From b7d0e0f861f946c55978c6fecc3e044a3d2e4ca8 Mon Sep 17 00:00:00 2001 From: Thomas Lee Date: Sun, 31 Jan 2021 16:42:08 +0000 Subject: [PATCH 1/3] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md Updated examples to have correct casing based on values in Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType enum Added an example for viewing PUA events Removed future tense to improve readability. --- ...anted-apps-microsoft-defender-antivirus.md | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index dc721c7813..0467981cf8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -62,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium ### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs. Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings. ## Microsoft Defender Antivirus @@ -87,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). -You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. > [!TIP] > Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. @@ -125,7 +125,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw 7. Select **Enabled** to enable PUA protection. -8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. 9. Deploy your Group Policy object as you usually do. @@ -134,25 +134,25 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell -Set-MpPreference -PUAProtection enable +Set-MpPreference -PUAProtection Enabled ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. +Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell -Set-MpPreference -PUAProtection auditmode +Set-MpPreference -PUAProtection AuditMode ``` -Setting `AuditMode` will detect PUAs without blocking them. +Setting `AuditMode` detects PUAs without blocking them. ##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell -Set-MpPreference -PUAProtection disable +Set-MpPreference -PUAProtection Disabled ``` -Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. +Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. @@ -160,6 +160,23 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. +You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled. +```console + +CategoryID : 27 +DidThreatExecute : False +IsActive : False +Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/ + fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714} +RollupStatus : 33 +SchemaVersion : 1.0.0.0 +SeverityID : 1 +ThreatID : 213927 +ThreatName : PUA:Win32/InstallCore +TypeID : 0 +PSComputerName : +``` + You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. From 40589e437f4e628d9fe18e780fbc70a721feb3a5 Mon Sep 17 00:00:00 2001 From: Thomas Lee Date: Sun, 31 Jan 2021 22:21:20 +0000 Subject: [PATCH 2/3] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md Changed double-tick to single, as per suggestion. Added blank line around codefencing --- ...ntially-unwanted-apps-microsoft-defender-antivirus.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 0467981cf8..73b795ee62 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -134,14 +134,18 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw ##### To enable PUA protection ```PowerShell + Set-MpPreference -PUAProtection Enabled + ``` Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell + Set-MpPreference -PUAProtection AuditMode + ``` Setting `AuditMode` detects PUAs without blocking them. @@ -150,7 +154,9 @@ Setting `AuditMode` detects PUAs without blocking them. We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell + Set-MpPreference -PUAProtection Disabled + ``` Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. @@ -160,7 +166,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. -You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled. +You can also use the `Get-MpThreat` cmdlet to view threats that Defender handled. + ```console CategoryID : 27 From 27bc25e7daf6b9cc92222580249de5bc691b6725 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 1 Feb 2021 13:47:35 -0800 Subject: [PATCH 3/3] Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md --- ...entially-unwanted-apps-microsoft-defender-antivirus.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 73b795ee62..5b962456c2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 01/08/2021 +ms.date: 02/01/2021 ms.reviewer: manager: dansimp ms.technology: mde @@ -164,9 +164,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u ### View PUA events -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. - -You can also use the `Get-MpThreat` cmdlet to view threats that Defender handled. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: ```console @@ -194,7 +192,7 @@ Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). -## Related articles +## See also - [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)