Merge branch 'main' into WI360959-delete-page-tutorial-ueba

Author: DeCohen

defender-endpoint/adv-tech-of-mdav.md

@@ -7,7 +7,7 @@ ms.reviewer: yongrhee
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 02/28/2024
+ms.date: 01/24/2025
 ms.subservice: ngp
 ms.localizationpriority: medium
 ms.custom: partner-contribution
@@ -53,6 +53,7 @@ When the client encounters unknown threats, it sends metadata or the file itself
 |**Heuristics engine** <br/> Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.|**Detonation-based ML engine** <br/> Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.|
 |**Emulation engine** <br/> The emulation engine dynamically unpacks malware and examines how they would behave at runtime. The dynamic emulation of the content and scanning both the behavior during emulation and the memory content at the end of emulation defeat malware packers and expose the behavior of polymorphic malware.|**Reputation ML engine** <br/> Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Defender for Office 365 for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.|
 |**Network engine** <br/> Network activities are inspected to identify and stop malicious activities from threats.|**Smart rules engine** <br/> Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.|
+|**CommandLine scanning engine** <br/> This engine scans the commandlines of all processes before they execute. If the commandline for a process is found to be malicious it is blocked from execution.|**CommandLine ML engine** <br/> Multiple advanced ML models scan the suspicious commandlines in the cloud. If a commandline is found to be malicious, cloud sends a signal to the client to block the corresponding process from starting.|
 
 For more information, see [Microsoft 365 Defender demonstrates 100 percent protection coverage in the 2023 MITRE Engenuity ATT&CK&reg; Evaluations: Enterprise](https://www.microsoft.com/security/blog/2023/09/20/microsoft-365-defender-demonstrates-100-percent-protection-coverage-in-the-2023-mitre-engenuity-attck-evaluations-enterprise/).
 
@@ -97,6 +98,6 @@ We focus on every industry.
 
 ### Do your detection/protection require a human analyst?
 
-When you're pen-testing, you should demand where no human analysts are engaged on detect/protect, to see how the actual antivirus engine (prebreach) efficacy truly is, and a separate one where human analysts are engaged.You can add [Microsoft Defender Experts for XDR](/defender-xdr/dex-xdr-overview) a managed extended detection and response service to augment your SOC.
+When you're pen-testing, you should demand where no human analysts are engaged on detect/protect, to see how the actual antivirus engine (prebreach) efficacy truly is, and a separate one where human analysts are engaged. You can add [Microsoft Defender Experts for XDR](/defender-xdr/dex-xdr-overview) a managed extended detection and response service to augment your SOC.
 
 The ***continuous iterative enhancement*** each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent [top scores in industry tests](/defender-xdr/top-scoring-industry-tests), but more importantly, translate to [threats and malware outbreaks](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) stopped and [more customers protected](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/).

defender-endpoint/device-control-walkthroughs.md

@@ -4,7 +4,7 @@ description: Learn how to work with device control in Defender for Endpoint.
 author: denisebmsft
 ms.author: deniseb
 manager: deniseb
-ms.date: 02/14/2024
+ms.date: 01/24/2025
 ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: asr
@@ -36,7 +36,7 @@ By default, [device control](device-control-overview.md) is disabled and there a
 
 Device control in Defender for Endpoint identifies a device based on its properties. Device properties are visible by selecting an entry in the report. 
 
-The **Device ID**, **Vendor ID** (VID), **Serial number**, and **Bus type** can all be used to identify a device (see [Device control policies in Microsoft Defender for Endpoint](device-control-policies.mddata is also available in [advanced hunting](/defender-xdr/advanced-hunting-overview), by searching for the `Plug and Play Device Connected action` (`PnPDeviceConnected`), as shown in the following example query:
+The **Device ID**, **Vendor ID** (VID), **Serial number**, and **Bus type** can all be used to identify a device (see [Device control policies in Microsoft Defender for Endpoint](device-control-policies.md)). Data is also available in [Advanced Hunting](/defender-xdr/advanced-hunting-overview), by searching for the Plug and Play Device Connected action (`PnPDeviceConnected`), as shown in the following example query:
 
 ```kusto
 
@@ -62,7 +62,7 @@ DeviceControlState                : Disabled
 
