deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Content reorg and rebranding changes

Browse Source
This commit is contained in:
Andrea Bichsel
2018-08-09 14:23:01 -07:00
parent 70fb7062d0
commit a62b0855f1
2 changed files with 29 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
View File

@ -1,5 +1,5 @@
---
title: Enable and configure protection features in Windows Defender AV
title: Enable and configure antivirus protection features
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
@ -16,30 +16,21 @@ ms.date: 08/26/2017
# Configure behavioral, heuristic, and real-time protection
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
Windows Defender Antivirus uses several methods to provide threat protection:
Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
You can configure how antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection.
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See [Use next-gen antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for how to enable and configure antivirus cloud-delivered protection.
## In this section
Topic | Description
Topic | Description
---|---
[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features
[Enable and configure antivirus protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features

70
windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
View File

@ -1,7 +1,7 @@
---
title: Configure always-on real-time protection in Windows Defender AV
description: Enable and configure real-time protection features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV
keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics
title: Configure always-on real-time antivirus protection
description: Enable and configure antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -14,66 +14,42 @@ ms.author: v-anbic
ms.date: 04/30/2018
---
# Enable and configure Windows Defender AV always-on protection and monitoring
**Applies to:**
- Windows 10
**Audience**
- Enterprise security administrators
# Enable and configure antivirius always-on protection and monitoring
**Manageability available with**
- Group Policy
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
## Configure and enable always-on protection
You can configure how always-on protection works with the Group Policy settings described in this section.
To configure these settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK** and repeat for any other settings.
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Real-time protection | Monitor file and program activity on your computer | The AV engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled
Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
Real-time protection | Monitor file and program activity on your computer | The antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled
Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled
Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled
Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled
Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the antivirus engine is asked to detect the activity | Enabled
Root | Allow antimalware service to startup with normal priority | You can lower the priority of the antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set antivirus to still run. This lowers the protection on the endpoint. | Disabled
## Disable real-time protection
> [!WARNING]
@ -83,17 +59,15 @@ The main real-time protection capability is enabled by default, but you can disa
**Use Group Policy to disable real-time protection:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**.
6. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**.
4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
## Related topics
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)