From 005bcd9283face7ec6d8d9ee147dd426ba860420 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 23 Apr 2018 14:34:26 -0700 Subject: [PATCH 1/2] Added info about reboot required, plus new topic for restoring quarantined files. --- windows/security/threat-protection/TOC.md | 1 + ...-remediation-windows-defender-antivirus.md | 7 +++ ...ntined-files-windows-defender-antivirus.md | 47 +++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c7591e103c..b808cc230f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -242,6 +242,7 @@ #### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md) #### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md) #### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md) +#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md) ### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 27f2b3e2e4..41eef3f1c0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -65,6 +65,13 @@ Quarantine | Configure removal of items from Quarantine folder | Specify how man Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable +>[!IMPORTANT] +>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additonal remediation steps have been completed. +>

+>If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md). +>

+>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md). + Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md new file mode 100644 index 0000000000..9881b9e0a9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -0,0 +1,47 @@ +--- +title: Restore quarantined files in Windows Defender AV +description: You can restore files and folders that were quarantined by Windows Defender AV. +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 04/23/2018 +--- + +# Restore quarantined files in Windows Defender AV + + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Windows Defender Security Center + +If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender AV quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. + +1. Open **Windows Defender Security Center**. +2. Click **Virus & threat protection** and then click **Scan history**. +3. Under **Quarantined threats**, click **See full history**. +4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.) + +## Related topics + +[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +[Review scan results](review-scan-results-windows-defender-antivirus.md) +[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) +[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) + From 0191ad50f4e9abd0ed1c70bb7e380b4c157f318c Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 23 Apr 2018 15:07:22 -0700 Subject: [PATCH 2/2] Fix formatting and a typo. --- ...configure-remediation-windows-defender-antivirus.md | 2 +- ...ore-quarantined-files-windows-defender-antivirus.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 41eef3f1c0..8fbf0984c3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -66,7 +66,7 @@ Threats | Specify threat alert levels at which default action should not be take Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable >[!IMPORTANT] ->Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additonal remediation steps have been completed. +>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. >

>If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md). >

diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 9881b9e0a9..db4d6528c0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -39,9 +39,9 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y ## Related topics -[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) -[Review scan results](review-scan-results-windows-defender-antivirus.md) -[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +- [Review scan results](review-scan-results-windows-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)