From 003fa45ee738cf8943b00c22c900617d1f7d39e5 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 5 Aug 2019 17:39:08 -0400 Subject: [PATCH 01/19] linted --- ...ntially-unwanted-apps-windows-defender-antivirus.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 1fbf4b6b35..b7c966b9dd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -41,13 +41,13 @@ These applications can increase the risk of your network being infected with mal Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantined. -When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). +When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## View PUA events -PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune. +PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune. You can turn on email notifications for PUA detections. 
@@ -61,11 +61,11 @@ You can also use the PUA audit mode to detect PUA without blocking them. The det This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -**Use Intune to configure PUA protection** +### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Use Configuration Manager to configure PUA protection:** +### Use Configuration Manager to configure PUA protection PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. @@ -98,7 +98,7 @@ Use the following cmdlet: Set-MpPreference -PUAProtection ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. +Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. Setting `AuditMode` will detect PUAs but will not block them. From 2f3117a01acf20dab29b11528cae5af54c8032c6 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 5 Aug 2019 18:09:08 -0400 Subject: [PATCH 02/19] some revions to wording before updates --- ...nwanted-apps-windows-defender-antivirus.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index b7c966b9dd..763066b61a 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -24,42 +24,42 @@ manager: dansimp The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. -These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. +These applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect their performance or use. _PUA_ can also refer to an application that has a poor reputation, due to certain kinds of undesirable behavior. Typical PUA behavior includes: -- Various types of software bundling - Ad injection into web browsers +- Various types of software bundling - Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs) -These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. +These applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning up the applications. ->[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm that the feature is working, and see how it works. ## How it works -Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. 
Blocked PUA files are then moved to quarantined. +Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). +When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections, though prefaced with _PUA:_. -They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). +The notification will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## View PUA events -PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune. +PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. -You can turn on email notifications for PUA detections. +You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. ## Configure PUA protection -You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or PowerShell cmdlets. +You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. -You can also use the PUA audit mode to detect PUA without blocking them. 
The detections will be captured in the Windows event log. +You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. -This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. ### Use Intune to configure PUA protection 
@@ -67,20 +67,20 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic ### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. +PUA protection is enabled by default in the System Center Configuration Manager (current branch), starting with version 1606. See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. +> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. -**Use Group Policy to configure PUA protection:** +**Use Group Policy to configure PUA protection** -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. 3. Expand the tree to **Windows components > Windows Defender Antivirus**. 
@@ -100,7 +100,7 @@ Set-MpPreference -PUAProtection Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. -Setting `AuditMode` will detect PUAs but will not block them. +Setting `AuditMode` will detect PUAs without blocking them. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. From b1b91200a6a2c538efbeb78383a36b44da970cbd Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 6 Aug 2019 14:50:39 -0400 Subject: [PATCH 03/19] added info on URL started section on allow lists --- ...nwanted-apps-windows-defender-antivirus.md | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 763066b61a..2f0f4228e5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -24,26 +24,28 @@ manager: dansimp The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. -These applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect their performance or use. _PUA_ can also refer to an application that has a poor reputation, due to certain kinds of undesirable behavior. +These applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect their performance or use. _PUA_ can also refer to a application that has a poor reputation, due to certain kinds of undesirable behavior. Typical PUA behavior includes: - Ad injection into web browsers - Various types of software bundling -- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs) +- Driver and registry optimizers that detect issues, request payment to fix the errors, and then make no changes or optimizations (also known as "rogue antivirus" programs) -These applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning up the applications. +These applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning up after them. > [!TIP] > You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm that the feature is working, and see how it works. ## How it works -Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. 
+PUAs may operate entirely on a local machine, or rely on remote resources located at an outside URL. PUA protection protects you both from local files, and from URLs associated with potentially unwanted behavior. -When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections, though prefaced with _PUA:_. +Windows Defender Antivirus blocks detected PUA files and URLs, and any attempts to download, move, run, visit, or install them. Blocked PUA files are then moved to quarantine. Requests to blocked URLs are denied. -The notification will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). +When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. + +The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## View PUA events @@ -51,7 +53,7 @@ PUA events are reported in the Windows Event Viewer, but not in System Center Co You can turn on email notifications to receive mail about PUA detections. -See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. +See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. ## Configure PUA protection 
@@ -76,7 +78,7 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat > [!NOTE] > PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. -**Use Group Policy to configure PUA protection** +### Use Group Policy to configure PUA protection 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. @@ -104,6 +106,10 @@ Setting `AuditMode` will detect PUAs without blocking them. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +## Allow-listing apps + +Sometimes a file or URL is erroneously blocked by PUA protection, or a feature of a PUA is actually required to complete a task. In these cases, a file or URL can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files and URLs which are currently blocked by PUA protection. + ## Related topics - [Next gen protection](windows-defender-antivirus-in-windows-10.md) From 4ca189437bb6598ab8bcf1ed54d81607732f003b Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 8 Aug 2019 12:33:06 -0400 Subject: [PATCH 04/19] slight edit --- ...potentially-unwanted-apps-windows-defender-antivirus.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 2f0f4228e5..dc245887ab 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -39,9 +39,12 @@ These applications can increase the risk of your network being infected with act ## How it works -PUAs may operate entirely on a local machine, or rely on remote resources located at an outside URL. PUA protection protects you both from local files, and from URLs associated with potentially unwanted behavior. +PUAs may operate entirely on a local machine, or rely on remote resources located at an outside URL. PUA protection protects you both from local files. and from URLs associated with potentially unwanted behavior. -Windows Defender Antivirus blocks detected PUA files and URLs, and any attempts to download, move, run, visit, or install them. Blocked PUA files are then moved to quarantine. Requests to blocked URLs are denied. +> [!TIP] +> If you are running a version of Edge that is Chromium-based, PUA protection will also block URLs associated with potentially unwanted activities. + +Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, visit, or install them. Blocked PUA files are then moved to quarantine. When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. 
From 77909e5bd99794c68e4580f98938139a3c96fede Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 8 Aug 2019 13:43:49 -0400 Subject: [PATCH 05/19] linting smart screen doc removed link to itpro contribution doc -- we already include a contribute link in the footer of every doc page --- .../windows-defender-smartscreen-overview.md | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index 027d92a3b4..c6c40e0048 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -15,6 +15,7 @@ ms.author: mjcaparas --- # Windows Defender SmartScreen + **Applies to:** - Windows 10 @@ -30,7 +31,7 @@ Windows Defender SmartScreen helps to protect your employees if they try to visi **SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** -- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. +- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. - Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution. 
@@ -38,6 +39,7 @@ Windows Defender SmartScreen helps to protect your employees if they try to visi >Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and Windows SmartScreen when used outside of the browser. ## Benefits of Windows Defender SmartScreen + Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) 
@@ -51,27 +53,24 @@ Windows Defender SmartScreen helps to provide an early warning system against we - **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). ## Viewing Windows Defender SmartScreen anti-phishing events + When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). - ## Viewing Windows event logs for SmartScreen + SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer. > [!NOTE] > For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1). -|EventID | Description | -| :---: | :---: | -|1000 | Application SmartScreen Event| -|1001 | Uri SmartScreen Event| -|1002 | User Decision SmartScreen Event| +EventID | Description | +-|- +1000 | Application SmartScreen Event +1001 | Uri SmartScreen Event +1002 | User Decision SmartScreen Event ## Related topics + - [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) - - [Threat protection](../index.md) - - [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). 
From 32b9845ef6fe4446f451cd18ca2e4eda613008e2 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 8 Aug 2019 15:11:48 -0400 Subject: [PATCH 06/19] accounting for juli hooper's edits --- ...y-unwanted-apps-windows-defender-antivirus.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index dc245887ab..d797cbe6c7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -32,19 +32,19 @@ Typical PUA behavior includes: - Various types of software bundling - Driver and registry optimizers that detect issues, request payment to fix the errors, and then make no changes or optimizations (also known as "rogue antivirus" programs) -These applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning up after them. +These applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. > [!TIP] -> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm that the feature is working, and see how it works. +> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm that the feature is working, and see it in action. ## How it works -PUAs may operate entirely on a local machine, or rely on remote resources located at an outside URL. PUA protection protects you both from local files. and from URLs associated with potentially unwanted behavior. +PUAs may operate entirely on a local machine, or rely on remote resources located at an outside URL. PUA protection protects you from local files. > [!TIP] > If you are running a version of Edge that is Chromium-based, PUA protection will also block URLs associated with potentially unwanted activities. -Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, visit, or install them. Blocked PUA files are then moved to quarantine. +Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. 
When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. @@ -111,7 +111,13 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use ## Allow-listing apps -Sometimes a file or URL is erroneously blocked by PUA protection, or a feature of a PUA is actually required to complete a task. In these cases, a file or URL can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files and URLs which are currently blocked by PUA protection. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection. + +## URL blocking + +URL blocking is a new feature, exclusive to Chromium-based builds of the Edge web browser. URL blocking is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). You can configure it by [...] + +If you have a Chromium-based version of Edge, you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. ## Related topics From d94444474a2b5eca0ef6886f10908b9a42e38f5f Mon Sep 17 00:00:00 2001 
From: martyav Date: Thu, 8 Aug 2019 16:22:21 -0400 Subject: [PATCH 07/19] added bullet point about pua feature --- .../windows-defender-smartscreen-overview.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index c6c40e0048..64e85b1eb0 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md 
@@ -21,26 +21,26 @@ ms.author: mjcaparas - Windows 10 - Windows 10 Mobile -Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. +Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files. **SmartScreen determines whether a site is potentially malicious by:** -- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution. +- Analyzing visited webpages, looking for indications of suspicious behavior. If SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. -- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. +- Checking visited sites against a dynamic list of reported phishing and malicious software sites. If SmartScreen finds a match, it will show a warning indicating that the site might be malicious. **SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** -- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. +- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If SmartScreen finds a match, it will show a warning indicating that the site might be malicious. -- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution. 
+- Checking downloaded files against a list of files that are well-known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution. - >[!NOTE] - >Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and Windows SmartScreen when used outside of the browser. + > [!NOTE] + > Before Windows 10, version 1703, this feature was called _the SmartScreen Filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser. ## Benefits of Windows Defender SmartScreen -Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: +Windows Defender SmartScreen provides an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) From ab0b968420fcf3195c55f2be7450b12914f8b9e3 Mon Sep 17 00:00:00 2001 
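Review bot: In PATCH 07/19, the first bullet under "downloaded app or app installer" still ends with "a warning indicating that the site might be malicious", although the check it describes is on a downloaded file; suggest "that the file might be malicious". The subject says a PUA bullet was added, but all eight changed lines are copy edits and the bullet itself arrives in PATCH 08/19, so reword the subject or move the bullet into this commit. Minor: "files that are well-known" hyphenates a predicate adjective; the original "well known" was correct.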
From: martyav Date: Fri, 9 Aug 2019 10:53:12 -0400 Subject: [PATCH 08/19] meta data --- ...tentially-unwanted-apps-windows-defender-antivirus.md | 1 + .../windows-defender-smartscreen-overview.md | 9 ++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index d797cbe6c7..e4363b8e32 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp +audience: ITPro ms.date: 10/02/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index 64e85b1eb0..ea863f2a7d 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -7,11 +7,12 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: mjcaparas +ms.author: macapara +audience: ITPro ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: manager: dansimp -ms.author: mjcaparas --- # Windows Defender SmartScreen 
@@ -40,7 +41,7 @@ Windows Defender SmartScreen protects against phishing or malware websites, and ## Benefits of Windows Defender SmartScreen -Windows Defender SmartScreen provides an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: +Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) 
@@ -52,6 +53,8 @@ Windows Defender SmartScreen provides an early warning system against websites t - **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). +- **Blocking URLs associated with potentially unwanted applications.** When running Chromium-based builds of Edge, SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). + ## Viewing Windows Defender SmartScreen anti-phishing events When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). @@ -63,7 +66,7 @@ SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Even > [!NOTE] > For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1). -EventID | Description | +EventID | Description -|- 1000 | Application SmartScreen Event 1001 | Uri SmartScreen Event From a6b8bf8e3039d7a70e5445c0d2db2bef5521c9da Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 26 Aug 2019 13:26:49 -0400 Subject: [PATCH 09/19] updated references to Chromium --- ...-potentially-unwanted-apps-windows-defender-antivirus.md | 6 +++--- .../windows-defender-smartscreen-overview.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
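Review bot: In PATCH 08/19, the hunk at -40,7 of windows-defender-smartscreen-overview.md turns "Windows Defender SmartScreen provides an early warning system" into "Windows Defender SmartScreen provide an early warning system", which breaks subject-verb agreement and undoes the wording from PATCH 07/19; restore "provides". The same commit, titled "meta data", also adds the "Blocking URLs associated with potentially unwanted applications" bullet, a content change that would be easier to review and revert in its own commit.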
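Review bot: In the front-matter hunk of windows-defender-smartscreen-overview.md (PATCH 08/19), ms.author changes from mjcaparas to macapara while author stays mjcaparas. If macapara is the intended alias, say so in the commit message so the mismatch between the two fields is not read as a typo later.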
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index e4363b8e32..f5817f0d5e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -43,7 +43,7 @@ These applications can increase the risk of your network being infected with act PUAs may operate entirely on a local machine, or rely on remote resources located at an outside URL. PUA protection protects you from local files. > [!TIP] -> If you are running a version of Edge that is Chromium-based, PUA protection will also block URLs associated with potentially unwanted activities. +> If you are running the next major version of Microsoft Edge, which is Chromium-based, PUA protection will also block URLs associated with potentially unwanted activities. Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. 
@@ -116,9 +116,9 @@ Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA ## URL blocking -URL blocking is a new feature, exclusive to Chromium-based builds of the Edge web browser. URL blocking is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). You can configure it by [...] +URL blocking is a new feature, exclusive to the next major version of Microsoft Edge, which is Chromium-based. URL blocking is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). You can configure it by [...] -If you have a Chromium-based version of Edge, you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. +If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index ea863f2a7d..de3eeba6e3 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md 
@@ -53,7 +53,7 @@ Windows Defender SmartScreen provide an early warning system against websites th - **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). -- **Blocking URLs associated with potentially unwanted applications.** When running Chromium-based builds of Edge, SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +- **Blocking URLs associated with potentially unwanted applications.** When running the next major version of Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). ## Viewing Windows Defender SmartScreen anti-phishing events From 751e00c3420534b43ffc5e5a3b75b53ebecc13f5 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 26 Aug 2019 15:35:07 -0400 Subject: [PATCH 10/19] added description of how to turn on pua protection in edge --- ...tentially-unwanted-apps-windows-defender-antivirus.md | 9 +++++++-- .../windows-defender-smartscreen-overview.md | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) 
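Review bot: PATCH 09/19 now names the browser three ways: "the next major version of Microsoft Edge, which is Chromium-based", "Microsoft Edge (Chromium-based)" and "the next major version of Microsoft Edge (based on Chromium)". Pick one form for the first mention and one short form for later mentions, and use them in both files. In the URL blocking hunk, the sentence "You can configure it by [...]" is carried over unfinished; complete it or drop it before this ships.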
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index f5817f0d5e..d0d625f44e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -116,9 +116,14 @@ Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA ## URL blocking -URL blocking is a new feature, exclusive to the next major version of Microsoft Edge, which is Chromium-based. URL blocking is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). You can configure it by [...] +URL blocking is a new feature, exclusive to the next major version of Microsoft Edge, which is Chromium-based and currently in public preview. URL blocking is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). This feature is off by default, but can easily be turned on in Microsoft Edge (Chromium-based). -If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. +1. From the tool bar, select **Settings and more** > **Settings** +1. Select **Privacy and services** +1. Under the **Services** section, you can toggle **Poentially unwanted app blocking** on or off + +> [!TIP] +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. ## Related topics 
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index de3eeba6e3..475ce2cff3 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -53,7 +53,7 @@ Windows Defender SmartScreen provide an early warning system against websites th - **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). -- **Blocking URLs associated with potentially unwanted applications.** When running the next major version of Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). ## Viewing Windows Defender SmartScreen anti-phishing events From d2bb285a61f06f20555c5fea02591373f310d188 Mon Sep 17 00:00:00 2001 
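Review bot: In PATCH 10/19, step 3 of the new list in the URL blocking section misspells the setting as "Poentially unwanted app blocking"; it should read "Potentially unwanted app blocking" so readers can match it to the label in the browser. The three steps also lack closing periods, and the TIP still refers to "one of our Windows Defender SmartScreen demo pages" without linking to one.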
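Review bot: In the windows-defender-smartscreen-overview.md hunk of PATCH 10/19, "SmartScreen will blocks URLs" is ungrammatical; use "SmartScreen blocks URLs" or "SmartScreen will block URLs".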
From: martyav Date: Mon, 16 Sep 2019 10:27:00 -0400 Subject: [PATCH 11/19] updated per discussion w J Hooper & M Esquivel --- ...nwanted-apps-windows-defender-antivirus.md | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index d0d625f44e..3b4452b416 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -22,28 +22,37 @@ manager: dansimp **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Edge on Windows 10](https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge) The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. -These applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect their performance or use. _PUA_ can also refer to a application that has a poor reputation, due to certain kinds of undesirable behavior. +These applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. -Typical PUA behavior includes: +These kinds of undesirable PUA behavior include: - Ad injection into web browsers - Various types of software bundling - Driver and registry optimizers that detect issues, request payment to fix the errors, and then make no changes or optimizations (also known as "rogue antivirus" programs) -These applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. +Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. > [!TIP] > You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm that the feature is working, and see it in action. 
## How it works -PUAs may operate entirely on a local machine, or rely on remote resources located at an outside URL. PUA protection protects you from local files. +### Microsoft Edge -> [!TIP] -> If you are running the next major version of Microsoft Edge, which is Chromium-based, PUA protection will also block URLs associated with potentially unwanted activities. +The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. + +1. From the tool bar, select **Settings and more** > **Settings** +1. Select **Privacy and services** +1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off + +> [!TIP] +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. + +### Windows Defender Antivirus Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. 
@@ -114,17 +123,6 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection. -## URL blocking - -URL blocking is a new feature, exclusive to the next major version of Microsoft Edge, which is Chromium-based and currently in public preview. URL blocking is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). This feature is off by default, but can easily be turned on in Microsoft Edge (Chromium-based). - -1. From the tool bar, select **Settings and more** > **Settings** -1. Select **Privacy and services** -1. Under the **Services** section, you can toggle **Poentially unwanted app blocking** on or off - -> [!TIP] -> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. - ## Related topics - [Next gen protection](windows-defender-antivirus-in-windows-10.md) From 5f7ef511cfd55cb5d343bcf11ce3c761cc6539de Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 16 Sep 2019 10:57:25 -0400 Subject: [PATCH 12/19] some updates to heading levels + select used in preference to click --- ...nwanted-apps-windows-defender-antivirus.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) 
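Review bot: In PATCH 11/19, the new "### Microsoft Edge" section drops the "currently in public preview" qualifier that the removed "## URL blocking" section carried, so the text now reads as if the feature has shipped; keep the preview status if it still applies. The relocated TIP still mentions "one of our Windows Defender SmartScreen demo pages" without a link, and the new "Applies to" link hard-codes the "/en-us/" locale, unlike the docs.microsoft.com/intune links elsewhere in this file.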
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 3b4452b416..e05955986d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -26,7 +26,7 @@ manager: dansimp The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. -These applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. +Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. These kinds of undesirable PUA behavior include: @@ -60,7 +60,7 @@ When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notifi The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). -## View PUA events +#### View PUA events PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. 
@@ -68,7 +68,7 @@ You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. -## Configure PUA protection +#### Configure PUA protection You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. @@ -76,11 +76,11 @@ You can also use the PUA audit mode to detect PUAs without blocking them. The de PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -### Use Intune to configure PUA protection +##### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -### Use Configuration Manager to configure PUA protection +##### Use Configuration Manager to configure PUA protection PUA protection is enabled by default in the System Center Configuration Manager (current branch), starting with version 1606. 
@@ -91,21 +91,21 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat > [!NOTE] > PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. -### Use Group Policy to configure PUA protection +##### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Windows Defender Antivirus**. 4. Double-click **Configure protection for potentially unwanted applications**. -5. Click **Enabled** to enable PUA protection. +5. Select **Enabled** to enable PUA protection. -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Click **OK**. +6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. -**Use PowerShell cmdlets to configure PUA protection:** +##### Use PowerShell cmdlets to configure PUA protection Use the following cmdlet: 
@@ -119,7 +119,7 @@ Setting `AuditMode` will detect PUAs without blocking them. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. -## Allow-listing apps +#### Allow-listing apps Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection. From 7bdb116ceb2b496c6ecf8e5a232a75219ada3ebb Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 16 Sep 2019 10:58:55 -0400 Subject: [PATCH 13/19] moved line about wdav down to wdav section --- ...ck-potentially-unwanted-apps-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index e05955986d..ec20c965e7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
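Review bot: In PATCH 12/19, demoting these headings places "Configure PUA protection", "View PUA events" and "Allow-listing apps" under "## How it works" and "### Windows Defender Antivirus", and pushes the per-tool procedures down to a fifth heading level (#####). Configuration and event viewing are not "how it works" material; consider a separate "##" section for them so the procedures stay at "###". The click-to-select change also leaves "right-click" in step 1 and "Double-click" in step 4 of the Group Policy procedure; confirm those are meant to stay.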
@@ -24,8 +24,6 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Edge on Windows 10](https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge) -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. - Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. These kinds of undesirable PUA behavior include: @@ -54,6 +52,8 @@ The next major version of Microsoft Edge, which is Chromium-based, blocks potent ### Windows Defender Antivirus +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. + Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. From da317f29456aa066061b7e085846d1b798114709 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 17 Sep 2019 11:28:38 -0400 Subject: [PATCH 14/19] forcing another build - task was terminated on the server --- ...lock-potentially-unwanted-apps-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
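Review bot: In PATCH 13/19, moving the sentence "The potentially unwanted application (PUA) protection feature ..." below "### Windows Defender Antivirus" removes the only place where the abbreviation is expanded before it is used; the introduction now says "_PUA_ can also refer to" and "undesirable PUA behavior" with no definition above them. Introduce the abbreviation in the opening paragraph, for example "Potentially unwanted applications (PUAs) are not considered ...".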
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index ec20c965e7..9479653966 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -24,7 +24,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Edge on Windows 10](https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge) -Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. +Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. These kinds of undesirable PUA behavior include: From 4db2a774123983550af53d166ad2c90d50d50b8e Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 18 Sep 2019 11:24:40 -0400 Subject: [PATCH 15/19] implemented some advice from meeting with juli/matt --- ...nwanted-apps-windows-defender-antivirus.md | 29 ++++++++++--------- 1 file changed, 16 insertions(+), 13 deletions(-) 
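Review bot: PATCH 14/19 changes reader-facing wording ("that adversely affect" to "which adversely affect") only to retrigger a build, per its subject. An empty commit (git commit --allow-empty) would normally restart the build without touching the text; if the edit stays, "that" is the better choice for this restrictive clause.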
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 9479653966..631a48df1a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Edge on Windows 10](https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge) +- [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge) Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. @@ -34,9 +34,6 @@ These kinds of undesirable PUA behavior include: Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. -> [!TIP] -> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm that the feature is working, and see it in action. - ## How it works ### Microsoft Edge 
@@ -52,7 +49,10 @@ The next major version of Microsoft Edge, which is Chromium-based, blocks potent ### Windows Defender Antivirus -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. + +> [!NOTE] +> This feature is only available in Windows 10. Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. @@ -60,20 +60,15 @@ When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notifi The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). -#### View PUA events - -PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. - -You can turn on email notifications to receive mail about PUA detections. - -See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. - #### Configure PUA protection You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. +> [!TIP] +> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. + PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. ##### Use Intune to configure PUA protection 
@@ -119,6 +114,14 @@ Setting `AuditMode` will detect PUAs without blocking them. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +#### View PUA events + +PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. + +You can turn on email notifications to receive mail about PUA detections. + +See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. + #### Allow-listing apps Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection. From 5acde849e8646768dabef2e30295e2a3951f0629 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 19 Sep 2019 12:39:53 -0400 Subject: [PATCH 16/19] distinguishing wdav from edge pua protection --- ...y-unwanted-apps-windows-defender-antivirus.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 631a48df1a..7572d8de93 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -38,18 +38,24 @@ Potentially unwanted applications can increase the risk of your network being in ### Microsoft Edge -The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. +The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). + +#### Enable PUA protection in Chromium-based Microsoft Edge + +Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. 1. From the tool bar, select **Settings and more** > **Settings** 1. Select **Privacy and services** 1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off -> [!TIP] +> [!TIP] > If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. + + ### Windows Defender Antivirus -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] > This feature is only available in Windows 10. 
@@ -60,7 +66,7 @@ When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notifi The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). -#### Configure PUA protection +#### Configure PUA protection in Windows Defender Antivirus You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. @@ -124,7 +130,7 @@ See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for det #### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. ## Related topics From ae91bac1234cb8566df5aa7658a683d73ea6ba8e Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 19 Sep 2019 12:42:57 -0400 Subject: [PATCH 17/19] another disambiguation --- ...lock-potentially-unwanted-apps-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 7572d8de93..d1a9bb41d7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -90,7 +90,7 @@ See [How to create and deploy antimalware policies: Scheduled scans settings](ht For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. +> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager. ##### Use Group Policy to configure PUA protection From cb68a68b0e7667f1806521be7c2869919dc2756b Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 26 Sep 2019 16:26:07 -0400 Subject: [PATCH 18/19] added examples and link to criteria page on pua --- ...ntially-unwanted-apps-windows-defender-antivirus.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index d1a9bb41d7..059d6681dd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -26,11 +26,13 @@ manager: dansimp Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. -These kinds of undesirable PUA behavior include: +For example: -- Ad injection into web browsers -- Various types of software bundling -- Driver and registry optimizers that detect issues, request payment to fix the errors, and then make no changes or optimizations (also known as "rogue antivirus" programs) +* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages. +* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. + +For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. From f60604877eeb303e89eb4872566470da1fb4a837 Mon Sep 17 00:00:00 2001 
From: Clay Detels Date: Wed, 30 Oct 2019 08:27:28 -0700 Subject: [PATCH 19/19] Update detect-block-potentially-unwanted-apps-windows-defender-antivirus.md --- ...ck-potentially-unwanted-apps-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 059d6681dd..20f5db2632 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge) +- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. 
@@ -132,7 +132,7 @@ See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for det #### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. ## Related topics
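Review bot: In the hunk at `@@ -24,7 +24,7 @@` (index ec20c965e7..9479653966), changing "that adversely affect" to "which adversely affect" goes the wrong way for a restrictive clause. The clause defines which actions are meant, so "that" is the clearer choice. Either keep "that", or add a comma before "which" if the clause is meant to be non-restrictive.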
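Review bot: In PATCH 15/19, hunk `@@ -52,7 +49,10 @@`, the relocated `[!TIP]` lands between "The detections will be captured in the Windows event log." and "PUA audit mode is useful if your company is conducting...", which splits the two audit-mode paragraphs. Move the tip above "You can also use the PUA audit mode" or below the audit-mode paragraph. The link target also changed from the site root to `/Page/UrlRep`. Since the tip now sits under the antivirus configuration heading, please confirm that page exercises Windows Defender Antivirus PUA blocking and not only URL blocking.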
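Review bot: In PATCH 15/19, hunk `@@ -119,6 +114,14 @@`, the moved "View PUA events" section says "You can turn on email notifications to receive mail about PUA detections" without naming or linking where that is configured. Add the link or the setting name. The section now follows the `AuditMode` instructions, so it should also state whether audit-mode detections are recorded under the same event ID **1160** as blocked ones.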
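Review bot: In PATCH 16/19, hunk `@@ -38,18 +38,24 @@`, the tip under the new "Enable PUA protection in Chromium-based Microsoft Edge" heading sends readers to "one of our Windows Defender SmartScreen demo pages" but carries no link, so there is nothing to test against. Link the demo page in the tip. The hunk also adds two consecutive empty lines before `### Windows Defender Antivirus`; one is enough.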
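Review bot: In PATCH 17/19, hunk `@@ -90,7 +90,7 @@`, the reworded note reads "PUA events blocked by Windows Defender Antivirus", but it is the applications that are blocked, not the events, and in audit mode nothing is blocked at all. Suggest "PUA detections made by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager", which keeps the disambiguation from Microsoft Edge and still covers audit mode.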
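Review bot: In PATCH 18/19, hunk `@@ -26,11 +26,13 @@`, the new "Bundling software" bullet has a subject-verb disagreement: "other software that qualify as PUA" should be "qualifies as PUA". In the "Advertising software" bullet, "inserts advertisements to webpages" reads better as "into webpages". The new list also uses `*` markers while the "Applies to" list in the same file uses `-`; pick one marker so the file stays consistent with the earlier "linted" commit.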
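Review bot: In PATCH 19/19, hunk `@@ -132,7 +132,7 @@`, the allow-listing paragraph still points only to the Configuration Manager 2012 R2 page (`#to-exclude-specific-files-or-folders`), while the file says PUA protection can also be enabled through Intune, Group Policy, or PowerShell. Readers on those paths have no pointer for allowing a blocked file. Either add the equivalent links or say explicitly that the linked procedure applies to Configuration Manager only. Because the linked anchor covers folders as well as files, a sentence recommending the narrowest exclusion that unblocks the needed file would also be worth adding.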