Merge pull request #9053 from doctordns/patch-1

Update detect-block-potentially-unwanted-apps-microsoft-defender-anti…
Denise Vangel-MSFT 2021-02-01 13:49:46 -08:00 committed by GitHub
commit 9856688ff2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -11,7 +11,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
ms.date: 01/08/2021
ms.date: 02/01/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
@ -62,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium
### Blocking URLs with Microsoft Defender SmartScreen
In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs.
In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings.
Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
## Microsoft Defender Antivirus
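Review bot: The third link in the SmartScreen paragraph ("configure Microsoft Defender SmartScreen") points at `microsoft-edge/deploy/available-policies` with the anchor `#configure-windows-defender-smartscreen`, while the section text and the other links in the same paragraph are about Chromium-based Edge under `DeployEdge`. Since this change already touches the paragraph, confirm that the link applies to Chromium-based Edge or replace it with the matching `DeployEdge` policy reference, so admins are not sent to settings that do not govern the browser being described.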
@ -87,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi
You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true).
You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log.
You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.
> [!TIP]
> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action.
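Review bot: The audit-mode sentence says detections "are captured in the Windows event log" but does not name the log or the events to look for, which is what an admin running a trial in audit mode needs in order to find them. Suggest naming the specific log here, or linking to the "View PUA events" section further down the article.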
@ -125,7 +125,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
7. Select **Enabled** to enable PUA protection.
8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**.
8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**.
9. Deploy your Group Policy object as you usually do.
@ -134,31 +134,53 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
##### To enable PUA protection
```PowerShell
Set-MpPreference -PUAProtection enable
Set-MpPreference -PUAProtection Enabled
```
Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled.
Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled.
##### To set PUA protection to audit mode
```PowerShell
Set-MpPreference -PUAProtection auditmode
Set-MpPreference -PUAProtection AuditMode
```
Setting `AuditMode` will detect PUAs without blocking them.
Setting `AuditMode` detects PUAs without blocking them.
##### To disable PUA protection
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
```PowerShell
Set-MpPreference -PUAProtection disable
Set-MpPreference -PUAProtection Disabled
```
Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled.
Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### View PUA events
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune.
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
```console
CategoryID : 27
DidThreatExecute : False
IsActive : False
Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/
fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
RollupStatus : 33
SchemaVersion : 1.0.0.0
SeverityID : 1
ThreatID : 213927
ThreatName : PUA:Win32/InstallCore
TypeID : 0
PSComputerName :
```
You can turn on email notifications to receive mail about PUA detections.
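Review bot: The new `Get-MpThreat` example under "View PUA events" shows only output, with no command line above it, so a reader cannot tell how it was invoked or whether the result was filtered to PUA detections. Add the invocation before the output. The `Resources` value also embeds what looks like a real download URL and a local build path; replace both with placeholder values before publishing, and consider dropping the empty `PSComputerName :` line. The casing fixes to the `-PUAProtection` values (`Enabled`, `AuditMode`, `Disabled`) now match the prose that follows each block.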
@ -170,7 +192,7 @@ Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA
For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions).
## Related articles
## See also
- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)