Merge branch 'main' into pr/3000

Author: denisebmsft

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 02/06/2025
+ms.date: 03/04/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -29,9 +29,6 @@ search.appverid: met150
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Business](/defender-business/mdb-overview)
 
-> [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
 > [!IMPORTANT]
 > In Defender for Endpoint Plan 1 and Defender for Business, you can create an indicator to block or allow a file. In Defender for Business, your indicator is applied across your environment and cannot be scoped to specific devices.
 
@@ -52,37 +49,33 @@ There are three ways you can create indicators for files:
 Understand the following prerequisites before you create indicators for files:
 
 - [Behavior Monitoring is enabled](behavior-monitor.md)
-
 - [Cloud-based protection is turned on](/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus).
-
 - [Cloud Protection network connectivity is functional](configure-network-connections-microsoft-defender-antivirus.md)
-
 - To start blocking files, [turn on the "block or allow" feature](advanced-features.md) in Settings (in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**).
 
 ### Windows prerequisites
 
 - This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode) 
-
-- The Antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
-
+- The antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
 - This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022.
-
 - File hash computation is enabled, by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\` to **Enabled**
 
 > [!NOTE]
 > File indicators support portable executable (PE) files, including `.exe` and `.dll` files only.
 
 ### macOS prerequisites
 
-- [File hash computation is enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line) by running `mdatp config enable-file-hash-computation --value enabled`
-
-### Linux prerequisites
+- Real-time protection (RTP) needs to be active.
+- [File hash computation must be enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line). Run the following command: `mdatp config enable-file-hash-computation --value enabled`
 
-- Available in Defender for Endpoint version 101.85.27 or later.
+> [!NOTE]
+> On Mac, file indicators support Mach-O files (akin to `.exe` and `.dll` in Windows) scripts, such as sh/bash and AppleScript File (`.scpt`) files only.
 
-- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON
+### Linux prerequisites
 
-- Behavior monitoring is preferred, but this will work with any other scan (RTP or Custom).
+- Available in Defender for Endpoint version `101.85.27` or later.
+- [File hash computation must be enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON
+- Behavior monitoring enabled is preferred, but this feature works with any other scan (RTP or Custom).
 
 ## Create an indicator for files from the settings page
 
@@ -95,9 +88,7 @@ Understand the following prerequisites before you create indicators for files:
 4. Specify the following details:
 
    - Indicator: Specify the entity details and define the expiration of the indicator.
-
    - Action: Specify the action to be taken and provide a description.
-   
    - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)).
 
    > [!NOTE]
@@ -156,7 +147,7 @@ Timestamp > ago(30d)
 
 For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview).
 
-Below are other thread names that can be used in the sample query from above:
+Here are other thread names that can be used in the sample query:
 
 Files:
 

defender-endpoint/mac-whatsnew.md

@@ -64,6 +64,18 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
 
+### Mar-2025 (Build: 101.25012.0008  | Release version: 20.125012.7.0)
+
+| Build:             | **101.25012.0008**    |
+|--------------------|-----------------------|
+| Release version:   | **20.125012.7.0**    |
+| Engine version:    | **1.1.25020.3000**      |
+| Signature version: | **1.423.211.0**       |
+
+##### What's new
+
+- Bug fixes and performance improvements
+
 ### Feb-2025 (Build: 101.24122.0011  | Release version: 20.124122.11.0)
 
 | Build:             | **101.24122.0011**    |

defender-endpoint/validate-antimalware.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 01/31/2024
+ms.date: 03/04/2025
 ---
 
 # AV detection test for verifying device's onboarding and reporting services

defender-vulnerability-management/tvm-security-recommendation.md

@@ -10,9 +10,10 @@ audience: ITPro
 ms.collection:
   - m365-security
   - Tier1
-ms.topic: conceptual
+ms.topic: concept-article
 search.appverid: met150
-ms.date: 02/19/2025
+ms.date: 03/04/2025
+#customer intent: Get information on how to view and act on security recommendations in Microsoft Defender Vulnerability Management.
 ---
 
 # Security recommendations
@@ -32,7 +33,7 @@ Cybersecurity weaknesses identified in your organization are mapped to actionabl
 Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
 
 > [!TIP]
-> To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](/defender-endpoint/configure-vulnerability-email-notifications)
+> To get email notifications about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](/defender-endpoint/configure-vulnerability-email-notifications).
 
 ## How it works
 
@@ -51,15 +52,15 @@ Access the Security recommendations page a few different ways:
 
 ### Navigation menu
 
-In the [Microsoft Defender portal](https://security.microsoft.com), go to the **Vulnerability management** navigation menu and select **Recommendations**. 
+In the [Microsoft Defender portal](https://security.microsoft.com), go to **Endpoints** > **Vulnerability management** navigation menu and select **Recommendations**.
 
 The page contains a list of security recommendations for the threats and vulnerabilities found in your organization.
 
