diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md index 89a9fb3e06..aaf4ef6472 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md +++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md @@ -1,6 +1,6 @@ --- title: Test how Microsoft Defender ATP features work -description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it were enabled +description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled. keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -22,17 +22,17 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature. -You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. +You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time. -While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. +The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled. To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**. You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. +This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index af8bd90091..f9d0964f9c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -1,9 +1,8 @@ --- title: Configure how attack surface reduction rules work to fine-tune protection in your network -description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR +description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- @@ -34,21 +32,21 @@ You can set attack surface reduction rules for devices running any of the follow - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. +You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. +You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior. > [!WARNING] > This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to a specific rule. +An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode to test the rule](evaluate-attack-surface-reduction.md). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md). Rule description | GUID -|-|- @@ -72,20 +70,20 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail ### Use Group Policy to exclude files and folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. > [!WARNING] > Do not use quotes as they are not supported for either the **Value name** column or the **Value** column. ### Use PowerShell to exclude files and folders -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -103,7 +101,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +You can customize the notification for when a rule is triggered and blocks an app or file. See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 304c656193..c61d11c7c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -1,9 +1,8 @@ --- title: Add additional folders and apps to be protected -description: Add additional folders that should be protected by Controlled folder access, or allow apps that are incorrectly blocking changes to important files. +description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/13/2019 ms.reviewer: manager: dansimp --- @@ -22,9 +20,9 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. -This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): +This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). * [Add additional folders to be protected](#protect-additional-folders) * [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) @@ -36,11 +34,9 @@ This topic describes how to customize the following settings of the controlled f ## Protect additional folders -Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. +Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list. -You can add additional folders to be protected, but you cannot remove the default folders in the default list. - -Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults. You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). @@ -48,27 +44,27 @@ You can use the Windows Security app or Group Policy to add and remove additiona ### Use the Windows Security app to protect additional folders -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. -3. Under the **Controlled folder access** section, click **Protected folders** +3. Under the **Controlled folder access** section, select **Protected folders**. -4. Click **Add a protected folder** and follow the prompts to add apps. +4. Select **Add a protected folder** and follow the prompts to add apps. ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. -4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. +4. Double-click **Configured protected folders** and set the option to **Enabled**. Select **Show** and enter each folder. ### Use PowerShell to protect additional folders -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -88,41 +84,41 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m ## Allow specific apps to make changes to controlled folders -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. +You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature. > [!IMPORTANT] > By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. > You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. -When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. +When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access. -An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. +An allowed application or service only has write access to a controlled folder after it starts. For example, an update service will continue to trigger events after it's allowed until it is stopped and restarted. ### Use the Windows Defender Security app to allow specific apps -1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. -3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access** +3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access** -4. Click **Add an allowed app** and follow the prompts to add apps. +4. Select **Add an allowed app** and follow the prompts to add apps. ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png) ### Use Group Policy to allow specific apps -1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. -4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. +4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Select **Show** and enter each app. ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -148,7 +144,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications] ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 147860f476..d6c4d0febf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -1,9 +1,8 @@ --- -title: Enable or disable specific mitigations used by Exploit protection +title: Enable or disable specific mitigations used by exploit protection keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index c5e491ba4b..c611445181 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -3,7 +3,6 @@ title: Turn on exploit protection to help mitigate against attacks keywords: exploit, mitigation, attacks, vulnerability description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware. search.product: eADQiWindows 10XVcnh -ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -11,7 +10,6 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 01/08/2020 ms.reviewer: manager: dansimp --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index ab755a39af..9b791d2ad9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -1,6 +1,6 @@ --- title: Turn on network protection -description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs +description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -8,7 +8,6 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro author: levinec ms.author: ellevin ms.reviewer: @@ -21,12 +20,11 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. +[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. ## Check if network protection is enabled -You can see if network protection has been enabled on a local device by using Registry editor. +Check if network protection has been enabled on a local device by using Registry editor. 