deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merged PR 14278: Adding in M365 metadata topic tagging

Browse Source 
M365 metadata topic tagging
This commit is contained in:
Beth Levin 2019-02-13 23:20:25 +00:00
commit 7727a5f0a9
27 changed files with 166 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
windows/security/threat-protection/intelligence/coinminer-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Coin miners

5
windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Coordinated Malware Eradication

5
windows/security/threat-protection/intelligence/criteria.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/01/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# How Microsoft identifies malware and potentially unwanted applications

5
windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Industry collaboration programs

14
windows/security/threat-protection/intelligence/developer-faq.md
View File

@ -10,7 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/01/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Software developer FAQ
@ -18,24 +21,29 @@ ms.date: 07/01/2018
This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
## Does Microsoft accept files for a known list or false-positive prevention program?
No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers.
## How do I dispute the detection of my program?
Submit the file in question as a software developer. Wait until your submission has a final determination.
Submit the file in question as a software developer. Wait until your submission has a final determination.
If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software.
## Why is Microsoft asking for a copy of my program?
This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
## Why does Microsoft classify my installer as a software bundler?
It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted.
## Why is the Windows Firewall blocking my program?
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.

11
windows/security/threat-protection/intelligence/developer-info.md
View File

@ -10,14 +10,19 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/13/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Information for developers
Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions.
## In this section
Topic | Description
## In this section
Topic | Description
:---|:---
[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.
[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest Security intelligence and cloud protection from Microsoft.

11
windows/security/threat-protection/intelligence/developer-resources.md
View File

@ -6,11 +6,14 @@ search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 07/13/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Software developer resources
@ -19,7 +22,9 @@ Concerned about the detection of your software?
If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
- [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission)
- [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory)
## Additional resources
@ -34,4 +39,4 @@ Find more guidance about the file submission and detection dispute process in ou
### Scan your software
Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) to check your software against the latest Security intelligence and cloud protection from Microsoft.
Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.

7
windows/security/threat-protection/intelligence/exploits-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Exploits and exploit kits
@ -26,7 +29,7 @@ The infographic below shows how an exploit kit might attempt to exploit a device
![example of how exploit kits work](./images/ExploitKit.png)
*Example of how exploit kits work*
*Figure 1. Example of how exploit kits work*
Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.

39
windows/security/threat-protection/intelligence/fileless-threats.md
View File

@ -6,12 +6,15 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: eravena
author: eavena
ms.date: 09/14/2018
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
#Fileless threats
# Fileless threats
What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate.
@ -24,50 +27,50 @@ To shed light on this loaded term, we grouped fileless threats into different ca
We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts.
Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads.
This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
##Type I: No file activity performed
## Type I: No file activity performed
A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls.
Infections of this type can be extra difficult to detect and remediate. Antivirus products usually dont have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, its not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
##Type II: Indirect file activity
## Type II: Indirect file activity
There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type dont directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type dont directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
Its possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes its considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
##Type III: Files required to operate
## Type III: Files required to operate
Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
![Image of Kovter's registry key](images/kovter-reg-key.png)<br>
*Figure 2. Kovters registry key*
When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present.
##Categorizing fileless threats by infection host
## Categorizing fileless threats by infection host
Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.
###Exploits
### Exploits
**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
###Hardware
### Hardware
**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
@ -79,7 +82,7 @@ Having described the broad categories, we can now dig into the details and provi
**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date.
###Execution and injection
### Execution and injection
**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes.
@ -89,8 +92,8 @@ Having described the broad categories, we can now dig into the details and provi
**Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but its accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
##Defeating fileless malware
## Defeating fileless malware
At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)

7
windows/security/threat-protection/intelligence/index.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Security intelligence
@ -19,6 +22,6 @@ Here you will find information about different types of malware, safety tips on
* [Submit files for analysis](submission-guide.md)
* [Safety Scanner download](safety-scanner-download.md)
Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Keep up with the latest malware news and research. Check out our [Windows security blogs](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).

