update how it works

iaanw 2016-08-12 11:18:29 -07:00
parent 3c6cf6fb5f
commit a0425c9942

@ -30,11 +30,9 @@ It is enabled by default when certain pre-requisite settings are also enabled. I
When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud.
If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.
If the Block at First Sight feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run.
The file-based determination typically takes 1 to 4 seconds.
In many cases this process can reduce the response time to new malware from hours to seconds.
> [!NOTE]
> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
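
Review bot: The lock-release condition is stated inconsistently across this hunk. The paragraph ending "Only after the cloud has received the file will Windows Defender release the lock and let the file run" releases on upload, while the Block at First Sight paragraph releases "Only after a determination is returned from the cloud", and the NOTE says the file is locked "until it is finished uploading to the backend". The +/- markers are not visible in this rendering, so I can't tell which wording survives, but the final text should say outright whether the first machine can run the file before a verdict exists, since "blocking all future encounters of that file" implies the first encounter is not blocked. Please align the NOTE with whichever condition is kept. Minor: "to determine the files as malicious or clean" would read better as "to determine whether the file is malicious or clean".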