Merge pull request #3780 from MicrosoftDocs/main

padmagit77 · web-flow · commit 2074da592bb3 · 2025-05-14T23:05:15.000+05:30
[AutoPublish] main to live - 05/14 10:31 PDT | 05/14 23:01 IST
diff --git a/defender-endpoint/android-configure.md b/defender-endpoint/android-configure.md
@@ -109,7 +109,15 @@ In the Microsoft Intune admin center, navigate to Apps > App configuration polic
 > [!NOTE]
 > - The other config keys of Network Protection will only work if the parent key '**Enable Network Protection in Microsoft Defender'** is enabled.
 > - To ensure comprehensive protection against Wi-Fi threats, users should enable location permission and select the "Allow All the Time" option. This permission is optional but highly recommended, even when the app is not actively in use. If location permission is denied, Defender for Endpoint will only offer limited protection against network threats and will only safeguard users from rogue certificates.
-**An open wi-fi network alert** is generated whenever a user connects to an open Wi-Fi network. If the user reconnects to the same network within a seven-day period, no new alert will be generated. However, connecting to a different open Wi-Fi network will result in an immediate alert.
+
+> [!IMPORTANT]
+> Starting May 19, 2025, alerts are no longer generated in the Microsoft Defender portal for mobile devices connecting or disconnecting to an open wireless network and for downloading/installing/deleting self-signed certificates. Instead, these activities are now generated as events and are viewable in the device timeline.</br></br>
+> Here are a key changes about this new experience:</br>
+> - For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on Android available on May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.</br>
+> - WWhen an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.</br>
+> - Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including to trusted networks, are sent to the device timeline as events.
+> - Users allow-listed certificates: After the update, downloading/installing/deleting self-signed certificates events, including user-trusted certificates, are sent to the device timeline as events.</br>
+> - The previous experience of generating alerts for these activities still continue to apply to GCC tenants.
 
 ## Privacy Controls
 
diff --git a/defender-endpoint/android-whatsnew.md b/defender-endpoint/android-whatsnew.md
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: reference
 ms.subservice: android
 search.appverid: met150
-ms.date: 04/18/2025
+ms.date: 05/15/2025
 ---
 
 # What's new in Microsoft Defender for Endpoint on Android
@@ -28,6 +28,17 @@ ms.date: 04/18/2025
 
 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
+#### Alerts for activities related to open wireless connection and certificates are now detected as events
+
+May 2025
+
+Starting May 19, 2025, security operations center (SOC) analysts can now view the following as events instead of alerts:
+
+- Connecting or disconnecting to open wireless networks
+- Download/installation/removal of self-signed certificates
+
+These events can be viewed in the Timeline tab of a device page. For more information, see [Network protection](android-configure.md#network-protection).
+
 #### Deploy Defender for Endpoint prerelease builds on Android devices using Google Play preproduction tracks
 
 April 2025
diff --git a/defender-endpoint/ios-configure-features.md b/defender-endpoint/ios-configure-features.md
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: ios
 search.appverid: met150
-ms.date: 03/27/2025
+ms.date: 05/15/2025
 ---
 
 # Configure Microsoft Defender for Endpoint on iOS features
@@ -167,9 +167,13 @@ Use the following procedure to set up MAM config for unenrolled devices for netw
 
 6. Review and create the configuration policy.
 
-> [!NOTE]
-> **Open Wi-Fi Network Alert:**
-> An alert is generated whenever a user connects to an open Wi-Fi network. If the user reconnects to the same network within a seven-day period, no new alert is generated. However, connecting to a different open Wi-Fi network results in an immediate alert.
+> [!IMPORTANT]
+> Starting May 19, 2025, alerts in the Microsoft Defender portal are no longer generated when users connect to an open wireless network. Instead, this activity now generates events and are viewable in the device timeline. With this change, security operations center (SOC) analysts can now view connection/disconnection to open wireless networks as events. If auto-remediation key is enabled, old alerts are resolved automatically after the changes take effect.</br></br>
+> Here are key points about this change:</br>
+> - For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on iOS available on May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.</br>
+> - When an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.</br>
+> - Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including to user trusted networks, are sent to the device timeline as events.</br>
+> - This change doesn't impact GCC customers. The previous experience of receiving alerts while connecting to open wireless networks still apply to them.
 