5
windows/security/threat-protection/intelligence/macro-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Macro malware

5
windows/security/threat-protection/intelligence/malware-naming.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Malware names

5
windows/security/threat-protection/intelligence/phishing.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Phishing

15
windows/security/threat-protection/intelligence/prevent-malware-infection.md
View File

@ -8,14 +8,15 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Prevent malware infection
Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts.
You can also browse the many [software and application solutions](https://review.docs.microsoft.com/en-us/windows/security/intelligence/prevent-malware-infection?branch=wdsi-migration-stuff#software-solutions) available to you.
## Keep software up-to-date
[Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore.
@ -28,7 +29,7 @@ Email and other messaging tools are a few of the most common ways your device ca
* Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering.
For more information, see [Phishing](phishing.md).
For more information, see [phishing](phishing.md).
## Watch out for malicious or compromised websites
@ -50,7 +51,7 @@ Using pirated content is not only illegal, it can also expose your device to mal
Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/windows-10-s?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/en-us/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
## Don't attach unfamiliar removable drives
@ -94,7 +95,7 @@ Microsoft provides comprehensive security capabilities that help protect against
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
* [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
* [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
@ -114,4 +115,4 @@ Microsoft provides comprehensive security capabilities that help protect against
Windows Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).

5
windows/security/threat-protection/intelligence/ransomware-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Ransomware

7
windows/security/threat-protection/intelligence/rootkits-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Rootkits
@ -50,7 +53,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isnt detecting it, you might need an extra tool that lets you boot to a known trusted environment.
[Windows Defender Offline](https://windows.microsoft.com/windows/what-is-windows-defender-offline) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. Its designed to be used on devices that aren't working correctly due to a possible malware infection.
[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. Its designed to be used on devices that aren't working correctly due to a possible malware infection.
[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.

20
windows/security/threat-protection/intelligence/safety-scanner-download.md
View File

@ -6,11 +6,15 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: dansimp
author: dansimp
ms.date: 08/01/2018
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Safety Scanner
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733)
@ -37,9 +41,9 @@ For more information about the Safety Scanner, see the support article on [how t
## Related resources
- [Troubleshooting Safety Scanner](https://support.microsoft.com/kb/2520970)
- [Windows Defender Antivirus](https://www.microsoft.com/en-us/windows/windows-defender)
- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner)
- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
- [Removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection)
- [Submit file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission)
- [Microsoft antimalware and threat protection solutions](https://www.microsoft.com/en-us/wdsi/products)
- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)

5
windows/security/threat-protection/intelligence/submission-guide.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/01/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Submit files for analysis

5
windows/security/threat-protection/intelligence/supply-chain-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Supply chain attacks

7
windows/security/threat-protection/intelligence/support-scams.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Tech support scams
@ -60,4 +63,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an
**www.microsoft.com/reportascam**
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality.
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.

10
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -8,11 +8,15 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Top scoring in industry tests
Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
## Endpoint detection & response
@ -106,8 +110,8 @@ SE Labs tests a range of solutions used by products and services to detect and/o
It is important to remember that Microsoft sees a wider and broader set of threats beyond whats tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
The capabilities within [Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
![ATP](./images/wdatp-pillars2.png)

7
windows/security/threat-protection/intelligence/trojans-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Trojans
@ -37,6 +40,6 @@ Use the following free Microsoft software to detect and remove it:
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
- [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner)
- [Microsoft Safety Scanner](safety-scanner-download.md)
For more general tips, see [prevent malware infection](prevent-malware-infection.md).

9
windows/security/threat-protection/intelligence/understanding-malware.md
View File

@ -1,6 +1,6 @@
---
title: Understanding malware & other threats
description: Learn about the world's most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them.
description: Learn about the most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent &amp; remove them.
keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi
ms.prod: w10
ms.mktglfcycl: secure
@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Understanding malware & other threats
@ -16,7 +19,7 @@ Malware is a term used to describe malicious applications and code that can caus
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf), businesses can stay protected with next-generation protection and other security capabilities.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)), businesses can stay protected with next-generation protection and other security capabilities.
For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.

9
windows/security/threat-protection/intelligence/unwanted-software.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Unwanted software
@ -30,7 +33,7 @@ Here are some indications of unwanted software:
Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser.
Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria) to identify unwanted software.
Microsoft uses an extensive [evaluation criteria](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria) to identify unwanted software.
## How to protect against unwanted software
@ -57,4 +60,4 @@ If you only recently noticed symptoms of unwanted software infection, consider s
You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).

7
windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Virus Information Alliance
@ -46,4 +49,4 @@ To be eligible for VIA your organization must:
3. Be willing to sign and adhere to the VIA membership agreement.
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).

7
windows/security/threat-protection/intelligence/virus-initiative-criteria.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 07/12/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Virus Initiative
@ -54,4 +57,4 @@ Your organization must meet the following eligibility requirements to participat
### Apply now
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).

5
windows/security/threat-protection/intelligence/worms-malware.md
View File

@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Worms