deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into nimishasatapathy-4749599-ASCIIimageconversion

Browse Source
This commit is contained in:
Daniel Simpson 2021-01-05 08:20:56 -08:00 committed by GitHub
commit 1bd6cf7441
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 283 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/security/threat-protection/TOC.md
View File

@ -302,6 +302,7 @@
##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
##### [Troubleshoot missing events issues](microsoft-defender-atp/linux-support-events.md)
#### [Privacy](microsoft-defender-atp/linux-privacy.md)

6
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
View File

@ -11,9 +11,9 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
ms.reviewer: pahuijbr, shwjha
manager: dansimp
ms.date: 12/20/2020
ms.date: 01/04/2021
---
# Microsoft Defender Antivirus compatibility
@ -47,7 +47,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode |
(<a id="fn1">1</a>) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive or disabled mode automatically when you install non-Microsoft antivirus product. In those cases, [disable Microsoft Defender Antivirus, or set it to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a server.
(<a id="fn1">1</a>) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server.
If you are using Windows Server, version 1803 or Windows Server 2019, you set Microsoft Defender Antivirus to passive mode by setting this registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

41
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
View File

@ -10,8 +10,8 @@ ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 12/17/2020
ms.reviewer: pahuijbr
ms.date: 01/04/2021
ms.reviewer: pahuijbr, shwjha
manager: dansimp
---
@ -34,19 +34,13 @@ While the functionality, configuration, and management are largely the same for
The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019)
2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019)
2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running)
3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence)
4. (As needed) [Submit samples](#submit-samples)
5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions)
6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus)
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019).
2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019).
3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running).
4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence).
5. (As needed) [Submit samples](#submit-samples).
6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions).
7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode).
## Enable the user interface on Windows Server 2016 or 2019
@ -171,11 +165,11 @@ To help ensure security and performance, certain exclusions are automatically ad
See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
## Need to uninstall Microsoft Defender Antivirus?
## Need to set Microsoft Defender Antivirus to passive mode?
If you are using a non-Microsoft antivirus product as your primary antivirus solution, you can either disable Microsoft Defender Antivirus, or set it to passive mode, as described in the following procedures.
If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode.
### Set Microsoft Defender Antivirus to passive mode
### Set Microsoft Defender Antivirus to passive mode using a registry key
If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
@ -193,17 +187,6 @@ If you are using Windows Server, version 1803 or Windows Server 2019, you can se
Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
### Disable Microsoft Defender Antivirus using PowerShell
>[!NOTE]
>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016 or 2019:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender
```
### Turn off the Microsoft Defender Antivirus user interface using PowerShell
To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:

16
windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
View File

@ -37,17 +37,19 @@ You can use either of the following solutions:
For granular control over permissions, [switch to role-based access control](rbac.md).
## Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read-only access
### Before you begin
- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0).
**Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
@ -61,19 +63,23 @@ Assigning read-only access rights requires adding the users to the "Security Rea
Use the following steps to assign security roles:
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
```PowerShell
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
- For **read-only** access, assign users to the security reader role by using the following command:
```text
```PowerShell
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
```
For more information, see, [Add, or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal).
## Assign user access using the Azure portal
For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
## Related topic
- [Manage portal access using RBAC](rbac.md)

19
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
View File

@ -46,12 +46,13 @@ Permission type | Permission | Permission display name
Application | Ip.Read.All | 'Read IP address profiles'
Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
>[!Note]
>[!NOTE]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
```
```http
GET /api/ips/{ip}/stats
```
@ -75,7 +76,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no
Here is an example of the request.
```
```http
GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
```
@ -84,7 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
Here is an example of the response.
```
```http
HTTP/1.1 200 OK
Content-type: application/json
{
@ -95,3 +96,13 @@ Content-type: application/json
"orgLastSeen": "2017-08-29T13:32:59Z"
}
```
| Name | Description |
| :--- | :---------- |
| Org prevalence | the distinct count of devices that opened network connection to this IP. |
| Org first seen | the first connection for this IP in the organization. |
| Org last seen | the last connection for this IP in the organization. |
> [!NOTE]
> This statistic information is based on data from the past 30 days.

