/A|

+### How many malware threats does Microsoft Defender Antivirus block per month?

+### How does Microsoft Defender Antivirus memory protection help?

+### Do you all focus your detections/preventions in one specific geographic area?

+No, we are in all the geographical regions (Americas, EMEA, and APAC).

+### Do you all focus on specific industries?

+We focus on every industry.

+### Do your detection/protection require a human analyst?

+When you're pen-testing, you should demand where no human analysts are engaged on detect/protect, to see how the actual antivirus engine (prebreach) efficacy truly is, and a separate one where human analysts are engaged.You can add [Microsoft Defender Experts for XDR](/microsoft-365/security/defender/dex-xdr-overview) a managed extended detection and response service to augment your SOC.

+The ***continuous iterative enhancement*** each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent [top scores in industry tests](/microsoft-365/security/defender/top-scoring-industry-tests), but more importantly, translate to [threats and malware outbreaks](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) stopped and [more customers protected](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/).

+ Title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"

+ms.localizationpriority:

+search.appverid: MET150

+f1.keywords:

+audience:

+ai-usage:

+- ai-assisted

+__Platforms:__

+Because memory is volatile, and fileless malware doesn't place files on disk, establishing persistence by using fileless malware can be tricky. One example of how fileless malware achieved persistence was to create a registry run key that launches a ΓÇ£one-linerΓÇ¥ PowerShell cmdlet. This command launched an obfuscated PowerShell script that was stored in the registry BLOB. The obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry. The script stored in the registry ensured the malware persisted.

+Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:

+- **Reflective DLL injection** Reflective DLL injection involves the manual loading of malicious DLLs into a processΓÇÖ memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.

+- **Memory exploits** Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, which lives entirely in the kernelΓÇÖs memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.

+- **Script-based techniques** Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.

+Microsoft Defender Antivirus blocks most malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Microsoft Defender Antivirus protects against fileless malware through these capabilities:

+- Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation

+- Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed

+- Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring

+integration.

+- [Windows Defender Application Control and AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). Enforces strong code Integrity policies and to allow only trusted applications to run. In the context of fileless malware, WDAC locks down PowerShell to Constrained Language Mode, which limits the extended language features that can lead to unverifiable code execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects. This essentially mitigates PowerShell-based reflective DLL injection attacks.

+- [Enable virtualization-based protection of code integrity](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity). Mitigates kernel-memory exploits through Hypervisor Code Integrity (HVCI), which makes it difficult to inject malicious code using kernel-mode software vulnerabilities.

+|Name|Type|Description|

+|:|:|:|

+|Authorization | String | Bearer {token}. **Required**.|

+ "IndicatorIds": [ "1", "2", "5" ]

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+Behavior monitoring is a critical detection and protection functionality of Microsoft Defender Antivirus.

+Monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on signature-based detection (which identifies known malware patterns), behavior monitoring focuses on observing how software behaves in real-time. HereΓÇÖs what it entails:

+1. Real-Time Threat Detection:

+ - Continuously observe processes, file system activities, and interactions within the system.

+ - Defender Antivirus can identify patterns associated with malware or other threats. For example, it looks for processes making unusual changes to existing files, modifying or creating automatic startup registry (ASEP) keys, and other alterations to the file system or structure.

+2. Dynamic Approach:

+- Unlike static, signature-based detection, behavior monitoring adapts to new and evolving threats.

+- Microsoft Defender Antivirus uses predefined patterns, and observes how software behaves during execution. For malware that doesnΓÇÖt fit any predefined pattern, Microsoft Defender Antivirus uses anomaly detection.

+- If a program shows suspicious behavior (for example, attempting to modify critical system files), Microsoft Defender Antivirus can take action to prevent further harm, and revert some previous malware actions.

+Behavior monitoring enhances Defender AntivirusΓÇÖs ability to proactively detect emerging threats by focusing on real-time actions and behaviors rather than relying solely on known signatures.

+The following features depend on behavior monitoring.

+**Anti-malware**:

+- Indicators, File hash, allow/block

+**Network Protection**:

+- Indicators, IP address/URL, allow/block

+> [!NOTE]

+> Behavior monitoring is protected by tamper protection.

+||||

+```powershell

+Set-MpPreference -DisableBehaviorMonitoring <true | false>

+```

+- `True` disables Behavior monitoring.

+For more information, see [Set-MpPreference](/powershell/module/defender/set-mppreference#-disablebehaviormonitoring).

+```powershell

+Get-MpComputerStatus | Format-Table BehaviorMonitorEnabled

+```

+If the value returned is `true`, behavior monitoring is enabled.

+```kusto

+let EvalTable = DeviceTvmSecureConfigurationAssessment

+| where ConfigurationId in ("scid-91")

+| summarize arg_max(Timestamp,IsCompliant, IsApplicable) by DeviceId, ConfigurationId,tostring(Context)

+| extend Test = case(

+ConfigurationId == "scid-91" , "BehaviorMonitoring",

+"N/A"),

+Result = case(IsApplicable == 0,"N/A",IsCompliant == 1 , "Enabled", "Disabled")

+| extend packed = pack(Test,Result)

+| summarize Tests = make_bag(packed) by DeviceId

+| evaluate bag_unpack(Tests);

+let DefUpdate = DeviceTvmSecureConfigurationAssessment

+| where ConfigurationId == "scid-2011"

+// | where isnotnull(Context)

+| extend Definition = parse_json(Context[0][0])

+| extend LastUpdated = parse_json(Context[0][2])

+| project DeviceId,Definition,LastUpdated;

+let DeviceInformation = DeviceInfo

+| where isnotempty(OSPlatform)

+| summarize arg_max(Timestamp,*) by DeviceId, DeviceName

+| project DeviceId, DeviceName, MachineGroup;

+let withNames = EvalTable

+| join kind = inner DeviceInformation on DeviceId

+| project-away DeviceId1

+| project-reorder DeviceName, MachineGroup;

+withNames | join kind = fullouter DefUpdate on DeviceId

+| project-away DeviceId1

+For more information, see [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+- essentials-privacy

+- essentials-security

+- essentials-compliance

+ Title: Device control policies in Microsoft Defender for Endpoint

+description: Learn about Device control policies in Defender for Endpoint

+f1.keywords: NOCSH

+This article describes device control policies, rules, entries, groups, and advanced conditions. Essentially, device control policies define access for a set of devices. The devices that are in scope are determined by a list of included device groups and a list of excluded device groups. A policy applies if the device is in all of the included device groups and none of the excluded device groups. If no policies apply, then the default enforcement is applied.

+When device control is enabled, it's enabled for all device types by default. The default enforcement can also be changed from *Allow* to *Deny*. Your security team can also configure the types of devices that device control protects. The following table below illustrates how various combinations of settings change the access control decision.

+| Yes | Deny removable media devices and printers | - Printers and removable media devices (blocked) <br/>- CD/DVD drives and Windows portable devices (allowed) |

+> [!NOTE]

+> In the articles related to device control, groups of users are referred to as <i>user groups</i>. The term <i>groups</i> refer to [groups](#groups) defined in the device control policy.

+On Windows, a user or user group can be a condition on an [entry](#entries) in a policy.

+Entries with user or user groups can reference objects from either Entra Id or a local Active Directory.

+A rule defines the list of included groups and a list of excluded groups. For the rule to apply, the device must be in all of the included groups and none of the excluded groups. If the device matches the rule, then the entries for that rule are evaluated. An entry defines the action and notification options applied, if the request matches the conditions. If no rules apply or no entries match the request then the default enforcement is applied.

+ ...

+ ...

+ ...

+Device control policies define access (called an entry) for a set of devices. Entries define the action and notification options for devices that match the policy and the conditions defined in the entry.

