From 704a3a87252a456ce34bc8242c86ddec26dbdb1c Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 21 Jan 2021 21:30:59 +0200 Subject: [PATCH 01/18] add info about network boundary https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8880 --- .../md-app-guard-overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 98150e0f15..0c47055df2 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,3 +52,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| From 963bbb8f93de94590c0ed5948d0a965dd92d304e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 25 Jan 2021 21:09:14 +0500 Subject: [PATCH 02/18] Update TOC.md --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index af35c57f47..122083cfeb 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -114,6 +114,7 @@ ##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) ##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) ##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) +##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md) ##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md ) #### [Network protection]() From 7d9fbb1011a636246f5b8ee1eeda47b309177d71 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:28:49 +0500 Subject: [PATCH 03/18] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 7fd98bd981..0cf3df8758 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -45,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender AV real-time protection. Windows 10 version | Microsoft Defender Antivirus -|- From 930fc4dc29b48afbc9db8b7dc0d2a7c8eb9cd62b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:32:17 +0500 Subject: [PATCH 04/18] Update troubleshoot-np.md --- .../threat-protection/microsoft-defender-atp/troubleshoot-np.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 4bfdccfe50..82fcbb7ca7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems: Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). +> * Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. > * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. > * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. From 66e207e995f7d51a6d0f8f2e0301d2c609cfc185 Mon Sep 17 00:00:00 2001 From: Peter Lewis Date: Tue, 26 Jan 2021 17:28:04 +0000 Subject: [PATCH 05/18] fix title fix title which omitted full wording (replace "Set up Microsoft c for macOS device groups in Jamf Pro" with "Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro") --- .../microsoft-defender-atp/mac-jamfpro-device-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md index 3b011e3606..73dc882a2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md @@ -20,7 +20,7 @@ ms.topic: conceptual ms.technology: mde --- -# Set up Microsoft c for macOS device groups in Jamf Pro +# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] From 17d43cfd5707c0b32a5c96b5370503a93beed655 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:10:26 -0800 Subject: [PATCH 06/18] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 0cf3df8758..2a2ebcab64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -45,13 +45,13 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection. -Windows 10 version | Microsoft Defender Antivirus --|- -Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled +| Windows 10 version | Microsoft Defender Antivirus | +|:---|:---| +| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled | -After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints. +After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints. - .smartscreen.microsoft.com - .smartscreen-prod.microsoft.com From 8bfa5fd4bf9e6d15aea12d0cd09f0628b01bac3a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:14:51 -0800 Subject: [PATCH 07/18] Update troubleshoot-np.md --- .../microsoft-defender-atp/troubleshoot-np.md | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 82fcbb7ca7..79cdbc3b60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 03/27/2019 +ms.date: 01/26/2021 ms.reviewer: manager: dansimp ms.technology: mde @@ -24,14 +24,13 @@ ms.technology: mde **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -* IT administrators +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- IT administrators When you use [Network protection](network-protection.md) you may encounter issues, such as: -* Network protection blocks a website that is safe (false positive) -* Network protection fails to block a suspicious or known malicious website (false negative) +- Network protection blocks a website that is safe (false positive) +- Network protection fails to block a suspicious or known malicious website (false negative) There are four steps to troubleshooting these problems: @@ -45,11 +44,11 @@ There are four steps to troubleshooting these problems: Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> * Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. -> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). -> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. -> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. +> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. +> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. +> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). ## Use audit mode @@ -61,9 +60,9 @@ You can enable network protection in audit mode and then visit a website that we Set-MpPreference -EnableNetworkProtection AuditMode ``` -1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). +2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. If network protection is not blocking a connection that you are expecting it should block, enable the feature. @@ -75,6 +74,8 @@ You can enable network protection in audit mode and then visit a website that we If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives). + ## Exclude website from network protection scope To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check. @@ -89,16 +90,17 @@ When you report a problem with network protection, you are asked to collect and cd c:\program files\windows defender ``` -1. Run this command to generate the diagnostic logs: +2. Run this command to generate the diagnostic logs: ```PowerShell mpcmdrun -getfiles ``` -1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -* [Network protection](network-protection.md) -* [Evaluate network protection](evaluate-network-protection.md) -* [Enable network protection](enable-network-protection.md) +- [Network protection](network-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) +- [Enable network protection](enable-network-protection.md) +- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives) From 1bf91a1fd859e054e58303a537815bb4cfbe4c00 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:15:51 -0800 Subject: [PATCH 08/18] Update network-protection.md --- .../microsoft-defender-atp/network-protection.