1. Select the **Start** button in the task bar and type **regedit** to open Registry editor 1. Choose **HKEY_LOCAL_MACHINE** from the side menu @@ -39,82 +37,96 @@ You can see if network protection has been enabled on a local device by using Re ## Enable network protection -You can enable network protection by using any of these methods: +Enable network protection by using any of these methods: * [PowerShell](#powershell) * [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) +* [Mobile Device Management (MDM)](#mobile-device-management-mmd) * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) ### PowerShell -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` -You can enable the feature in audit mode using the following cmdlet: +3. Optional: Enable the feature in audit mode using the following cmdlet: -```PowerShell -Set-MpPreference -EnableNetworkProtection AuditMode -``` + ```PowerShell + Set-MpPreference -EnableNetworkProtection AuditMode + ``` -Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. + Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature. ### Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -1. Click **Device configuration** > **Profiles** > **Create profile**. -1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. - ![Enable network protection in Intune](../images/enable-np-intune.png) -1. Click **OK** to save each open blade and click **Create**. -1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. -### MDM +2. Go to **Device configuration** > **Profiles** > **Create profile**. + +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) + +4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. + + ![Enable network protection in Intune](../images/enable-np-intune.png) + +5. Select **OK** to save each open section and **Create**. + +6. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**. + +### Mobile Device Management (MMD) Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Network protection**, and click **Next**. -1. Choose whether to block or audit access to suspicious domains and click **Next**. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. + +2. Then go to **Home** > **Create Exploit Guard Policy**. + +3. Enter a name and a description, select **Network protection**, and then **Next**. + +4. Choose whether to block or audit access to suspicious domains and select **Next**. + +5. Review the settings and select **Next** to create the policy. + +6. After the policy is created, **Close**. ### Group Policy -You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. +Use the following procedure to enable network protection on domain-joined computers or on a standalone computer. -1. On a standalone computer, click **Start**, type and then click **Edit group policy**. +1. On a standalone computer, go to **Start** and then type and select **Edit group policy**. *-Or-* - On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. -4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - * **Block** - Users will not be able to access malicious IP addresses and domains - * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. +4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options: + * **Block** - Users can't access malicious IP addresses and domains + * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains + * **Audit Mode** - If a user visits a malicious IP address or domain, an event won't be recorded in the Windows event log. However, the user won't be blocked from visiting the address. > [!IMPORTANT] > To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. -You can confirm network protection is enabled on a local computer by using Registry editor: +Confirm network protection is enabled on a local computer by using Registry editor: + +1. Select **Start** and type **regedit** to open **Registry Editor**. -1. Click **Start** and type **regedit** to open **Registry Editor**. 2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -3. Click **EnableNetworkProtection** and confirm the value: + +3. Select **EnableNetworkProtection** and confirm the value: * 0=Off * 1=On * 2=Audit diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 3555d2490e..3b9cd84b1d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -28,13 +28,13 @@ ms.topic: conceptual Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance. -Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. +Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. ## How it works Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. -- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. +- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. - **Breach likelihood** - Your organization's security posture and resilience against threats @@ -54,15 +54,15 @@ View related security recommendations in the following places: ### Navigation menu -Go to the threat and vulnerability management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization. +Go to the threat and vulnerability management navigation menu and select **Security recommendations**. The page contains a list of security recommendations for the threats and vulnerabilities found in your organization. ### Top security recommendations in the threat and vulnerability management dashboard -In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. +In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. ![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png) -The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation. +The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details. ## Security recommendations overview @@ -74,7 +74,7 @@ The color of the **Exposed devices** graph changes as the trend changes. If the ### Icons -Useful icons also quickly calls your attention to: +Useful icons also quickly call your attention to: - ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts - ![red bug](images/tvm_bug_icon.png) associated public exploits - ![light bulb](images/tvm_insight_icon.png) recommendation insights @@ -85,13 +85,13 @@ Select the security recommendation that you want to investigate or process. ![Example of a security recommendation flyout page.](images/secrec-flyouteolsw.png) -From the flyout, you can do any of the following: +From the flyout, you can choose any of the following options: -- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. +- **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. - [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. -- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. +- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. >[!NOTE] >When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer. @@ -137,7 +137,7 @@ There are many reasons why organizations create exceptions for a recommendation. When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. -1. Select a security recommendation you would like create an exception for, and then **Exception options**. +1. Select a security recommendation you would like to create an exception for, and then **Exception options**. ![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) 2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. @@ -171,30 +171,30 @@ You can report a false positive when you see any vague, inaccurate, incomplete, ## Find and remediate software or software versions which have reached end-of-support (EOS) -End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. +End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks. -It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates. +It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates. -To find software or software versions which have reached end-of-support: +To find software or software versions that are no longer supported: 1. From the threat and vulnerability management menu, navigate to **Security recommendations**. 