 ```
 
-Change the device control state to be enabled* on a test device. Make sure the policy is applied by checking [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus), as illustrated in the following snippet:
+Change the device control state to be enabled on a test device. Make sure the policy is applied by checking [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus), as illustrated in the following snippet:
 
 ```powershell
 
@@ -184,7 +184,7 @@ The following screenshot shows the settings we used for our example:
 
 By default, the sample uses the Global SID of `S-1-1-0`. Before deploying the policy, you can change the SID associated with the authorized USBs (writeable USBs) to `User1` and change the SID associated with the Read Only USBs to `User2`. 
 
-Once the policy is deployed, only User 1 has write access to the Authorized USBs, and only User 2 has read access to the ReadOnly USBs. 
+Once the policy is deployed, only User 1 has write access to the Authorized USBs, and only User 2 has read access to the ReadOnly USBs.
 
 Device control also supports group SIDs. Change the SID in the read-only policy to a group that contains `User2`. Once the policy is redeployed, the rules are the same for User 2 or any other user in that group.
 

defender-endpoint/linux-update-mde-linux.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 12/16/2024
+ms.date: 01/24/2025
 ---
 
 # Schedule an update for Microsoft Defender for Endpoint on Linux
@@ -27,9 +27,9 @@ ms.date: 12/16/2024
 
 To run an update on Microsoft Defender for Endpoint on Linux, see [Deploy updates for Microsoft Defender for Endpoint on Linux](linux-updates.md).
 
-Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks.
+Linux and Unix have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks.
 
-## Pre-requisite
+## Prerequisite
 
 > [!NOTE]
 > To get a list of all the time zones, run the following command:
@@ -53,7 +53,7 @@ sudo crontab -l > /var/tmp/cron_backup_201118.dat
 ```
 
 > [!NOTE]
-> Where 201118 == YYMMDD
+> In our example, `201118` == `YYMMDD`.
 
 > [!TIP]
 > Do this before you edit or remove.
@@ -108,7 +108,9 @@ CRON_TZ=America/Los_Angeles
 > ```
 
 > [!NOTE]
-> In the examples above, we are setting it to 00 minutes, 6 a.m.(hour in 24 hour format), any day of the month, any month, on Sundays.[$(date +\%d) -le 15] == Won't run unless it's equal or less than the 15th day (3rd week). Meaning it will run every 3rd Sundays(7) of the month at 6:00 a.m. Pacific (UTC -8).
+> In the previous examples, we specified `00` minutes, 6 a.m. (hour using the 24-hour format), any day of the month, any month, on Sundays. 
+> `[$(date +\%d) -le 15]` doesn't run unless it's equal or less than the 15th day (third week). 
+> This means the job runs at 6 a.m. every Sunday, but only if the day of the month is the 15th or earlier.
 
 Press "Esc"
 

defender-endpoint/live-response-command-examples.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 04/03/2024
+ms.date: 01/24/2025
 ---
 
 # Live response command examples
@@ -107,12 +107,12 @@ getfile c:\Users\user\Desktop\work.txt -auto
 
 > [!NOTE]
 >
-> The following file types *cannot* be downloaded using this command from within Live Response:
+> The following file types *can't* be downloaded using this command from within Live Response:
 >
 > - [Reparse point files](/windows-hardware/drivers/ifs/reparse-points)
 > - [Sparse files](/windows-server/administration/windows-commands/fsutil-sparse)
 > - Empty files
-> - Virtual files, or files that are not fully present locally
+> - Virtual files, or files that aren't fully present locally
 >
 > These file types *are* supported by [PowerShell](/powershell/scripting/overview).
 >
@@ -199,6 +199,9 @@ remediate process 7960
 remediate list
 ```
 
+> [!NOTE]
+> Currently, `HKEY_USERS` reg hive isn't supported for `remediate`. This is a known issue, and we're looking into it. 
+
 ## `run`
 
 ```console
@@ -214,9 +217,9 @@ run get-process-by-name.ps1 -parameters "-processName Registry"
 > [!NOTE]
 >
 > For long running commands such as '**run**' or '**getfile**', you may want to use the '**&**' symbol at the end of the command to perform that action in the background.
-> This will allow you to continue investigating the machine and return to the background command when done using '**fg**' [basic command](live-response.md#basic-commands).
+> This allows you to continue investigating the machine and return to the background command when done using '**fg**' [basic command](live-response.md#basic-commands).
 >
-> When passing parameters to a live response script, do not include the following forbidden characters: **';'**, **'&'**, **'|'**, **'!'**, and **'$'**.
+> When passing parameters to a live response script, don't include the following forbidden characters: **';'**, **'&'**, **'|'**, **'!'**, and **'$'**.
 
