mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-17 07:47:22 +00:00
Merge pull request #3428 from MicrosoftDocs/master
Publish 8/3/2020 10:30 AM PT
This commit is contained in:
commit
516c12f502
@ -573,7 +573,7 @@
|
||||
###### [Vulnerability]()
|
||||
####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
|
||||
####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
|
||||
####### [List vulnerabilities by Machine and Software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
|
||||
####### [List vulnerabilities by machine and software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
|
||||
####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
|
||||
####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
|
||||
|
||||
|
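Review bot: The lowercase rewrite of "List vulnerabilities by machine and software" is the right call for consistency with the sibling entries ("List machines by vulnerability", "Get vulnerability by Id"), though "Id" in that last entry should be "ID" to match the CVE ID wording used elsewhere in the docs. Separately, the parent entry on the context line, `###### [Vulnerability]()`, has an empty link target and will render as a dead link; if it is meant to be a non-clickable group header, drop the link markup rather than leaving an empty `()`.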
@ -42,7 +42,8 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators
|
||||
|
||||
## Configure web protection
|
||||
Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
|
||||
[!NOTE]
|
||||
|
||||
>[!NOTE]
|
||||
> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
|
||||
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
|
||||
|
||||
|
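Review bot: The old `[!NOTE]` line lacked the leading `>` and so rendered as literal text instead of an alert; the replacement fixes that and adds the explanation. The new wording "would use a VPN in order to provide" reads as conditional; state it as fact, "uses a local VPN to provide web protection", and keep the point that the VPN is local and self-looping and does not route traffic off the device, because that is exactly what an admin checking the device's VPN settings will want confirmed.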
Binary file not shown.
After Width: | Height: | Size: 13 KiB |
Binary file not shown.
After Width: | Height: | Size: 43 KiB |
Binary file not shown.
After Width: | Height: | Size: 50 KiB |
Binary file not shown.
After Width: | Height: | Size: 74 KiB |
@ -74,7 +74,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
|
||||
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
|
||||
|
||||
```bash
|
||||
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
|
||||
curl -o test.txt https://www.eicar.org/download/eicar.com.txt
|
||||
```
|
||||
|
||||
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
|
||||
|
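Review bot: Dropping the `$` prompt makes the snippet paste-safe and matches the other snippets in this commit. One inconsistency in the surrounding context: the download uses `https://www.eicar.org/...` while the reference link in the paragraph below points to plain `http://2016.eicar.org/...`; both should use https so readers are not sent to the test-file description over an unencrypted link.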
@ -747,7 +747,7 @@ The following templates contain entries for all settings described in this docum
|
||||
The property list must be a valid *.plist* file. This can be checked by executing:
|
||||
|
||||
```bash
|
||||
$ plutil -lint com.microsoft.wdav.plist
|
||||
plutil -lint com.microsoft.wdav.plist
|
||||
com.microsoft.wdav.plist: OK
|
||||
```
|
||||
|
||||
|
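Review bot: With the `$` prompt gone, the sample output line `com.microsoft.wdav.plist: OK` is now indistinguishable from the command and will be pasted along with it. Either move the expected output into prose ("the command prints `com.microsoft.wdav.plist: OK` when the file is valid") or mark it with a comment such as `# expected output:` so the block stays copy-safe.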
@ -53,7 +53,7 @@ You can configure how PUA files are handled from the command line or from the ma
|
||||
In Terminal, execute the following command to configure PUA protection:
|
||||
|
||||
```bash
|
||||
$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
|
||||
mdatp --threat --type-handling potentially_unwanted_application [off|audit|block]
|
||||
```
|
||||
|
||||
### Use the management console to configure PUA protection:
|
||||
|
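Review bot: `[off|audit|block]` is a placeholder for one value, but now that the line is paste-safe a reader may paste the brackets literally; add a sentence saying to replace it with exactly one of `off`, `audit`, or `block`, and consider noting which is the default. Style point on the context line: the heading "### Use the management console to configure PUA protection:" should not end with a colon.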
@ -30,7 +30,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
|
||||
1. Increase logging level:
|
||||
|
||||
```bash
|
||||
$ mdatp --log-level verbose
|
||||
mdatp --log-level verbose
|
||||
Creating connection to daemon
|
||||
Connection established
|
||||
Operation succeeded
|
||||
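Review bot: Same copy-safety issue as the other snippets in this commit: after removing the prompt, the three output lines (`Creating connection to daemon`, `Connection established`, `Operation succeeded`) sit in the same fence as the command. Prefix them with a comment or describe the expected output in prose so that copying the block runs only `mdatp --log-level verbose`.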
@ -38,10 +38,10 @@ If you can reproduce a problem, please increase the logging level, run the syste
|
||||
|
||||
2. Reproduce the problem
|
||||
|
||||
3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
|
||||
3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
|
||||
|
||||
```bash
|
||||
$ sudo mdatp --diagnostic --create
|
||||
sudo mdatp --diagnostic --create
|
||||
Creating connection to daemon
|
||||
Connection established
|
||||
```
|
||||
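Review bot: The prose fixes are correct ("back up" as the verb, "inside" rather than "inside of"). The step says the command "will also print out the file path to the backup after the operation succeeds", but the sample output stops at `Connection established` and never shows that path; either add a representative final line (with a clearly placeholder path) or drop the promise from the sentence so readers know what to look for.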
@ -49,7 +49,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
|
||||
4. Restore logging level:
|
||||
|
||||
```bash
|
||||
$ mdatp --log-level info
|
||||
mdatp --log-level info
|
||||
Creating connection to daemon
|
||||
Connection established
|
||||
Operation succeeded
|
||||
|
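Review bot: Consistent with the earlier log-level snippet, but the same caveat applies: command and output now share one fence with nothing separating them. It would also help to say why restoring `info` matters, since verbose logging left on permanently fills the log directory and makes later diagnostic bundles larger than needed.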
@ -36,8 +36,8 @@ While you can start a threat scan at any time with Microsoft Defender ATP, your
|
||||
<key>ProgramArguments</key>
|
||||
<array>
|
||||
<string>sh</string>
|
||||
<string>-c<string>
|
||||
<string>/usr/local/bin/mdatp --scan --quick<string>
|
||||
<string>-c</string>
|
||||
<string>/usr/local/bin/mdatp --scan --quick</string>
|
||||
</array>
|
||||
<key>RunAtLoad</key>
|
||||
<true/>
|
||||
|
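Review bot: Good catch: `<string>-c<string>` and `<string>/usr/local/bin/mdatp --scan --quick<string>` were unclosed elements, so the property list was not valid XML and launchd would have refused to load the job. Since the same docs set already shows `plutil -lint`, it is worth adding a sentence here telling readers to lint the file before loading it, so a typo of this kind fails loudly instead of silently producing no scheduled scans. Minor: the job could invoke `/usr/local/bin/mdatp` directly as the program with `--scan` and `--quick` as separate `<string>` arguments, which avoids going through `sh -c` at all.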
@ -30,7 +30,7 @@ For manual installation, the Summary page of the installation wizard says, "An e
|
||||
While we do not display an exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file. You can use `sed` to output the last installation session only:
|
||||
|
||||
```bash
|
||||
$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
|
||||
sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
|
||||
|
||||
preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804
|
||||
INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695
|
||||
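Review bot: Prompt removal is fine, but note that the sample output (`preinstall com.microsoft.wdav begin ...` and the `INSTALLER_SECURE_TEMP=...` line) now follows the command inside the same fence, separated only by a blank line. The sed script itself is correct for the stated purpose: `H` accumulates every line, `h` resets the hold space whenever a new `preinstall com.microsoft.wdav begin` marker appears, and `${g;p;}` prints from the last marker to end of file, so only the most recent installation session is emitted.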
@ -45,7 +45,7 @@ The installation failed because a downgrade between these versions is not suppor
|
||||
## MDATP install log missing or not updated
|
||||
|
||||
In rare cases, installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
|
||||
You can verify that an installation happened and analyze possible errors by querying macOS logs (this is helpful in case of MDM deployment, when there is no client UI). We recommend that you use a narrow time window to run a query, and that you filter by the logging process name, as there will be a huge amount of information.
|
||||
You can verify that an installation happened and analyze possible errors by querying macOS logs (this is helpful in MDM deployment, when there is no client UI). We recommend that you use a narrow time window to run a query, and that you filter by the logging process name, as there will be a huge amount of information.
|
||||
|
||||
```bash
|
||||
grep '^2020-03-11 13:08' /var/log/install.log
|
||||
|
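Review bot: The wording change is fine, but the snippet does not match the advice above it. The paragraph says to use a narrow time window and to filter by the logging process name, yet `grep '^2020-03-11 13:08' /var/log/install.log` only filters on a date that is clearly the author's sample run. Say explicitly that `2020-03-11 13:08` must be replaced with the reader's own installation time, and either add the process-name filter the text promises or remove that sentence.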
@ -34,7 +34,7 @@ If you did not approve the kernel extension during the deployment / installation
|
||||
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
|
||||
|
||||
```bash
|
||||
$ mdatp --health
|
||||
mdatp --health
|
||||
...
|
||||
realTimeProtectionAvailable : false
|
||||
realTimeProtectionEnabled : true
|
||||
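Review bot: Besides the shared prompt/output issue, the context line uses triple backticks for inline code (```mdatp --health```); single backticks are the convention for inline code and triple backticks can render as an empty fenced block in some pipelines. The `...` inside the block is fine as an elision marker but should be mentioned in prose so nobody expects literal dots in the output.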
@ -63,7 +63,7 @@ In this case, you need to perform the following steps to trigger the approval fl
|
||||
1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again.
|
||||
|
||||
```bash
|
||||
$ sudo kextutil /Library/Extensions/wdavkext.kext
|
||||
sudo kextutil /Library/Extensions/wdavkext.kext
|
||||
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
|
||||
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
|
||||
Diagnostics for /Library/Extensions/wdavkext.kext:
|
||||
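Review bot: The `Kext rejected due to system policy: <OSKext 0x7fc34d528390 ...>` line appears twice in this hunk; if that duplication is in the source file rather than an artifact of the diff rendering, drop one copy. The `0x7fc34d528390` and `0x7fffa74aa8e0` pointer values are from the author's machine and will differ on every device; a short remark that only the `ID = "com.microsoft.wdavkext"` part matters would stop readers from trying to match the addresses.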
@ -76,13 +76,13 @@ In this case, you need to perform the following steps to trigger the approval fl
|
||||
4. In Terminal, install the driver again. This time the operation will succeed:
|
||||
|
||||
```bash
|
||||
$ sudo kextutil /Library/Extensions/wdavkext.kext
|
||||
sudo kextutil /Library/Extensions/wdavkext.kext
|
||||
```
|
||||
|
||||
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
|
||||
|
||||
```bash
|
||||
$ mdatp --health
|
||||
mdatp --health
|
||||
...
|
||||
realTimeProtectionAvailable : true
|
||||
realTimeProtectionEnabled : true
|
||||
|
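Review bot: The second `sudo kextutil /Library/Extensions/wdavkext.kext` block produces no output on success, so stating that explicitly ("the command returns without printing anything") would save readers from assuming it hung. The `--health` block again mixes command and output, and the context line repeats the triple-backtick inline code issue (```mdatp --health```); use single backticks.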
@ -42,7 +42,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
|
||||
- From the Terminal. For security purposes, this operation requires elevation.
|
||||
|
||||
```bash
|
||||
$ mdatp --config realTimeProtectionEnabled false
|
||||
mdatp --config realTimeProtectionEnabled false
|
||||
```
|
||||
|
||||
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
|
||||
|
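Review bot: The bullet says "this operation requires elevation", but `mdatp --config realTimeProtectionEnabled false` is shown without `sudo`, unlike the `sudo mdatp --diagnostic --create` snippet elsewhere in this commit; either add `sudo` or explain how elevation is obtained. Because this disables real-time protection, the troubleshooting step should also tell the reader to set `realTimeProtectionEnabled` back to `true` once the issue is resolved, so a temporary mitigation does not become a permanent gap.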
@ -64,7 +64,7 @@ The `Production` channel contains the most stable version of the product.
|
||||
>[!WARNING]
|
||||
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender ATP for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
|
||||
> ```bash
|
||||
> $ defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
|
||||
> defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
|
||||
> ```
|
||||
|
||||
### Set update check frequency
|
||||
|
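Review bot: Removing the prompt inside the blockquoted fence is fine. The remaining risk is the `[channel-name]` placeholder: now that the line is paste-safe, pasting it unchanged writes the literal string `[channel-name]` into the `com.microsoft.autoupdate2` preferences, so the warning should list the valid channel names right next to the command (the `Production` channel is named in the hunk header) rather than only saying "the desired channel".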
@ -112,7 +112,11 @@ From there, select **Go to related security recommendation** to go to the [secur
|
||||
|
||||
To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages)
|
||||
|
||||
A full page will appear with all the details of a specific software, including an event timeline tab. From there you can view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.
|
||||
A full page will appear with all the details of a specific software. Mouse over the graph to see the timeline of events for that specific software.
|
||||
|
||||

|
||||
|
||||
You can also navigate to the event timeline tab to view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.
|
||||
|
||||

|
||||
|
||||
|
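Review bot: The split into a graph paragraph and an event-timeline paragraph reads better than the single sentence it replaces. Two small wording points: "a specific software" treats software as countable; "a specific application" or "a specific software product" is cleaner, and "Mouse over the graph" should be "Hover over the graph" to match the "select" vocabulary used in the surrounding steps.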
@ -25,9 +25,9 @@ ms.topic: conceptual
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Threat and vulnerability management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
|
||||
Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
|
||||
|
||||
The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights.
|
||||
The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
|
||||
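Review bot: "leverages" to "uses" is a good simplification. The **Weaknesses** sentence still says the page lists vulnerabilities in the "infected software", which is technically wrong: the page lists vulnerable software, and a vulnerability is not an infection. Suggest "found in the vulnerable software running in your organization". "lists down" should be "lists", and the new trailing "and more" adds nothing; name the remaining columns or drop it.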
@ -50,21 +50,21 @@ Go to the threat and vulnerability management navigation menu and select **Weakn
|
||||
### Vulnerabilities in global search
|
||||
|
||||
1. Go to the global search drop-down menu.
|
||||
2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
|
||||
2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
|
||||

|
||||
3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
|
||||
3. Select the CVE and a flyout panel opens up with more information, including the vulnerability description, details, threat insights, and exposed devices.
|
||||
|
||||
To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
|
||||
To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
|
||||
|
||||
## Weaknesses overview
|
||||
|
||||
If the **Exposed Devices** column shows 0, that means you are not at risk. If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization.
|
||||
If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you are not at risk.
|
||||
|
||||

|
||||

|
||||
|
||||
### Breach and threat insights
|
||||
|
||||
You can view the related breach and threat insights in the **Threat** column when the icons are colored red.
|
||||
View related breach and threat insights in the **Threat** column when the icons are colored red.
|
||||
|
||||
>[!NOTE]
|
||||
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon  and breach insight icon .
|
||||
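Review bot: The step 3 rewrite correctly matches the flyout contents described later in the page, and "click" to "select" follows the docs style. The reordered sentence "If the **Exposed Devices** column shows 0, that means you are not at risk" overstates what the column means: zero exposed devices means no onboarded device currently reports that CVE, not that the organization is not at risk (unmanaged or not-yet-scanned devices are not counted). Suggest "no onboarded devices are currently exposed to that vulnerability".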
@ -76,6 +76,14 @@ The threat insights icon is highlighted if there are associated exploits in the
|
||||
|
||||

|
||||
|
||||
### Gain vulnerability insights
|
||||
|
||||
If you select a CVE, a flyout panel will open with more information, including the vulnerability description, details, threat insights, and exposed devices.
|
||||
|
||||
The "OS Feature" category is shown in relevant scenarios.
|
||||
|
||||

|
||||
|
||||
## View Common Vulnerabilities and Exposures (CVE) entries in other places
|
||||
|
||||
### Top vulnerable software in the dashboard
|
||||
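Review bot: The new "Gain vulnerability insights" section introduces the sentence "The 'OS Feature' category is shown in relevant scenarios" without saying what the category means, so a reader reaching it here has no context. The explanation only appears in the later device-page hunk (a CVE is attached only to devices with the affected OS component enabled); add one sentence of that explanation here, or link to the later section.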
@ -84,9 +92,9 @@ The threat insights icon is highlighted if there are associated exploits in the
|
||||
|
||||

|
||||
|
||||
2. Select the software that you want to investigate to go a drill down page.
|
||||
2. Select the software you want to investigate to go to a drill down page.
|
||||
3. Select the **Discovered vulnerabilities** tab.
|
||||
4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
|
||||
4. Select the vulnerability you want to investigate for more information on vulnerability details
|
||||
|
||||

|
||||
|
||||
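Review bot: The new step 4, "Select the vulnerability you want to investigate for more information on vulnerability details", is missing its terminating period and is redundant ("for more information on ... details"). It also drops the concrete list the old text gave (CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish and update dates); if those fields are still in the flyout, keep the list so readers know what to look for, and if they changed, name the current ones.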
@ -102,7 +110,7 @@ View related weaknesses information in the device page.
|
||||
3. The device page will open with details and response options for the device you want to investigate.
|
||||
4. Select **Discovered vulnerabilities**.
|
||||
|
||||
[Screenshot of the device page with details and response options](images/tvm-discovered-vulnerabilities.png)
|
||||

|
||||
|
||||
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
|
||||
|
||||
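Review bot: Correct fix: without the leading `!` the `[Screenshot ...](images/tvm-discovered-vulnerabilities.png)` line rendered as a hyperlink to the PNG rather than an inline image. Worth grepping the rest of the TVM pages for `](images/` not preceded by `!`, since the same slip is easy to repeat.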
@ -110,7 +118,9 @@ View related weaknesses information in the device page.
|
||||
|
||||
Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source.
|
||||
|
||||

|
||||
The "OS Feature" category is also shown in relevant scenarios. For example, a CVE affects devices that run a vulnerable OS, only if a specific OS component is enabled on these devices. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll attach this CVE only to the Windows Server 2019 devices with DNS capability enabled in their OS.
|
||||
|
||||

|
||||
|
||||
## Report inaccuracy
|
||||
|
||||
|
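Review bot: The new paragraphs are useful, but "we now show" and "With this new capability" date the page and should be written as plain description of the feature ("The device page shows the detection logic ..."). Grammar: "has vulnerability in its DNS component" should be "has a vulnerability in its DNS component", and "we'll" uses a curly apostrophe while the rest of the file uses straight ones. The Windows Server 2019 DNS example is clearly framed as hypothetical ("Let's say"), which is good; keep it that way rather than citing a specific CVE.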