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 2a2ebcab64..29ed5acfbf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -79,11 +79,11 @@ You can review the Windows event log to see events that are created when network 3. This will create a custom view that filters to only show the following events related to network protection: - Event ID | Description - -|- - 5007 | Event when settings are changed - 1125 | Event when network protection fires in audit mode - 1126 | Event when network protection fires in block mode + | Event ID | Description | + |:---|:---| + | 5007 | Event when settings are changed | + | 1125 | Event when network protection fires in audit mode | + | 1126 | Event when network protection fires in block mode | ## Related articles From e2f432e0a8799480ccf021609a4e9d178d294237 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:28:01 -0800 Subject: [PATCH 09/18] Update md-app-guard-overview.md --- .../md-app-guard-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 0c47055df2..576fd34c27 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/17/2020 +ms.date: 01/27/2021 ms.reviewer: manager: dansimp ms.custom: asr From e6fb1e9cee0ae3f6ba9216514805cddc6a1c70f6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 12:28:24 -0800 Subject: [PATCH 10/18] Update md-app-guard-overview.md --- .../md-app-guard-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 576fd34c27..1187818d92 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -52,4 +52,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| -|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| From 0fc5c1575c45368487396bb4cef1ffe83d54c36e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:09:47 -0800 Subject: [PATCH 11/18] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 89da6e7ecf..99428b624b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -63,7 +63,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat | Alert status | What to do | |:---|:---| | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | - | The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.

3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | + | The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
2. [Suppress the alert](#suppress-an-alert).
3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | ### Classify an alert From 71ce32654daec644b5ddbd198d5fa7f167bacedf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:11:16 -0800 Subject: [PATCH 12/18] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 99428b624b..65a56a8421 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -85,7 +85,7 @@ If you have alerts that are either false positives or that are true positives bu 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. 3. Select an alert that you want to suppress to open its **Details** pane. -4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**. +4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**. 5. Specify all the settings for your suppression rule, and then choose **Save**. > [!TIP] From 5db57d8657c4b511930d491c3010cd25ef049736 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:11:44 -0800 Subject: [PATCH 13/18] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 65a56a8421..3cdec79594 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -268,7 +268,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the ### Cloud-delivered protection -Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). From 98147f674b436cc6716e980e2869d013fe4e21bf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:12:09 -0800 Subject: [PATCH 14/18] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 3cdec79594..f749263f1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -280,7 +280,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. -4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting cloud-delivered protection to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) From 4dce3eb74897b63e1b9d8093282a41702e395c25 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:12:47 -0800 Subject: [PATCH 15/18] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f749263f1b..731967a11e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -300,7 +300,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. -Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings. From 37c3f8535612fc56170dfa2c61bdf3befbfbb465 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:17:47 -0800 Subject: [PATCH 16/18] Update defender-endpoint-false-positives-negatives.md --- ...fender-endpoint-false-positives-negatives.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 731967a11e..251443c99e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,16 +31,17 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution. +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, includling [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: +Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives: -1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) -2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) -3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions) -4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) -5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) -6. [Getting help if you still have issues with false positives/negatives](#still-need-help) +1. [Review and classify alerts](#part-1-review-and-classify-alerts) +2. [Review remediation actions that were taken](#part-2-review-remediation-actions) +3. [Review and define exclusions](#part-3-review-or-define-exclusions) +4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) + +And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article. > [!NOTE] > This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). From 2124e871d4e374b3206bd09300c846ed9e118495 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 26 Jan 2021 15:18:18 -0800 Subject: [PATCH 17/18] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 251443c99e..9fef03cef6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, includling [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives: From 8c5574fd668f3c09831eb4f953c3f0fa40ffe846 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 26 Jan 2021 15:23:49 -0800 Subject: [PATCH 18/18] Re-labeled code blocks As written, the commands in the code blocks that I re-labeled work from the Windows command line, but not from the PowerShell command line. --- .../microsoft-defender-atp/troubleshoot-np.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 79cdbc3b60..05563e45c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -86,13 +86,13 @@ When you report a problem with network protection, you are asked to collect and 1. Open an elevated command prompt and change to the Windows Defender directory: - ```PowerShell + ```console cd c:\program files\windows defender ``` 2. Run this command to generate the diagnostic logs: - ```PowerShell + ```console mpcmdrun -getfiles ```