deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-23 02:37:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md

Browse Source 
Updated examples to have correct casing based on values in Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.PUAProtectionType enum

Added an example for viewing PUA events

Removed future tense to improve readability.
This commit is contained in:
Thomas Lee 2021-01-31 16:42:08 +00:00 committed by GitHub
parent 5a6e995d70
commit b7d0e0f861
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
View File

@ -62,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium
### Blocking URLs with Microsoft Defender SmartScreen ### Blocking URLs with Microsoft Defender SmartScreen
In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft
Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can
[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
## Microsoft Defender Antivirus ## Microsoft Defender Antivirus
@ -87,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi
You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true).
You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.
> [!TIP] > [!TIP]
> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. > Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action.
@ -125,7 +125,7 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
7. Select **Enabled** to enable PUA protection. 7. Select **Enabled** to enable PUA protection.
8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. 8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**.
9. Deploy your Group Policy object as you usually do. 9. Deploy your Group Policy object as you usually do.
@ -134,25 +134,25 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw
##### To enable PUA protection ##### To enable PUA protection
```PowerShell ```PowerShell
Set-MpPreference -PUAProtection enable Set-MpPreference -PUAProtection Enabled
``` ```
Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled.
##### To set PUA protection to audit mode ##### To set PUA protection to audit mode
```PowerShell ```PowerShell
Set-MpPreference -PUAProtection auditmode Set-MpPreference -PUAProtection AuditMode
``` ```
Setting `AuditMode` will detect PUAs without blocking them. Setting `AuditMode` detects PUAs without blocking them.
##### To disable PUA protection ##### To disable PUA protection
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
```PowerShell ```PowerShell
Set-MpPreference -PUAProtection disable Set-MpPreference -PUAProtection Disabled
``` ```
Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
@ -160,6 +160,23 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune.
You can also use the ``Get-MpThreat`` cmdlet to view threats that Defender handled.
```console
CategoryID : 27
DidThreatExecute : False
IsActive : False
Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/
fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714}
RollupStatus : 33
SchemaVersion : 1.0.0.0
SeverityID : 1
ThreatID : 213927
ThreatName : PUA:Win32/InstallCore
TypeID : 0
PSComputerName :
```
You can turn on email notifications to receive mail about PUA detections. You can turn on email notifications to receive mail about PUA detections.
See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.