deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update defender-endpoint-false-positives-negatives.md

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2021-01-20 10:58:24 -08:00
parent 5eb90ebe27
commit e8f163965b
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
View File

@ -170,8 +170,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
| Indicator type | Prerequisites | Notes |
|----|----|---|
|Files <p>Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. <p> [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled. <p>Your antimalware client version is must be 4.18.1901.x or later. <p>Your devices are must be running one of the following versions of Windows:<br/>- Windows 10, version 1703 or later<br/>- Windows Server 2016<br/>- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action <p>Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications. <p>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
|Files <p>Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. <p> [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled. <p>Antimalware client version must be 4.18.1901.x or later. <p>Devices are running one of the following versions of Windows:<br/>- Windows 10, version 1703 or later<br/>- Windows Server 2016<br/>- Windows Server 2019 <p> The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action <p>Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications. <p>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
| IP addresses and URLs <p>Full URL path blocks can be applied on the domain level and all unencrypted URLs <p>IP is supported for all three protocols <p>[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)<p>Your antimalware client version must be 4.18.1906.x or later. <p>Your devices must be running Windows 10, version 1709 or later <p>Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.<p>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. <p>Only single IP addresses are supported (no CIDR blocks or IP ranges) <p>Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge) <p>Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
| Certificates <p>`.CER` or `.PEM` file extensions are supported. <p>[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)<p>Your antimalware client version must be 4.18.1901.x or later. <p>Your devices must be running one of the following versions of Windows:<br/>- Windows 10, version 1703 or later<br/>- Windows Server 2016<br/>- Windows Server 2019 <p>Your virus and threat protection definitions must be up to date. |