Merge pull request #1613 from MicrosoftDocs/main

AMSI demonstration article -- fix needs to go live

Author: garycentric

.openpublishing.redirection.defender.json

@@ -214,6 +214,11 @@
       "source_path": "defender-endpoint/defender-endpoint-antivirus-exclusions.md",
       "redirect_url": "/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-endpoint/defender-endpoint-demonstration-amsi.md",
+      "redirect_url": "/defender-endpoint/mde-demonstration-amsi",
+      "redirect_document_id": true
     }
   ]
 }

defender-endpoint/TOC.yml

@@ -59,44 +59,43 @@
     - name: Antivirus solution compatibility with Defender for Endpoint
       href: defender-compatibility.md
 
-  - name: Microsoft Defender for Endpoint demonstrations
+  - name: Microsoft Defender for Endpoint demonstrations and evaluation
     items:
-    - name: Microsoft Defender for Endpoint demonstrations
+    - name: Evaluate Microsoft Defender Antivirus
+      href: evaluate-microsoft-defender-antivirus.md
       items:
-      - name: Overview
-        href: evaluate-microsoft-defender-antivirus.md
       - name: Evaluate Microsoft Defender Antivirus using PowerShell
         href: microsoft-defender-antivirus-using-powershell.md
       - name: Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management
         href: evaluate-mda-using-mde-security-settings-management.md
       - name: Evaluate Microsoft Defender Antivirus using Group Policy 
         href: evaluate-mdav-using-gp.md  
-      - name: Microsoft Defender for Endpoint demonstration scenarios
-        href: defender-endpoint-demonstrations.md
+    - name: Demonstration scenarios
+      href: defender-endpoint-demonstrations.md
+      items:
+      - name: AMSI demonstrations
+        href: mde-demonstration-amsi.md
+      - name: Antimalware validation demonstration
+        href: validate-antimalware.md
+      - name: Attack surface reduction rules demonstration
+        href: defender-endpoint-demonstration-attack-surface-reduction-rules.md
       - name: App reputation demonstration
         href: defender-endpoint-demonstration-app-reputation.md
-      - name: Behavior monitoring demonstrations
+      - name: Behavior monitoring demonstration
         href: demonstration-behavior-monitoring.md
-      - name: Validate antimalware
-        href: validate-antimalware.md
-      - name: AMSI demonstrations
-        href: defender-endpoint-demonstration-amsi.md
-        displayName: Antimalware Scan Interface (AMSI), AMSI
-      - name: Attack surface reduction rules demonstrations
-        href: defender-endpoint-demonstration-attack-surface-reduction-rules.md
-      - name: Cloud-delivered protection demonstration
+      - name: Cloud-delivered protection
         href: defender-endpoint-demonstration-cloud-delivered-protection.md
-      - name: Controlled folder access (CFA) demonstration (block script)
+      - name: Controlled folder access (block script) demonstration
         href: defender-endpoint-demonstration-controlled-folder-access-test-tool.md
-      - name: Controlled folder access (CFA) demonstrations (block ransomware)
+      - name: Controlled folder access (block ransomware) demonstration
         href: defender-endpoint-demonstration-controlled-folder-access.md
-      - name: EDR detections
+      - name: EDR detections demonstration
         href: edr-detection.md
-      - name: Exploit protection (EP) demonstrations
+      - name: Exploit protection demonstration
         href: defender-endpoint-demonstration-exploit-protection.md
-      - name: Network protection demonstrations
+      - name: Network protection demonstration
         href: defender-endpoint-demonstration-network-protection.md
-      - name: Potentially unwanted applications (PUA) demonstration
+      - name: Potentially unwanted applications demonstration
         href: defender-endpoint-demonstration-potentially-unwanted-applications.md
       - name: URL reputation demonstrations
         href: defender-endpoint-demonstration-smartscreen-url-reputation.md

defender-endpoint/defender-endpoint-demonstration-amsi.md

@@ -14,27 +14,27 @@ ms.collection:
 - demo
 ms.topic: article
 ms.subservice: ngp
-ms.date: 01/15/2024
+ms.date: 10/16/2024
 ---
 
 # Microsoft Defender for Endpoint - demonstration scenarios
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)
+- [Microsoft Defender for Endpoint Plan 1 or 2](microsoft-defender-endpoint.md)
+- Microsoft Defender for Servers
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
 - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
 
-The following demonstration scenarios will help you learn about the capabilities of Microsoft Defender for Endpoint on Windows, Mac, and Linux. Demonstration scenarios are provided for the following Microsoft Defender for Endpoint protection areas:
-
-:::image type="content" source="media/microsoft-defender-for-endpoint-cloud-protection.png" alt-text="Shows the areas of Microsoft Defender for Endpoint demonstration scenarios covered in this collection" lightbox="media/microsoft-defender-for-endpoint-cloud-protection.png":::
+Demonstration scenarios help you learn about the capabilities of Microsoft Defender for Endpoint on Windows, Mac, and Linux. Demonstration scenarios are provided for the following Microsoft Defender for Endpoint protection areas:
 
 - Attack surface protection (**ASR**)
 - Next Generation Protection (**NGP**)
 - Endpoint detection and response (**EDR**)
 
+:::image type="content" source="media/microsoft-defender-for-endpoint-cloud-protection.png" alt-text="Shows the areas of Microsoft Defender for Endpoint demonstration scenarios covered in this collection" lightbox="media/microsoft-defender-for-endpoint-cloud-protection.png":::
+
 > [!NOTE]
 > None of the sample files or _suspicious_ links provided in this collection are actually malicious; all links and demonstration files are harmless.
 >
@@ -44,26 +44,28 @@ The following demonstration scenarios will help you learn about the capabilities
 
 The following table lists the available demonstrations alphabetically, with their associated protection area.
 
