mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 14:57:23 +00:00
Edited block at first sight for content reorg.
This commit is contained in:
parent
58533be489
commit
295c33fb0f
@ -14,24 +14,15 @@ ms.author: v-anbic
|
||||
ms.date: 05/02/2018
|
||||
---
|
||||
|
||||
# Enable the Block at First Sight feature
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10, version 1703 and later
|
||||
|
||||
**Audience**
|
||||
|
||||
- Enterprise security administrators
|
||||
# Enable block at first sight
|
||||
|
||||
**Manageability available with**
|
||||
|
||||
- Intune
|
||||
- Microsoft Intune
|
||||
- Group Policy
|
||||
- Windows Defender Security Center app
|
||||
|
||||
|
||||
Block at first sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds.
|
||||
Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds.
|
||||
|
||||
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.
|
||||
|
||||
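Review bot: the rewritten intro sentence `Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds.` drops the component name and replaces it with the undefined term "next gen protection", so a reader no longer learns which product (Windows Defender Antivirus cloud-delivered protection, as the removed line said) actually implements the feature; suggest keeping the product name, e.g. `Block at first sight is a feature of Windows Defender Antivirus next-generation protection ...`, or defining the term on first use. Also, `ms.date: 05/02/2018` in the front matter is left unchanged by this content reorg; it should be bumped so the published page reflects the revision date.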
@ -40,128 +31,117 @@ You can [specify how long the file should be prevented from running](configure-c
|
||||
You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.
|
||||
|
||||
> There is no specific individual setting in System Center Configuration Manager to enable or disable block at first sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.
|
||||
|
||||
>[!TIP]
|
||||
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
|
||||
|
||||
>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
|
||||
|
||||
## How it works
|
||||
|
||||
When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
|
||||
When antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
|
||||
|
||||
In Windows 10, version 1803, the Block at First Sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
|
||||
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
|
||||
|
||||
The Block at First Sight feature only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
|
||||
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
|
||||
|
||||
If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe.
|
||||
If the cloud backend is unable to make a determination, antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
|
||||
|
||||
In many cases this process can reduce the response time for new malware from hours to seconds.
|
||||
In many cases, this process can reduce the response time for new malware from hours to seconds.
|
||||
|
||||
## Confirm and validate that block at first sight is enabled
|
||||
|
||||
## Confirm and validate Block at First Sight is enabled
|
||||
Block at first sight requires a number of Group Policy settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise antivirus deployments.
|
||||
|
||||
Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks.
|
||||
|
||||
### Confirm Block at First Sight is enabled with Intune
|
||||
### Confirm block at first sight is enabled with Intune
|
||||
|
||||
1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**.
|
||||
|
||||
> [!NOTE]
|
||||
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
|
||||
> [!NOTE]
|
||||
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
|
||||
|
||||
2. Verify these settings are configured as follows:
|
||||
|
||||
- **Cloud-delivered protection**: **Enable**
|
||||
- **File Blocking Level**: **High**
|
||||
- **Time extension for file scanning by the cloud**: **50**
|
||||
- **Prompt users before sample submission**: **Send all data without prompting**
|
||||
- **Cloud-delivered protection**: **Enable**
|
||||
- **File Blocking Level**: **High**
|
||||
- **Time extension for file scanning by the cloud**: **50**
|
||||
- **Prompt users before sample submission**: **Send all data without prompting**
|
||||
|
||||
For more information about configuring Windows Defender AV device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
|
||||
For more information about configuring antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
|
||||
|
||||
For a list of Windows Defender AV device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus).
|
||||
For a list of antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus).
|
||||
|
||||
### Confirm block at first sight is enabled with Group Policy
|
||||
|
||||
### Confirm Block at First Sight is enabled with Group Policy
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
3. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
|
||||
|
||||
5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies:
|
||||
|
||||
1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**.
|
||||
|
||||
1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
|
||||
|
||||
1. Send safe samples (1)
|
||||
|
||||
1. Send all samples (3)
|
||||
1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
|
||||
|
||||
2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following:
|
||||
|
||||
- Send safe samples (1)
|
||||
- Send all samples (3)
|
||||
|
||||
> [!WARNING]
|
||||
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
|
||||
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means block at first sight will not function.
|
||||
|
||||
1. Click **OK**.
|
||||
3. Click **OK**.
|
||||
|
||||
1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
|
||||
|
||||
1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**.
|
||||
|
||||
1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**.
|
||||
4. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**:
|
||||
|
||||
1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**. Click **OK**.
|
||||
|
||||
2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**. Click **OK**.
|
||||
|
||||
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
|
||||
|
||||
### Confirm block at first sight is enabled with the Windows Defender Security Center app
|
||||
|
||||
### Confirm Block at First Sight is enabled with the Windows Defender Security Center app
|
||||
You can confirm that block at first sight is enabled in Windows Settings.
|
||||
|
||||
You can confirm that Block at First Sight is enabled in Windows Settings.
|
||||
|
||||
The feature is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
|
||||
Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
|
||||
|
||||
**Confirm Block at First Sight is enabled on individual clients**
|
||||
|
||||
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar.
|
||||
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Virus & threat protection settings**:
|
||||
|
||||

|
||||
|
||||
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
|
||||
|
||||
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
|
||||
|
||||
> [!NOTE]
|
||||
> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
|
||||
|
||||
### Validate block at first sight is working
|
||||
|
||||
### Validate Block at First Sight is working
|
||||
You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate).
|
||||
|
||||
You can validate that the feature is working by following the steps outlined in the [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate) topic.
|
||||
|
||||
|
||||
## Disable Block at First Sight
|
||||
## Disable block at first sight
|
||||
|
||||
> [!WARNING]
|
||||
> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network.
|
||||
> Disabling block at first sight will lower the protection state of the endpoint and your network.
|
||||
|
||||
You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
|
||||
You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
|
||||
|
||||
**Disable Block at First Sight with Group Policy**
|
||||
**Disable block at first sight with Group Policy**
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
5. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
|
||||
3. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
|
||||
|
||||
1. Double-click the **Configure the 'Block at First Sight' feature** setting and set the option to **Disabled**.
|
||||
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
|
||||
|
||||
> [!NOTE]
|
||||
> Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
|
||||
|
||||
> Disabling block at first sight will not disable or alter the pre-requisite group policies.
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md)
|
||||
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
|
||||
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
|
||||
|
||||
|
||||
|
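Review bot: the reworded "How it works" sentence still has a number disagreement: `When antivirus encounters a suspicious but undetected file, it queries our cloud protection backend.` is followed by `... to determine whether the files are malicious or clean.`, so "files are" should read "the file is", and "When antivirus encounters" needs a product name or at least an article (`When Windows Defender Antivirus encounters ...`). In the Related topics list, changing the link text from `Windows Defender in Windows 10` to `Antivirus in Windows 10` while the target stays `windows-defender-antivirus-in-windows-10.md` makes the link text vaguer than the page it points to; `Windows Defender Antivirus in Windows 10` would match the target. In the per-client confirmation steps, dropping `or searching the start menu for **Defender**` removes the only path for users whose taskbar does not show the shield icon; consider keeping that alternative. The renumbering of the Group Policy steps (1, 3, 5 to 1, 2, 3, 4) and the switch to `-` bullets for the sample-submission options are correct fixes.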