Update defender-endpoint-false-positives-negatives.md

windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md

@@ -177,7 +177,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
 
 | Indicator type | Prerequisites |
 |:----|:----|
-|**Files** <p>Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. <p> **[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** <p>The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action <p>Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications. <p>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes.  | Microsoft Defender Antivirus with cloud-based protection enabled. <p>Antimalware client version: 4.18.1901.x or later. <p>Devices are running one of the following versions of Windows:<br/>- Windows 10, version 1703 or later<br/>- Windows Server 2016<br/>- Windows Server 2019 <p> [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | 
+|**Files** <p>Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. <p> **[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** <p>The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action <p>Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications. <p>Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.  | Microsoft Defender Antivirus with cloud-based protection enabled. <p> Antimalware client version: 4.18.1901.x or later. <p>Devices are running one of the following versions of Windows:<br/>- Windows 10, version 1703 or later<br/>- Windows Server 2016<br/>- Windows Server 2019 <p> [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | 
 | **IP addresses and URLs** <p>Full URL path blocks can be applied on the domain level and all unencrypted URLs <p>IP is supported for all three protocols <p>**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** <p>Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.<p>There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. <p>Only single IP addresses are supported (no CIDR blocks or IP ranges) <p>Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge) <p>Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)<p>Antimalware client version: 4.18.1906.x or later. <p>Devices are running Windows 10, version 1709 or later <p>Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).)   |
 | **Certificates** <p>`.CER` or `.PEM` file extensions are supported. <p>**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** <p>A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. <p>Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities). <p>The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.<p>Microsoft signed certificates cannot be blocked. <p>It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)<p>Antimalware client version: 4.18.1901.x or later. <p>Devices are running one of the following versions of Windows:<br/>- Windows 10, version 1703 or later<br/>- Windows Server 2016<br/>- Windows Server 2019 <p>Virus and threat protection definitions are up to date. |