-| # | Demonstration name | Protection area | Description |
-|:--|:---|:---|:---|
-| 1 |[Endpoint Detection and Response (EDR) detections](edr-detection.md)| EDR |Confirm that EDR is detecting cyber threats such as malware.|
-| 2 |[Validate antimalware](validate-antimalware.md)| NGP |Confirm that antivirus/antimalware is detecting and blocking malware. |
-| 3 |[Behavior Monitoring demonstration](demonstration-behavior-monitoring.md)| NGP |Confirm that behavior monitoring is detecting and blocking malware. |
-| 4 |[Potentially unwanted applications (PUA) demonstration](defender-endpoint-demonstration-potentially-unwanted-applications.md)| NGP |Confirm that potentially unwanted applications (PUAs) are being blocked on your network by downloading a fake (safe) PUA file. |
-| 5 |[Cloud-delivered protection demonstration](defender-endpoint-demonstration-cloud-delivered-protection.md)| NGP |Confirm that cloud-delivered protection is working properly on your computer. |
-| 6 |[App reputation demonstration](defender-endpoint-demonstration-app-reputation.md)| NGP | Navigate to the app reputation page to see the demonstration scenario using Microsoft Edge.|
-| 7 |[URL reputation demonstrations](defender-endpoint-demonstration-smartscreen-url-reputation.md)| NGP | Navigate to the URL Reputation page to see the demonstration scenarios using Microsoft Edge. |
-| 8 | [Network protection demonstrations](defender-endpoint-demonstration-network-protection.md)| ASR | Navigate to a suspicious URL to trigger network protection. |
-| 9 | [Attack surface reduction rules (ASR rules) demonstrations](defender-endpoint-demonstration-attack-surface-reduction-rules.md)| ASR | Download sample files to trigger each ASR rule. |
-| 10 | [Exploit protection (EP) demonstrations](defender-endpoint-demonstration-exploit-protection.md) | ASR | Apply custom exploit protection settings. |
-| 11 | [Controlled folder access (CFA) demonstration (block script)](defender-endpoint-demonstration-controlled-folder-access-test-tool.md)| ASR | Download the CFA test tool. |
-| 12 | [Controlled folder access (CFA) demonstrations (block ransomware)](defender-endpoint-demonstration-controlled-folder-access.md)|  ASR| Download and execute a sample file to trigger CFA ransomware protection.|
+| Demonstration name | Protection area | Description |
+|---|---|---|
+| [AMSI demonstrations](mde-demonstration-amsi.md) | Microsoft Defender Antivirus | Confirm that an AMSI script is detected and blocked. |
+|[Antimalware validation](validate-antimalware.md)| NGP |Confirm that antivirus/antimalware is detecting and blocking malware. |
+| [Attack surface reduction rules demonstrations](defender-endpoint-demonstration-attack-surface-reduction-rules.md)| ASR | Download sample files to trigger each ASR rule. |
+|[App reputation demonstration](defender-endpoint-demonstration-app-reputation.md)| NGP | Navigate to the app reputation page to see the demonstration scenario using Microsoft Edge.|
+|[Behavior Monitoring demonstration](demonstration-behavior-monitoring.md)| NGP |Confirm that behavior monitoring is detecting and blocking malware. |
+|[Cloud-delivered protection demonstration](defender-endpoint-demonstration-cloud-delivered-protection.md)| NGP |Confirm that cloud-delivered protection is working properly on your computer. |
+| [Controlled folder access (CFA) demonstration (block script)](defender-endpoint-demonstration-controlled-folder-access-test-tool.md)| ASR | Download the CFA test tool. |
+| [Controlled folder access (CFA) demonstrations (block ransomware)](defender-endpoint-demonstration-controlled-folder-access.md)|  ASR| Download and execute a sample file to trigger CFA ransomware protection.|
+|[Endpoint Detection and Response (EDR) detections](edr-detection.md)| EDR |Confirm that EDR is detecting cyber threats such as malware.|
+| [Exploit protection (EP) demonstrations](defender-endpoint-demonstration-exploit-protection.md) | ASR | Apply custom exploit protection settings. |
+| [Network protection demonstrations](defender-endpoint-demonstration-network-protection.md)| ASR | Navigate to a suspicious URL to trigger network protection. |
+|[Potentially unwanted applications (PUA) demonstration](defender-endpoint-demonstration-potentially-unwanted-applications.md)| NGP |Confirm that potentially unwanted applications (PUAs) are being blocked on your network by downloading a fake (safe) PUA file. |
+|[URL reputation demonstrations](defender-endpoint-demonstration-smartscreen-url-reputation.md)| NGP | Navigate to the URL Reputation page to see the demonstration scenarios using Microsoft Edge. |
+
 ## See also
 
-[Attack surface protection \(ASR\) overview](overview-attack-surface-reduction.md)
+[Attack surface protection overview](overview-attack-surface-reduction.md)
 [Test attack surface reduction rules](attack-surface-reduction-rules-deployment-test.md)
-[Next Generation Protection \(NGP\) overview](next-generation-protection.md)
-[Endpoint detection and response \(EDR\) overview](overview-endpoint-detection-response.md)
+[Next Generation Protection overview](next-generation-protection.md)
+[Endpoint detection and response overview](overview-endpoint-detection-response.md)
 [Microsoft Defender for Endpoint security blog](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]