+> [!NOTE]

+- **Print** (Print = 64).

+| `Sid` | Local user SID or user SID group, or the SID of the Microsoft Entra object or the Object ID. It defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the device. | SID |

+| `ComputerSid` | Local computer SID or computer SID group, or the SID of the Microsoft Entra object or the Object Id. It defines whether to apply this policy over a specific device or device group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the device. If you want to apply an Entry to a specific user and specific device, add both SID and ComputerSID into the same Entry. | SID |

+Device control applies an access mask to determine if the request matches the entry. The following actions are available on `CdRomDevices`, `RemovableMediaDevices`, and `WpdDevices`:

+You can have multiple access settings by performing a binary OR operation. Here's an example:

+| `enforcement $type` | Defines the action for the removable storage groups in `includedGroups`. <br/>- `allow` <br/>- `deny` <br/>- `auditAllow`: Defines notification and event when access is allowed <br/>- `AuditDeny`: Defines notification and event when access is denied; has to work together with the Deny entry. <br/><br/>When there are conflict types for the same media, the system applies the first one in the policy. An example of a conflict type is Allow and Deny. | The `enforcement $type` attribute can be one of the following values:<br/>- `allow`<br/>- `deny`<br/>- `auditAllow`<br/>- `auditDeny` |

+| `$type` | The type of entry. The type determines the operations that can be protected by device control | The `$type` attributes can be any of the following values:<br/>- `removableMedia`<br/>- `appleDevice`<br/>- `PortableDevice`<br/>- `bluetoothDevice` |

+| `access` | A list of operations that this entry grants | See the next section, "Understand access on Mac" |

+There are two kinds of access for an entry: generic and device type specific.

+| `appleDevice` | `backup_device` | | X | | |

+| `appleDevice` | `update_device` | | | X | |

+| `appleDevice` | `download_photos_from_device` | download photo(s) from the specific iOS device to local device | X | | |

+| `appleDevice` | `download_files_from_device` | download file(s) from the specific iOS device to local device | X | | |

+| `portableDevice` | `download_files_from_device` | X | | |

+| `portableDevice` | `send_files_to_device` | | | X | |

+| `portableDevice` | `download_photos_from_device` | | X | | |

+| `removableMedia` | `read` | | X | | |

+| `removableMedia` | `write` | | | X | |

+| `bluetoothDevice` | `send_files_to_device` | | | X | |

+Groups define criteria for filtering objects by their properties. The object is assigned to the group if its properties match the properties defined for the group.

+> Groups in this section **do not** refer to [user groups](#users).

+- Allowed printers are all the devices that match any of these VID/PID

+| Device (default) | Filter devices and printers | Windows/Mac | X | |

+For Windows devices, you can use Device Manager to understand the properties of devices.

+2. In the Property list, select **Device instance path**.

+> The `Group Id` in XML and `id` in JSON is used to identify the group within device control. Its not a reference to any other such as a [user group](#users) in Entra Id.

+There are two types of groups: Printer Device and Removable Storage. The following table lists the properties for these groups.

+ ...

+ ...

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender for Business

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender for Individual

+- Windows 11, Windows 10, Windows 8.1, Windows 8

+- Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

+Detecting malware that starts early in the boot cycle was a challenge before Windows 8. In August 2012, Microsoft Defender Antivirus (MDAV) for Windows 8 or later, and Windows Server 2012 and later incorporated a new feature called the [Early Launch Antimalware (ELAM)](/windows/compatibility/early-launch-antimalware) driver. ELAM combats early boot threats (for example, rootkits or malicious drivers that can hide from detection) by using a Wdboot.sys driver that starts before other boot-start drivers. ELAM enables the evaluation of other drivers, and helps the Windows kernel decide whether those drivers should be initialized.

+## Where are the ELAM detections logged?

+The ELAM detection is logged in the same location as the other Microsoft Defender Antivirus threats, such as [Event ID 1006](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus).

+## How do I keep the MDAV ELAM driver up to date?

+## Can the Early Launch Antimalware (ELAM) policy be modified?

+ELAM can be modified here:

+**Computer Configuration** \> **Administrative Templates** \> **System** \> **Early Launch Antimalware**

+## How can I check that the MDAV ELAM driver is loaded?

+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch

+BackupPath (string) C:\Windows\\[ELAMBKUP](/windows-hardware/drivers/install/elam-driver-requirements)\WdBoot.sys (value)

+## How do I revert the MDAV ELAM driver to a previous version?

+C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>\MpCmdRun.exe -[RevertPlatform](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus).

+```dos

+C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MpCmdRun.exe -RevertPlatform

+```

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)

+- Ability to control and manage the frequency of signature downloads on the local server & the frequency at which endpoints pull the signatures from the local server.

+- Reduces network bandwidth as now only one local server will poll MS cloud to get the latest signatures on behalf of your entire fleet.

+- Provides the most up to date antivirus protection as signatures are always downloaded along with the latest compatible AV engine.

+- Linux endpoints running Defender for Endpoint pull the downloaded signatures from this Mirror Server at a user-defined time interval.

+- Defender for Endpoint version "101.24022.0001" or higher needs to be installed on the Linux endpoints.

+ - `https://github.com/microsoft/mdatp-xplat.git`

+ - `https://go.microsoft.com/fwlink/?linkid=2144709`

+ - Linux (Any Flavor)

+ - Windows (Any Version)

+ - Mac (Any version)

+ | CPU Core| RAM | Free disk | Swap |

+ | 2 cores (Preferred 4 Core) | 1 GB Min (Preferred 4 GB) | 2 GB | System Dependent|

+```console

+ ```bash

+ ./xplat_offline_updates_download.sh

+ ```

+ ```powershell

+ ./xplat_offline_updates_download.ps1

+ ```

+```json

+To test if the settings are applied correctly on the Linux endpoints, run the following command:

+```bash

+```console

+ ```bash

+ mdatp definitions update

+ ```

+ ```console

+- Check the status of the offline security intelligence update feature by using the command:

+ ```bash

+ mdatp health --details definitions

+ ```

+ - This command should provide us with some user-friendly message in the `definitions_update_fail_reason` section.

+ - Check if `offline_definition_update` and `offline_definition_update_verify_sig` is enabled.

+ - Check if `definitions_update_source_uri` is equal to `offline_definition_url_configured`

+ - `definitions_update_source_uri` is the source from where the signatures were downloaded.

+ - `offline_definition_url_configured` is the source from where signatures should be downloaded, the one mentioned in the managed config file.

+- Try performing the connectivity test to check if Mirror Server is reachable from the host:

+ ```bash

+ mdatp connectivity test

+ ```

+- Try to trigger manual update using the command:

