deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

config updates, exclusions

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire
2017-03-23 14:53:34 -07:00
parent 059b836acb
commit 8a9208672a
9 changed files with 139 additions and 187 deletions
Download Patch File Download Diff File Expand all files Collapse all files

185
windows/keep-secure/WDAV-working/configure-exclusions-windows-defender-antivirus.md
View File

@ -1,7 +1,6 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title:
description:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -12,109 +11,129 @@ localizationpriority: medium
author: dulcemv
---
# Detect and block Potentially Unwanted Application in Windows 10
#
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
**Audience**
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
- Enterprise security administrators
###Configure PUA in Intune
**Manageability available with**
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
- Group Policy
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center
You can exclude certain files, folders, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to both [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
Changes made via Group Policy to the exclusion lists will show in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
However, changes made in the Windows Defender Security Center app will not show in the lists in the Group Policy settings.
###Use PUA audit mode in Intune
## Exclude file extensions from Windows Defender AV scans
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
You can exclude certain file extenstions from being scanned by Windows Defender AV.
1. Open PowerShell as Administrator: <br>
**Use Group Policy to exclude specified file extensions from scans:**
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
```text
set-mpPreference -puaprotection 1
```
3. In the **Group Policy Management Editor** go to **Computer configuration**.
##View PUA events
4. Click **Policies** then **Administrative templates**.
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
##What PUA notifications look like
6. Double-click the **Extension Exclusions** setting and add the exclusions:
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
![The Group Policy setting for file exclusions](images/defender/wdav-extension-exclusions.png)
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
## Exclude paths and files from Windows Defender AV scans
##PUA blocking conditions
**Use Group Policy to exclude specified paths or folders from scans:**
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
6. Double-click the **Path Exclusions** setting and add the exclusions:
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
![The Group Policy setting for folder exclusions](images/defender/wdav-path-exclusions.png)
## Exclude files opened by processes from Windows Defender AV scns
You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process will be.
You can only exclude executable files.
**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
6. Double-click the **Process Exclusions** setting and add the exclusions:
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
## Configure auto exclusions lists for Windows Server deployments
If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Server role.
These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
You can also [add custom exclusions to the auto exclusions with PowerShell](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server#BKMK_DefExclusions).
Exclusions | Turn off Auto Exclusions |
## Related topics
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

4
windows/keep-secure/WDAV-working/configure-local-policy-overrides-windows-defender-antivirus.md
View File

@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---
# Prevent or allow users to locally modify policy settings
# Prevent or allow users to locally modify Windows Defender AV policy settings
**Applies to:**
@ -27,7 +27,7 @@ author: iaanw
- Group Policy
By default, settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
By default, Windows Defender AV settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.

116
windows/keep-secure/WDAV-working/customize-run-review-remediate-scans-windows-defender-antivirus.md
View File

@ -1,120 +1,40 @@
---
title: Detect and block Potentially Unwanted Application with Windows Defender
description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
keywords: pua, enable, detect pua, block pua, windows defender and pua
title: Run and customize scheduled and on-demand scans
description: Customize and initiate scans using Windows Defender AV on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: detect
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: dulcemv
author: iaanw
---
# Detect and block Potentially Unwanted Application in Windows 10
# Customize, initiate, and review the results of Windows Defender AV scans and remediation
**Applies to:**
- Windows 10
You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
**Audience**
Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation.
Typical examples of PUA behavior include:
* Various types of software bundling
* Ad-injection into your browsers
* Driver and registry optimizers that detect issues, request payment to fix them, and persist
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications.
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
##Enable PUA protection in System Center Configuration Manager and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure.
###Configure PUA in System Center Configuration Manager
For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details:
If you are using these versions | See these topics
:---|:---
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
<br>
###Use PUA audit mode in System Center Configuration Manager
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
1. Open PowerShell as Administrator: <br>
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 2
```
> [!NOTE]
> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager.
- Enterprise security administrators
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure scans run by Windows Defender Antivirus.
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client so you can gain insights into what can be blocked.
## In this section
1. Open PowerShell as Administrator: <br>
Topic | Description
---|---
[Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
[Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quaratine folder
[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
a. Click **Start**, type **powershell**, and press **Enter**.
b. Click **Windows PowerShell** to open the interface.
>[!NOTE]
>You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
2. Enter the PowerShell command:
```text
set-mpPreference -puaprotection 1
```
##View PUA events
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events:
1. Open **Event Viewer**.
2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details.
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
##PUA threat naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser
* The file is in the %downloads% folder
* Or if the file in the %temp% folder

4
windows/keep-secure/WDAV-working/enable-cloud-protection-windows-defender-antivirus.md
View File

@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---
# Enable cloud-delivered protection
# Enable cloud-delivered protection in Windows Defender AV
@ -39,7 +39,7 @@ author: iaanw
You can enable or disable cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app.
See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-based protection.

BIN
windows/keep-secure/WDAV-working/images/defender/wdav-extension-exclusions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/keep-secure/WDAV-working/images/defender/wdav-path-exclusions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/keep-secure/WDAV-working/images/defender/wdav-process-exclusions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

15
windows/keep-secure/WDAV-working/prevent-end-user-interaction-windows-defender-antivirus.md
View File

@ -45,6 +45,19 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl
![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png)
**Use Group Policy to hide the Windows Defender AV interface from users:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
6. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs.
## Prevent users from pausing a scan
@ -52,7 +65,7 @@ Also see the [Prevent users from locally modifying policy settings](configure-lo
You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
**Use Group Policy to hide the prevent users from pausing a scan:**
**Use Group Policy to prevent users from pausing a scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

2
windows/keep-secure/WDAV-working/windows-defender-security-center-antivirus.md
View File

@ -113,7 +113,7 @@ This section describes how to perform some of the most common tasks when reviewi
<a id="exclusions"></a>
**Add exclusions for Windows Defender Antivirus in the Windows Defender Security Center app**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.