Merge pull request #3003 from YongRhee-MSFT/docs-editor/indicator-file-1741106879

denisebmsft · web-flow · commit 3e00cb940637 · 2025-03-04T09:04:11.000-08:00
Update indicator-file.md
diff --git a/defender-endpoint/indicator-file.md b/defender-endpoint/indicator-file.md
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 02/06/2025
+ms.date: 03/04/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -29,9 +29,6 @@ search.appverid: met150
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Business](/defender-business/mdb-overview)
 
-> [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
 > [!IMPORTANT]
 > In Defender for Endpoint Plan 1 and Defender for Business, you can create an indicator to block or allow a file. In Defender for Business, your indicator is applied across your environment and cannot be scoped to specific devices.
 
@@ -52,37 +49,33 @@ There are three ways you can create indicators for files:
 Understand the following prerequisites before you create indicators for files:
 
 - [Behavior Monitoring is enabled](behavior-monitor.md)
-
 - [Cloud-based protection is turned on](/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus).
-
 - [Cloud Protection network connectivity is functional](configure-network-connections-microsoft-defender-antivirus.md)
-
 - To start blocking files, [turn on the "block or allow" feature](advanced-features.md) in Settings (in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**).
 
 ### Windows prerequisites
 
 - This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode) 
-
-- The Antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
-
+- The antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
 - This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022.
-
 - File hash computation is enabled, by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\` to **Enabled**
 
 > [!NOTE]
 > File indicators support portable executable (PE) files, including `.exe` and `.dll` files only.
 
 ### macOS prerequisites
 
-- [File hash computation is enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line) by running `mdatp config enable-file-hash-computation --value enabled`
-
-### Linux prerequisites
+- Real-time protection (RTP) needs to be active.
+- [File hash computation must be enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line). Run the following command: `mdatp config enable-file-hash-computation --value enabled`
 
-- Available in Defender for Endpoint version 101.85.27 or later.
+> [!NOTE]
+> On Mac, file indicators support Mach-O files (akin to `.exe` and `.dll` in Windows) scripts, such as sh/bash and AppleScript File (`.scpt`) files only.
 
-- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON
+### Linux prerequisites
 
-- Behavior monitoring is preferred, but this will work with any other scan (RTP or Custom).
+- Available in Defender for Endpoint version `101.85.27` or later.
+- [File hash computation must be enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON
+- Behavior monitoring enabled is preferred, but this feature works with any other scan (RTP or Custom).
 
 ## Create an indicator for files from the settings page
 
@@ -95,9 +88,7 @@ Understand the following prerequisites before you create indicators for files:
 4. Specify the following details:
 
    - Indicator: Specify the entity details and define the expiration of the indicator.
-
    - Action: Specify the action to be taken and provide a description.
-   
    - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)).
 
    > [!NOTE]
@@ -156,7 +147,7 @@ Timestamp > ago(30d)
 
 For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview).
 
-Below are other thread names that can be used in the sample query from above:
+Here are other thread names that can be used in the sample query:
 
 Files:
 
