From 7ee517141105189af4ae2c76a995bb6ded3a85d2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 26 Aug 2020 16:17:44 +0500 Subject: [PATCH 1/5] Update configure-block-at-first-sight-microsoft-defender-antivirus.md --- ...t-first-sight-microsoft-defender-antivirus.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 88892bd4a0..1fe1a15f6f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -86,7 +86,7 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) -6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. +6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) 7. Click **OK** to create the policy. 
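Review bot: the relabel from **Level for blocking malicious files** to **Level for blocking suspicious files** in step 6 needs to be checked against the actual Configuration Manager console, and the screenshot on the next line, `images/defender/sccm-cloud-protection-service.png`, is not touched by this patch; if the image still shows the old label, text and picture will disagree, so update the image in the same change or leave the label alone. Separately, step 6 hard-codes **50** seconds for the extended cloud check without saying why that value; the page's introduction already links a topic on how long a file should be prevented from running, so a pointer to it here would let readers choose a value deliberately instead of copying 50.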
@@ -99,9 +99,9 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + 1 Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. + 2 Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. > [!WARNING] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. @@ -112,6 +112,12 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. +5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**: + + 1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**. + + 2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**. + If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered. ### Confirm block at first sight is turned on with Registry editor 
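Review bot: in the `@@ -99,9` hunk, swapping the `-` bullets for a bare `1` and `2` in the MAPS sub-list breaks the Markdown: only `1.` and `2.` are recognised as ordered-list markers, so both items will render as ordinary paragraphs that start with a digit, and the nested `> [!WARNING]` block under item 2 loses its parent. Write them as `1. Double-click **Join Microsoft MAPS** ...` and `2. Double-click **Send file samples when further analysis is required** ...`, which is the form the new MpEngine step later in this same patch already uses.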
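Review bot: in the `@@ -112,6` hunk, the new step 5 puts **High blocking level** alongside the MAPS, sample-submission and real-time-protection checks without saying whether block at first sight requires it or whether High is simply the level this guide recommends; the unchanged closing sentence "If you had to change any of the settings, you should redeploy the Group Policy Object" now treats it as mandatory. Add one sentence stating which it is (and, if it is only recommended, what happens at the default level), so an admin who runs a lower level to limit false positives knows whether the feature still works. The step also says "ensure the option is set to **Enabled**" but not that **Not Configured** leaves the value unset; a reader auditing an existing GPO needs to know that counts as a failed check, not a pass.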
@@ -129,7 +135,9 @@ If you had to change any of the settings, you should redeploy the Group Policy O 1. **DisableIOAVProtection** key is set to **0** 2. **DisableRealtimeMonitoring** key is set to **0** - + +4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that **MpCloudBlockLevel** key is set to **2** + ### Confirm Block at First Sight is enabled on individual clients You can confirm that block at first sight is enabled on individual clients using Windows security settings. From f0afb702a490f4a298c7d9467d272506562034c2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 26 Aug 2020 08:03:53 -0700 Subject: [PATCH 2/5] Update configure-block-at-first-sight-microsoft-defender-antivirus.md --- ...re-block-at-first-sight-microsoft-defender-antivirus.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 1fe1a15f6f..83ec4426af 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -12,6 +12,7 @@ ms.author: deniseb ms.reviewer: manager: dansimp ms.custom: nextgen +ms.date: 08/26/2020 --- # Turn on block at first sight 
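Review bot: in the `@@ -129,7` hunk, the new step 4 tells the reader to check that **MpCloudBlockLevel** is **2** but not what to conclude when the value is missing from `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, which is the normal state on a device where no policy has set it: absent means "not configured by policy", not "High", and the earlier items (**DisableIOAVProtection**, **DisableRealtimeMonitoring**) share the same gap. Spell that out, state the data type (REG_DWORD), and consider adding `Get-MpPreference | Select-Object CloudBlockLevel` as the check that works regardless of how the setting was delivered. Minor: the numbering jumps from the nested `1.`/`2.` items to `4.`, which is right only if the deleted `- ` line (a stray bullet with trailing whitespace) was not holding the list structure together; preview the rendered page before merging.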
@@ -31,10 +32,10 @@ You can [specify how long the file should be prevented from running](configure-c When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files. Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. 
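Review bot: rewording the 1803 sentence so block at first sight "can block non-portable executable files (such as JS, VBS, or macros) as well as executable files" leaves the unchanged paragraph right after it contradicting the change: it still says "A hash value of the .exe file is checked via the cloud backend". Change ".exe file" to "file" in that context line in the same patch so the two paragraphs agree. The reordering of "accurate, real-time, and intelligent" to "accurate, intelligent, and real-time" changes nothing and could be dropped to keep the diff to real fixes.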
@@ -177,7 +178,7 @@ You may choose to disable block at first sight if you want to retain the prerequ 4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. > [!NOTE] - > Disabling block at first sight will not disable or alter the prerequisite group policies. + > Disabling block at first sight does not disable or alter the prerequisite group policies. ## See also From 25a0c40bf09c8432ce86590a33afb0be3e0fa217 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 26 Aug 2020 08:05:07 -0700 Subject: [PATCH 3/5] Update windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nfigure-block-at-first-sight-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 83ec4426af..be7223aa23 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md 
@@ -100,7 +100,7 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - 1 Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. 2 Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. From af4ba4b8e89c86e243e5651bddc88722b02ad795 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 26 Aug 2020 08:05:16 -0700 Subject: [PATCH 4/5] Update windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nfigure-block-at-first-sight-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index be7223aa23..51df0c5151 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md 
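Review bot: this hunk restores the `1.` marker that patch 1 of the same series turned into a bare `1`, while its context line `2 Double-click **Send file samples ...` stays broken until patch 4 repairs it, one character per commit; fold patches 3 to 5 into patch 1 (interactive rebase with fixup) so no commit in the series ships the MAPS sub-list as unrendered text.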
@@ -102,7 +102,7 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - 2 Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. + 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. > [!WARNING] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. From e78c7ea09bccfea07e5233f1e99776f412743083 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 26 Aug 2020 08:06:25 -0700 Subject: [PATCH 5/5] Update windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nfigure-block-at-first-sight-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 51df0c5151..f11dc35650 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md 
@@ -137,7 +137,7 @@ If you had to change any of the settings, you should redeploy the Group Policy O 2. **DisableRealtimeMonitoring** key is set to **0** -4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that **MpCloudBlockLevel** key is set to **2** +4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2** ### Confirm Block at First Sight is enabled on individual clients