 ## `scheduledtask`
 

defender-endpoint/live-response.md

@@ -64,7 +64,7 @@ Before you can initiate a session on a device, make sure you fulfill the followi
 
   - **Windows Server 2016** - with [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac)
     > [!NOTE]
-    > For Windows Server 2012R2 or 2016 you must have the [Unified Agent](update-agent-mma-windows.md#update-mma-on-your-devices) installed, and it is recommended to patch to latest sensor version with KB5005292.
+    > For Windows Server 2012 R2 or Windows Server 2016, you must have the [Unified Agent](update-agent-mma-windows.md#update-mma-on-your-devices) installed, and it is recommended to patch to latest sensor version with KB5005292. Live response doesn't work as expected for offline down-level servers onboarded using the streamlined method, because of the static proxy. Consider using a system proxy instead.
     
   - **Windows Server 2019**
     - Version 1903 or (with [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)) later

defender-endpoint/mac-whatsnew.md

@@ -6,7 +6,7 @@ author: deniseb
 ms.author: deniseb
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 12/11/2024
+ms.date: 01/24/2025
 audience: ITPro
 ms.collection:
 - m365-security
@@ -46,7 +46,7 @@ For more information on Microsoft Defender for Endpoint on other operating syste
 - On macOS Sequoia (Version 15.0 - 15.1.1), users may encounter prompts about incoming network connections from applications when the native firewall is active.  
 
    ![Screenshot showing prompts about incoming network connections](media/mac-whatsnew/image.png)
-
+  
 If an end user encounters a prompt for Defender for Endpoint on macOS processes such as `wdavdaemon_enterprise` or `Microsoft Defender Helper`, the end user can safely choose the **Deny** option. This selection doesn't impact Defender for Endpoint's functionality.  Enterprises can also add *Microsoft Defender* to allow [incoming connections](https://support.apple.com/en-ca/guide/deployment/dep8d306275f/web).  This issue is fixed in macOS Sequoia 15.2.
 
 ## Sequoia support
@@ -64,6 +64,21 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
 
+### Dec-2024 (Build: 101.24102.0018  | Release version: 20.124102.18.0)
+
+| Build:             | **101.24102.0018**         |
+|--------------------|-----------------------|
+| Release version:   | **20.124102.18.0** |
+| Engine version:    | **1.1.24080.10**       |
+| Signature version: | **1.419.298.0**      |
+
+##### What's new
+
+- **Improved User/Group Permission Handling** - Added reporting in `mdatp-health` for user/group permission issues for Defender files. On restart Defender attempts to cure these issues.
+
+- Bug and performance fixes.
+
+
 ### Oct-2024 (Build: 101.24092.0004  | Release version: 20.124092.4.0)
 
 | Build:             | **101.24092.0004**         |
@@ -98,15 +113,15 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 ##### What's new
 
-- Resolved the issue causing outdated vulnerability assessments impacting some MAC OSs devices
+- Resolved the issue causing outdated vulnerability assessments impacting some macOS devices
 
 ### Aug-2024 (Build: 101.24072.0006  | Release version: 20.124072.6.0)
 
 | Build:             | **101.24072.0006**    |
 |--------------------|-----------------------|
-| Release version:   | 20.124072.6.0         |
-| Engine version:    | 1.1.24060.7           |
-| Signature version: | 1.417.325.0           |
+| Release version:   | **20.124072.6.0** |
+| Engine version:    | **1.1.24060.7**  |
+| Signature version: | **1.417.325.0**  |
 
 ##### What's new
 
@@ -116,9 +131,9 @@ Behavior monitoring monitors process behavior to detect and analyze potential th
 
 | Build:             | **101.24062.0009**         |
 |--------------------|-----------------------|
-| Release version:   | 20.124062.9.0 |
-| Engine version:    | 1.1.24050.7       |
-| Signature version: | 1.411.410.0      |
+| Release version:   | **20.124062.9.0** |
+| Engine version:    | **1.1.24050.7**       |
+| Signature version: | **1.411.410.0**      |
 
 ##### What's new
 

defender-office-365/submissions-users-report-message-add-in-configure.md

@@ -8,7 +8,7 @@ manager: deniseb
 audience: Admin
 ms.reviewer: dhagarwal
 ms.topic: how-to
-ms.date: 09/27/2024
+ms.date: 01/24/2025
 ms.localizationpriority: medium
 search.appverid:
   - MET150
@@ -66,15 +66,10 @@ After the add-in is installed and enabled, users see the following icons based o
 
 - **Outlook on the web**:
 