+ ```bash

+ mdatp definitions update

+ ```

+|Wildcard|Description|Examples|

+||||

+|\*|Matches any number of any characters including none (note if this wildcard is not used at the end of the path then it will substitute only one folder)| `/var/*/tmp` includes any file in `/var/abc/tmp` and its subdirectories, and `/var/def/tmp` and its subdirectories. It does not include `/var/abc/log` or `/var/def/log` <p> <p> `/var/*/` includes any file in `/var` and its subdirectories.|

+|?|Matches any single character|`file?.log` includes `file1.log` and `file2.log`, but not `file123.log`|

+>

+> The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist.

+## Best practices for adding antimalware exclusions for Microsoft Defender for Endpoint on macOS.

+1. Write down why an exclusion was added to a central location where only SecOps and/or Security Administrator have access.

+ e.g. Submitter, date, app name, reason, and exclusion information.

+1. Make sure to have an expiration date* for the exclusions

+ *except for apps that the ISV stated that there is no additional tweaking that could be done to prevent the false positive or higher cpu utilization from occurring.

+1. Avoid migrating 3rd party antimalware exclusions since they may no longer be applicable nor applicable to Microsoft Defender for Endpoint on macOS.

+1. Order of exclusions to consider top (more secure) to bottom (least secure):

+ 1. Indicators - Certificate - allow

+ 1. Add an extended validation (EV) code signing.

+ 1. Indicators - File hash - allow

+ 1. If a process or daemon doesn't change often, e.g. the app doesn't have a monthly security update.

+ 1. Path & Process

+ 1. Process

+ 1. Path

+ :::image type="content" source="mediatp-37-exclusions.png":::

+For example, if the tamper protection is enabled, certain settings can't be modified or turned off, but you can use troubleshooting mode on the device to edit those settings temporarily.

+- Use Microsoft Defender for Endpoint on macOS functional troubleshooting /application compatibility (false positives).

+- Local admins, with appropriate permissions, can change the following policy locked configurations on individual endpoints:

+ | realTimeProtectionStatistics | `mdatp config real-time-protection-statistics --value enabled` | `mdatp config real-time-protection-statistics --value disabled` |

+- Disable tamper protection for Microsoft Defender for Endpoint on macOS.

+- Microsoft Defender for Endpoint must be tenant-enrolled and active on the device.

+or newer.

+2. Navigate to the device page you would like to turn on troubleshooting mode. Then, select the ellipses(...) and select **Turn on troubleshooting mode**.

+5. Once complete, the device page shows that the device is now in troubleshooting mode.

+ *Troubleshooting mode has started. This mode allows you to temporarily change settings that are managed by your Administrator. Expires at YEAR-MM-DDTHH:MM:SSZ.*

+There are some prebuilt advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can use these queries to [create detection rules](../defender/custom-detection-rules.md) to generate alerts when devices are in troubleshooting mode.

+//let deviceName = "<deviceName>"; // update with device name

+let deviceId = "<deviceID>"; // update with device id

+DeviceEvents

+| where DeviceId == deviceId

+//| where DeviceName == deviceName

+| where ActionType == "AntivirusTroubleshootModeEvent"

+| extend _tsmodeproperties = parse_json(AdditionalFields)

+| project Timestamp,DeviceId, DeviceName, _tsmodeproperties,

+ _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime,

+ _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes,

+ _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource

+DeviceEvents

+| where Timestamp > ago(3h) // troubleshooting mode automatically disables after 4 hours

+| where ActionType == "AntivirusTroubleshootModeEvent"

+| extend _tsmodeproperties = parse_json(AdditionalFields)

+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"

+|summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId

+| order by Timestamp desc

+### Count of troubleshooting mode instances by device

+DeviceEvents

+| where ActionType == "AntivirusTroubleshootModeEvent"

+| extend _tsmodeproperties = parse_json(AdditionalFields)

+| where Timestamp > ago(30d) // choose the date range you want

+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"

+| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId

+| sort by count_

+DeviceEvents

+| where ActionType == "AntivirusTroubleshootModeEvent"

+| extend _tsmodeproperties = parse_json(AdditionalFields)

+| where Timestamp > ago(2d) //beginning of time range

+| where Timestamp < ago(1d) //end of time range

+| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started"

+| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count()

+| where count_ > 5 // choose your max # of TS mode instances for your time range

+- [Get to know the innovative features in Microsoft Edge](https://www.microsoft.com/edge/features?form=MW00UY)

+Platform updates and engine updates are released on a monthly cadence. Security intelligence updates are delivered multiple times a day, but this delta package doesn't contain an engine update. See [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md).

+ Title: Microsoft Defender Core service overview

+description: Get an overview of Microsoft Defender Core service.

+search.appverid: met150

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier2

+# Microsoft Defender Core service overview

+Microsoft Defender Core service

+To enhance your endpoint security experience, Microsoft is releasing the Microsoft Defender Core service to help with the stability and performance of Microsoft Defender Antivirus.

+The Microsoft Defender Core service is releasing with [Microsoft Defender Antivirus platform version 4.18.23110.2009](./msda-updates-previous-versions-technical-upgrade-support.md#october-2023-platform-418231002009--engine-11231002009).

+- Rollout begins in:

+ - November 2023 to prerelease customers,

+

+ - Mid April 2024 to Enterprise customers running Windows clients.

+

+ - Mid May 2024 to Enterprise customers running Windows Servers.

+

+ - Mid June 2024 to U.S. Government customers running Windows clients and Windows Servers.

+

+- Enterprise customers should allow the following URLs:

+ - `*.events.data.microsoft.com`

+

+ - `*.endpoint.security.microsoft.com`

+

+ - `*.ecs.office.com`

+

+- Enterprise U.S. Government customers should allow the following URLs:

+ - `*.events.data.microsoft.com`

+

+ - `*.endpoint.security.microsoft.us (GCC-H & DoD)`

+

+ - `*.gccmod.ecs.office.com (GCC-M)`

+

+ - `*.config.ecs.gov.teams.microsoft.us (GCC-H)`

+

+ - `*.config.ecs.dod.teams.microsoft.us (DoD)`

+

+- If you're using [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac), or you're running non-Microsoft antivirus or endpoint detection and response software, make sure to add the processes mentioned earlier to your allowlist.

+- Consumers don't need to take any actions to prepare.

+## Microsoft Defender Antivirus processes and services

+The following table summarizes where you can view Microsoft Defender Antivirus processes and services (`MdCoreSvc`) using Task Manager on Windows devices.

+| Process or service | Where to view its status |

+|--|--|

+| `Antimalware Core Service` | **Processes** tab |

+| `MpDefenderCoreService.exe` | **Details** tab |

+| `Microsoft Defender Core Service` | **Services** tab |

+To learn more about the Microsoft Defender Core service configurations and experimentation (ECS), see [Microsoft Defender Core service configurations and experimentation](microsoft-defender-core-service-configurations-and-experimentation.md).

+This article describes how to migrate (reonboard) devices that are currently onboarded to Defender for Endpoint to use the streamlined device connectivity method. For more information on streamlined connectivity, see [Onboarding devices using streamlined connectivity](configure-device-connectivity.md). Devices must meet the prerequisites listed in [Streamlined connectivity](configure-device-connectivity.md#prerequisites).

+> Preview limitations and known issues:

+>

+> - For device migrations (reonboarding): Offboarding is not required to switch over to streamlined connectivity method. Once the updated onboarding package is run, a full device reboot is required for Windows devices and a service restart for macOS and Linux. For more information, see the details included in this article.

+> - Windows 10 versions 1607, 1703, 1709, and 1803 do not support reonboarding. Offboard first and then onboard using the updated package. These versions also require a longer URL list.

+### Migration recommendation

+- **Start small**. It's recommended to start with a small set of devices first, apply the onboarding blob using any of the supported deployment tools, then monitor for connectivity. If you are using a new onboarding policy, to prevent conflicts make sure to exclude device from any other existing onboarding policies.

+- **Validate and monitor**. After onboarding the small set of devices, validate that devices have successfully onboarded and are communicating with the service.

+Validate [device prerequisites](configure-device-connectivity.md#prerequisites) before proceeding with any migrations. This information builds upon the previous article by focusing on migrating existing devices.

+ 1. `sudo launchctl unload /Library/LaunchDaemons/com.microsoft.fresno.plist`

+ 2. `sudo launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist`

+The following table lists migration instructions for the available onboarding tools based on the device's operating system.

+> [!IMPORTANT]

+> Windows 10 version 1607, 1703, 1709, and 1803 do not support reonboarding. To migrate existing devices, you will need to fully offboard and onboard using the streamlined onboarding package.

+### Microsoft Configuration Manager

+The streamlined connectivity method isn't currently supported through Microsoft Defender for Cloud.

+### Microsoft Configuration Manager

+Confirm prerequisites are met: [Prerequisites for streamlined method](configure-device-connectivity.md#prerequisites).

+After completing the steps, you must either reboot the device or restart the service for connectivity to switch over.

+1. In Microsoft Intune, create a new onboarding policy using Custom Configuration profile. Don't assign it yet. Follow the instructions under [Intune-based deployment for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-intune).

+2. Create a new onboarding policy for the streamlined connectivity approach.

+ 1. `sudo launchctl unload /Library/LaunchDaemons/com.microsoft.fresno.plist`

+ 2. `sudo launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist`

+For general information on onboarding Linux devices, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).

+Confirm prerequisites are met: [Prerequisites for streamlined method](configure-device-connectivity.md#prerequisites).

+You can follow the same instructions as in [Verify client connectivity to Microsoft Defender for Endpoint service](verify-connectivity.md). The script automatically uses the onboarding package configured on the device (should be streamlined version) to test connectivity.

+Ensure connectivity is established with the appropriate URLs.

+You can use advanced hunting in Microsoft Defender portal to view the connectivity type status.

+For devices that have not yet attempted reonboard, the value will remain blank.

+2. In the log list, under **Log Summary**, scroll down until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to open the log.

+ :::image type="content" source="media/log-summary-event-viewer.png" alt-text="Screenshot of Event Viewer with log summary section":::

+ You can also access the log by expanding**Applications and Services Logs>Microsoft>Windows>SENSE** and select **Operational**.

