deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 13:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Adding art for false positive/negatives for Denise

Browse Source
This commit is contained in:
Samantha Robertson
2021-01-26 14:54:57 -08:00
parent 1c893101fd
commit 76d679eb59
4 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
View File

@ -33,8 +33,13 @@ ms.custom: FPFN
In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution.
![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png)
If youre using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include:
![Steps to address false positives and negatives](images/false-positives-step-diagram.png)
1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts)
2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions)
3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions)
@ -184,10 +189,13 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c
- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
You can create indicators for:
- [Files](#indicators-for-files)
- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains)
- [Application certificates](#indicators-for-application-certificates)
![Indicator types diagram](images/false-positives-indicators.png)
#### Indicators for files
When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

BIN
windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB