deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 08:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #4736 from MicrosoftDocs/master

Browse Source 
Publish 02/10/2021, 3:30 PM
This commit is contained in:
Gary Moore 2021-02-10 15:58:18 -08:00 committed by GitHub
commit af74c9ac33
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 124 additions and 164 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/TOC.md
View File

@ -372,9 +372,9 @@
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) ###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) ###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) ###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) ###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) ###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) ###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
#### [Visit the Action center to see remediation actions](microsoft-defender-atp/auto-investigation-action-center.md) #### [Visit the Action center to see remediation actions](microsoft-defender-atp/auto-investigation-action-center.md)

122
windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
View File

@ -1,8 +1,8 @@
--- ---
title: Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019 title: Configure Microsoft Defender Antivirus exclusions on Windows Server
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions. description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.prod: m365-security
@ -14,6 +14,7 @@ author: denisebmsft
ms.author: deniseb ms.author: deniseb
ms.custom: nextgen ms.custom: nextgen
ms.technology: mde ms.technology: mde
ms.date: 02/10/2021
--- ---
# Configure Microsoft Defender Antivirus exclusions on Windows Server # Configure Microsoft Defender Antivirus exclusions on Windows Server
@ -24,8 +25,7 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> [!NOTE] > [!NOTE]
> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. > Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
@ -36,33 +36,29 @@ In addition to server role-defined automatic exclusions, you can add or remove c
## A few points to keep in mind ## A few points to keep in mind
Keep the following important points in mind:
- Custom exclusions take precedence over automatic exclusions. - Custom exclusions take precedence over automatic exclusions.
- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. - Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
- Custom and duplicate exclusions do not conflict with automatic exclusions. - Custom and duplicate exclusions do not conflict with automatic exclusions.
- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions ## Opt out of automatic exclusions
In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. In Windows Server 2016 and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
> [!WARNING] > [!WARNING]
> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles.
Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) . Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019 ### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**. 2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**. 4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019 ### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
@ -73,11 +69,12 @@ Use the following cmdlets:
Set-MpPreference -DisableAutoExclusions $true Set-MpPreference -DisableAutoExclusions $true
``` ```
[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). To learn more, see the following resources:
[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/). - [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
- [Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019 ### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties: Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
@ -96,54 +93,42 @@ The following sections contain the exclusions that are delivered with automatic
This section lists the default exclusions for all Windows Server 2016 and 2019 roles. This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
> [!NOTE]
> The default locations could be different than what's listed in this article.
#### Windows "temp.edb" files #### Windows "temp.edb" files
- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb` - `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log` - `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
#### Windows Update files or Automatic Update files #### Windows Update files or Automatic Update files
- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` - `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
- `%windir%\SoftwareDistribution\Datastore\*\edb.chk` - `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log` - `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs` - `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log` - `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
#### Windows Security files #### Windows Security files
- `%windir%\Security\database\*.chk` - `%windir%\Security\database\*.chk`
- `%windir%\Security\database\*.edb` - `%windir%\Security\database\*.edb`
- `%windir%\Security\database\*.jrs` - `%windir%\Security\database\*.jrs`
- `%windir%\Security\database\*.log` - `%windir%\Security\database\*.log`
- `%windir%\Security\database\*.sdb` - `%windir%\Security\database\*.sdb`
#### Group Policy files #### Group Policy files
- `%allusersprofile%\NTUser.pol` - `%allusersprofile%\NTUser.pol`
- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol` - `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
- `%SystemRoot%\System32\GroupPolicy\User\registry.pol` - `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
#### WINS files #### WINS files
- `%systemroot%\System32\Wins\*\*.chk` - `%systemroot%\System32\Wins\*\*.chk`
- `%systemroot%\System32\Wins\*\*.log` - `%systemroot%\System32\Wins\*\*.log`
- `%systemroot%\System32\Wins\*\*.mdb` - `%systemroot%\System32\Wins\*\*.mdb`