2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) -3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. +3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) ### List of versions and dates -To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps: +To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps: -1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected. +1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon. ![Screenshot of version distribution link](images/eos-upcoming-eos.png) -2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. +2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. ![Screenshot of version distribution link](images/software-drilldown-eos.png) @@ -202,7 +202,7 @@ To view a list of version that have reached end of support, or end or support so ![Screenshot of version distribution link](images/version-eos-date.png) -After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. +Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index d0e00649f5..d157c8610f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -1,6 +1,6 @@ --- title: Software inventory in threat and vulnerability management -description: Microsoft Defender ATP threat and vulnerability management's software inventory page shows how many weaknesses and vulnerabilities have been detected in software. +description: The software inventory page for Microsoft Defender ATP's threat and vulnerability management shows how many weaknesses and vulnerabilities have been detected in software. keywords: threat and vulnerability management, microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,26 +23,26 @@ ms.topic: conceptual >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -The software inventory in threat and vulnerability management is a list of all the software in your organization, including details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. +The software inventory in threat and vulnerability management is a list of all the software in your organization. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. ## How it works -In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). +In the field of discovery, we're leveraging the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender ATP endpoint detection and response capabilities](overview-endpoint-detection-response.md). -Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. +Since it's real time, in a matter of minutes, you'll see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. ## Navigate to the Software inventory page -You can access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). +Access the Software inventory page by selecting **Software inventory** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md). ## Software inventory overview -The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. +The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can filter the list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. ![Example of the landing page for software inventory.](images/software_inventory_filter.png) -Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. +Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. ![Flyout example page of "Visual Studio 2017" from the software inventory page.](images/tvm-software-inventory-flyout500.png) @@ -56,8 +56,8 @@ You can view software pages a few different ways: A full page will appear with all the details of a specific software and the following information: -- Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score -- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices +- Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to your exposure score +- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices - Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities. ![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png) @@ -67,17 +67,17 @@ You can view software pages a few different ways: We now show evidence of where we detected a specific software on a device from the registry, disk or both. You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence." -From the Microsoft Defender Security Center navigation panel, go to **Devices list** > select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. +From the Microsoft Defender Security Center navigation panel, go to the **Devices list**. Select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. ![Software evidence example of Windows 10 from the devices list, showing software evidence registry path.](images/tvm-software-evidence.png) ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information. +Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated. 1. Open the software flyout on the Software inventory page. 2. Select **Report inaccuracy**. -3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. +3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details about the inaccuracy. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 381f126c5b..889e5059e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -39,7 +39,7 @@ Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software prod Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment -MacOS | Not supported (planned) +macOS | Not supported (planned) Linux | Not supported (planned) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index d82ae3d95c..37a974d932 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -27,7 +27,7 @@ ms.topic: conceptual Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. -The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. +The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. >[!IMPORTANT] >To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: @@ -52,13 +52,13 @@ Go to the threat and vulnerability management navigation menu and select **Weakn 1. Go to the global search drop-down menu. 2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for. ![Global search box with the dropdown option "vulnerability" selected and an example CVE.](images/tvm-vuln-globalsearch.png) -3. Select the CVE and a flyout panel opens up with more information, including the vulnerability description, details, threat insights, and exposed devices. +3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices. To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search. ## Weaknesses overview -If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you are not at risk. +Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk. ![Weaknesses landing page.](images/tvm-weaknesses-overview.png) @@ -69,10 +69,10 @@ View related breach and threat insights in the **Threat** column when the icons >[!NOTE] > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](images/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](images/tvm_alert_icon.png). -The breach insights icon is highlighted if there is a vulnerability found in your organization. +The breach insights icon is highlighted if there's a vulnerability found in your organization. ![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](images/tvm-breach-insights.png) -The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories. +The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there is a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories. ![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](images/tvm-threat-insights.png) @@ -88,11 +88,11 @@ The "OS Feature" category is shown in relevant scenarios. ### Top vulnerable software in the dashboard -1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. +1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time. ![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png) -2. Select the software you want to investigate to go to a drill down page. +2. Select the software you want to investigate to go to a drilldown page. 3. Select the **Discovered vulnerabilities** tab. 4. Select the vulnerability you want to investigate for more information on vulnerability details @@ -116,19 +116,19 @@ View related weaknesses information in the device page. #### CVE Detection logic -Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source. +Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source. -The "OS Feature" category is also shown in relevant scenarios. For example, a CVE affects devices that run a vulnerable OS, only if a specific OS component is enabled on these devices. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll attach this CVE only to the Windows Server 2019 devices with DNS capability enabled in their OS. +The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS. ![Detection Logic example which lists the software detected on the device and the KBs.](images/tvm-cve-detection-logic.png) ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information. +Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated. 1. Open the CVE on the Weaknesses page. -2. Select **Report inaccuracy**. -3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. +2. Select **Report inaccuracy** and a flyout pane will open. +3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. ## Related topics