+ ```

+ Contacted server 6 times, all succeeded, URI: <region>.<geo>.endpoint.security.microsoft.com.

+ <EventData>

+ <Data Name="UInt1">6</Data>

+ <Data Name="Message1">https://<region>.<geo>.endpoint.security.microsoft.com>

+ </EventData>

+ ```

+5. Event ID 5 tracks errors if applicable.

+### Run tests to confirm connectivity with Defender for Endpoint services

+Check the Device Page Timeline tab to confirm events are flowing from the device.

+#### Live Response

+#### Automated investigation and response

+#### Cloud-delivered protection

+2. Right-click the item in the Start menu, select **Run as administrator** then select **Yes** at the permissions prompt.

+3. Use the following argument with the Microsoft Defender Antivirus command-line utility (mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:

+ ```dos

+ "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection

+ ```

+ > This command will only work on Windows 10, version 1703 or higher, or Windows 11.

+ > For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).

+#### Test Block at First Sight

+#### Test SmartScreen

+Follow instructions in [Microsoft Defender SmartScreen Demo (msft.net)](https://demo.smartscreen.msft.net/).

+Run `mdatp health -details features` to confirm simplified_connectivity: "enabled".

+2. Run `mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU>` (where parameter is of GW_US, GW_EU, GW_UK). GW refers to the streamlined option. Run with applicable tenant geo.

+### Apps required to exclude

+2. **TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196)**

+### Steps to exclude

+- Release date: **December 5, 2023 (Platform)** / **December 6, 2023 (Engine)**

+- Resolved deadlock issue that occurred on systems with multiple filter drivers reading a file when the file is copied

+- Added the `InitializationProgress` field to [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) output

+- Fixed installation failure on Windows Server 2016 due to existing Defender EventLog registry key

+- Added the ability to have [quick scans](schedule-antivirus-scans.md) ignore Microsoft Defender Antivirus exclusions

+- Fixed remediation for long running [on-demand scans](run-scan-microsoft-defender-antivirus.md) where the service may have been restarted

+- Fixed an issue with Microsoft Defender Vulnerability Management to allow the execution of a [blocked application](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps) when the [warn option](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps#block-or-warn-mitigation-action) is selected

+- Added support for managing schedule day/time for [signature updates in Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-windows#updates) and [Defender for Endpoint security settings management](/mem/intune/protect/mde-security-integration)

+- Released: **July 10, 2023 (Engine only)**

+### What's new

+### Known Issues

+### What's new

+### Known Issues

+- Security intelligence update version: **1.391.64.0**

+- Released: **May 31, 2023**

+- Platform: **4.18.23050.3**

+- Engine: **1.1.23050.2**

+- Support phase: **Technical upgrade support (only)**

+### What's new

+- Improved processing of SmartLockerMode

+- Fixed input parameters for DefinitionUpdateChannel cmdlet in [Set-MpPreference](/powershell/module/defender/set-mppreference)

+- Improved installation experience for [Windows Server 2012 R2 and Windows Server 2016](microsoft-defender-antivirus-on-windows-server.md)

+- Added ability to disable Defender task maintenance tasks programmatically

+- Fixed WDFilter 0x50 bug check

+- Fixed print enforcement issue for device control

+- Fixed scan randomization issue when setting Intune policy

+- Fixed sense offboarding on Windows Server 2016 when [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled

+- Fixed inconsistent results of caching files with the internal Defender file cache

+- Augmented attack surface reduction telemetry with more data related to an ASR detection

+- Fixed memory leaked in ASR logic

+### Known Issues

+- Platform: **4.18.2304.8**

+- **Beginning in May 2023, the Platform and Engine version schema have a new format**. Here's what the new version format looks like:

+ - Platform: `4.18.23050.1`

+ - Engine: `1.1.23050.63000`

+- Added new device control status fields under Get-MpComputerStatus in Defender PowerShell module.

+ Title: Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration

+1. Visit [Microsoft XDR portal](https://security.microsoft.com/) and sign-in.

+ On the landing page, you'll see the **Devices with active malware** card with the following information:

+ - A bar with the Active and Malware remediated portions as per your scan.

+2. In the navigation pane, select **Endpoint security**.

+ For example, when you can select a device that is listed under the **Active malware** tab, you can choose one action from the list of actions provided:

+2. Select **Export**.

+### In the devices with malware detections report, why canΓÇÖt I see any information about which malware was detected on the device.

+Use the following Advanced Hunting query:

+DeviceInfo

+| where Timestamp > startofday(datetime(2024-01-29 00:00:00))

+| where OnboardingStatus == "Onboarded"

+| where SensorHealthState == "Active"

+| distinct DeviceId, DeviceName

+| join kind=innerunique (

+AlertEvidence

+| where Timestamp > ago(15d)

+| where ServiceSource == "Microsoft Defender for Endpoint"

+| where DetectionSource == "Antivirus"

+DeviceName

+| distinct DeviceName, DeviceId, Title, AlertId, Timestamp

+### I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?

+3. Click on the ellipses **(...)**.

+> [!TIP]

+> If you have a Network-Attached Storage (NAS) or Storage Area Network (SAN), you can use Internet Content Adaption Protocol (ICAP) scanning with the Microsoft Defender Antivirus engine. For more information, see [Tech Community Blog: MetaDefender ICAP with Windows Defender Antivirus: World-class security for hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/metadefender-icap-with-windows-defender-antivirus-world-class/ba-p/800234).

+ Title: Security Intelligence update troubleshooting from Microsoft Update source

+description: Learn how to troubleshoot security intelligence updates from your Microsoft Update source.

+ms.localizationpriority: medium

+- partner-contribution

+search.appverid: MET150

+f1.keywords: NOCSH

+audience: ITPro

+# Troubleshooting Security Intelligence Updates from Microsoft Update source

+**Applies to:**

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+- [Microsoft Defender for Endpoint Plan 1 and 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+- Microsoft Defender Antivirus

+Use this article to learn how to troubleshoot security intelligence updates for Microsoft Defender Antivirus when the first source is from Microsoft Update (formerly known as Windows Update). Follow these steps to troubleshoot issues with getting your security intelligence updates:

+1. Make sure that the URLs needed for security intelligence updates are allowed thru the firewall or proxy. See the Defender for Endpoint URL spreadsheets in [Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).

+ If you're only using Microsoft Defender Antivirus, see the **Windows Update** section in [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints).

+2. Make sure that the URLs you reviewed during the previous step aren't SSL inspected. Otherwise, you might see the following error in the event log:

+ ```properties

+ Source: Windows Defender

+

+ Event ID: 2001

+ Microsoft Defender Antivirus has encountered an error trying to update security intelligence.