- `%systemroot%\System32\LogFiles\` - `%systemroot%\System32\LogFiles\`
- `%systemroot%\SysWow64\LogFiles\` - `%systemroot%\SysWow64\LogFiles\`
#### File Replication Service (FRS) exclusions #### File Replication Service (FRS) exclusions
@ -151,9 +136,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- `%windir%\Ntfrs\jet\sys\*\edb.chk` - `%windir%\Ntfrs\jet\sys\*\edb.chk`
- `%windir%\Ntfrs\jet\*\Ntfrs.jdb` - `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
- `%windir%\Ntfrs\jet\log\*\*.log` - `%windir%\Ntfrs\jet\log\*\*.log`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory` - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
@ -174,33 +157,21 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
> For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions). > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
- `%systemdrive%\System Volume Information\DFSR\$db_normal$` - `%systemdrive%\System Volume Information\DFSR\$db_normal$`
- `%systemdrive%\System Volume Information\DFSR\FileIDTable_*` - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
- `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*` - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
- `%systemdrive%\System Volume Information\DFSR\*.XML` - `%systemdrive%\System Volume Information\DFSR\*.XML`
- `%systemdrive%\System Volume Information\DFSR\$db_dirty$` - `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
- `%systemdrive%\System Volume Information\DFSR\$db_clean$` - `%systemdrive%\System Volume Information\DFSR\$db_clean$`
- `%systemdrive%\System Volume Information\DFSR\$db_lostl$` - `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
- `%systemdrive%\System Volume Information\DFSR\Dfsr.db` - `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
- `%systemdrive%\System Volume Information\DFSR\*.frx` - `%systemdrive%\System Volume Information\DFSR\*.frx`
- `%systemdrive%\System Volume Information\DFSR\*.log` - `%systemdrive%\System Volume Information\DFSR\*.log`
- `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs` - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
- `%systemdrive%\System Volume Information\DFSR\Tmp.edb` - `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
#### Process exclusions #### Process exclusions
- `%systemroot%\System32\dfsr.exe` - `%systemroot%\System32\dfsr.exe`
- `%systemroot%\System32\dfsrs.exe` - `%systemroot%\System32\dfsrs.exe`
#### Hyper-V exclusions #### Hyper-V exclusions
@ -214,23 +185,16 @@ The following table lists the file type exclusions, folder exclusions, and proce
#### SYSVOL files #### SYSVOL files
- `%systemroot%\Sysvol\Domain\*.adm` - `%systemroot%\Sysvol\Domain\*.adm`
- `%systemroot%\Sysvol\Domain\*.admx` - `%systemroot%\Sysvol\Domain\*.admx`
- `%systemroot%\Sysvol\Domain\*.adml` - `%systemroot%\Sysvol\Domain\*.adml`
- `%systemroot%\Sysvol\Domain\Registry.pol` - `%systemroot%\Sysvol\Domain\Registry.pol`
- `%systemroot%\Sysvol\Domain\*.aas` - `%systemroot%\Sysvol\Domain\*.aas`
- `%systemroot%\Sysvol\Domain\*.inf` - `%systemroot%\Sysvol\Domain\*.inf`
- `%systemroot%\Sysvol\Domain\*Scripts.ini`
- `%systemroot%\Sysvol\Domain\*.Scripts.ini`
- `%systemroot%\Sysvol\Domain\*.ins` - `%systemroot%\Sysvol\Domain\*.ins`
- `%systemroot%\Sysvol\Domain\Oscfilter.ini` - `%systemroot%\Sysvol\Domain\Oscfilter.ini`
### Active Directory exclusions ### Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services. This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
@ -240,7 +204,6 @@ This section lists the exclusions that are delivered automatically when you inst
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- `%windir%\Ntds\ntds.dit` - `%windir%\Ntds\ntds.dit`
- `%windir%\Ntds\ntds.pat` - `%windir%\Ntds\ntds.pat`
#### The AD DS transaction log files #### The AD DS transaction log files
@ -248,13 +211,9 @@ The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path` The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- `%windir%\Ntds\EDB*.log` - `%windir%\Ntds\EDB*.log`
- `%windir%\Ntds\Res*.log` - `%windir%\Ntds\Res*.log`
- `%windir%\Ntds\Edb*.jrs` - `%windir%\Ntds\Edb*.jrs`
- `%windir%\Ntds\Ntds*.pat` - `%windir%\Ntds\Ntds*.pat`
- `%windir%\Ntds\TEMP.edb` - `%windir%\Ntds\TEMP.edb`
#### The NTDS working folder #### The NTDS working folder
@ -262,13 +221,11 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- `%windir%\Ntds\Temp.edb` - `%windir%\Ntds\Temp.edb`
- `%windir%\Ntds\Edb.chk` - `%windir%\Ntds\Edb.chk`
#### Process exclusions for AD DS and AD DS-related support files #### Process exclusions for AD DS and AD DS-related support files
- `%systemroot%\System32\ntfrs.exe` - `%systemroot%\System32\ntfrs.exe`
- `%systemroot%\System32\lsass.exe` - `%systemroot%\System32\lsass.exe`
### DHCP Server exclusions ### DHCP Server exclusions
@ -276,13 +233,9 @@ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentC
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- `%systemroot%\System32\DHCP\*\*.mdb` - `%systemroot%\System32\DHCP\*\*.mdb`
- `%systemroot%\System32\DHCP\*\*.pat` - `%systemroot%\System32\DHCP\*\*.pat`
- `%systemroot%\System32\DHCP\*\*.log` - `%systemroot%\System32\DHCP\*\*.log`
- `%systemroot%\System32\DHCP\*\*.chk` - `%systemroot%\System32\DHCP\*\*.chk`
- `%systemroot%\System32\DHCP\*\*.edb` - `%systemroot%\System32\DHCP\*\*.edb`
### DNS Server exclusions ### DNS Server exclusions
@ -292,11 +245,8 @@ This section lists the file and folder exclusions and the process exclusions tha
#### File and folder exclusions for the DNS Server role #### File and folder exclusions for the DNS Server role
- `%systemroot%\System32\Dns\*\*.log` - `%systemroot%\System32\Dns\*\*.log`
- `%systemroot%\System32\Dns\*\*.dns` - `%systemroot%\System32\Dns\*\*.dns`
- `%systemroot%\System32\Dns\*\*.scc` - `%systemroot%\System32\Dns\*\*.scc`
- `%systemroot%\System32\Dns\*\BOOT` - `%systemroot%\System32\Dns\*\BOOT`
#### Process exclusions for the DNS Server role #### Process exclusions for the DNS Server role
@ -308,9 +258,7 @@ This section lists the file and folder exclusions and the process exclusions tha
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- `%SystemDrive%\ClusterStorage` - `%SystemDrive%\ClusterStorage`
- `%clusterserviceaccount%\Local Settings\Temp` - `%clusterserviceaccount%\Local Settings\Temp`
- `%SystemDrive%\mscs` - `%SystemDrive%\mscs`
### Print Server exclusions ### Print Server exclusions
@ -320,7 +268,6 @@ This section lists the file type exclusions, folder exclusions, and the process
#### File type exclusions #### File type exclusions
- `*.shd` - `*.shd`
- `*.spl` - `*.spl`
#### Folder exclusions #### Folder exclusions
@ -340,36 +287,49 @@ This section lists the folder exclusions and the process exclusions that are del
#### Folder exclusions #### Folder exclusions
- `%SystemRoot%\IIS Temporary Compressed Files` - `%SystemRoot%\IIS Temporary Compressed Files`
- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files` - `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
- `%SystemDrive%\inetpub\temp\ASP Compiled Templates` - `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
- `%systemDrive%\inetpub\logs` - `%systemDrive%\inetpub\logs`
- `%systemDrive%\inetpub\wwwroot` - `%systemDrive%\inetpub\wwwroot`
#### Process exclusions #### Process exclusions
- `%SystemRoot%\system32\inetsrv\w3wp.exe` - `%SystemRoot%\system32\inetsrv\w3wp.exe`
- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe` - `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
- `%SystemDrive%\PHP5433\php-cgi.exe` - `%SystemDrive%\PHP5433\php-cgi.exe`
#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
- `%systemroot%\Sysvol\Domain`
- `%systemroot%\Sysvol_DFSR\Domain`
The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`
Exclude the following files from this folder and all its subfolders:
- `*.adm`
- `*.admx`
- `*.adml`
- `Registry.pol`
- `Registry.tmp`
- `*.aas`
- `*.inf`
- `Scripts.ini`
- `*.ins`
- `Oscfilter.ini`
### Windows Server Update Services exclusions ### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- `%systemroot%\WSUS\WSUSContent` - `%systemroot%\WSUS\WSUSContent`
- `%systemroot%\WSUS\UpdateServicesDBFiles` - `%systemroot%\WSUS\UpdateServicesDBFiles`
- `%systemroot%\SoftwareDistribution\Datastore` - `%systemroot%\SoftwareDistribution\Datastore`
- `%systemroot%\SoftwareDistribution\Download` - `%systemroot%\SoftwareDistribution\Download`
## Related articles ## See also
- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)

47
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -31,7 +31,13 @@ ms.technology: mde
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with. Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.
Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: ## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations.
## Automated investigation ## Automated investigation
@ -121,22 +127,6 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct
>[!NOTE] >[!NOTE]
>You'll need to have the appropriate license to enable this feature. >You'll need to have the appropriate license to enable this feature.
## Microsoft Secure Score
Forwards Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
### Enable the Defender for Endpoint integration from the Azure ATP portal
To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create your instance**.
3. Toggle the Integration setting to **On** and click **Save**.
After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
## Office 365 Threat Intelligence connection ## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
@ -166,6 +156,22 @@ Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud
Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings. Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings.
## Microsoft Secure Score
Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
### Enable the Microsoft Defender ATP integration from the Azure ATP portal
To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
2. Click **Create your instance**.
3. Toggle the Integration setting to **On** and click **Save**.
After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
## Microsoft Intune connection ## Microsoft Intune connection
Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement. Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.
@ -185,7 +191,6 @@ When you enable Intune integration, Intune will automatically create a classic C
>[!NOTE] >[!NOTE]
> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
## Preview features ## Preview features
Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
@ -198,12 +203,6 @@ Forwards endpoint security alerts and their triage status to Microsoft Complianc
After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users. After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users.
## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics ## Related topics
- [Update data retention settings](data-retention-settings.md) - [Update data retention settings](data-retention-settings.md)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason400.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine400.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file400.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

4
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
View File

@ -37,9 +37,9 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
## Enable raw data streaming: ## Enable raw data streaming:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) with a Global Admin user. 1. Log in to the [Microsoft Defender Security Center](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. 2. Go to the [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.
3. Click on **Add data export settings**. 3. Click on **Add data export settings**.

2
windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
View File

@ -37,7 +37,7 @@ Want to experience Defender for Endpoint? [Sign up for a free trial.](https://ww
## Enable raw data streaming: ## Enable raw data streaming:
1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) with Global Admin user. 1. Log in to [Microsoft Defender for Endpoint portal](https://securitycenter.windows.com) as a ***Global Administrator*** or ***Security Administrator***.
2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center. 2. Go to [Data export settings page](https://securitycenter.windows.com/interoperability/dataexport) on Microsoft Defender Security Center.

84
windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
View File

@ -1,5 +1,5 @@
--- ---
title: Take response actions on a file in Microsoft Defender ATP title: Take response actions on a file in Microsoft Defender for Endpoint
description: Take response actions on file-related alerts by stopping and quarantining a file or blocking a file and checking activity details. description: Take response actions on file-related alerts by stopping and quarantining a file or blocking a file and checking activity details.
keywords: respond, stop and quarantine, block file, deep analysis keywords: respond, stop and quarantine, block file, deep analysis
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
@ -56,7 +56,6 @@ Some actions require certain permissions. The following table describes what act
For more information on roles, see [Create and manage roles for role-based access control](user-roles.md). For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
## Stop and quarantine files in your network ## Stop and quarantine files in your network
You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed. You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
@ -68,7 +67,7 @@ You can contain an attack in your organization by stopping the malicious process
> - The file does not belong to trusted third-party publishers or not signed by Microsoft > - The file does not belong to trusted third-party publishers or not signed by Microsoft
> - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys. The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data such as registry keys.
This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days. This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
@ -82,7 +81,6 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select **File** from the dropdown menu and enter the file name - **Search box** - select **File** from the dropdown menu and enter the file name
> [!NOTE] > [!NOTE]
> The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). > The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
@ -90,7 +88,7 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher
![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png)
3. Specify a reason, then click **Confirm**. 3. Specify a reason, then select **Confirm**.
![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png)
@ -112,7 +110,7 @@ When the file is being removed from a device, the following notification is show
In the device timeline, a new event is added for each device where a file was stopped and quarantined. In the device timeline, a new event is added for each device where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended. A warning is shown before the action is implemented for files widely used throughout an organization. It's to validate that the operation is intended.
## Restore file from quarantine ## Restore file from quarantine
@ -138,9 +136,23 @@ You can roll back and remove a file from quarantine if youve determined that
> [!IMPORTANT] > [!IMPORTANT]
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. > A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
## Download or collect file
Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file. A flyout will appear where you can record a reason for downloading the file, and set a password.
By default, you will not be able to download files that are in quarantine.
![Image of download file action](images/atp-download-file-action.png)
### Collect files
If a file is not already stored by Microsoft Defender for Endpoint, you can't download it. Instead, you'll see a **Collect file** button in the same location. If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled.
> [!Important]
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
## Add indicator to block or allow a file ## Add indicator to block or allow a file
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
> [!IMPORTANT] > [!IMPORTANT]
> >
@ -164,56 +176,43 @@ To start blocking files, you first need to [turn the **Block or allow** feature
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it. When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files. See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator. To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position as the **Add Indicator** action, before you added the indicator.
You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash. You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
## Download or collect file
Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file.
![Image of download file action](images/atp-download-file-action.png)
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file.
![Image of download file fly-out](images/atp-download-file-reason.png)
If a file is not already stored by Defender for Endpoint, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
## Consult a threat expert ## Consult a threat expert
You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. Consult a Microsoft threat expert for more insights on a potentially compromised device, or already compromised devices. Microsoft Threat Experts are engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights on a potentially compromised device and help you understand complex threats and targeted attack notifications. They can also provide information about the alerts or a threat intelligence context that you see on your portal dashboard.