-  - <u>The Report Message add-in</u>:
+  - <u>The Report Message or Report Phishing icons in Outlook on the web (formerly known as Outlook Web App or OWA)</u>:
 
     > [!div class="mx-imgBorder"]
-    > :::image type="content" source="media/owa-report-message-icon.png" alt-text="The Report Message add-in icon in Outlook on the web." lightbox="media/owa-report-message-icon.png":::
-
-  - <u>The Report Phishing add-in</u>:
-
-    > [!div class="mx-imgBorder"]
-    > :::image type="content" source="media/OWA-ReportPhishing.png" alt-text="The Report Phishing add-in icon in Outlook on the web." lightbox="media/OWA-ReportPhishing.png":::
+    > :::image type="content" source="media/owa-report-message-icon.png" alt-text="The Report Message or Report Phishing add-in icons in Outlook on the web." lightbox="media/owa-report-message-icon.png":::
 
 ## What do you need to know before you begin?
 
@@ -185,7 +180,7 @@ Install and configure the Report Message or Report Phishing add-ins for the orga
 
 ### Get the Report Message or the Report Phishing add-ins for your Microsoft 365 GCC or GCC High organization
 
-Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use the steps in this section to get the Report Message or Report Phishing add-ins for their organizations. These steps apply to Outlook and Outlook on the web (formerly known as Outlook Web App or OWA) and don't apply to Outlook for iOS and Android.
+Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use the steps in this section to get the Report Message or Report Phishing add-ins for their organizations. These steps apply to Outlook and Outlook on the web and don't apply to Outlook for iOS and Android.
 
 > [!NOTE]
 > It could take up to 24 hours for the add-in to appear in your organization.

defender-vulnerability-management/fixed-reported-inaccuracies.md

@@ -13,7 +13,7 @@ ms.collection:
 - tier2
 ms.localizationpriority: medium
 ms.topic: troubleshooting
-ms.date: 01/09/2025
+ms.date: 01/24/2025
 ---
 
 # Vulnerability support in Microsoft Defender Vulnerability Management
@@ -45,6 +45,17 @@ The following tables present the relevant vulnerability information organized by
 | - | Fixed inaccuracy in Overwolf vulnerability - CVE-2024-7834 | 08-Jan-25 |
 | 87255 | Fixed inaccuracy in GOG Galaxy vulnerability - CVE-2023-50914 | 08-Jan-25 |
 | 86948 | Fixed inaccuracy in Samsung Video Player vulnerability - CVE-2024-49404 | 08-Jan-25 |
+| 69723 | Fixed vulnerability detection in Adobe Campaign | 14-Jan-25 |
+| 83313 | Fixed inaccuracy in Debian Inetutils | 16-Jan-25 |
+| - | Fixed inaccuracy in RedHat Kernel-debug packages | 16-Jan-25 |
+| - | Defender Vulnerability Management doesn't currently support Nvidia Cuda Pilot | 20-Jan-25 |
+| - | Fixed inaccuracy in Mattermost Desktop vulnerability- CVE-2024-39613 | 21-Jan-25 |
+| - | Added Microsoft Defender Vulnerability Management support to BeyondTrust Privileged Remote Access | 21-Jan-25 |
+| - | Fixed inaccuracy in BeyondTrust Remote Support | 21-Jan-25 |
+| - | Fixed vulnerability detection in InfluxDB | 22-Jan-25 |
+| 68411 | Fixed inaccurate detections in WebM Project libwebp by excluding razer file path | 22-Jan-25 |
+| 77999 | Defender Vulnerability Management doesn't currently support these four ESET vulnerabilities: <br/>- CVE-2020-11446<br/>- CVE-2023-5594<br/>- CVE-2023-3160<br/>- CVE-2024-7400 | 22-Jan-25 |
+
 
 ## November 2024
 
@@ -54,6 +65,7 @@ The following tables present the relevant vulnerability information organized by
 | 78428 | Added Microsoft Defender Vulnerability Management support to TeamViewer vulnerabilities- CVE-2024-7479 and CVE-2024-7481 | 12-Nov-24 |
 | 80922 | Fixed inaccuracy in Kingsoft WPS office vulnerability - CVE-2024-7263 | 12-Nov-24 |
 | 78951 | Fixed inaccuracy in Kingsoft WPS Office vulnerability - CVE-2024-35205 | 12-Nov-24 |
+| - | Defender Vulnerability Management doesn't currently support CVE-2006-5745 | 12-Nov-24 |
 
 ## October 2024