From 54e98e1350b1a58d3387d5cadb6d62ca7db52b10 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Mon, 20 May 2019 01:33:49 -0500 Subject: [PATCH 1/6] Adding note to be explicit what is the requiremet on issue #3499 --- ...-connections-windows-defender-antivirus.md | 101 ++---------------- 1 file changed, 11 insertions(+), 90 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index b895c48fac..4ce668c163 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -46,97 +46,18 @@ After you've enabled the service, you may need to configure your network or fire The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ServiceDescriptionURL
- Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS) - - Used by Windows Defender Antivirus to provide cloud-delivered protection - -*.wdcp.microsoft.com
-*.wdcpalt.microsoft.com
-*.wd.microsoft.com -
-Microsoft Update Service (MU) - -Security intelligence and product updates - -*.update.microsoft.com -
- Security intelligence updates alternate download location (ADL) - - Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence falls out of date (7 or more days behind) - -*.download.microsoft.com -
- Malware submission storage - - Upload location for files submitted to Microsoft via the Submission form or automatic sample submission - -*.blob.core.windows.net -
-Certificate Revocation List (CRL) - -Used by Windows when creating the SSL connection to MAPS for updating the CRL - -http://www.microsoft.com/pkiops/crl/
-http://www.microsoft.com/pkiops/certs
-http://crl.microsoft.com/pki/crl/products
-http://www.microsoft.com/pki/certs - -
-Symbol Store - -Used by Windows Defender Antivirus to restore certain critical files during remediation flows - -https://msdl.microsoft.com/download/symbols -
-Universal Telemetry Client - -Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes - -This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
  • vortex-win.data.microsoft.com
  • settings-win.data.microsoft.com
+| **Service**| **Description** |**URL** | +| :--: | :-- | :-- | +| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com| +| *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com| +| *Security intelligence updates alternate download location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence falls out of date (7 or more days behind)| *.download.microsoft.com| +| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission |*.blob.core.windows.net| +| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs | +| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | +| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com| - +>[!IMPORTANT] +> As a cloud service is required that the computer has access to internet the firewall and traffic can hit the ATP, machine learning services. ## Validate connections between your network and the cloud From bb8b410dcfe09b531d84a5bc6bc03d88564d5049 Mon Sep 17 00:00:00 2001 
From: Jose Gabriel Ortega Castro Date: Mon, 20 May 2019 11:30:39 -0500 Subject: [PATCH 2/6] Update windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../configure-network-connections-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 4ce668c163..a813754eb6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -50,7 +50,7 @@ The following table lists the services and their associated URLs that your netwo | :--: | :-- | :-- | | *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com| | *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com| -| *Security intelligence updates alternate download location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence falls out of date (7 or more days behind)| *.download.microsoft.com| +| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com| | *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission |*.blob.core.windows.net| | *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs | | *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | From 070fe933fa6bbf33a5fd4c139f98f8e3d427ede8 Mon Sep 17 00:00:00 2001 
From: Jose Gabriel Ortega Castro Date: Mon, 20 May 2019 11:30:50 -0500 Subject: [PATCH 3/6] Update windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../configure-network-connections-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index a813754eb6..8e45b295fb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -57,7 +57,7 @@ The following table lists the services and their associated URLs that your netwo | *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com| >[!IMPORTANT] -> As a cloud service is required that the computer has access to internet the firewall and traffic can hit the ATP, machine learning services. +> As a cloud service is required so that the computer has access to internet the firewall and traffic can hit the ATP machine learning services. ## Validate connections between your network and the cloud From 22e98446cc274f453a5d9d9f409bc130eb6a9baa Mon Sep 17 00:00:00 2001 
From: Jose Ortega Date: Mon, 27 May 2019 10:01:16 -0500 Subject: [PATCH 4/6] Updated --- .../configure-network-connections-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 4ce668c163..54db13d636 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -57,7 +57,7 @@ The following table lists the services and their associated URLs that your netwo | *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com| >[!IMPORTANT] -> As a cloud service is required that the computer has access to internet the firewall and traffic can hit the ATP, machine learning services. +> As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The following table lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them. ## Validate connections between your network and the cloud From 7fd0521d1b8e4f55c3974fdd852d6db0ab467cd8 Mon Sep 17 00:00:00 2001 
From: Jose Ortega Date: Mon, 27 May 2019 10:03:32 -0500 Subject: [PATCH 5/6] Update Monday --- ...onfigure-network-connections-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 54db13d636..a813754eb6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -50,14 +50,14 @@ The following table lists the services and their associated URLs that your netwo | :--: | :-- | :-- | | *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com| | *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com| -| *Security intelligence updates alternate download location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence falls out of date (7 or more days behind)| *.download.microsoft.com| +| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com| | *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission |*.blob.core.windows.net| | *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs | | *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | | *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com| >[!IMPORTANT] -> As a cloud 
service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The following table lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them. +> As a cloud service is required that the computer has access to internet the firewall and traffic can hit the ATP, machine learning services. ## Validate connections between your network and the cloud From 85ea3d52eae4d81dc9cbd6cbf2b5591ffc790243 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 30 May 2019 23:01:36 -0700 Subject: [PATCH 6/6] Removing important tag and text and rephrasing --- ...nfigure-network-connections-windows-defender-antivirus.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 9079d86f60..70b8c68e19 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -44,7 +44,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: +As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The following table lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them: | **Service**| **Description** |**URL** | @@ -57,9 +57,6 @@ The following table lists the services and their associated URLs that your netwo | *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | | *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com| ->[!IMPORTANT] -> As a cloud service is required that the computer has access to internet the firewall and traffic can hit the ATP, machine learning services. - ## Validate connections between your network and the cloud After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
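Review bot: In PATCH 1/6, the URL column of the new Markdown table puts several hosts in one cell separated only by spaces (`*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com`, and the four CRL URLs), where the removed HTML table had each one on its own line. Readers copy these into firewall allow rules, so each entry should stay distinct: separate them with `<br/>` and wrap each wildcard host in backticks (or escape it as `\*`), since a bare `*` is also Markdown's emphasis marker and its rendering depends on the parser. The same applies to the two telemetry endpoints, which are now an inline `* ... * ...` run instead of a list. In the first column, `*Malware submission storage *` and `*Symbol Store *` have a space before the closing `*`, which stops CommonMark parsers from treating them as emphasis; drop the trailing space.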
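Review bot: In PATCH 3/6, the replacement `+` line in the `[!IMPORTANT]` note still does not parse: "As a cloud service is required so that the computer has access to internet the firewall and traffic can hit the ATP machine learning services" has no clear subject and never states what the administrator must allow. State the requirement directly, for example that computers need internet access and that the firewall must let traffic reach the listed services, and write "the internet".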
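Review bot: In PATCH 4/6, the new note says "The following table lists the services and their associated URLs", but the hunk places it after the last table row (Universal Telemetry Client) and directly before the "Validate connections" heading, so no table follows it. It also repeats the introductory paragraph that already precedes the table. Either move the sentence above the table or shorten the note to the connectivity requirement only. Note also that the index line is based on `4ce668c163`, the result of PATCH 1/6, not on the result of PATCH 3/6, so this patch does not apply on top of patches 2 and 3 as sent.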
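Review bot: In PATCH 5/6, the last `+` line of the hunk restores the original wording "As a cloud service is required that the computer has access to internet the firewall and traffic can hit the ATP, machine learning services", undoing the rewording from PATCH 4/6 and leaving the file at blob `a813754eb6`, the state after PATCH 2/6. If this is a merge resolution, keep the corrected sentence rather than the older one, and replace the subject "Update Monday" with a description of what is being changed.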
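Review bot: In PATCH 6/6, first hunk, the new introduction requires that "the ATP machine learning services are reachable", but no row of the table uses that name, so a reader cannot tell which URLs satisfy the requirement; name the row or rows it refers to, or drop the term. The rewrite also removes the bold from **allow** and the clause "that your network must be able to connect to", which was the only statement that every listed URL is required; consider keeping both.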