See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details. See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center ## Check activity details in Action center
The **Action center** provides information on actions that were taken on a device or file. Youll be able to view the following details: The **Action center** provides information on actions that were taken on a device or file. You can view the following details:
- Investigation package collection - Investigation package collection
- Antivirus scan - Antivirus scan
- App restriction - App restriction
- Device isolation - Device isolation
All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed. All other related details are also shown, such as submission date/time, submitting user, and if the action succeeded or failed.
![Image of action center with information](images/action-center-details.png) ![Image of action center with information](images/action-center-details.png)
## Deep analysis ## Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis. Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Selecting a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files). Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display the date and time of the latest results available, as well as a summary of the report itself. Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display a summary and the date and time of the latest available results.
The Deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will simply display a brief message. The deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
@ -227,22 +226,22 @@ Use the deep analysis feature to investigate the details of any file, usually du
> [!NOTE] > [!NOTE]
> Only files from Windows 10 can be automatically collected. > Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available. You can also submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file wasn't observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available.
> [!NOTE] > [!NOTE]
> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint. > Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint.
When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications. When the sample is collected, Defender for Endpoint runs the file in a secure environment. It then creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
#### Submit files for deep analysis ### Submit files for deep analysis
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- Alerts - click the file links from the **Description** or **Details** in the Artifact timeline - Alerts - select the file links from the **Description** or **Details** in the Artifact timeline
- **Devices list** - click the file links from the **Description** or **Details** in the **Device in organization** section - **Devices list** - select the file links from the **Description** or **Details** in the **Device in organization** section
- Search box - select **File** from the dropdown menu and enter the file name - Search box - select **File** from the dropdown menu and enter the file name
2. In the **Deep analysis** tab of the file view, click **Submit**. 2. In the **Deep analysis** tab of the file view, select **Submit**.
![You can only submit PE files in the file details section](images/submit-file.png) ![You can only submit PE files in the file details section](images/submit-file.png)
@ -254,9 +253,9 @@ A progress bar is displayed and provides information on the different stages of
> [!NOTE] > [!NOTE]
> Depending on device availability, sample collection time can vary. There is a 3hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can resubmit files for deep analysis to get fresh data on the file. > Depending on device availability, sample collection time can vary. There is a 3hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can resubmit files for deep analysis to get fresh data on the file.
#### View deep analysis reports ### View deep analysis reports
View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. View the provided deep analysis report to see more in-depth insights on the file you submitted. This feature is available in the file view context.
You can view the comprehensive report that provides details on the following sections: You can view the comprehensive report that provides details on the following sections:
@ -268,19 +267,16 @@ The details provided can help you investigate if there are indications of a pote
1. Select the file you submitted for deep analysis. 1. Select the file you submitted for deep analysis.
2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab. 2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab.
![The deep analysis report shows detailed information across a number of categories](images/analysis-results-nothing.png) ![The deep analysis report shows detailed information across a number of categories](images/analysis-results-nothing500.png)
#### Troubleshoot deep analysis #### Troubleshoot deep analysis
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. If you come across a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
2. Ensure the service has access to the file, that it still exists, and hasn't been corrupted or modified.
1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. 3. Wait a short while and try to submit the file again. The queue may be full, or there was a temporary connection or communication error.
4. If the sample collection policy isn't configured, then the default behavior is to allow sample collection. If it's configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
```powershell ```powershell
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

