Joey Caparas 2020-01-14 18:11:04 -08:00
parent 2fc8f0eb63
commit 06c098a1e7
5 changed files with 430 additions and 6 deletions

View File

@ -156,6 +156,7 @@
## [Deployment guide]()
### [Product brief](microsoft-defender-atp/product-brief.md)
### [Prepare deployment](microsoft-defender-atp/prepare-deployment.md)
### [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
### [Production deployment](microsoft-defender-atp/production-deployment.md)
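Review bot: the parent entry `## [Deployment guide]()` two lines above the newly added `### [Prepare deployment]` line still has an empty link target, so the top-level node of this guide renders without a landing page; either point it at an overview topic (the product brief would fit) or confirm that a non-clickable group heading is intended here.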

Binary file not shown (new file, 96 KiB).

View File

@ -0,0 +1,164 @@
---
title: Prepare Microsoft Defender ATP deployment
description: Prepare stakeholder sign-off, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP
keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: artilce
---
# Prepare Microsoft Defender ATP deployment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Stakeholders and Sign-off
The following section serves to identify all the stakeholders that are involved
in this project and need to sign-off, review, or stay informed. Add stakeholders
to the table below as appropriate for your organization.
- SO = Sign-off on this project
- R = Review this project and provide input
- I = Informed of this project
| Name | Role | Action |
|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
| Enter name and email | **Chief Information Security Officer (CISO)** *An executive representative who serves as sponsor inside the organization for the new technology deployment.* | SO |
| Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.* | SO |
| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the customers organization.* | R |
| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the customers organization.* | R |
| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I |
## Project Management
### In Scope
The following is in scope for this project:
- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
capabilities
- Next Generation Protection
- Attack Surface Reduction
- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
capabilities including automatic investigation and remediation
- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
- Use of System Center Configuration Manager to onboard endpoints into the service.
### Out of scope
The following are out of scope of this project:
- Configuration of third-party solutions that might integrate with Microsoft
Defender ATP.
- Penetration testing in production environment.
## Environment
This section is used to ensure your environment is deeply understood by the
stakeholders which will help identify potential dependencies and/or changes
required in technologies or processes.
| What | Description |
|---------------------------------------|-------------|
| Endpoint count | |
| Server count | |
| Management engine | |
| CDOC distribution | |
| Security information and event (SIEM) | |
## Role-based access control
Microsoft recommends using the concept of least privileges. Microsoft Defender
ATP leverages built-in roles within Azure Active Directory. Microsoft recommend
[review the different roles that are
available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal)
and choose the right one to solve your needs for each persona for this
application. Some roles may need to be applied temporarily and removed after the
deployment has been completed.
| Personas | Roles | Azure AD Role (if required) | Assign to |
|------------------------------|-------|-----------------------------|-----------|
| Security Administrator | | | |
| Security Analyst | | | |
| Endpoint Administrator | | | |
| Infrastructure Administrator | | | |
| Business Owner/Stakeholder | | | |
Microsoft recommends using [Privileged Identity
Management](https://docs.microsoft.com/azure/active-directory/active-directory-privileged-identity-management-configure)
to manage your roles to provide additional auditing, control, and access review
for users with directory permissions.
Microsoft Defender ATP supports two ways to manage permissions:
- **Basic permissions management**: Set permissions to either full access or
read-only. In the case of basic permissions management users with Global
Administrator or Security Administrator role in Azure Active Directory have
full access while the Security reader role has read-only access.
- **Role-based access control (RBAC)**: Set granular permissions by defining
roles, assigning Azure AD user groups to the roles, and granting the user
groups access to machine groups. For more information on RBAC, see [Manage
portal access using role-based access
control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection).
Microsoft recommends leveraging RBAC to ensure that only users that have a
business justification can access Microsoft Defender ATP.
You can find details on permission guidelines
[here](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
The following example table serves to identify the Cyber Defense Operations
Center structure in your environment that will help you determine the RBAC
structure required for your environment.
| Tier | Description | Permission Required |
|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Tier 1 | **Local security operations team / IT team**  <br> This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | |
| Tier 2 | **Regional security operations team**  <br> This team can see all the machines for their region and perform remediation actions. | View data |
| Tier 3 | **Global security operations team** <br> This team consists of security experts and are authorized to see and perform all actions from the portal. | View data <br> Alerts investigation Active remediation ctions <br> Alerts investigation Active remediation actions <br> Manage portal system settings <br> Manage security settings |
## Adoption Order
In many cases organizations will have existing endpoint security products in
place. The bare minimum every organization should have is an antivirus solution. But in some cases an organization might also already implanted an EDR solution.
Historically, replacing any security solution was time intensive and difficult
to achieve due to the tight hooks into the application layer and infrastructure
dependencies. However, because Microsoft Defender ATP is built into the
operating system, replacing third-party solutions is easy to achieve.
Choose which component of Microsoft Defender ATP to be used and remove the ones
that do not apply. The table below indicates the Microsoft recommendation on the
order on how the endpoint security suite should be enabled.
| Component | Description | Adoption Order Rank |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes: | 2 |
| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 3 |
| Threat & Vulnerability Management (TVM) | Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: | 4 |
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments dont get missed. [Learn more.](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
## Related topic
- [Production deployment](production-deployment.md)
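Review bot: `ms.topic: artilce` in the front matter of this new file is a typo for `article`; the existing product-brief file touched in this same commit uses `ms.topic: conceptual`, so pick one valid value and use it consistently. Also in this hunk: the Tier 3 "Permission Required" cell repeats "Alerts investigation Active remediation" twice (once as "ctions"), and should read `View data <br> Alerts investigation <br> Active remediation actions <br> Manage portal system settings <br> Manage security settings`; the Tier 1 row lists no permission at all while Tier 2 and Tier 3 do, so either state it or say explicitly that Tier 1 needs none; the NGP and TVM rows in the adoption-order table end with "Windows Defender Antivirus includes:" and "unique value, including:" with nothing following, so the lists they announce are missing; "Microsoft recommend [review the different roles" should be "Microsoft recommends reviewing the different roles"; "already implanted an EDR solution" should be "implemented"; and "Security information and event (SIEM)" in the Environment table should be "Security information and event management (SIEM)".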

View File

@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender Security Center product brief
# Microsoft Defender Advanced Threat Protection product brief
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
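Review bot: the H1 is renamed from "Microsoft Defender Security Center product brief" to "Microsoft Defender Advanced Threat Protection product brief", but the file's `title:` front-matter field is outside this hunk; please confirm it was updated to match so the page title and heading do not disagree.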
@ -27,13 +27,48 @@ Microsoft Defender ATP is a platform designed to
help enterprise networks prevent, detect, investigate, and respond to advanced
threats.
![Image of the Microosft Defender ATP components](images/mdatp-platform.png)
![Image of the Microsoft Defender ATP components](images/mdatp-platform.png)
## Platform capabilities
Capability | Description
:---|:---
adsfads | Threat and Vulnerability Management This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and
remediation of endpoint vulnerabilities and misconfigurations.
sdfsd | **Attack Surface Reduction** The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
asdfasdf | **Next Generation Protection** To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
**Threat and Vulnerability Management** | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
**Attack Surface Reduction** | The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
**Next Generation Protection** | To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
**Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
**Secure Score** | Microsoft Defender ATP includes a secure score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization.
**Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization.
**Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows.
**Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization. | |
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
- **Cloud security analytics**: Leveraging big-data, machine-learning, and
unique Microsoft optics across the Windows ecosystem,
enterprise cloud products (such as Office 365), and online assets, behavioral signals
are translated into insights, detections, and recommended responses
to advanced threats.
- **Threat intelligence**: Generated by Microsoft hunters, security teams,
and augmented by threat intelligence provided by partners, threat
intelligence enables Microsoft Defender ATP to identify attacker
tools, techniques, and procedures, and generate alerts when these
are observed in collected sensor data.
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Microsoft 365 A5 (M365 A5)
## Related topic
- [Prepare deployment](prepare-deployment.md)
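Review bot: the last row of the capability table, `**Microsoft Threat Protection** | ... | |`, carries two trailing empty cells in a two-column table, which several Markdown renderers show as extra blank columns; drop the trailing `| |`. Also in this hunk: `**Advance Hunting**` should be `**Advanced Hunting**`; "the security perimeter of the organizations network" needs an apostrophe ("organization's"); and in the technology list "these sensors collect and process behavioral signals ... and sends this sensor data" has a subject-verb mismatch ("send"). Replacing the `adsfads` / `sdfsd` / `asdfasdf` placeholder rows with real capability names is the right fix for the first column.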

View File

@ -0,0 +1,224 @@
---
title: Microsoft Defender ATP production deployment
description:
keywords:
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: artilce
---
# Microsoft Defender ATP production deployment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on:
- Tenant configuration
- Network configuration
- Onboarding using System Center Configuration Manager
>[!NOTE]
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
## Tenant Configuration
When accessing [Microsoft Defender Security
Center](https://securitycenter.windows.com/) for the first time there will be a
setup wizard that will guide you through some initial steps. At the end of the
setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP
created. The easiest method is to perform these steps from a Windows 10 client
machine.
1. From a web browser, navigate to <https://securitycenter.windows.com>.
![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png)
2. If going through a TRIAL license, go to the link (<https://signup.microsoft.com/Signup?OfferId=6033e4b5-c320-4008-a936-909c2825d83c&dl=WIN_DEF_ATP&pc=xxxxxxx-xxxxxx-xxx-x>)
Once the authorization step is completed, the **Welcome** screen will be displayed.
3. Go through the authorization steps.
![Image of Welcome screen for portal set up](images/welcome1.png)
4. Set up preferences.
**Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this setup and Microsoft will not transfer the data from the specified geolocation.
**Data retention** - The default is 6 months.
**Enable preview features** - The default is on, can be changed later.
![Image of geographic location in set up](images/setup-preferences.png)
5. Select **Next**.
![Image of final preference set up](images/setup-preferences2.png)
6. Select **Continue**.
## Network configuration
If the organization does not require the endpoints to use a Proxy to access the
Internet, skip this section.
The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to
report sensor data and communicate with the Microsoft Defender ATP service. The
embedded Microsoft Defender ATP sensor runs in the system context using the
LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP)
to enable communication with the Microsoft Defender ATP cloud service. The
WinHTTP configuration setting is independent of the Windows Internet (WinINet)
internet browsing proxy settings and can only discover a proxy server by using
the following discovery methods:
**Auto-discovery methods:**
- Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD)
If a Transparent proxy or WPAD has been implemented in the network topology,
there is no need for special configuration settings. For more information on
Microsoft Defender ATP URL exclusions in the proxy, see the
[Appendix](#Appendix) section in this document for the URLs Whitelisting or on
[Microsoft
Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server)
**Manual static proxy configuration:**
- Registry based configuration
- WinHTTP configured using netsh command Suitable only for desktops in a
stable topology (for example: a desktop in a corporate network behind the
same proxy)
### Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Microsoft Defender ATP
sensor to report diagnostic data and communicate with Microsoft Defender ATP
services if a computer is not permitted to connect to the Internet. The static
proxy is configurable through Group Policy (GP). The group policy can be found
under:
- Administrative Templates \> Windows Components \> Data Collection and
Preview Builds \> Configure Authenticated Proxy usage for the Connected User
Experience and Telemetry Service
- Set it to **Enabled** and select **Disable Authenticated Proxy usage**
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
![Image of Group Policy setting](images/atp-gpo-proxy1.png)
4. Select **Enabled**.
5. Select **Disable Authenticated Proxy usage**.
6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
![Image of Group Policy setting](images/atp-gpo-proxy2.png)
7. Select **Enabled**.
8. Enter the **Proxy Server Name**.
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
The registry value `TelemetryProxyServer` takes the following string format:
```text
<server name or ip>:<port>
```
For example: 10.0.0.6:8080
The registry value `DisableEnterpriseAuthProxy` should be set to 1.
### Configure the proxy server manually using netsh command
Use netsh to configure a system-wide static proxy.
> [!NOTE]
> - This will affect all applications including Windows services which use WinHTTP with default proxy.</br>
> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
1. Open an elevated command-line:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
```PowerShell
netsh winhttp set proxy <proxy>:<port>
```
For example: netsh winhttp set proxy 10.0.0.6:8080
### Proxy Configuration for down-level machines
Down-Level machines include Windows 7 SP1 and Windows 8.1 workstations as well
as Windows Server 2008 R2, Windows Sever 2012, Windows Server 2012 R2, and
versions of Windows Server 2016 prior to Windows Server CB 1803. These operating
systems will have the proxy configured as part of the Microsoft Management Agent
to handle communication from the endpoint to Azure. Refer to the
Microsoft Management Agent Fast Deployment Guide for information on how a proxy
is configured on these machines.
### Proxy Service URLs
URLs that include v20 in them are only needed if you have Windows 10, version
1803 or later machines. For example, `us-v20.events.data.microsoft.com` is only
needed if the machine is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record
-|-
Common URLs for all locations | ```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```<br>```notify.windows.com```<br> ```settings-win.data.microsoft.com```
European Union | ```eu.vortex-win.data.microsoft.com``` <br> ```eu-v20.events.data.microsoft.com``` <br> ```usseu1northprod.blob.core.windows.net``` <br>```usseu1westprod.blob.core.windows.net``` <br> ```winatp-gw-neu.microsoft.com``` <br> ```winatp-gw-weu.microsoft.com``` <br>```wseu1northprod.blob.core.windows.net``` <br>```wseu1westprod.blob.core.windows.net```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com``` <br>```ussuk1southprod.blob.core.windows.net``` <br>```ussuk1westprod.blob.core.windows.net``` <br>```winatp-gw-uks.microsoft.com``` <br>```winatp-gw-ukw.microsoft.com``` <br>```wsuk1southprod.blob.core.windows.net``` <br>```wsuk1westprod.blob.core.windows.net```
United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.blob.core.windows.net``` <br> ```ussus1westprod.blob.core.windows.net``` <br> ```ussus2eastprod.blob.core.windows.net``` <br> ```ussus2westprod.blob.core.windows.net``` <br> ```ussus3eastprod.blob.core.windows.net``` <br> ```ussus3westprod.blob.core.windows.net``` <br> ```ussus4eastprod.blob.core.windows.net``` <br> ```ussus4westprod.blob.core.windows.net``` <br> ```us-v20.events.data.microsoft.com``` <br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com``` <br> ```wsus1eastprod.blob.core.windows.net``` <br> ```wsus1westprod.blob.core.windows.net``` <br> ```wsus2eastprod.blob.core.windows.net``` <br> ```wsus2westprod.blob.core.windows.net```
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
### Microsoft Defender ATP service backend IP range
If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
- \+\<Region Name="uswestcentral">
- \+\<Region Name="useast2">
- \+\<Region Name="useast">
- \+\<Region Name="europenorth">
- \+\<Region Name="europewest">
- \+\<Region Name="uksouth">
- \+\<Region Name="ukwest">
You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
> [!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
## Onboarding using System Center Configuration Manager
### Collection creation
To onboard Windows 10 devices with System Center Configuration Manager, the
deployment can target either and existing collection or a new collection can be
created for testing. The onboarding like group policy or manual method does
not install any agent on the system. Within the Configuration Manager console
the onboarding process will be configured as part of the compliance settings
within the console. Any system that receives this required configuration will
maintain that configuration for as long as the Configuration Manager client
continues to receive this policy from the management point. Follow the steps
below to onboard systems with Configuration Manager.
1. In System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
![Image of System Center Configuration Manager wizard](images/sccm-device-collections.png)
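Review bot: the `[Appendix](#Appendix)` link in the Network configuration section points at a section that does not appear anywhere in the visible part of this hunk; either add the Appendix with the URL allow list or link directly to the "Proxy Service URLs" section that does exist. Other points in this hunk: the front-matter `description:` and `keywords:` fields are empty and `ms.topic: artilce` is a typo for `article`; "Microsoft Defnder ATP" in the note under the step list should be "Defender"; step 2 ends with "Once the authorization step is completed, the **Welcome** screen will be displayed" but the authorization steps are only step 3, so that sentence belongs after step 3; the `netsh winhttp set proxy` block is fenced as `PowerShell` although the step opens a Command Prompt, so a `cmd` or `console` fence is more accurate; the Azure region list items render literally as `+<Region Name="uswestcentral">` because of the escaped `\+\<...>` markup and should be plain region names; "Windows Sever 2012" and "If you network devices" are typos ("Server", "your"); the service-URL table wraps each hostname in triple backticks where single backticks suffice; and the sentence "make sure anonymous traffic is permitted in the previously listed URLs" would be clearer as "permit anonymous (unauthenticated) traffic only to the URLs listed above", which keeps the proxy exception scoped to the sensor's destinations rather than opening anonymous egress generally. The closing note "move to DNS resolving setting" is hard to parse; say that firewall rules should match on the listed hostnames rather than on the Azure IP ranges, since the ranges change.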