Merge branch 'master' into fpfn-mdav-mdatp

2025-06-21 21:33:38 +00:00 · 2021-01-26 16:41:00 -08:00
parent 88c2ccb91f 7f07577a1a
commit 42c90e51f8
4 changed files with 7 additions and 0 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@ -33,6 +33,8 @@ ms.custom: FPFN

 In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).

+![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png)
+
 Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process:

 1.	[Review and classify alerts](#part-1-review-and-classify-alerts) 
@ -43,6 +45,8 @@ Fortunately, steps can be taken to address and reduce these kinds of issues. If

 And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article.

+![Steps to address false positives and negatives](images/false-positives-step-diagram.png)
+
 > [!NOTE]
 > This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md).

@ -189,10 +193,13 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c
 - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)

 You can create indicators for:
+
 - [Files](#indicators-for-files)
 - [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains)
 - [Application certificates](#indicators-for-application-certificates)

+![Indicator types diagram](images/false-positives-indicators.png)
+
 #### Indicators for files

 When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. 
--- a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png
--- a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png
+++ b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png