2
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -46,7 +46,7 @@ The Security Compliance Toolkit consists of:
- Microsoft 365 Apps for enterprise (Sept 2019) - Microsoft 365 Apps for enterprise (Sept 2019)
- Microsoft Edge security baseline - Microsoft Edge security baseline
- Version 85 - Version 88
- Windows Update security baseline - Windows Update security baseline
- Windows 10 20H2 and below (October 2020 Update) - Windows 10 20H2 and below (October 2020 Update)

5
windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
View File

@ -41,7 +41,7 @@ Here's an approximate scaling guide for WEF events:
| 5,000 - 50,000 | SEM | | 5,000 - 50,000 | SEM |
| 50,000+ | Hadoop/HDInsight/Data Lake | | 50,000+ | Hadoop/HDInsight/Data Lake |
Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences.
For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb).
@ -147,7 +147,7 @@ Yes. If you desire a High-Availability environment, simply configure multiple WE
### <a href="" id="what-are-the-wec-server-s-limitations-"></a>What are the WEC servers limitations? ### <a href="" id="what-are-the-wec-server-s-limitations-"></a>What are the WEC servers limitations?
There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is “10k x 10k” meaning, no more than 10,000 concurrently active WEF Clients per WEC server and no more than 10,000 events/second average event volume. There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions.
- **Disk I/O**. The WEC server does not process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. - **Disk I/O**. The WEC server does not process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive.
- **Network Connections**. While a WEF source does not maintain a permanent, persistent connection to the WEC server, it does not immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. - **Network Connections**. While a WEF source does not maintain a permanent, persistent connection to the WEC server, it does not immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server.
@ -661,4 +661,3 @@ You can get more info with the following links:
- [Windows Event Collector](https://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) - [Windows Event Collector](https://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
- [4625(F): An account failed to log on](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625) - [4625(F): An account failed to log on](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625)

8
windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
View File

@ -26,8 +26,8 @@ ms.technology: mde
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
- [Create WMI Filters for the GPO](#create-wmi-filters-for-the-gpo)
- [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows) - [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows)
- [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo) - [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo)
**Administrative credentials** **Administrative credentials**
@ -80,6 +80,12 @@ First, create the WMI filter and configure it to look for a specified version (o
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1" select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
``` ```
Specific versions of Windows 10 can be targeted by including the *major build version* in the query. The following query returns **true** for all devices running Windows 10 20H2 (which has a *major build version* of `19042`), and returns **false** for any server operating system or any other client operating system. Additional information about Windows 10 build versions can be found at [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
```syntax
select * from Win32_OperatingSystem where Version like "10.0.19042" and ProductType="1"
```
The following query returns **true** for any device running Windows Server 2016, except domain controllers: The following query returns **true** for any device running Windows Server 2016, except domain controllers:
``` syntax ``` syntax

8
windows/whats-new/index.yml
View File

@ -1,11 +1,11 @@
### YamlMime:Landing ### YamlMime:Landing
title: Windows 10 deployment resources and documentation # < 60 chars title: What's new in Windows 10 # < 60 chars
summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars summary: Find out about new features and capabilities in the latest release of Windows 10. # < 160 chars
metadata: metadata:
title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. title: What's new in Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. description: Find out about new features and capabilities in the latest release of Windows 10. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10 services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice ms.subservice: subservice