deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-22 18:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

some revions to wording before updates

Browse Source
This commit is contained in:
martyav 2019-08-05 18:09:08 -04:00
parent 003fa45ee7
commit 2f3117a01a
1 changed files with 19 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
View File

@ -24,42 +24,42 @@ manager: dansimp
The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
These applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect their performance or use. _PUA_ can also refer to an application that has a poor reputation, due to certain kinds of undesirable behavior.
Typical PUA behavior includes:
- Various types of software bundling
- Ad injection into web browsers
- Various types of software bundling
- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs)
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
These applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning up the applications.
>[!TIP]
>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
> [!TIP]
> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm that the feature is working, and see how it works.
## How it works
Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantined.
Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine.
When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:").
When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections, though prefaced with _PUA:_.
They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
The notification will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
## View PUA events
PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune.
PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune.
You can turn on email notifications for PUA detections.
You can turn on email notifications to receive mail about PUA detections.
See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.
## Configure PUA protection
You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or PowerShell cmdlets.
You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets.
You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.
You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log.
This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
### Use Intune to configure PUA protection
@ -67,20 +67,20 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic
### Use Configuration Manager to configure PUA protection
PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later.
PUA protection is enabled by default in the System Center Configuration Manager (current branch), starting with version 1606.
See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch).
For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA).
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
**Use Group Policy to configure PUA protection:**
**Use Group Policy to configure PUA protection**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus**.
@ -100,7 +100,7 @@ Set-MpPreference -PUAProtection
Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled.
Setting `AuditMode` will detect PUAs but will not block them.
Setting `AuditMode` will detect PUAs without blocking them.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.