From 80a4d5bfe4edf99e72c39aa3b01f06e9e6375a7d Mon Sep 17 00:00:00 2001 From: schmurky Date: Wed, 21 Oct 2020 17:33:29 +0800 Subject: [PATCH 01/24] Replace for json --- .../microsoft-defender-atp/linux-support-perf.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 8390f37105..44a7b84113 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -32,7 +32,7 @@ This article provides some general steps that can be used to narrow down perform Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. -Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux. +Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues. The following steps can be used to troubleshoot and mitigate these issues: 
@@ -54,7 +54,7 @@ The following steps can be used to troubleshoot and mitigate these issues: > [!NOTE] > This feature is available in version 100.90.70 or newer. - This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: + This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: ```bash mdatp config real-time-protection-statistics --value enabled @@ -78,8 +78,10 @@ The following steps can be used to troubleshoot and mitigate these issues: To collect current statistics, run: ```bash - mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file + mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs ``` + > [!NOTE] + > Adding ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). 
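Review bot: In the @@ -78,8 hunk the redirected file `real_time_protection_logs` now contains JSON but carries no extension, and the paragraph that follows still tells the reader to look under the `Total files scanned` row, which is a label from the human-readable output rather than something visible in raw JSON; name the file `real_time_protection.json` (or similar) and reword the paragraph to say the JSON is meant to be parsed, pointing to whatever parser is expected. The added note also wraps `--output json` in triple backticks inline while the rest of the article uses single backticks for inline code (for example `Total files scanned`); use single backticks for consistency.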
@@ -88,6 +90,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues +5. Re-enable real-time protection. - For more details, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). From 397c7a4c475b6cd473c33ad90e6f64837ff699b2 Mon Sep 17 00:00:00 2001 From: schmurky Date: Wed, 21 Oct 2020 17:37:59 +0800 Subject: [PATCH 02/24] Replace add with use --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 44a7b84113..d9b56bf731 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
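Review bot: Splitting step 4 into two steps leaves the indented "For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md)." under the new step 5 ("Re-enable real-time protection."), although that link is about exclusions and belongs under step 4; move it up under step 4 and end the new step 4 sentence with a period, which the hunk drops.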
@@ -81,7 +81,7 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs ``` > [!NOTE] - > Adding ```--output json``` (note the double dash) ensures that the output format is ready for parsing. + > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). From cc82b538cccd6c73a28ff5bb36f550a411628a51 Mon Sep 17 00:00:00 2001 From: schmurky Date: Thu, 22 Oct 2020 17:34:09 +0800 Subject: [PATCH 03/24] More details --- .../linux-support-perf.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index d9b56bf731..2e16c94605 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -83,14 +83,23 @@ The following steps can be used to troubleshoot and mitigate these issues: > [!NOTE] > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. - The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + The output of this command will show all processes and their associated scan activity. +3. You can then run a script to parse the output. + + To do this, in your Windows system, create a folder in ```C:\temp\High_CPU_util_parser_for_Linux```. + + Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. + + You can then use this sample Powershell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. + + Run the Powershell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. -3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. +4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues. 
For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues 5. Re-enable real-time protection. - For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + From f2ff564c5c96e7f01321988d4fb0c3971e62e4ee Mon Sep 17 00:00:00 2001 From: schmurky Date: Thu, 22 Oct 2020 17:36:07 +0800 Subject: [PATCH 04/24] PowerShell caps --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 2e16c94605..f52e335011 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
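Review bot: The new step 3 tells the reader to use "this sample PowerShell script" and save it as `MDATP_Linux_High_CPU_parser.ps1`, but the hunk contains neither the script nor a link to where it is published, so the step cannot be followed as written; add the script or a link to its source. Two smaller points: the hunk asks to "Run the PowerShell script as admin", yet parsing a text file and opening Excel needs no elevated privileges, so either drop that requirement or state why it is needed; and the hunk deletes the existing step 3 (`top`) outright rather than renumbering it, which looks unintended. Also "parse the```real_time_protection_logs```" is missing a space after "the" and again uses triple backticks for inline code.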
@@ -91,9 +91,9 @@ The following steps can be used to troubleshoot and mitigate these issues: Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. - You can then use this sample Powershell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. + You can then use this sample PowerShell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. - Run the Powershell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + Run the PowerShell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. From 2015a7ce2829bbc4b29f754f7d34411494ddc263 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:28:16 +0800 Subject: [PATCH 05/24] New updates --- .../linux-support-perf.md | 42 +++++++++++++------ 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index d0a4e97401..86995376ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -78,32 +78,48 @@ The following steps can be used to troubleshoot and mitigate these issues: To collect current statistics, run: ```bash - mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs + mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json ``` > [!NOTE] > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. -3. You can then run a script to parse the output. - - To do this, in your Windows system, create a folder in ```C:\temp\High_CPU_util_parser_for_Linux```. +3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. + ```bash + wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py + ``` + The output of this command should be something similar to: - Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. + ```Output + --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.196.133 + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.196.133| :443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1020 [text/plain] + Saving to: 'high_cpu_parser.py' - You can then use this sample PowerShell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. - The output of this command will show all processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. 
For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + 100%[===========================================>] 1,020 --.-K/s in 0s + ``` +4. Next, type the following commands: + ```bash + chmod +x high_cpu_parser.py + ``` + ```bash + cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log + ``` - Run the PowerShell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + The output of the above command displays all the processes and their associated scan activity. + + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + + > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). +5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. -5. Re-enable real-time protection. + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). - -4. 
Configure Defender for Endpoint for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - For more details, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). From 8d26222842313aa52ee93cccace65e370ac416f3 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:30:46 +0800 Subject: [PATCH 06/24] added link to parser --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 86995376ac..808117dc1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -85,7 +85,7 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. +3. On your Linux system, download the sample Python parser [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From d99b6ae0b04b5d9d45c0262d567917403fc5b6e9 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:35:05 +0800 Subject: [PATCH 07/24] add link --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 808117dc1e..da1c943252 100644 
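Review bot: In the @@ -78,32 hunk the sample `Output` block does not match the command above it: the first line shows `microsoft.mdatp-xplat` (dot instead of slash) and `linus/diagnostic` instead of `linux/diagnostic`, and it includes a resolved IP address and timestamp, so paste the actual output of the `wget` command shown, or redact it consistently. In step 4, `chmod +x high_cpu_parser.py` is unnecessary because the script is run through `python high_cpu_parser.py`, and `cat real_time_protection.json | python high_cpu_parser.py` can simply be `python high_cpu_parser.py < real_time_protection.json`. Because the step downloads a script from a raw GitHub URL and runs it on a production endpoint, a sentence asking the reader to review the script (the repository link helps) before running it would fit here. Finally, step 4 says "Defender for Endpoint for Linux" while step 5 says "Microsoft Defender ATP for Linux"; use one product name throughout the section.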
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -85,7 +85,7 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). +3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. You can also download it from this link: [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From 00d43db17b9cb9e18d07cb202469d4b22423d064 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:36:03 +0800 Subject: [PATCH 08/24] removed link --- .../microsoft-defender-atp/linux-support-perf.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index da1c943252..17e0183fc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -85,7 +85,8 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. You can also download it from this link: [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the following command: + ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From 88dfd49ccae54e3fe2e2fd28204e3abfda98555d Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:37:46 +0800 Subject: [PATCH 09/24] removed pii --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 17e0183fc5..b8eacdcd6e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -94,8 +94,8 @@ The following steps can be used to troubleshoot and mitigate these issues: ```Output --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py - Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.196.133 - Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.196.133| :443... connected. + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected. HTTP request sent, awaiting response... 200 OK Length: 1020 [text/plain] Saving to: 'high_cpu_parser.py' From 1432a9f501442e76608446f05e082c66aff6c028 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:56:25 +0800 Subject: [PATCH 10/24] minor edits --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index b8eacdcd6e..9f58beceba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
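Review bot: While masking the address to `151.101.xxx.xxx` (a public CDN address is not personal data, but masking is harmless), the same `Output` block still shows a URL (`microsoft.mdatp-xplat`, `linus/diagnostic`) that differs from the one in the `wget` command, so the reader cannot reproduce the output shown; fix the URL in the same hunk. The spaces in `| 151.101.xxx.xxx| :443` also do not match real wget output, which prints `|151.101.xxx.xxx|:443`.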
@@ -85,12 +85,12 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the following command: +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` - The output of this command should be something similar to: + The output of this command should be similar to the following: ```Output --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py From 9bff12a18bed12a9274e378d8111ef966888bbd1 Mon Sep 17 00:00:00 2001 From: schmurky Date: Fri, 27 Nov 2020 15:31:10 +0800 Subject: [PATCH 11/24] Update with sample --- .../linux-support-perf.md | 26 ++++++++++++++++--- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 9f58beceba..c2520ac1b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -113,11 +113,29 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of the above command displays all the processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - - - > [!NOTE] - > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + The output is list of the top contributors to the performance issues. The 1st column is the process identifier (PID), the 2nd column is te process name, and the last column is the number of scanned files, sorted by impact. + + For example, the output of the command will be something like the below: + + ```Output + mavel@mavel-mac:/Users/mavel > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + 27432 None 76703 + 73467 actool     1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1    launchd    407 + 73468 ibtool     344 + 549  telemetryd_v1   325 + 4764 None 228 + 125  CrashPlanService 164 + ``` +  + + +>[!NOTE] +> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. 
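Review bot: The sample output appears to have been captured on macOS (prompt `mavel@mavel-mac:/Users/mavel`, processes `launchd`, `xcodebuild`, `CrashPlanService`) in an article about Linux, and the prompt carries a username, which runs against the PII removal in PATCH 09; capture the sample on a Linux host and strip the prompt. The command in the sample also reads `<~Downloads/output.json` (presumably `< ~/Downloads/output.json`) and uses a different file name from the `real_time_protection.json` produced in step 4. Typos in the new paragraph: "The output is list of" is missing "a", and "te process name" should be "the process name". The hunk also moves the NOTE about in-memory statistics out of the list indentation and changes `> [!NOTE]` to `>[!NOTE]`; keep the original form so the admonition still renders inside step 4. Since the sample shows `None` as a process name for several PIDs, a sentence explaining what `None` means and how to treat those rows would help readers deciding what to exclude.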
From c3b172ad575c07c9d9949cf9987319e4273141f9 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 30 Nov 2020 15:23:02 -0800 Subject: [PATCH 12/24] adding server as supported OS --- ...ck-potentially-unwanted-apps-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 4c9c47828e..77a4285b90 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -73,7 +73,7 @@ Although Microsoft Defender for Endpoint has its own block list, based upon a da The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] -> This feature is only available in Windows 10. +> This feature is available in Windows 10, Windows Server 2016 and Windows Server 2019. Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. From 2bf88f17813e0fc39f5e9b9419737a2cc0565f2e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:47:33 -0800 Subject: [PATCH 13/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...anted-apps-microsoft-defender-antivirus.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 77a4285b90..caf97b9841 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: +ms.date: 11/30/2020 ms.reviewer: manager: dansimp --- 
@@ -31,23 +31,23 @@ manager: dansimp Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior. -For example: +Here are some examples: -* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages. -* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. -* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. +- **Advertising software** that displays advertisements or promotions, including software that inserts advertisements to webpages. +- **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +- **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. -## How it works +PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016. 
-### Microsoft Edge +## Microsoft Edge The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). -#### Enable PUA protection in Chromium-based Microsoft Edge +### Enable PUA protection in Chromium-based Microsoft Edge Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. @@ -58,7 +58,7 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium > [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). -#### Blocking URLs with Windows Defender SmartScreen +### Blocking URLs with Windows Defender SmartScreen In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. @@ -68,7 +68,7 @@ Defender SmartScreen available, including [one for blocking PUA](https://docs.mi Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Windows Defender SmartScreen will respect the new settings. -### Microsoft Defender Antivirus +## Microsoft Defender Antivirus The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. 
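Review bot: In the @@ -31,23 hunk the new sentence "PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016." duplicates the NOTE added in PATCH 12 under the Microsoft Defender Antivirus section ("This feature is available in Windows 10, Windows Server 2016 and Windows Server 2019"); keep the support statement in one place so the two cannot drift apart. Grammar in the rewritten list: "other software that qualify as PUA" should be "qualifies". The heading promotions that replace "## How it works" are applied consistently across the remaining hunks, which is good.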
@@ -81,7 +81,7 @@ When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). -#### Configure PUA protection in Microsoft Defender Antivirus +### Configure PUA protection in Microsoft Defender Antivirus You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. @@ -92,11 +92,11 @@ You can also use the PUA audit mode to detect PUAs without blocking them. The de PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -##### Use Intune to configure PUA protection +#### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -##### Use Configuration Manager to configure PUA protection +#### Use Configuration Manager to configure PUA protection PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch). 
@@ -107,7 +107,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw > [!NOTE] > PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. -##### Use Group Policy to configure PUA protection +#### Use Group Policy to configure PUA protection 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. @@ -121,23 +121,23 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. -##### Use PowerShell cmdlets to configure PUA protection +#### Use PowerShell cmdlets to configure PUA protection -###### To enable PUA protection +##### To enable PUA protection ```PowerShell Set-MpPreference -PUAProtection enable ``` Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. -###### To set PUA protection to audit mode +##### To set PUA protection to audit mode ```PowerShell Set-MpPreference -PUAProtection auditmode ``` Setting `AuditMode` will detect PUAs without blocking them. -###### To disable PUA protection +##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: 
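Review bot: in the `#### Use PowerShell cmdlets` region of the @@ -121 hunk, the context lines disagree on the parameter values: the code runs `Set-MpPreference -PUAProtection enable` and `-PUAProtection auditmode`, while the prose directly after each block refers to `Enabled` and `AuditMode`. Since this patch already touches these headings, align the code samples with the value names the prose uses (`Enabled`, `AuditMode`, and `Disabled` for the disable case) so readers copy the documented values rather than a variant that may not bind.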
@@ -148,7 +148,7 @@ Setting the value for this cmdlet to `Disabled` will turn the feature off if it See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -#### View PUA events +### View PUA events PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. @@ -156,7 +156,7 @@ You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. -#### Allow-listing apps +### Allow-listing apps Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. From 0e11dd7a8d90b05ff76f2343773270843170e450 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:51:05 -0800 Subject: [PATCH 14/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...potentially-unwanted-apps-microsoft-defender-antivirus.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index caf97b9841..cc8d638985 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -37,7 +37,8 @@ Here are some examples: - **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. - **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. -For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). +> [!TIP] +> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. 
@@ -45,7 +46,7 @@ PUA protection is supported on Windows 10, Windows Server 2019, and Windows Serv ## Microsoft Edge -The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). +The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-know-microsoft-edge-3f4bb0ff-58de-2188-55c0-f560b7e20bea), which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). ### Enable PUA protection in Chromium-based Microsoft Edge From b16dfd9bea897667dd380506b4e487b4cbe366ff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:52:26 -0800 Subject: [PATCH 15/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...-potentially-unwanted-apps-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index cc8d638985..a3f6d01c30 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
@@ -53,8 +53,8 @@ The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-kno Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. 1. Select the ellipses, and then choose **Settings**. -2. Select **Privacy and services**. -3. Under the **Services** section, turn on **Block potentially unwanted apps**. +2. Select **Privacy, search, and services**. +3. Under the **Security** section, turn on **Block potentially unwanted apps**. > [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). From bbabd50e30c149f5df744cd306e4b9044ccd976c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:54:19 -0800 Subject: [PATCH 16/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...lly-unwanted-apps-microsoft-defender-antivirus.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index a3f6d01c30..446eb85451 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
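Review bot: the new menu path in this hunk (**Privacy, search, and services** > **Security**) reflects a newer Edge UI, but the unchanged context line above the list still anchors the procedure to "Chromium-based, version 80.0.361.50"; either state the version the new path applies to or drop the specific build number, so the steps and the version reference do not contradict each other.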
@@ -57,17 +57,17 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium 3. Under the **Security** section, turn on **Block potentially unwanted apps**. > [!TIP] -> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/). -### Blocking URLs with Windows Defender SmartScreen +### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). 
In addition, admins can -[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. +[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Windows Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. ## Microsoft Defender Antivirus From 71315724d3355c82e013ef7b4c9ed6dd8c9db445 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 17:55:57 -0800 Subject: [PATCH 17/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...otentially-unwanted-apps-microsoft-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 446eb85451..cb1802350e 100644 
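Review bot: the rename to Microsoft Defender SmartScreen is incomplete in the @@ -57 hunk: the `+Admins can [configure] ...` line still ends with "explicitly for Windows" and the following unchanged context line continues "Defender SmartScreen available", so the rendered sentence still reads "Windows Defender SmartScreen". Rewrap that sentence so the product name sits on one line and rename it as well; the `#configure-windows-defender-smartscreen` URL fragment is a link anchor and should stay exactly as it is.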
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
@@ -63,18 +63,18 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. 
If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. ## Microsoft Defender Antivirus The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] -> This feature is available in Windows 10, Windows Server 2016 and Windows Server 2019. +> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. From 52dd1c5cdca64ef02096b02842f22488a8fe07d0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:00:16 -0800 Subject: [PATCH 18/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ially-unwanted-apps-microsoft-defender-antivirus.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index cb1802350e..4f07727faf 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
@@ -78,7 +78,7 @@ The potentially unwanted application (PUA) protection feature in Microsoft Defen Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. +When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content. The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). @@ -91,7 +91,7 @@ You can also use the PUA audit mode to detect PUAs without blocking them. The de > [!TIP] > You can visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. -PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. #### Use Intune to configure PUA protection 
@@ -114,14 +114,16 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. -3. Expand the tree to **Windows components > Microsoft Defender Antivirus**. +3. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. -4. Double-click **Configure protection for potentially unwanted applications**. +4. Double-click **Configure detection for potentially unwanted applications**. 5. Select **Enabled** to enable PUA protection. 6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +7. Deploy your Group Policy object as you normally do. + #### Use PowerShell cmdlets to configure PUA protection ##### To enable PUA protection From f5b81edeb6c204d2edc41c9926ff68bd593cb363 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:11:59 -0800 Subject: [PATCH 19/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...otentially-unwanted-apps-microsoft-defender-antivirus.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 4f07727faf..8a4c1bedf3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
@@ -122,7 +122,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. -7. Deploy your Group Policy object as you normally do. +7. Deploy your Group Policy object as you usually do. #### Use PowerShell cmdlets to configure PUA protection @@ -161,7 +161,9 @@ See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for d ### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. + +For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). ## Related articles From 2c040a199e742ea9108bfeff6a0e031d349bdb64 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:17:05 -0800 Subject: [PATCH 20/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...otentially-unwanted-apps-microsoft-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
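Review bot: the @@ -161 hunk replaces the Endpoint Protection link, which pointed at `#to-exclude-specific-files-or-folders`, with a link to recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients; the new target is about protecting ConfigMgr infrastructure, not about allowing a file that PUA protection blocked, so the paragraph now promises allow-listing guidance the linked page does not give. Keep a link that covers per-file exclusions in Microsoft Defender Antivirus alongside or instead of the new one.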
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 8a4c1bedf3..efd4782497 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
@@ -84,12 +84,12 @@ The notification appears in the usual [quarantine list within the Windows Securi ### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps). -You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. > [!TIP] -> You can visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. +> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. From 38a67b4d009e032b8b831bc5ba1871bc1763983a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:34:35 -0800 Subject: [PATCH 21/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ck-potentially-unwanted-apps-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
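Review bot: in the `+You can enable PUA protection with ...` line, the **Group Policy** link targets `azure/active-directory-domain-services/manage-group-policy`, which documents Group Policy for Azure AD Domain Services managed domains rather than the on-premises Group Policy Management Console that this page's own procedure uses; point it at a general Group Policy reference instead. In the same line the Configuration Manager URL carries an `en-us` locale segment while the other three links are locale-neutral; drop it for consistency.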
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index efd4782497..bd0e3070aa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -84,7 +84,7 @@ The notification appears in the usual [quarantine list within the Windows Securi ### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps). +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps). You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. From c9261008570f2864b9ea23305915320365185aff Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Mon, 30 Nov 2020 18:36:59 -0800 Subject: [PATCH 22/24] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...ck-potentially-unwanted-apps-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index bd0e3070aa..cb05c08abe 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md 
@@ -84,7 +84,7 @@ The notification appears in the usual [quarantine list within the Windows Securi ### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps). +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. From a86bdcca8dda061766281db5f04efe271a66dc6b Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 1 Dec 2020 19:58:59 +0800 Subject: [PATCH 23/24] remove alias --- .../microsoft-defender-atp/linux-support-perf.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index c2520ac1b7..2281e692f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -110,16 +110,12 @@ The following steps can be used to troubleshoot and mitigate these issues: cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log ``` - The output of the above command displays all the processes and their associated scan activity. - - To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - - The output is list of the top contributors to the performance issues. The 1st column is the process identifier (PID), the 2nd column is te process name, and the last column is the number of scanned files, sorted by impact. + The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: ```Output - mavel@mavel-mac:/Users/mavel > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 27432 None 76703 73467 actool     1249 73914 xcodebuild 1081 
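Review bot: the rewritten `+ The output of the above is a list ...` line keeps the typo "te process name" from the removed line (should be "the process name") and loses the noun after "the above" (the removed text said "the above command"). Also, the sample output that follows shows `None` in the process-name column for two of the top entries (PIDs 27432 and 4764), and since this hunk removes the earlier explanatory paragraph entirely, a sentence on what `None` means there and how to identify such a process before adding an exclusion would help the reader.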
@@ -131,11 +127,11 @@ The following steps can be used to troubleshoot and mitigate these issues: 4764 None 228 125  CrashPlanService 164 ``` -  - +   + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). ->[!NOTE] -> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + >[!NOTE] + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. From e15a00e7e5a328e635cc204396a9373abfbc0d93 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 1 Dec 2020 20:02:54 +0800 Subject: [PATCH 24/24] removed indent --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 2281e692f9..e6585fc97f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
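Review bot: the relocated `+ To improve the performance ...` line still tells the reader to find the highest number "under the `Total files scanned` row", but the output it now follows is the three-column `high_cpu_parser.py` listing (PID, process name, scanned-file count) described in the previous hunk, which has no such row; reword it to refer to the last column of that listing, which is already sorted by impact. The re-indented NOTE also writes "real time protection" without the hyphen that the same sentence uses in "real-time protection was enabled".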
@@ -128,7 +128,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 125  CrashPlanService 164 ```   - To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). >[!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
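Review bot: the `-`/`+` pair in this hunk is textually identical, so the "removed indent" change is whitespace-only and invisible in a rendered diff; confirm with a whitespace-aware view that the `+` line now uses ordinary spaces and that its indentation matches the `>[!NOTE]` lines directly below it, and note that the fence-closing context line above it ("```   ") still carries stray whitespace characters that could get the same cleanup.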