deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update behavioral-blocking-containment.md

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2020-04-28 14:11:30 -07:00
parent 18824c361c
commit d888123d17
1 changed files with 16 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
View File

@ -26,10 +26,20 @@ ms.collection:
## Overview of behavioral blocking and containment
As you know, not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats
Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats
Behavioral blocking and containment capabilities offer protection in all of the following scenarios:
- Client behavioral blocking. Enabled by default, threats that are detected through machine learning are blocked and remediated automatically
- Feedback-loop blocking (also referred to as Rapid Protection). Enabled by default, detections that are assumed to be false negatives are observed through behavioral intelligence.
- On-client, policy driven attack surface reduction rules. When enabled, predefined common attack behaviors are prevented from executing, according to your ASR policies (e.g. no child processes from Office applications). Alerts on attempts to execute these behaviors surface in the Microsoft Defender ATP portal (https://securitycenter.windows.com) as informational alerts.
- Endpoint detection and response (EDR) in block mode. When enabled,
Behavioral blocking and containment capabilities include:
- **Client behavioral blocking**. Enabled by default, threats that are detected through machine learning are blocked and remediated automatically
- **Feedback-loop blocking** (also referred to as rapid protection). Enabled by default, detections that are assumed to be false negatives are observed through behavioral intelligence, and threats are prevented earlier.
- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. When enabled, predefined common attack behaviors are prevented from executing, according to your ASR policies (e.g. no child processes from Office applications). Alerts on attempts to execute these behaviors surface in the Microsoft Defender ATP portal (https://securitycenter.windows.com) as informational alerts.
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. When enabled, blocks malicious artifacts or behaviors that are observed through post-breach protection, even if Windows Defender Antivirus is not the primary antivirus solution.
## Related articles
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
- [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)