+ Error code: 0x80072ee7

+ Error description: The server name or address could not be resolved.

+ ```

+ What is error code `0x80072ee7`?

+ ```properties

+ C:\>err 0x80072ee7

+ # as an HRESULT: Severity: FAILURE (1), Facility: 0x7, Code 0x2ee7

+ # for hex 0x2ee7 / decimal 12007 :

+ ERROR_INTERNET_NAME_NOT_RESOLVED inetmsg.h

+ ERROR_INTERNET_NAME_NOT_RESOLVED wininet.h

+ ```

+3. Make sure that the services needed for Windows Update are started. These services include:

+ - Windows Update service

+ - Background Intelligence Transfer Service (BITS)

+4. If you're using a [Fallback order](/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus) policy, make sure that *Microsoft Update* (`MicrosoftUpdateServer`) is the first item in the list.

+5. Gather diagnostic data from the [Microsoft Defender for Endpoint Client Analyzer tool](download-client-analyzer.md).

+ - If you have Microsoft Defender for Endpoint Plan 2 and access to Live Response, you can gather the diagnostic data remotely. See [Collect support logs in Microsoft Defender for Endpoint using live response](troubleshoot-collect-support-log.md).

+ - If you have Microsoft Defender for Endpoint Plan 1 or only Microsoft Defender Antivirus, you can gather the diagnostic data using the client analyzer on Windows. See [Run the client analyzer on Windows](run-analyzer-windows.md).

+ - If either method doesn't work for you, use Microsoft Defender Antivirus diagnostic data collection. See [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md).

+6. When you have your diagnostic data, convert the `WindowsUpdate.etl` logs into a human readable format by using the PowerShell command, [Get-WindowsUpdateLog](/powershell/module/windowsupdate/get-windowsupdatelog). Use that information to troubleshoot issues with security intelligence updates.

+## See also

+- [Troubleshoot Microsoft Defender Antivirus settings](troubleshoot-settings.md)

+- [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)

+3. Excluding an entire process. For more information, see [Microsoft Defender Antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md).

+To attempt to solve these issues, change Network Protection from ΓÇÿblock modeΓÇÖ to either ΓÇÿ[audit mode](troubleshoot-np.md)ΓÇÖ or 'disabled'. If your network issues are fixed, follow the next steps to find out which component in Network Protection is contributing to the behavior.

+1. [Disable Datagram Processing on Windows Server](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable Network Protection Perf Telemetry](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable FTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable SSH parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable RDP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable HTTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable SMTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable DNS over TCP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable DNS parsing ](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable inbound connection filtering](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+1. [Disable TLS parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true)

+ms.localizationpriority: medium

+> For best results, use one method of managing Microsoft Defender Antivirus.

+1. Microsoft Configuration Manager co-management

+1. Microsoft Configuration Manager (standalone)

+1. Microsoft Intune (MDM)

+1. Microsoft Configuration Manager with Tenant Attach

+1. PowerShell ([Set-MpPreference](/powershell/module/defender/set-mppreference)), [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md), or [Windows Management Instrumentation](use-wmi-microsoft-defender-antivirus.md) (WMI).

+ - Want to try our endpoint protection capabilities

+ - Have Microsoft 365 E3, and

+ - Don't yet have Microsoft 365 E5

+ For more information on Defender for Endpoint Plan 1 (preview), see [Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md).

+ Existing [Defender for Endpoint](microsoft-defender-endpoint.md) capabilities will be known as Defender for Endpoint Plan 2.

+- [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API <br> Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.

+- [Remediation activity](get-remediation-methods-properties.md) API <br> Adds a collection of APIs with responses that contain threat and vulnerability management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.

+- [Jailbreak detection on iOS](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios) <br> Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see [Setup Conditional Access Policy based on device risk signals](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios).

+- [Threat & Vulnerability Management role-based access controls](user-roles.md) <BR>Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so that only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.

+- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md) <BR> You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.

+- [Connected Azure AD applications](connected-applications.md)<br> The **Connected applications** page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization.

+- [Microsoft Threat Experts](endpoint-attack-notifications.md)<BR> Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.

+ - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.

+ - [Configure CPU priority settings](configure-advanced-scan-types-microsoft-defender-antivirus.md) for Microsoft Defender Antivirus scans.

+- [Attack surface reduction rules](attack-surface-reduction.md)<BR>The newly introduced attack surface reduction rules are:

+- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) and executable files. For more information, see [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).

+> [!NOTE]

+| Inaccuracy report ID | Description | Fix date |

+||||

+| - | Defender Vulnerability Management doesn't currently support CVE-2023-4966 | 05-Mar-24 |

+| 47296 | Defender Vulnerability Management doesn't currently support Bitdefender Vulnerabilities - CVE-2017-17408, CVE-2017-17409 & CVE-2017-17410 | 05-Mar-24 |

+| 45748 | Fixed inaccuracy in Zscaler Client Connector | 14-Mar-24 |

+| 49672 | Fixed inaccuracy in CVE-2024-0819 | 20-Mar-24 |

+| 30583 | Fixed inaccuracy in Opera Browser | 21-Mar-24 |

+| - | Fixed inaccuracy in Autodesk Civil 3D and Anydesk | 21-Mar-24 |

+| 44979 | Defender Vulnerability Management doesn't currently support CVE-2017-13774 | 26-Mar-24 |

+| 46812 | Fixed inaccuracy in Dell Supportassist | 26-Mar-24 |

+| 48178 | Fixed inaccuracy in RuneLite | 26-Mar-24 |

+| 49660 | Fixed inaccuracy in RSUPPORT RemoteView Agent | 26-Mar-24 |

+| 46828 | Defender Vulnerability Management doesn't currently support OsiSoft Pi Server | 26-Mar-24 |