22
windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
View File

@ -24,7 +24,6 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
@ -37,8 +36,29 @@ To test if Defender for Endpoint for Linux can communicate to the cloud with the
mdatp connectivity test
```
expected output:
```output
Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK]
Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK]
Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://us-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://v20.events.data.microsoft.com/ping ... [OK]
```
If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allow list.
## Troubleshooting steps for environments without proxy or with transparent proxy
To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:

94
windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md Normal file
View File

@ -0,0 +1,94 @@
---
title: Troubleshoot missing events or alerts issues for Microsoft Defender ATP for Linux
description: Troubleshoot missing events or alerts issues in Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, events
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
mms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal.
Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages.
In case events are not appearing or some types of events are missing, that could indicate some problem.
## Missing network and login events
Microsoft Defender for Endpoint utilized `audit` framework from linux to track network and login activity.
1. Make sure audit framework is working.
```bash
service auditd status
```
expected output:
```output
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 16666 (auditd)
Tasks: 25
CGroup: /system.slice/auditd.service
├─16666 /sbin/auditd
├─16668 /sbin/audispd
├─16670 /usr/sbin/sedispatch
└─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d
```
2. If auditd is stopped, please start it.
```bash
service auditd start
```
**On SLES15** systems, SYSCALL auditing in `auditd` is disabled by default and can explain missing events.
1. To validate that SYSCALL auditing is not disabeld, list the current audit rules:
```bash
sudo auditctl -l
```
if the following line is present, please remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs.
```output
-a task, never
```
audit rules are located at `/etc/audit/rules.d/audit.rules`.
## Missing file events
File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux.md#system-requirements).
List the filesystems on the machine with:
```bash
df -Th
```

37
windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
View File

@ -24,7 +24,6 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
@ -36,9 +35,11 @@ An error in installation may or may not result in a meaningful error message by
```bash
sudo journalctl | grep 'microsoft-mdatp' > installation.log
```
```bash
grep 'postinstall end' installation.log
```
```Output
microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
```
@ -47,6 +48,20 @@ An output from the previous command with correct date and time of installation i
Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
## Make sure you have the correct package
Please mind that the package you are installing is matching the host distribution and version.
| package | distribution |
|-------------------------------|------------------------------------------|
| mdatp-rhel8.Linux.x86_64.rpm | Oracle, RHEL and CentOS 8.x |
| mdatp-sles12.Linux.x86_64.rpm | SuSE Linux Enterprise Server 12.x |
| mdatp-sles15.Linux.x86_64.rpm | SuSE Linux Enterprise Server 15.x |
| mdatp.Linux.x86_64.rpm | Oracle, RHEL and CentOS 7.x |
| mdatp.Linux.x86_64.deb | Debian and Ubuntu 16.04, 18.04 and 20.04 |
For [manual deployment](linux-install-manually.md), make sure the correct distro and version had been chosen.
## Installation failed
Check if the mdatp service is running:
@ -54,6 +69,7 @@ Check if the mdatp service is running:
```bash
systemctl status mdatp
```
```Output
● mdatp.service - Microsoft Defender for Endpoint
Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
@ -69,26 +85,33 @@ systemctl status mdatp
## Steps to troubleshoot if mdatp service isn't running
1. Check if "mdatp" user exists:
```bash
id "mdatp"
```
If theres no output, run
```bash
sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
```
2. Try enabling and restarting the service using:
```bash
sudo systemctl enable mdatp
```
```bash
sudo systemctl restart mdatp
```
3. If mdatp.service isn't found upon running the previous command, run:
```bash
sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
```
where ```<systemd_path>``` is
```/lib/systemd/system``` for Ubuntu and Debian distributions and
```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES.
@ -100,16 +123,21 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`.
6. Ensure that the daemon has executable permission.
```bash
ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
```
```Output
-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
```
If the daemon doesn't have executable permissions, make it executable using:
```bash
sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
```
and retry running step 2.
7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".
@ -117,24 +145,31 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
## If mdatp service is running, but EICAR text file detection doesn't work
1. Check the file system type using:
```bash
findmnt -T <path_of_EICAR_file>
```
Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
## Command-line tool “mdatp” isn't working
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
```bash
sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
```
and try again.
If none of the above steps help, collect the diagnostic logs:
```bash
sudo mdatp diagnostic create
```
```Output
Diagnostic file created: <path to file>
```
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.