 ## Coexistence of multiple VPN profiles
 
diff --git a/defender-endpoint/ios-whatsnew.md b/defender-endpoint/ios-whatsnew.md
@@ -6,7 +6,7 @@ ms.author: ewalsh
 author: emmwalshh
 ms.reviewer: sunasing; denishdonga
 ms.localizationpriority: medium
-ms.date: 03/28/2025
+ms.date: 05/15/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -29,6 +29,14 @@ search.appverid: met150
 
 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
+#### Alerts for activities related to open wireless connections are now detected as events
+
+**May 2025**
+
+Starting May 19, 2025, when a user connects to an open wireless network on a mobile device, an alert is no longer generated on the Microsoft Defender portal. Instead, this activity is added as an event and viewable under the device timeline.
+
+For more information, see [Configure network protection](ios-configure-features.md#configure-network-protection).
+
 #### Improving Usability: Key updates to the Microsoft Defender app interface on iOS
 
 **March 2025**
diff --git a/defender-xdr/whats-new.md b/defender-xdr/whats-new.md
@@ -32,11 +32,17 @@ For more information on what's new with other Microsoft Defender security produc
 
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
+
 ## May 2025
 
 - (Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the **unified security summary**. The unified security summary is available in the Microsoft Defender portal and streamlines the process for SOC teams to generate security reports, saving time usually spent on collecting data from various sources and creating reports. For more information, see [Visualize security impact with the unified security summary](security-summary-report.md).
 - Defender portal users who have onboarded Microsoft Sentinel and have enabled the [User and Entity Behavior Analytics (UEBA)](/azure/sentinel/ueba-reference) can now take advantage of the new unified [`IdentityInfo` table](advanced-hunting-identityinfo-table.md) in advanced hunting. This latest version now includes the largest possible set of fields common to both Defender and Azure portals. 
-
+- (Preview) The following advanced hunting schema tables are now available for preview to help you look through Microsoft Teams events and related information:
+    - The [MessageEvents](advanced-hunting-messageevents-table.md) table contains details about messages sent and received within your organization at the time of delivery
+    - The [MessagePostDeliveryEvents](advanced-hunting-messagepostdeliveryevents-table.md) table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization
+    - The [MessageUrlInfo](advanced-hunting-messageurlinfo-table.md) table contains information about URLs sent through Microsoft Teams messages in your organization
+     
+    
 ## April 2025
 
 - (Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. For more information, see [Create data security investigations in the Microsoft Defender portal](create-dsi-in-defender.md).
@@ -48,6 +54,7 @@ You can also get product updates and important notifications through the [messag
 - The `OnboardingStatus` and `NetworkAdapterDnsSuffix` columns are now available in the [`DeviceNetworkInfo`](advanced-hunting-devicenetworkinfo-table.md) table in advanced hunting.
 
 
+
 ## March 2025
 
 - (Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see [Incident details](investigate-incidents.md#incident-details).
diff --git a/unified-secops-platform/malware-naming.md b/unified-secops-platform/malware-naming.md
@@ -1,6 +1,5 @@
 ---
 title: How Microsoft names malware
-ms.reviewer: 
 description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware.
 ms.service: unified-secops-platform
 ms.localizationpriority: medium
@@ -12,7 +11,7 @@ ms.collection:
 - must-keep
 ms.topic: reference
 search.appverid: met150
-ms.date: 01/29/2024
+ms.date: 05/09/2025
 ---
 