+| 48034 | Defender Vulnerability Management doesn't currently support CVE-2023-35637 | 26-Mar-24 |

+| - | Fixed inaccuracy in Adobe Acrobat Reader and Reader DC | 26-Mar-24 |

+| 46021 | Defender Vulnerability Management doesn't currently support CVE-2023-6129 | 26-Mar-24 |

+| - | Fixed inaccuracy in Ultraedit | 26-Mar-24 |

+| - | Defender Vulnerability Management doesn't currently support CVE-2023-47248 | 26-Mar-24 |

+| - | Fixed inaccuracy in Mitel 6920 & 6930 Firmwares | 31-Mar-24 |

+| Inaccuracy report ID | Description | Fix date |

+||||

+| - | Fixed inaccuracy in Snow Inventory Agent | 06-Feb-24 |

+| 42360 | Fixed inaccuracy in GitHub vulnerabilities - CVE-2020-10519 and CVE-2021-22863 | 12-Feb-24 |

+| 44875 | Fixed inaccuracy in Zoom Meetings for macOS | 14-Feb-24 |

+| 45686 | Fixed inaccuracy in ConnectWise Control (Formerly known as ScreenConnect) | 14-Feb-24 |

+| 45559 | Added Microsoft Defender Vulnerability Management support to Forta GoAnyWhere MFT | 14-Feb-24 |

+| - | Added Microsoft Defender Vulnerability Management support to BeyondTrust Remote Support Jump Client | 14-Feb-24 |

+| - | Fixed inaccuracy in Ignite Real Time | 14-Feb-24 |

+| - | Added Microsoft Defender Vulnerability Management support to Ivanti (Pulse Secure) February released Vulnerabilities | 20-Feb-24 |

+| - | Defender Vulnerability Management doesn't currently support SAP GUI | 21-Feb-24 |

+| 46606 | Defender Vulnerability Management doesn't currently support Postgresql | 21-Feb-24 |

+| 47700 | Defender Vulnerability Management doesn't currently support Adobe Digital Editions | 21-Feb-24 |

+| 45297 | Fixed inaccuracy in Tera Term vulnerability - CVE-2023-48995 | 22-Feb-24 |

+| - | Fixed invalid version detections in Control & Control Client | 23-Feb-24 |

+| - | Added Microsoft Defender Vulnerability Management support to ConnectWise Control vulnerabilities - CVE-2024-1708 & CVE-2024-1709 | 23-Feb-24 |

+| 43472 | Added correct version details in all FortiClient CVEs | 25-Feb-24 |

+| 45727 | Added Microsoft Defender Vulnerability Management support to Box Tools & Box for Office products | 26-Feb-24 |

+| 47045 | Fixed inaccuracy issues in April 2021 GitLab Vulnerabilities | 26-Feb-24 |

+| 47174 | Added accurate EOS details for SQL Server Editions | 26-Feb-24 |

+| 46416 | Fixed inaccuracy in Oracle Kernel-uek-modules | 28-Feb-24 |

+| Inaccuracy report ID | Description | Fix date |

+||||

+| 30873 | Fixed inaccuracy in Apache Tomcat | 08-Jan-24 |

+| 31664 | Fixed inaccuracy in OpenSSL | 08-Jan-24 |

+| 30674 | Fixed inaccuracy in Microsoft Visio | 08-Jan-24 |

+| 30674 | Fixed inaccuracy in Microsoft Office | 08-Jan-24 |

+| 35382 | Fixed inaccuracy in MySQL connector | 08-Jan-24 |

+| 38235 | Fixed inaccuracy in Python | 10-Jan-24 |

+| - | Defender Vulnerability Management doesn't currently support Atlassian Confluence | 10-Jan-24 |

+| - | Fixed inaccuracy in JetBrains TeamCity and JetBrains IntelliJ IDEA | 10-Jan-24 |

+| 41860 | Defender Vulnerability Management doesn't currently support Lenovo ThinkPad T480 Firmware | 10-Jan-24 |

+| 41049 | Defender Vulnerability Management doesn't currently support Lenovo ThinkCentre M700 Firmware | 10-Jan-24 |

+| 25969 | Defender Vulnerability Management doesn't currently support Siemens Sinec NMS | 10-Jan-24 |

+| 39167 | Defender Vulnerability Management doesn't currently support Avaya IP Office | 10-Jan-24 |

+| - | Fixed inaccuracy in Palo Alto Networks - Global Protect | 10-Jan-24 |

+| 38038 | Fixed inaccuracy in CVE-2022-3167 | 16-Jan-24 |

+| 40269 | Fixed inaccuracy in CVE-2023-46587 | 16-Jan-24 |

+| 36968 | Fixed inaccuracies in Lenovo August 2021 released Vulnerabilities | 16-Jan-24 |

+| 41041 | Fixed inaccurate CVEs of Samsung Health | 16-Jan-24 |

+| 38717 | Defender Vulnerability Management doesn't currently support CVE-2023-36397 | 17-Jan-24 |

+| 43673 | Defender Vulnerability Management doesn't currently support Lenovo ThinkPad T14 Gen 2 Firmware | 17-Jan-24 |

+| 43513 | Fixed inaccuracies in OpenSSL invalid file detections | 17-Jan-24 |

+| 41204 | Fixed inaccuracy in Affinity photo | 21-Jan-24 |

+| 40584 | Fixed inaccuracy in Veeam One Client | 21-Jan-24 |

+| 40704 | Fixed inaccuracy in Windows Subsystem for Linux(WSL) | 21-Jan-24 |

+| 43600 | Fixed inaccuracy in Dell RVTools | 21-Jan-24 |

+| 43378 | Fixed inaccuracy in Decisive Tactics Serial | 21-Jan-24 |

+| 43466 | Fixed inaccuracy in Intel- Dynamic Tuning Technology (DTT) | 21-Jan-24 |

+| 35750 | Fixed inaccuracy in Bitdefender Internet Security | 21-Jan-24 |

+| 44190 | Fixed inaccuracy in CVE-2023-48670 | 29-Jan-24 |

+| 43565 | Fixed inaccuracy in WinSCP Vulnerability - CVE-2023-48795 | 30-Jan-24 |

+| - | Fixed detection issues in Ignite Realtime Openfire | 30-Jan-24 |

+| - | Fixed inaccuracy in GitLab | 30-Jan-24 |

+| - | Added Microsoft Defender Vulnerability Management support to SAP Business Client | 30-Jan-24 |

+| - | Added Microsoft Defender Vulnerability Management support to SAP GUI | 30-Jan-24 |

+| - | Added Microsoft Defender Vulnerability Management support to PostgreSQL | 30-Jan-24 |

+| - | Added Microsoft Defender Vulnerability Management support to Adobe Digital Editions | 30-Jan-24 |

+| - | Fixed inaccuracy in Python Anaconda3 | 30-Jan-24 |

+| Inaccuracy report ID | Description | Fix date |

+||||

+| - | Added Microsoft Defender Vulnerability Management support to SysAid Server | 05-Dec-23 |

+| - | Removed CVE 'TVM-0001-00000000' from Defender Vulnerability Management | 05-Dec-23 |

+| 33439 | Fixed inaccuracies in IBM Maximo CVEs | 05-Dec-23 |

+| 38186 | Fixed inaccuracy in CVE-2020-36160 | 05-Dec-23 |

+| 38705 | Fixed inaccuracies in November released Veeam ONE CVEs | 05-Dec-23 |

+| - | Added End of Support details for Intel HAXM | 05-Dec-23 |

+| 36856 | Defender Vulnerability Management doesn't currently support Click Studios-Passwordstate | 05-Dec-23 |

+| 33377 | Defender Vulnerability Management doesn't currently support IBM Db2 | 05-Dec-23 |

+| 35256 | Fixed inaccuracy in Techsmith Snagit | 10-Dec-23 |

+| 39620 | Fixed inaccuracy in Adobe Audition | 10-Dec-23 |

+| 39542 | Fixed inaccuracy in Splunk Vulnerabilities- CVE-2021-22570, CVE-2022-31799, CVE-2023-24329, CVE-2023-3817, CVE-2023-3446 | 19-Dec-23 |

+| 39620 | Fixed inaccuracy in CVE-2023-28388 | 19-Dec-23 |

+| 35256 | Fixed inaccuracy in CVE-2020-11541 | 19-Dec-23 |

+| 41330 | Fixed inaccuracy in CVE-2023-22524 | 19-Dec-23 |

+| - | Fixed inaccuracy in Progress OpenEdge | 20-Dec-23 |

+| 27605 | Fixed inaccuracy in Maltego | 20-Dec-23 |

+| Inaccuracy report ID | Description | Fix date |

+||||

+| 35498 | Fixed inaccuracy in CVE-2023-38802 | 05-Nov-23 |

+| 34698 | Fixed normalization inaccuracy in Condor Team | 05-Nov-23 |

+| 36594 | Fixed inaccurate file path detections in Cisco Secure Client | 12-Nov-23 |

