You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/indicator-file.md
+8-7Lines changed: 8 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
6
6
ms.author: deniseb
7
7
author: denisebmsft
8
8
ms.localizationpriority: medium
9
-
ms.date: 03/04/2025
9
+
ms.date: 05/16/2025
10
10
manager: deniseb
11
11
audience: ITPro
12
12
ms.collection:
@@ -58,7 +58,7 @@ Understand the following prerequisites before you create indicators for files:
58
58
- This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode)
59
59
- The antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
60
60
- This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, Windows Server 2022, and Windows Server 2025.
61
-
- File hash computation is enabled, by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\` to **Enabled**
61
+
- File hash computation is enabled by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable File Hash Computation` to **Enabled**. Or, you can run the following PowerShell command: `Set-MpPreference -EnableFileHashComputation $true`
62
62
63
63
> [!NOTE]
64
64
> File indicators support portable executable (PE) files, including `.exe` and `.dll` files only.
@@ -91,9 +91,6 @@ Understand the following prerequisites before you create indicators for files:
91
91
- Action: Specify the action to be taken and provide a description.
92
92
- Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)).
93
93
94
-
> [!NOTE]
95
-
> Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2
96
-
97
94
5. Review the details in the Summary tab, then select **Save**.
98
95
99
96
## Create a contextual indicator from the file details page
@@ -124,7 +121,7 @@ The current supported actions for file IOC are allow, audit and block, and remed
124
121
:::image type="content" source="media/indicators-generate-alert.png" alt-text="The Alert settings for file indicators" lightbox="media/indicators-generate-alert.png":::
125
122
126
123
> [!IMPORTANT]
127
-
> - Typically, file blocks are enforced and removed within15 minutes, average 30 minutes but can take upwards of 2 hours.
124
+
> - Typically, file blocks are enforced and removed within 15 minutes, average 30 minutes but can take upwards of 2 hours.
128
125
> - If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash
129
126
IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
130
127
> - In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
@@ -147,7 +144,7 @@ Timestamp > ago(30d)
147
144
148
145
For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview).
149
146
150
-
Here are other thread names that can be used in the sample query:
147
+
Here are other threat names that can be used in the sample query:
0 commit comments