From 2bf88f17813e0fc39f5e9b9419737a2cc0565f2e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:47:33 -0800 Subject: [PATCH 01/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...anted-apps-microsoft-defender-antivirus.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 77a4285b90..caf97b9841 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: +ms.date: 11/30/2020 ms.reviewer: manager: dansimp --- @@ -31,23 +31,23 @@ manager: dansimp Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior. -For example: +Here are some examples: -* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages. -* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. -* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. +- **Advertising software** that displays advertisements or promotions, including software that inserts advertisements to webpages. +- **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +- **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. -## How it works +PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016. -### Microsoft Edge +## Microsoft Edge The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). -#### Enable PUA protection in Chromium-based Microsoft Edge +### Enable PUA protection in Chromium-based Microsoft Edge Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. @@ -58,7 +58,7 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium > [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). -#### Blocking URLs with Windows Defender SmartScreen +### Blocking URLs with Windows Defender SmartScreen In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. @@ -68,7 +68,7 @@ Defender SmartScreen available, including [one for blocking PUA](https://docs.mi Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Windows Defender SmartScreen will respect the new settings. -### Microsoft Defender Antivirus +## Microsoft Defender Antivirus The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. @@ -81,7 +81,7 @@ When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). -#### Configure PUA protection in Microsoft Defender Antivirus +### Configure PUA protection in Microsoft Defender Antivirus You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. @@ -92,11 +92,11 @@ You can also use the PUA audit mode to detect PUAs without blocking them. The de PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -##### Use Intune to configure PUA protection +#### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -##### Use Configuration Manager to configure PUA protection +#### Use Configuration Manager to configure PUA protection PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch). @@ -107,7 +107,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw > [!NOTE] > PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. -##### Use Group Policy to configure PUA protection +#### Use Group Policy to configure PUA protection 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. @@ -121,23 +121,23 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. -##### Use PowerShell cmdlets to configure PUA protection +#### Use PowerShell cmdlets to configure PUA protection -###### To enable PUA protection +##### To enable PUA protection ```PowerShell Set-MpPreference -PUAProtection enable ``` Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. -###### To set PUA protection to audit mode +##### To set PUA protection to audit mode ```PowerShell Set-MpPreference -PUAProtection auditmode ``` Setting `AuditMode` will detect PUAs without blocking them. -###### To disable PUA protection +##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: @@ -148,7 +148,7 @@ Setting the value for this cmdlet to `Disabled` will turn the feature off if it See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -#### View PUA events +### View PUA events PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. @@ -156,7 +156,7 @@ You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. -#### Allow-listing apps +### Allow-listing apps Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. From 0e11dd7a8d90b05ff76f2343773270843170e450 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:51:05 -0800 Subject: [PATCH 02/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...potentially-unwanted-apps-microsoft-defender-antivirus.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index caf97b9841..cc8d638985 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -37,7 +37,8 @@ Here are some examples: - **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. - **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. -For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). +> [!TIP] +> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. @@ -45,7 +46,7 @@ PUA protection is supported on Windows 10, Windows Server 2019, and Windows Serv ## Microsoft Edge -The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). +The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-know-microsoft-edge-3f4bb0ff-58de-2188-55c0-f560b7e20bea), which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). ### Enable PUA protection in Chromium-based Microsoft Edge From b16dfd9bea897667dd380506b4e487b4cbe366ff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:52:26 -0800 Subject: [PATCH 03/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...-potentially-unwanted-apps-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index cc8d638985..a3f6d01c30 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -53,8 +53,8 @@ The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-kno Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. 1. Select the ellipses, and then choose **Settings**. -2. Select **Privacy and services**. -3. Under the **Services** section, turn on **Block potentially unwanted apps**. +2. Select **Privacy, search, and services**. +3. Under the **Security** section, turn on **Block potentially unwanted apps**. > [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). From bbabd50e30c149f5df744cd306e4b9044ccd976c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:54:19 -0800 Subject: [PATCH 04/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...lly-unwanted-apps-microsoft-defender-antivirus.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index a3f6d01c30..446eb85451 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -57,17 +57,17 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium 3. Under the **Security** section, turn on **Block potentially unwanted apps**. > [!TIP] -> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/). -### Blocking URLs with Windows Defender SmartScreen +### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can -[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. +[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Windows Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. ## Microsoft Defender Antivirus From 71315724d3355c82e013ef7b4c9ed6dd8c9db445 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:55:57 -0800 Subject: [PATCH 05/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...otentially-unwanted-apps-microsoft-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 446eb85451..cb1802350e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -63,18 +63,18 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. ## Microsoft Defender Antivirus The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] -> This feature is available in Windows 10, Windows Server 2016 and Windows Server 2019. +> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. From 52dd1c5cdca64ef02096b02842f22488a8fe07d0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:00:16 -0800 Subject: [PATCH 06/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ially-unwanted-apps-microsoft-defender-antivirus.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index cb1802350e..4f07727faf 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -78,7 +78,7 @@ The potentially unwanted application (PUA) protection feature in Microsoft Defen Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. +When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content. The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). @@ -91,7 +91,7 @@ You can also use the PUA audit mode to detect PUAs without blocking them. The de > [!TIP] > You can visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. -PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. #### Use Intune to configure PUA protection @@ -114,14 +114,16 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. -3. Expand the tree to **Windows components > Microsoft Defender Antivirus**. +3. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. -4. Double-click **Configure protection for potentially unwanted applications**. +4. Double-click **Configure detection for potentially unwanted applications**. 5. Select **Enabled** to enable PUA protection. 6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +7. Deploy your Group Policy object as you normally do. + #### Use PowerShell cmdlets to configure PUA protection ##### To enable PUA protection From f5b81edeb6c204d2edc41c9926ff68bd593cb363 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:11:59 -0800 Subject: [PATCH 07/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...otentially-unwanted-apps-microsoft-defender-antivirus.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 4f07727faf..8a4c1bedf3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -122,7 +122,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. -7. Deploy your Group Policy object as you normally do. +7. Deploy your Group Policy object as you usually do. #### Use PowerShell cmdlets to configure PUA protection @@ -161,7 +161,9 @@ See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for d ### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. + +For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). ## Related articles From 2c040a199e742ea9108bfeff6a0e031d349bdb64 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:17:05 -0800 Subject: [PATCH 08/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...otentially-unwanted-apps-microsoft-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 8a4c1bedf3..efd4782497 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -84,12 +84,12 @@ The notification appears in the usual [quarantine list within the Windows Securi ### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps). -You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. > [!TIP] -> You can visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. +> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. From 38a67b4d009e032b8b831bc5ba1871bc1763983a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:34:35 -0800 Subject: [PATCH 09/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ck-potentially-unwanted-apps-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index efd4782497..bd0e3070aa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -84,7 +84,7 @@ The notification appears in the usual [quarantine list within the Windows Securi ### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps). +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps). You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. From c9261008570f2864b9ea23305915320365185aff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:36:59 -0800 Subject: [PATCH 10/10] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ck-potentially-unwanted-apps-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index bd0e3070aa..cb05c08abe 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -84,7 +84,7 @@ The notification appears in the usual [quarantine list within the Windows Securi ### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps). +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log.