+| 37041 | Fixed inaccuracy in OpenVPN | 12-Nov-23 |

+| 36808 | Fixed inaccurate file path detections in Zoom Meetings | 15-Nov-23 |

+| 33837 | Defender Vulnerability Management doesn't currently support IBM Cognos Analytics | 15-Nov-23 |

+| 37041 | Fixed inaccuracy in CVE-2021-3606 | 15-Nov-23 |

+| 37408 | Fixed inaccuracy in Kernel Module Core | 15-Nov-23 |

+| 37440 | Added accurate End of Life details for Oracle JDK versions | 26-Nov-23 |

+| - | Fixed inaccuracy in CVE-2023-47246 | 26-Nov-23 |

+| 36774 | Fixed inaccuracies in October released Node.js CVEs | 26-Nov-23 |

+| 29643 | Fixed inaccurate detections in Palo Alto Networks - Global Protect | 29-Nov-23 |

+| 36459 | Defender Vulnerability Management doesn't currently support Siemens Simatic WinCC Runtime | 29-Nov-23 |

+| 36348 | Fixed inaccurate file path detections in PHP | 29-Nov-23 |

+| Inaccuracy report ID | Description | Fix date |

+||||

+| 32689 | Fixed inaccuracy in Kernel Module Extra | 11-Oct-23 |

+| - | Fixed inaccuracies in Exim vulnerabilities | 11-Oct-23 |

+| 33312 | Updated End of Support details for acrobat and acrobat reader version 2017 | 11-Oct-23 |

+| - | Fixed inaccuracy in CVE-2023-38545 | 12-Oct-23 |

+| 32734 | Fixed inaccuracy in Thunderbird | 19-Oct-23 |

+| - | Added Microsoft Defender Vulnerability Management support to Jetbrains Teamcity | 22-Oct-23 |

+| 36144 | Fixed inaccuracy in CVE-2023-3935 | 23-Oct-23 |

+| 32979 | Fixed inaccuracy in Bloomberg | 25-Oct-23 |

+| - | Fixed inaccuracy in Curl normalization | 25-Oct-23 |

+| - | Fixed inaccuracy in Progress - WS FTP Server | 25-Oct-23 |

+| - | Added Microsoft Defender Vulnerability Management support to SQL server 2022 | 26-Oct-23 |

+| - | Added accurate End of Life details for Flash Player | 30-Oct-23 |

+| 32020 | Fixed inaccuracy in Fiddler Everywhere | 30-Oct-23 |

+| 35189 |Fixed inaccuracy in OpenSSL for Magnet Forensics | 30-Oct-23 |

+| 31139 | Fixed inaccuracy in CVE-2023-3935 | 31-Oct-23 |

+| - | Fixed inaccuracy in CVE-2023-31102 | 31-Oct-23 |

+| - | Fixed inaccuracy in CVE-2022-43946 | 31-Oct-23 |

+| 33380 | Fixed inaccuracy in CVE-2023-32558 | 31-Oct-23 |

+| - | Fixed inaccuracy in CVE-2014-5455 | 31-Oct-23 |

+| Inaccuracy report ID | Description | Fix date |

+||||

+| - |Added accurate EOS details for Redis| 04-Sep-23 |

+| 31688 |Fixed inaccuracy in CVE-2023-38831 and CVE-2023-40477| 05-Sep-23 |

+| 31898 |Fixed Inaccuracy in CVE-2023-4373| 05-Sep-23 |

+| 30809 |Fixed inaccuracy in FireEye path of OpenSSL| 05-Sep-23 |

+| 31651 |Microsoft Defender Vulnerability Management doesn't currently support </br> CVE-2022-0778| 12-Sep-23 |

+| 31590 |Fixed inaccuracy in Dell Command Update| 12-Sep-23 |

+| 30966 |Microsoft Defender Vulnerability Management doesn't currently support </br> Lenovo ThinkPad models: X1 Yoga 3rd Gen and X13 3rd Gen| 12-Sep-23 |

+| 29892 |Microsoft Defender Vulnerability Management doesn't currently support OpenBSI| 12-Sep-23 |

+| 29634 |Fixed inaccuracy in CVE-2019-14568| 13-Sep-23 |

+| - |Microsoft Defender Vulnerability Management doesn't currently support </br> IBM Business Process Monitor| 12-Sep-23 |

+| 27242 |Fixed inaccuracy in Forticlient| 13-Sep-23 |

+| 30770 |Fixed inaccuracy in MySQL WorkBench| 13-Sep-23 |

+| 32471 |Fixed inaccuracy in CVE-2023-40481| 19-Sep-23 |

+| 32114 |Microsoft Defender Vulnerability Management doesn't currently support</br> MitsubishiElectric GX Works3| 19-Sep-23 |

+| 30581 |Fixed inaccuracy in CVE-2022-35909| 21-Sep-23 |

+| - |Fixed Inaccuracy in Cisco Secure Client| 21-Sep-23 |

+| Inaccuracy report ID | Description | Fix date |

+||||

+| - |Fixed inaccuracy in Acrobat Reader DC| 02-Aug-23 |

+| 29672 |Fixed inaccuracy in RedHat Kernel Devel and CentOS Kernel Devel| 03-Aug-23 |

+| - |Fixed inaccuracy in NetScaler Gateway Plugin| 03-Aug-23 |

+| - |Added Microsoft Defender Vulnerability Management support for Azul products| 09-Aug-23 |

+| 30082 |Fixed inaccuracy in CVE-2022-43946| 09-Aug-23 |

+| - |Added accurate EOS details for Outlook (2010 & 2013) and Office build versions: </br> (2304,2305,1902,1908,2008,2202)| 10-Aug-23 |

+| 30002 |Fixed inaccuracy in KeePass versions| 10-Aug-23 |

+| - |Added Microsoft Defender Vulnerability Management support to ODBC and OLEDB| 10-Aug-23 |

+| 29552 |Fixed inaccuracy in Dell Command Update| 14-Aug-23 |

+| - |Fixed inaccuracy in CVE-2021-36234| 22-Aug-23 |

+| - |Fixed inaccuracy in CVE-2021-36283| 22-Aug-23 |

+| 30303 | Microsoft Defender Vulnerability Management doesn't currently support </br> Lenovo ThinkPad models: E15-gen 4, L13, L490, T490, T490s, and T470s| 29-Aug-23 |

+| 29397 | Fixed inaccuracy in Microsoft PowerShell| 29-Aug-23 |

+| 31279 | Fixed inaccuracy in Azul Zulu| 29-Aug-23 |

+| - |Fixed inaccuracy in CVE-2021-36324| 30-Aug-23 |

+| Inaccuracy report ID | Description | Fix date |

+||||

+| 24162 |Fixed inaccuracy in MYSQL Workbench| 04-Jul-23|

+| 25736 | Fixed inaccuracy in KeePass | 04-Jul-23|

+| 24598 | Fixed inaccuracy in Adobe Flash Player plugins |04-Jul-23|

+| 27379 | Fixed inaccuracy in Adobe Animate | 06-Jul-23|

+| 26391 | Fixed inaccuracy in CVE-2020-26941 | 09-Jul-23|

+| 25245 | Fixed inaccuracy in CVE-2022-40011 | 11-Jul-23|

+| - |Added Defender Vulnerability Management support for </br> Microsoft PowerBI Desktop | 13-Jul-23|

+| 26421 |Defender Vulnerability Management doesn't currently support: </br> ThinkCentre M75q Gen 2 & ThinkPad l390 Firmware| 14-Jul-23|

+| 23876 |Fixed inaccurate recommendation in Microsoft Teams CVE-2023-24881 | 20-Jul-23|

+| 25969 |Fixed inaccuracy in Siemens Sinec NMS | 24-Jul-23|

+| 29096 | Fixed inaccurate detection of Slack version 1.0.0.0 | 25-Jul-23|

+| 27941 | Defender Vulnerability Management doesn't currently support </br> Application Performance Management| 25-Jul-23|

+| 26116 | Fixed inaccuracy in HP CVEs: </br> CVE-2021-33159, CVE-2022-26845, CVE-2022-27497, CVE-2022-29893 | 27-Jul-23|

+| 25809 | Defender Vulnerability Management doesn't currently support: </br> Visio 2010, 2013, 2016 & 2019 | 31-Jul-23|

+| 25810 | Defender Vulnerability Management doesn't currently support Project 2019| 31-Jul-23|

+| 28176 | Fixed inaccuracy in VMWare Tools CVE-2021-31693 | 31-Jul-23|

+| 29089 | Fixed inaccuracy in CVE-2023-24329| 31-Jul-23|

+| 28489 | Fixed inaccuracy in CVE-2020-9484 | 31-Jul-23|

+| 28385 | Fixed inaccuracy in CVE-2023-28759| 31-Jul-23|

+| Inaccuracy report ID | Description | Fix date |

+||||

+| 24147 | Fixed inaccuracy in CVE-2023-29338 | 5-Jun-23 |

+| 24145 | Fixed inaccurate detections in product - dbeaver | 06-Jun-23 |

+| 23877 | Disabled Defender Vulnerability Management assessment for oracle_ bpftool | 06-Jun-23 |

+| 24620 | Disabled Defender Vulnerability Management for synology_chat | 12-Jun-23 |

+| 25091 | Updated inaccurate EOS date for oracle_jdk version 7 | 15-Jun-23 |