16
windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md
View File

@ -23,7 +23,6 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
@ -34,6 +33,8 @@ Real-time protection (RTP) is a feature of Defender for Endpoint for Linux that
Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint for Linux.
Before starting, **please make sure that other security products are not currenly running on the device**. Multilpe security products may conflict and impact the host performance.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint for Linux is contributing to the performance issues.
@ -43,12 +44,15 @@ The following steps can be used to troubleshoot and mitigate these issues:
```bash
mdatp config real-time-protection --value disabled
```
```Output
Configuration property updated
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case please contact customer support for further instructions and mitigation.
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux.
> [!NOTE]
@ -71,6 +75,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
```bash
mdatp config real-time-protection --value enabled
```
```Output
Configuration property updated
```
@ -80,6 +85,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
```bash
mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
```
> [!NOTE]
> Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing.
@ -90,6 +96,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
```bash
wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
```
The output of this command should be similar to the following:
```Output
@ -102,10 +109,13 @@ The following steps can be used to troubleshoot and mitigate these issues:
100%[===========================================>] 1,020 --.-K/s in 0s
```
4. Next, type the following commands:
```bash
chmod +x high_cpu_parser.py
```
```bash
cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log
```
@ -127,7 +137,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
4764 None 228
125  CrashPlanService 164
```
 
To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
>[!NOTE]
@ -136,5 +146,3 @@ The following steps can be used to troubleshoot and mitigate these issues:
5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).

35
windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
View File

@ -46,12 +46,12 @@ You can also submit files for deep analysis, to run the file in a secure cloud s
Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files:
Permission | PE files | Non-PE files
:---|:---|:---
View data | X | X
Alerts investigation | &#x2611; | X
Live response basic | X | X
Live response advanced | &#x2611; |&#x2611;
| Permission | PE files | Non-PE files |
| :--------------------- | :------: | :----------: |
| View data | X | X |
| Alerts investigation | &#x2611; | X |
| Live response basic | X | X |
| Live response advanced | &#x2611; | &#x2611; |
For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
@ -94,6 +94,7 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher
![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png)
The Action center shows the submission information:
![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png)
- **Submission time** - Shows when the action was submitted.
@ -118,13 +119,13 @@ You can roll back and remove a file from quarantine if youve determined that
1. Open an elevated commandline prompt on the device:
a. Go to **Start** and type _cmd_.
1. Go to **Start** and type _cmd_.
b. Rightclick **Command prompt** and select **Run as administrator**.
1. Rightclick **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```Powershell
```powershell
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” Restore Name EUS:Win32/CustomEnterpriseBlock All
```
@ -133,7 +134,7 @@ You can roll back and remove a file from quarantine if youve determined that
>
> Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
> [!Important]
> [!IMPORTANT]
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
## Add indicator to block or allow a file
@ -215,7 +216,7 @@ The Deep analysis summary includes a list of observed *behaviors*, some of which
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.<br/>
<br/>
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
@ -232,7 +233,7 @@ You can also manually submit a sample through the [Microsoft Security Center Por
When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
**Submit files for deep analysis:**
#### Submit files for deep analysis
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
@ -252,7 +253,7 @@ A progress bar is displayed and provides information on the different stages of
> [!NOTE]
> Depending on device availability, sample collection time can vary. There is a 3hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can resubmit files for deep analysis to get fresh data on the file.
**View deep analysis reports**
#### View deep analysis reports
View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
@ -268,16 +269,19 @@ The details provided can help you investigate if there are indications of a pote
![The deep analysis report shows detailed information across a number of categories](images/analysis-results-nothing.png)
**Troubleshoot deep analysis**
#### Troubleshoot deep analysis
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
```Powershell
```powershell
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
@ -287,6 +291,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
```
1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
## Related topics