mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 02:13:43 +00:00
Merge branch 'master' into MDBranchADMXBackedPoliciesPhase1
This commit is contained in:
ManikaDhiman
@ -90,7 +90,7 @@ Secure Launch configuration:
|
||||
- 1 - Enables Secure Launch if supported by hardware
|
||||
- 2 - Disables Secure Launch.
|
||||
|
||||
For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows).
|
||||
For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
|
||||
@ -12,6 +12,7 @@ ms.author: deniseb
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.custom: nextgen
|
||||
ms.date: 08/26/2020
|
||||
---
|
||||
|
||||
# Turn on block at first sight
|
||||
@ -31,10 +32,10 @@ You can [specify how long the file should be prevented from running](configure-c
|
||||
|
||||
When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.
|
||||
|
||||
Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
|
||||
Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
|
||||
|
||||
|
||||
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
|
||||
In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
|
||||
|
||||
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
|
||||
|
||||
@ -86,7 +87,7 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D
|
||||
5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
|
||||
|
||||
|
||||
6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
|
||||
6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
|
||||
|
||||
|
||||
7. Click **OK** to create the policy.
|
||||
@ -99,9 +100,9 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D
|
||||
|
||||
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
|
||||
|
||||
- Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
|
||||
1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
|
||||
|
||||
- Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
|
||||
2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
|
||||
|
||||
> [!WARNING]
|
||||
> Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
|
||||
@ -112,6 +113,12 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D
|
||||
|
||||
2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
|
||||
|
||||
5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**:
|
||||
|
||||
1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**.
|
||||
|
||||
2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**.
|
||||
|
||||
If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered.
|
||||
|
||||
### Confirm block at first sight is turned on with Registry editor
|
||||
@ -129,7 +136,9 @@ If you had to change any of the settings, you should redeploy the Group Policy O
|
||||
1. **DisableIOAVProtection** key is set to **0**
|
||||
|
||||
2. **DisableRealtimeMonitoring** key is set to **0**
|
||||
|
||||
|
||||
4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2**
|
||||
|
||||
### Confirm Block at First Sight is enabled on individual clients
|
||||
|
||||
You can confirm that block at first sight is enabled on individual clients using Windows security settings.
|
||||
@ -169,7 +178,7 @@ You may choose to disable block at first sight if you want to retain the prerequ
|
||||
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
|
||||
|
||||
> [!NOTE]
|
||||
> Disabling block at first sight will not disable or alter the prerequisite group policies.
|
||||
> Disabling block at first sight does not disable or alter the prerequisite group policies.
|
||||
|
||||
## See also
|
||||
|
||||
|
||||
@ -13,6 +13,7 @@ ms.author: deniseb
|
||||
ms.custom: nextgen
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.date: 08/26/2020
|
||||
---
|
||||
|
||||
# Microsoft Defender Antivirus compatibility
|
||||
@ -26,7 +27,7 @@ manager: dansimp
|
||||
Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
|
||||
- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
|
||||
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
|
||||
- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
|
||||
- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in preview) enabled, then whenever a malicious artifact is detected, Microsoft Defender ATP takes action to block and remediate the artifact.
|
||||
|
||||
## Antivirus and Microsoft Defender ATP
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Overview of advanced hunting in Microsoft Defender ATP
|
||||
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
|
||||
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto
|
||||
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
@ -41,12 +41,16 @@ You can also go through each of the following steps to ramp up your advanced hun
|
||||
| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
|
||||
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
|
||||
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
|
||||
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
|
||||
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md) |
|
||||
|
||||
## Get help as you write queries
|
||||
Take advantage of the following functionality to write queries faster:
|
||||
- **Autosuggest** — as you write queries, advanced hunting provides suggestions from IntelliSense.
|
||||
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
|
||||
## Data freshness and update frequency
|
||||
Advanced hunting data can be categorized into two distinct types, each consolidated differently:
|
||||
|
||||
- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
|
||||
- **Entity data**—populates tables with consolidated information about users and devices. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
|
||||
|
||||
## Time zone
|
||||
All time information in advanced hunting is currently in the UTC time zone.
|
||||
|
||||
## Related topics
|
||||
- [Learn the query language](advanced-hunting-query-language.md)
|
||||
|
||||
@ -144,11 +144,28 @@ Data in advanced hunting tables are generally classified into the following data
|
||||
| `int` | 32-bit numeric value |
|
||||
| `long` | 64-bit numeric value |
|
||||
|
||||
## Get help as you write queries
|
||||
Take advantage of the following functionality to write queries faster:
|
||||
|
||||
- **Autosuggest**—as you write queries, advanced hunting provides suggestions from IntelliSense.
|
||||
- **Schema tree**—a schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
|
||||
- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries
|
||||
|
||||
## Work with multiple queries in the editor
|
||||
The query editor can serve as your scratch pad for experimenting with multiple queries. To use multiple queries:
|
||||
|
||||
- Separate each query with an empty line.
|
||||
- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.
|
||||
|
||||
|
||||
_Query editor with multiple queries_
|
||||
|
||||
|
||||
## Use sample queries
|
||||
|
||||
The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
|
||||
|
||||
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
|
||||
|
||||
@ -24,8 +24,6 @@ ms.topic: article
|
||||
|
||||
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
|
||||
|
||||
[!INCLUDE [Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
|
||||
|
||||
- View results as a table or chart
|
||||
|
||||
@ -29,7 +29,20 @@ ms.date: 01/14/2020
|
||||
|
||||
The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
|
||||
|
||||
## Schema tables
|
||||
## Get schema information in the security center
|
||||
While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:
|
||||
|
||||
- **Tables description**—type of data contained in the table and the source of that data.
|
||||
- **Columns**—all the columns in the table.
|
||||
- **Action types**—possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.
|
||||
- **Sample query**—example queries that feature how the table can be utilized.
|
||||
|
||||
### Access the schema reference
|
||||
To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table.
|
||||
|
||||
|
||||
|
||||
## Learn the schema tables
|
||||
|
||||
The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
|
||||
|
||||
|
||||
@ -28,7 +28,7 @@ Check if network protection has been enabled on a local device by using Registry
|
||||
|
||||
1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
|
||||
1. Choose **HKEY_LOCAL_MACHINE** from the side menu
|
||||
1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** **Windows Defender** > **Policy Manager**
|
||||
1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows Defender** > **Policy Manager**
|
||||
1. Select **EnableNetworkProtection** to see the current state of network protection on the device
|
||||
|
||||
* 0, or **Off**
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 67 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 78 KiB |
@ -139,7 +139,7 @@ Threat Analytics is a set of interactive reports published by the Microsoft Defe
|
||||
|
||||
- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
|
||||
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
|
||||
- Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/microsoft-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
|
||||
- Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.
|
||||
- [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans.
|
||||
|
||||
|
||||
|
||||
@ -26,7 +26,7 @@ Describes the best practices, location, values, management, and security conside
|
||||
|
||||
## Reference
|
||||
|
||||
This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
|
||||
This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more details, see [Microsoft Accounts](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts).
|
||||
|
||||
There are two options if this setting is enabled:
|
||||
|
||||
|
||||
@ -39,7 +39,8 @@ To create a new GPO
|
||||
|
||||
4. In the **Name** text box, type the name for your new GPO.
|
||||
|
||||
>**Note:** Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs.
|
||||
> [!NOTE]
|
||||
> Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs.
|
||||
|
||||
5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user