From 92fdd2de437ac2d59b5e901c1dfee0bfcf716a70 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 22 Apr 2020 16:26:21 -0700 Subject: [PATCH] Update behavioral-blocking-containment.md --- .../behavioral-blocking-containment.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 94b540ac6f..8636102b28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -26,4 +26,10 @@ ms.collection: ## Overview of behavioral blocking and containment -As you know, not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats \ No newline at end of file +As you know, not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats + +Behavioral blocking and containment capabilities offer protection in all of the following scenarios: +- Client behavioral blocking. Enabled by default, threats that are detected through machine learning are blocked and remediated automatically +- Feedback-loop blocking (also referred to as Rapid Protection). Enabled by default, detections that are assumed to be false negatives are observed through behavioral intelligence. +- On-client, policy driven attack surface reduction rules. When enabled, predefined common attack behaviors are prevented from executing, according to your ASR policies (e.g. no child processes from Office applications). Alerts on attempts to execute these behaviors surface in the Microsoft Defender ATP portal (https://securitycenter.windows.com) as informational alerts. +- Endpoint detection and response (EDR) in block mode. When enabled,
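Review bot: The last added bullet, "Endpoint detection and response (EDR) in block mode. When enabled,", stops at a trailing comma and never says what block mode does, so the published page would end mid-sentence; either complete the sentence or hold the bullet back until the text is ready. The feedback-loop bullet has a similar gap: it says detections assumed to be false negatives "are observed through behavioral intelligence" but names no blocking action, which leaves a reader unable to tell what protection the feature actually provides. In the first two bullets, "Enabled by default, threats that are detected..." and "Enabled by default, detections that are..." attach "Enabled by default" to the threats and detections rather than to the capability; something like "Enabled by default. Threats that are detected..." would read correctly. Smaller points: the re-added overview sentence still ends at "stop threats" with no period, the first bullet has no closing period while the next two do, and a blank line between "in all of the following scenarios:" and the first "-" item would make the list render reliably across Markdown processors.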