 # Malware names
@@ -25,30 +24,24 @@ When our analysts research a particular threat, they determine what each of the
 
 ## Type
 
-Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are some of the most common types of malware.
+Type describes what the malware does on your computer. The following are the different types of malware that Microsoft products detect.
+
+### Malware
+
+Following are the types of malware that Microsoft detects. To know more about how Microsoft defines malware, see [How Microsoft identifies malware and potentially unwanted applications - Malware](criteria.md#malware).
+
 ```
-* Adware
 * Backdoor
-* Behavior
-* BrowserModifier
 * Constructor
 * DDoS
 * Exploit
 * HackTool
 * Joke
-* Misleading
-* MonitoringTool
-* Program
 * Password Stealer (PWS)
 * Ransom
-* RemoteAccess
 * Rogue
-* SettingsModifier
-* SoftwareBundler
 * Spammer
 * Spoofer
-* Spyware
-* Tool
 * Trojan
 * TrojanClicker
 * TrojanDownloader
@@ -59,6 +52,52 @@ Describes what the malware does on your computer. Worms, viruses, trojans, backd
 * Virus
 * Worm
 ```
+
+### Unwanted software
+
+Following are the types of unwanted software that Microsoft products detect. For more information on what unwanted software is and what is classified as unwanted software, see [Unwanted software](criteria.md#unwanted-software).
+
+```
+* Adware
+* BrowserModifier
+* Misleading
+* MonitoringTool
+* Program
+* SoftwareBundler
+* UwS
+```
+
+### Potentially unwanted applications
+
+Following are the types of potentially unwanted applications (PUAs) that Microsoft products detect. To know what PUAs are, see [Potentially unwanted application (PUA)](criteria.md#potentially-unwanted-application-pua).
+
+```
+* PUA
+* App
+* PUAAdvertising
+* PUATorrent
+* PUAMiner
+* PUAMarketing
+* PUABundler
+* PUADlManager
+```
+### Tampering software
+
+Tampering software, detected as ***Tampering** are tools that can lower device security. To know more, see [Tampering software](criteria.md#tampering-software).
+
+### Vulnerable software
+
+Following are the types of vulnerable software that Microsoft products detect. Know more about this detection in [Vulnerable software](criteria.md#vulnerable-software).
+
+```
+* Vulnerable
+* VulnerableDriver
+```
+
+### Other malware types
+
+Microsoft also detects ***Behavior** and ***Tool** types of malware.
+
 ## Platforms
 
 Platforms guide the malware to its compatible operating system (such as Windows, macOS, and Android). The platform's guidance is also used for programming languages and file formats.
@@ -157,29 +196,8 @@ Grouping of malware based on common characteristics, including attribution to th
 
 ## Variant letter
 
-Used sequentially for every distinct version of a malware family. For example, the detection for the variant **".AF"** would have been created after the detection for the variant **".AE"**.
+Used sequentially for every distinct version of a malware family. For example, the detection for the variant **".AF"** is created after the detection for the variant **".AE"**.
 
 ## Suffixes
 
-Provides extra detail about the malware, including how it's used as part of a multicomponent threat. In the preceding example, **"!lnk"** indicates that the threat component is a shortcut file used by Trojan: **Win32/Reveton.T**.
-```
-* .dam: damaged malware
-* .dll: Dynamic Link Library component of a malware
-* .dr: dropper component of a malware
-* .gen: malware that is detected using a generic signature
-* .kit: virus constructor
-* .ldr: loader component of a malware
-* .pak: compressed malware
-* .plugin: plug-in component
-* .remnants: remnants of a virus
-* .worm: worm component of that malware
-* !bit: an internal category used to refer to some threats
-* !cl: an internal category used to refer to some threats
-* !dha: an internal category used to refer to some threats
-* !pfn: an internal category used to refer to some threats
-* !plock: an internal category used to refer to some threats
-* !rfn: an internal category used to refer to some threats
-* !rootkit: rootkit component of that malware
-* @m: worm mailers
-* @mm: mass mailer worm
-```
+A suffix that begins with **!** is an indicator used by Microsoft internally. 