+| 23425 | Fixed inaccurate detections in mongodb & mongosh | 21-Jun-23 |

+| 23188 | Fixed inaccurate detections in oracle: vm_virtualbox & vm_virtualbox_guest_additions | 21-Jun-23 |

+| 25559 | Fixed inaccuracy in Halo version -1.0.0.0 | 22-Jun-23 |

+| 25762 | Fixed inaccuracy in CVE-2022-48435 | 28-Jun-23 |

+| 25639 | Fixed inaccurate file path detections in apache_commonsText | 28-Jun-23 |

+| 26367 | Fixed inaccurate file path detections in Winrar | 28-Jun-23 |

+| 27146 | Fixed inaccuracy in Windows 2012 r2 - KB5012170 | 28-Jun-23 |

+| 22866 | Fixed normalization issue in dell optiplex_7470_ firmware | 29-Jun-23 |

+- m365-security

+- tier1

+- essentials-manage

+- essentials-get-started

+determination|Enum|Specifies the determination of the incident. <p>Possible determination values for each classification are: <br><li> <b>True positive</b>: `MultiStagedAttack` (Multi staged attack), `MaliciousUserActivity` (Malicious user activity), `CompromisedAccount` (Compromised account) ΓÇô consider changing the enum name in public api accordingly, `Malware` (Malware), `Phishing` (Phishing), `UnwantedSoftware` (Unwanted software), and `Other` (Other). <li> <b>Informational, expected activity:</b> `SecurityTesting` (Security test), `LineOfBusinessApplication` (Line-of-business application), `ConfirmedActivity` (Confirmed activity) - consider changing the enum name in public api accordingly, and `Other` (Other). <li> <b>False positive:</b> `Clean` (Not malicious) - consider changing the enum name in public api accordingly, `NoEnoughDataToValidate` (Not enough data to validate), and `Other` (Other).

+### Request data example

+You can add new members to the channel by navigating to **Defender Experts team** \> **More options (...)** > **Manage team** > **Add member**.

+Use the guidance in [turning on Microsoft Defender XDR](m365d-enable.md) to capture the baseline set of configuration requirements. These steps help determine remediation activities the SOC teams have to carry out to effectively develop use cases.

+- essentials-overview

+- tier1

+f1.keywords:

+search.appverid:

+An [incident](incidents-overview.md) is a chain of processes created, commands, and actions that might not have coincided. An incident provides a holistic picture and context of suspicious or malicious activity. A single incident gives you an attack's complete context instead of triaging hundreds of alerts from multiple services.

+Incident prioritization varies per responder, security team, and organization. [Incident response plans](/security/operations/incident-response-planning) and security teams' direction can mandate incident priority.

+- [Analyze your first incident](respond-first-incident-analyze.md)

+1. Your commercially available security solution must provide real-time protection that detects, prevents, and remediates malicious software.

+2. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows.

+3. Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences, membership in industry organizations, or being reviewed in industry-standard reports such as AV-Comparatives, OPSWAT, or Gartner.

+4. Your organization must sign a non-disclosure agreement (NDA) with Microsoft.

+5. Your organization must sign a program license agreement.

+6. Your organization must be active in the program and meet all program requirements.

+7. Your security solution must meet all program requirements, which requires use of [Azure Code Signing](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669).

+8. Your security solution must have been certified within the last 12 months through independent testing by at least one of the organizations listed below. Yearly certification must be maintained.

+||||

+|[AV-Comparatives](https://www.av-comparatives.org/testmethod/real-world-protection-tests/)|Real-World Protection Test.|Approved rating|

+|[AV-Test](https://www.av-test.org/en/about-the-institute/certification/)|Must pass tests for Windows. Certifications for Mac and Linux aren't accepted.|<ul><li>AV-TEST Certified (home)<li></li>AV-TEST Approved (corporate)</li></ul>|

+|[SKD Labs](http://www.skdlabs.com/)|Certification Requirements Product: Anti-virus or Antimalware.|Score >= 98.5% with On Demand, On Access and Total Detection tests|

+|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/)|VB100 Certification Test V1.1|VB100 Certification|

+|[West Coast Labs](https://www.westcoastlabs.com/checkmark)|Checkmark Certified|Product validated minimum of grade A|

+|[SE Labs](https://selabs.uk/en/reports/consumers/)|Protection, Small Business, or Enterprise EP Protection Test.|<ul><li>Protection A rating<li></li>Small Business EP A rating<li></li>Enterprise EP Protection A rating</li></ul>|

+ - Blog announcement: [Unified security operations platform ready to revolutionize protection and efficiency](https://aka.ms/unified-soc-announcement)

+- **Notifications in the Microsoft Defender portal** are now available. On the top right-hand side of the Defender portal, select the bell icon to view all your active notifications. Different types of notifications are supported such as success, info, warning, and error. Dismiss individual notifications or dismiss all from the notifications tab.

+> The 2024-02 platform release causes inconsistent results for device control customers using removable media policies with disk/device-level access only (masks that are less of equal to 7). The enforcement might not work as expected.

+- **Defender Boxed is available for a limited period of time**. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more.

+ - Defender Boxed opens automatically when you go to the **Incidents** page in the Microsoft Defender portal.

+- (GA) **Activity log** is now available within an incident page. Use the activity log to view all audits and comments, and add comments to the log of an incident. For details, see [Activity log](manage-incidents.md#activity-log).

+- (Preview) [Custom functions](advanced-hunting-custom-functions.md) are now available in advanced hunting. You can now create your own custom functions so you can reuse any query logic when you hunt in your environment.

+## March 2023

+- (Preview) [Actions](advanced-hunting-take-action.md) can now be taken on email messages straight from hunting query results. Emails can be moved to other folders or deleted permanently.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell):

+ - *Add and remove entries from the Tenant Allow/Block List*: Membership assigned with the following permissions:

+ - **Authorization and settings/Security settings/Detection tuning (manage)**

+ - *Read-only access to the Tenant Allow/Block List*:

+ - **Authorization and settings/Security settings/Read-only**.

+ - **Authorization and settings/Security settings/Core Security settings (read)**.