Commit 524e979

Update indicator-file.md
1 parent 6825214 commit 524e979

1 file changed

+7
-2
lines changed

defender-endpoint/indicator-file.md

Lines changed: 7 additions & 2 deletions
@@ -122,6 +122,7 @@ Choose if to Generate an alert on the file block event and define the alerts set
122122

123123
> For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp).
124124
> > For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature).
125+
125126
> ## Advanced hunting capabilities (preview)
126127
127128
> [!IMPORTANT]
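Review bot: The blank line added at new line 125 does not move the heading out of the quote block, because in this view line 126 still starts with `>` (`> ## Advanced hunting capabilities (preview)`) and line 124 carries a doubled `> >`. If the heading is meant to open a top-level section, drop its `>` prefix and reduce line 124 to a single `>`; as written, the blank line only splits one quote block into two.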
@@ -155,11 +156,17 @@ The response action activity can also be viewable in the device timeline.
155156
Cert and File IoC policy handling conflicts follow this order:
156157

157158
1. If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policies, then **Block**.
159+
158160
2. Else, if the file is allowed by the Microsoft Defender Antivirus exclusions, then **Allow**.
161+
159162
3. Else, if the file is blocked or warned by a block or warn file IoCs, then **Block/Warn**.
163+
160164
4. Else, if the file is blocked by SmartScreen, then **Block**.
165+
161166
5. Else, if the file is allowed by an allow file IoC policy, then **Allow**.
167+
162168
6. Else, if the file is blocked by attack surface reduction rules, controlled folder access, or antivirus protection, then **Block**.
169+
163170
7. Else, **Allow** (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it).
164171

165172
> [!NOTE]
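Review bot: Step 3 (new line 162) still reads "by a block or warn file IoCs", a singular article with a plural noun; since this hunk touches the spacing of every item, fix the wording in the same change ("by a block or warn file IoC"). The added blank lines turn the list from tight to loose, so check the rendered preview to confirm the numbering stays continuous from 1 to 7, because the sequence is the precedence rule itself (for example, the antivirus exclusion **Allow** in step 2 is evaluated before the IoC **Block/Warn** in step 3).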
@@ -181,15 +188,13 @@ Microsoft Defender Vulnerability Management's block vulnerable application featu
181188
|Windows Defender Application Control|Allow|Block|Allow|
182189
|Windows Defender Application Control|Block|Allow|Block|
183190
|Microsoft Defender Antivirus exclusion|Allow|Block|Allow|
184-
|
185191

186192
## See also
187193

188194
- [Create indicators](manage-indicators.md)
189195
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
190196
- [Create indicators based on certificates](indicator-certificates.md)
191197
- [Manage indicators](indicator-manage.md)
192-
193198
- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
194199

195200
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
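Review bot: Removing the blank line at old line 192 makes the "See also" bullet list tight, while the previous hunk makes the ordered list loose by adding blank lines between items; pick one list spacing convention for the file. Dropping the stray `|` at old line 184 is correct, since it would render as an empty trailing table row, but confirm in preview that the table still ends cleanly at the "Microsoft Defender Antivirus exclusion" row followed by the blank line at new line 191.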
