From 3f5210413e25fcb251c65cdf08fa67c700d79924 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Wed, 18 Sep 2019 18:21:07 +0530 Subject: [PATCH 1/4] Add documentation for passive mode --- .../microsoft-defender-atp-mac-preferences.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md index 8d22a596c8..f4eb17be06 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md @@ -62,6 +62,23 @@ Whether real-time protection (scan files as they are accessed) is enabled or not | **Data type** | Boolean | | **Possible values** | true (default)
false | +#### Enable / disable passive mode + +Whether the antivirus engine runs in passive more or not. In passive mode: +- Real-time protection is turned off +- On demand scanning is turned on +- Automatic threat remediation is turned off +- Security intelligence updates are turned on +- Status menu icon is hidden + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | passiveMode | +| **Data type** | Boolean | +| **Possible values** | false (default)
true | +| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. | + #### Scan exclusions Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names. @@ -213,6 +230,28 @@ Determines whether suspicious samples (that are likely to contain threats) are s | **Data type** | Boolean | | **Possible values** | true (default)
false | +### User interface preferences + +The *userInterface* section of the configuration profile is used to manage the preferences of the user interface of the product. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | userInterface | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +#### Show / hide status menu icon + +Whether the status menu icon (shown in the top right corner of the screen) is hidden or not. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | hideStatusMenuIcon | +| **Data type** | Boolean | +| **Possible values** | false (default)
true | + ## Recommended configuration profile To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. @@ -357,6 +396,8 @@ The following configuration profile contains entries for all settings described enableRealTimeProtection + passiveMode + exclusions @@ -411,6 +452,11 @@ The following configuration profile contains entries for all settings described automaticSampleSubmission + userInterface + + hideStatusMenuIcon + + ``` @@ -465,6 +511,8 @@ The following configuration profile contains entries for all settings described enableRealTimeProtection + passiveMode + exclusions @@ -519,6 +567,11 @@ The following configuration profile contains entries for all settings described automaticSampleSubmission + userInterface + + hideStatusMenuIcon + + From 15d6700492ef9900814162db6692914790003ec0 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Thu, 19 Sep 2019 13:45:52 +0530 Subject: [PATCH 2/4] Update privacy with latest fields --- .../microsoft-defender-atp-mac-privacy.md | 72 +++++++++++-------- 1 file changed, 41 insertions(+), 31 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md index 7cf18820f8..ab8df0eee5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md 
@@ -116,6 +116,7 @@ The following fields are collected: | Field | Description | | --------------------------------------------------- | ----------- | | antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. | +| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. | | cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. | | cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. | | cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. | @@ -123,6 +124,8 @@ The following fields are collected: | cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | | cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. | | edr.early_preview | Whether the machine should run EDR early preview features. | +| edr.group_id | Group identifier used by the detection and response component. | +| edr.tags | User defined tags. | | features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | #### Product and service performance data events 
@@ -230,37 +233,44 @@ The following fields are collected: | Field | Description | | ------------------------------ | ----------- | | pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. | -| pkt_ack_conn_timeout | | -| ipc.ack_pkts | | -| ipc.nack_pkts | | -| ipc.send.ack_no_conn | | -| ipc.send.nack_no_conn | | -| ipc.send.ack_no_qsq | | -| ipc.send.nack_no_qsq | | -| ipc.ack.no_space | | -| ipc.ack.timeout | | -| ipc.ack.ackd_fast | | -| ipc.ack.ackd | | -| ipc.recv.bad_pkt_len | | -| ipc.recv.bad_reply_len | | -| ipc.recv.no_waiter | | -| ipc.recv.copy_failed | | -| ipc.kauth.vnode.mask | | -| ipc.kauth.vnode.read | | -| ipc.kauth.vnode.write | | -| ipc.kauth.vnode.exec | | -| ipc.kauth.vnode.del | | -| ipc.kauth.vnode.read_attr | | -| ipc.kauth.vnode.write_attr | | -| ipc.kauth.vnode.read_ex_attr | | -| ipc.kauth.vnode.write_ex_attr | | -| ipc.kauth.vnode.read_sec | | -| ipc.kauth.vnode.write_sec | | -| ipc.kauth.vnode.take_own | | -| ipc.kauth.vnode.denied | | -| ipc.kauth.file_op.mask | | -| ipc.kauth_file_op.open | | -| ipc.kauth.file_op.close | | +| pkt_ack_conn_timeout | | +| ipc.ack_pkts | | +| ipc.nack_pkts | | +| ipc.send.ack_no_conn | | +| ipc.send.nack_no_conn | | +| ipc.send.ack_no_qsq | | +| ipc.send.nack_no_qsq | | +| ipc.ack.no_space | | +| ipc.ack.timeout | | +| ipc.ack.ackd_fast | | +| ipc.ack.ackd | | +| ipc.recv.bad_pkt_len | | +| ipc.recv.bad_reply_len | | +| ipc.recv.no_waiter | | +| ipc.recv.copy_failed | | +| ipc.kauth.vnode.mask | | +| ipc.kauth.vnode.read | | +| ipc.kauth.vnode.write | | +| ipc.kauth.vnode.exec | | +| ipc.kauth.vnode.del | | +| ipc.kauth.vnode.read_attr | | +| ipc.kauth.vnode.write_attr | | +| ipc.kauth.vnode.read_ex_attr | | +| ipc.kauth.vnode.write_ex_attr | | +| ipc.kauth.vnode.read_sec | | +| ipc.kauth.vnode.write_sec | | +| ipc.kauth.vnode.take_own | | +| ipc.kauth.vnode.denied | | +| ipc.kauth.file_op.mask | | +| 
ipc.kauth_file_op.open | | +| ipc.kauth.file_op.close | | +| ipc.kauth.file_op.close_modified | | +| ipc.kauth.file_op.move | | +| ipc.kauth.file_op.link | | +| ipc.kauth.file_op.exec | | +| ipc.kauth.file_op.remove | | +| ipc.kauth.file_op.fork | | +| ipc.kauth.file_op.create | | ## Resources From eab27446533f1064ab46c717de9b21c0f2810cac Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Thu, 19 Sep 2019 17:31:26 +0530 Subject: [PATCH 3/4] Styling --- .../microsoft-defender-atp-mac-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md index ab8df0eee5..0c56970e6f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md @@ -125,7 +125,7 @@ The following fields are collected: | cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. | | edr.early_preview | Whether the machine should run EDR early preview features. | | edr.group_id | Group identifier used by the detection and response component. | -| edr.tags | User defined tags. | +| edr.tags | User-defined tags. | | features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | #### Product and service performance data events From f3b96587d9a1c3b06d04423136d659642233aa24 Mon Sep 17 00:00:00 2001 From: Tami Fosmark Date: Thu, 19 Sep 2019 10:57:20 -0700 Subject: [PATCH 4/4] typo fix --- .../microsoft-defender-atp-mac-preferences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md index f4eb17be06..ffa0df06d3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md @@ -64,7 +64,7 @@ Whether real-time protection (scan files as they are accessed) is enabled or not #### Enable / disable passive mode -Whether the antivirus engine runs in passive more or not. In passive mode: +Whether the antivirus engine runs in passive mode or not. In passive mode: - Real-time protection is turned off - On demand scanning is turned on - Automatic threat remediation is turned off
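Review bot: the new "Enable / disable passive mode" section in microsoft-defender-atp-mac-preferences.md (PATCH 1/4, hunk `@@ -62,6 +62,23 @@`) doesn't say how `passiveMode` interacts with the `enableRealTimeProtection` key documented directly above it, even though the first bullet states that passive mode turns real-time protection off; an admin who deploys `enableRealTimeProtection` true together with `passiveMode` true needs to know which setting wins. Suggest a sentence after the bullet list stating the precedence, plus a short caveat that with real-time protection and automatic threat remediation both off the product only reports findings from on-demand scans and no longer blocks anything, so the key should be set deliberately rather than copied from an example. The first sentence also reads "passive more" instead of "passive mode"; PATCH 4/4 fixes it, but the fix belongs squashed into this commit.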
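Review bot: the `hideStatusMenuIcon` table added in the `@@ -213,6 +230,28 @@` hunk of microsoft-defender-atp-mac-preferences.md (PATCH 1/4) has no **Comments** row giving the minimum product version, while the `passiveMode` table in the same patch says "Available in Microsoft Defender ATP version 100.67.60 or higher"; if the `userInterface` dictionary shipped in the same release, state it here for consistency. The passive-mode bullets also list "Status menu icon is hidden" as an effect of passive mode, so this section should say whether `hideStatusMenuIcon` set to false restores the icon on a machine in passive mode or whether passive mode overrides it. Minor: "is used to manage the preferences of the user interface of the product" can be shortened to "controls the product's user-interface preferences".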
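Review bot: in the four hunks that extend the all-settings example profiles in microsoft-defender-atp-mac-preferences.md (`@@ -357,6 +396,8 @@`, `@@ -411,6 +452,11 @@`, `@@ -465,6 +511,8 @@` and `@@ -519,6 +567,11 @@` in PATCH 1/4), the values paired with the new `passiveMode` and `hideStatusMenuIcon` keys aren't visible in this rendering of the patch; confirm that both are the documented default (`false`) in the example, because readers copy the "entries for all settings" profile verbatim and a `true` there would silently put every targeted Mac into passive mode with real-time protection and remediation off. Keep `passiveMode` out of the "Recommended configuration profile" block, which the visible hunks don't modify.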
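Review bot: on a privacy page the one-line descriptions added for `edr.group_id` ("Group identifier used by the detection and response component.") and `edr.tags` ("User defined tags.") in the `@@ -123,6 +124,8 @@` hunk of microsoft-defender-atp-mac-privacy.md (PATCH 2/4) don't answer the question a reader of this page has: who sets each value (the admin, through the configuration profile?) and whether it can carry identifying data. Suggest naming the source of each value and linking to the preferences key that sets it. "User defined" should also be hyphenated as "User-defined"; PATCH 3/4 does that, and the one-word change is better squashed into this commit.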
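Review bot: most of the `@@ -230,37 +233,44 @@` hunk in microsoft-defender-atp-mac-privacy.md (PATCH 2/4) is whitespace-only re-padding of 31 existing rows (`pkt_ack_conn_timeout` through `ipc.kauth.file_op.close`), which hides the seven rows that actually change (`ipc.kauth.file_op.close_modified` through `ipc.kauth.file_op.create`); either drop the re-alignment or mention it in the commit message, which currently only says "Update privacy with latest fields". Since the `ipc.kauth_file_op.open` row is being rewritten anyway, check whether the underscore after `kauth` is the real field name or a typo for `ipc.kauth.file_op.open`, which would match every neighbouring `ipc.kauth.file_op.*` row. Finally, the table-wide statement "The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup." sits in the description cell of `pkt_ack_timeout` while every other description cell is empty; move it to a sentence above the table so each row can say what it counts (for example what distinguishes `ipc.kauth.vnode.denied` from `ipc.kauth.file_op.exec`).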