 ### Top security recommendations in the vulnerability management dashboard
 
-As a Security Administrator, you can take a look at the [vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
+As a Security Administrator, you can take a look at the [vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
 
-:::image type="content" alt-text="Screenshot of the vulnerability management dashboard with security recommendations highlighted." source="/defender/media/defender-vulnerability-management/top-security-recommendations.png" lightbox="/defender/media/defender-vulnerability-management/top-security-recommendations.png":::
+:::image type="content" alt-text="Screenshot of the vulnerability management dashboard with security recommendations highlighted." source="/defender/media/defender-vulnerability-management/tvm-sec-recommendations-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sec-recommendations.png":::
 
 The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation takes you to the security recommendations page with more details.
 
@@ -72,7 +73,7 @@ The color of the **Exposed devices** graph changes as the trend changes. If the
 > [!NOTE]
 > Vulnerability management shows devices that were in use within the last 30 days. This is different from device status in Defender for Endpoint, where if a device has `Inactive` status if it doesn't communicate with the service for more than seven days.
 
-:::image type="content" alt-text="Screenshot of the security recommendations landing page." source="/defender/media/defender-vulnerability-management/tvm-security-recommendations.png" lightbox="/defender/media/defender-vulnerability-management/tvm-security-recommendations.png":::
+:::image type="content" alt-text="Screenshot of the security recommendations landing page." source="/defender/media/defender-vulnerability-management/tvm-sec-reco-expanded-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sec-reco-expanded.png":::
 
 ### Icons
 
@@ -92,9 +93,9 @@ The impact column shows the potential impact on your exposure score and Secure S
 
 ### Explore security recommendation options
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), select the security recommendation that you want to investigate or process.
+1. Select the security recommendation that you want to investigate or process from the list.
 
-   :::image type="content" alt-text="Example of a security recommendation flyout page." source="/defender/media/defender-vulnerability-management/secrec-flyouteolsw.png" lightbox="/defender/media/defender-vulnerability-management/secrec-flyouteolsw.png":::
+   :::image type="content" alt-text="Example of a security recommendation flyout page." source="/defender/media/defender-vulnerability-management/tvm-sec-reco-flyout-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sec-reco-flyout.png":::
 
 2. In the flyout, you can choose any of the following options:
 
@@ -111,21 +112,21 @@ The impact column shows the potential impact on your exposure score and Secure S
 
 If there's a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Secure Score for Devices, then that security recommendation is worth investigating.
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), select a recommendation, and then select **Open software page**
+1. Select a recommendation, and then select **Open software page**.
 
-2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md)
+2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md).
 
-3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request
+3. Decide how to address the increase or your organization's exposure, like submitting a remediation request.
 
 ### Recommendations on devices
 
 To see the list of security recommendations that apply to a device, follow these steps:
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), in the **Device inventory** page, select a device. 
+1. Navigate to the **Device inventory** through **Assets** > **Devices** navigation menu, then select a device.
 
 2. Select the **Security recommendations** tab to see a list of security recommendations for the device.
 
-   :::image type="content" source="/defender/media/defender-vulnerability-management/security-recommendation-devicepage.png" alt-text="Screenshot of the certificate inventory page" lightbox="/defender/media/defender-vulnerability-management/security-recommendation-devicepage.png":::
+   :::image type="content" source="/defender/media/defender-vulnerability-management/tvm-device-secreco-small.png" alt-text="Screenshot of the certificate inventory page" lightbox="/defender/media/defender-vulnerability-management/tvm-device-secreco.png":::
 
 > [!NOTE]
 > If you have the [Microsoft Defender for IoT](/azure/defender-for-iot/organizations/concept-enterprise/) integration enabled in Defender for Endpoint, recommendations for Enterprise IoT devices that appear on IoT devices tab appears on the security recommendations page. For more information, see [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).
@@ -136,7 +137,7 @@ The vulnerability management remediation capability bridges the gap between Secu
 
 ### How to request remediation
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), select a security recommendation you would like to request remediation for, and then select **Remediation options**. 
+1. Select a security recommendation you would like to request remediation for and then select **Remediation options**. 
 
 2. Fill out the form and select **Submit request**. 
 
@@ -154,13 +155,13 @@ When an exception is created for a recommendation, the recommendation is no long
 
 ### How to create an exception
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), select the security recommendation you want to create an exception for, and then select **Exception options**.
+1. Select the security recommendation you want to create an exception for, and then select **Exception options**.
 
-   ![Showing where the button for "exception options" is located in a security recommendation flyout.](/defender/media/defender-vulnerability-management/tvm-exception-options.png)
+   :::image type="content" alt-text="Showing where the exception options is located in a security recommendation flyout." source="/defender/media/defender-vulnerability-management/tvm-reco-exception-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-reco-exception.png":::
 
 2. Fill out the form and submit. 
 
-3. To view your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu, and select the **Exceptions** tab. 
+3. To view your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Endpoints** > **Vulnerability management** navigation menu and select **Remediation**, and then select the **Exceptions** tab. 
 
 For more information, see [Learn more about how to create an exception](tvm-exception.md#create-an-exception).