deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 05:13:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into samanro-working

Browse Source
This commit is contained in:
Samantha Robertson
2021-01-26 15:45:22 -08:00
parent f8139e4739 354673c2db
commit 94b89bdcef
6 changed files with 51 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/security/threat-protection/TOC.md
View File

@ -114,6 +114,7 @@
##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md)
##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )
#### [Network protection]()

3
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 12/17/2020
ms.date: 01/27/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -53,3 +53,4 @@ Application Guard has been created to target several types of devices:
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|

30
windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
View File

@ -31,22 +31,22 @@ ms.custom: FPFN
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution.
In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).
![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png)
If youre using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include:
Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives:
1. [Review and classify alerts](#part-1-review-and-classify-alerts)
2. [Review remediation actions that were taken](#part-2-review-remediation-actions)
3. [Review and define exclusions](#part-3-review-or-define-exclusions)
4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis)
5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article.
![Steps to address false positives and negatives](images/false-positives-step-diagram.png)
1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts)
2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions)
3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions)
4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis)
5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
6. [Getting help if you still have issues with false positives/negatives](#still-need-help)
> [!NOTE]
> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md).
@ -68,7 +68,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat
| Alert status | What to do |
|:---|:---|
| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. |
| The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert). <p> 2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint. <p> 3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). |
| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive. <br/>2. [Suppress the alert](#suppress-an-alert). <br/> 3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint. <br/> 4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). |
| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
### Classify an alert
@ -90,7 +90,7 @@ If you have alerts that are either false positives or that are true positives bu
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the navigation pane, select **Alerts queue**.
3. Select an alert that you want to suppress to open its **Details** pane.
4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**.
4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**.
5. Specify all the settings for your suppression rule, and then choose **Save**.
> [!TIP]
@ -276,7 +276,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the
### Cloud-delivered protection
Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives.
Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives.
> [!TIP]
> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
@ -288,7 +288,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere
1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you dont have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)).
3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives.
4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting cloud-delivered protection to **Not configured**, which provides strong protection while reducing the chances of getting false positives.
5. Choose **Review + save**, and then **Save**.
#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy)
@ -308,7 +308,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere
Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation.
Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus.
Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus.
We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings.

2
windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
View File

@ -20,7 +20,7 @@ ms.topic: conceptual
ms.technology: mde
---
# Set up Microsoft c for macOS device groups in Jamf Pro
# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]

20
windows/security/threat-protection/microsoft-defender-atp/network-protection.md
View File

@ -45,13 +45,13 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
## Requirements
Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection.
Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection.
Windows 10 version | Microsoft Defender Antivirus
-|-
Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled
| Windows 10 version | Microsoft Defender Antivirus |
|:---|:---|
| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled |
After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints.
After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints.
- .smartscreen.microsoft.com
- .smartscreen-prod.microsoft.com
@ -79,11 +79,11 @@ You can review the Windows event log to see events that are created when network
3. This will create a custom view that filters to only show the following events related to network protection:
Event ID | Description
-|-
5007 | Event when settings are changed
1125 | Event when network protection fires in audit mode
1126 | Event when network protection fires in block mode
| Event ID | Description |
|:---|:---|
| 5007 | Event when settings are changed |
| 1125 | Event when network protection fires in audit mode |
| 1126 | Event when network protection fires in block mode |
## Related articles

42
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: dansimp
ms.author: dansimp
ms.date: 03/27/2019
ms.date: 01/26/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
@ -24,14 +24,13 @@ ms.technology: mde
**Applies to:**
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
* IT administrators
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- IT administrators
When you use [Network protection](network-protection.md) you may encounter issues, such as:
* Network protection blocks a website that is safe (false positive)
* Network protection fails to block a suspicious or known malicious website (false negative)
- Network protection blocks a website that is safe (false positive)
- Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
@ -45,11 +44,11 @@ There are four steps to troubleshooting these problems:
Network protection will only work on devices with the following conditions:
>[!div class="checklist"]
> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.
> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
## Use audit mode
@ -61,9 +60,9 @@ You can enable network protection in audit mode and then visit a website that we
Set-MpPreference -EnableNetworkProtection AuditMode
```
1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
If network protection is not blocking a connection that you are expecting it should block, enable the feature.
@ -75,6 +74,8 @@ You can enable network protection in audit mode and then visit a website that we
If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives).
## Exclude website from network protection scope
To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
@ -85,20 +86,21 @@ When you report a problem with network protection, you are asked to collect and
1. Open an elevated command prompt and change to the Windows Defender directory:
```PowerShell
```console
cd c:\program files\windows defender
```
1. Run this command to generate the diagnostic logs:
2. Run this command to generate the diagnostic logs:
```PowerShell
```console
mpcmdrun -getfiles
```
1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
## Related topics
* [Network protection](network-protection.md)
* [Evaluate network protection](evaluate-network-protection.md)
* [Enable network protection](enable-network-protection.md)
- [Network protection](network-protection.md)
- [Evaluate network protection](evaluate-network-protection.md)
- [Enable network protection](enable-network-protection.md)
- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives)