Merge branch 'docs-editor/mac-jamfpro-policies-1727708938' of https://github.com/YongRhee-MSFT/defender-docs-pr into pr/1491

denisebmsft · denisebmsft · commit 6a2c5590f784 · 2024-09-30T09:26:00.000-07:00
diff --git a/defender-endpoint/TOC.yml b/defender-endpoint/TOC.yml
@@ -79,6 +79,9 @@
         href: demonstration-behavior-monitoring.md
       - name: Validate antimalware
         href: validate-antimalware.md
+      - name: AMSI demonstrations
+        href: defender-endpoint-demonstration-amsi.md
+        displayName: Antimalware Scan Interface (AMSI), AMSI
       - name: Attack surface reduction rules demonstrations
         href: defender-endpoint-demonstration-attack-surface-reduction-rules.md
       - name: Cloud-delivered protection demonstration
diff --git a/defender-endpoint/defender-endpoint-demonstration-amsi.md b/defender-endpoint/defender-endpoint-demonstration-amsi.md
@@ -0,0 +1,239 @@
+---
+title: AMSI demonstrations with Microsoft Defender for Endpoint
+description: Demonstration of AMSI detection by Microsoft Defender for Endpoint
+author: denisebmsft
+ms.author: deniseb
+ms.reviewer: yongrhee
+ms.service: defender-endpoint
+ms.topic: how-to
+ms.date: 09/30/2024
+ms.subservice: ngp
+---
+
+# AMSI demonstrations with Microsoft Defender for Endpoint
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
+
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)
+
+Microsoft Defender for Endpoint utilizes the [Antimalware Scan Interface (AMSI)](/defender-endpoint/amsi-on-mdav) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats.  In this article, we describe how to test the AMSI engine with a benign sample.
+
+## Scenario requirements and setup
+
+- Windows 10 or newer
+
+- Windows Server 2016, or newer
+
+- Microsoft Defender Antivirus (as primary) and these need to be enabled:
+
+  - Real-Time Protection (RTP) 
+    
+  - Behavior Monitoring (BM)  
+    
+  - Turn on script scanning
+    
+
+## Testing AMSI
+
+In this demonstration page, you have three engine choices to test AMSI:
+
+- PowerShell
+- VBScript
+
+### Testing AMSI with PowerShell
+
+
+```powershell
+# Save this sample AMSI powershell script as AMSI_PoSh_script.ps1
+$testString = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386" 
+Invoke-Expression $testString
+```
+
+1. As an administrator, open PowerShell.
+
+2. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press **Enter**.
+
+   The result should be as follows:
+
+   ```powershell
+   Invoke-Expression : At line:1 char:1
+
+   + AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386
+
+   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+   This script contains malicious content and has been blocked by your antivirus software.
+
+   At C:\Users\Admin\Desktop\AMSI_PoSh_script.ps1:3 char:1
+
+   + Invoke-Expression $testString
+
+   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
+
+    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
+    
+    ```
+
+
+### Testing AMSI with VBScript
+
+```vbscript
+
+REM Save this sample AMSI vbscript as AMSI_vbscript.vbs
+Dim result 
+result = eval("AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386")
+WScript.Echo result
+
+```
+
+1. Open Command Prompt as an administrator.
+
+2. Type `wscript AMSI_vbscript.js`, and then press **Enter**.
+
+   The result should be as follows:
+
+   ```console
+
+   Windows Script Host
+
+   Script: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+   Line: 3
+
+   Char: 1
+
+   Error: This script contains malicious content and has been blocked by your antivirus software.: 'eval'
+
+   Code: 800A802D
+
+   Source: Microsoft VBScript runtime error
+
+   ```
+
+### Verifying the test results
+
+In your protection history, you should be able to see the following information:
+
+```console
+
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+
+Details: This program is dangerous and replicates by infecting other files.
+
+Affected items:
+
+amsi: \Device\HarddiskVolume3\Windows\System32\WindowsPowershell\v1.0\powershell.exe
+
+or
+
+amsi: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+and/or you might see:
+
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+
+Details: This program is dangerous and replicates by infecting other files
+
+Affected items:
+
+```
+
+### Get the list of Microsoft Defender Antivirus threats
+
+You can view detected threats by using the Event log or PowerShell.
+
+#### Use the Event log
+
+1. Go to **Start**, and search for `EventVwr.msc`. Open Event Viewer in the list of results.
+
+2. Go to **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender operational events**.
+
+3. Look for `event ID 1116`. You should see the following information:
+
+   ```console
+
+   Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
+
+   For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/MpTest!amsi&threatid=2147694217&enterprise=0
+
+   Name: Virus:Win32/MpTest!amsi
+
+   ID: 2147694217
+
+   Severity: Severe
+
+   Category: Virus
+
+   Path: _\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or _C:\Users\Admin\Desktop\AMSI_jscript.js;   file: _C:\Users\Admin\Desktop\AMSI_jscript.js->[Eval] or _C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+   Detection Origin: Local machine or Unknown
+
+   Detection Type: Concrete
+
+   Detection Source: System
+
+   User: NT AUTHORITY\SYSTEM
+
+   Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Windows\System32\cscript.exe or C:\Windows\System32\wscript.exe or Unknown 
+
+   Security intelligence Version: AV: 1.419.221.0, AS: 1.419.221.0, NIS: 1.419.221.0
+
+   Engine Version: AM: 1.1.24080.9, NIS: 1.1.24080.9
+
+   ```
+
+##### Use PowerShell
+
+Open PowerShell, and then type the following command: `Get-MpThreat`.
+
+You might see the following results:
+
+```console
+
+CategoryID       : 42
+
+DidThreatExecute : True
+
+IsActive         : True
+
+Resources        :
+
+RollupStatus     : 97
+
+SchemaVersion    : 1.0.0.0
+
+SeverityID       : 5
+
+ThreatID         : 2147694217
+
+ThreatName       : Virus:Win32/MpTest!amsi
+
+TypeID           : 0
+
+PSComputerName   :
+
+```
+
+## See also
+
+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
+
+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/mac-jamfpro-policies.md b/defender-endpoint/mac-jamfpro-policies.md
@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 08/26/2024
+ms.date: 09/30/2024
 ---
 
 # Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro
diff --git a/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md b/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
@@ -14,7 +14,7 @@ ms.collection:
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 09/27/2024
+ms.date: 09/30/2024
 ---
 
 # Manage the sources for Microsoft Defender Antivirus protection updates
@@ -91,7 +91,7 @@ You can manage the order in which update sources are used with Group Policy, Mic
 > [!IMPORTANT]
 > If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
 
-The procedures in this article first describe how to set the order, and then how to set up the **File share** option if it's enabled.
+The procedures in this article first describe how to set the order, and then how to set up the Windows File Server - **File share** option if it's enabled.
 
 ## Use Group Policy to manage the update location
 
@@ -117,10 +117,10 @@ The procedures in this article first describe how to set the order, and then how
 
 7. Edit the **Define file shares for downloading security intelligence updates** setting and then set the option to **Enabled**.
 
-8. On a Windows Server, specify the file share source. If you have multiple sources, specify each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path. For example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. 
+1. On a Windows Server, specify the file share source. If you have multiple sources, specify each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path. For example: `\\WindowsFileServer\share-name\object-name|\\host-name2\share-name\object-name`. 
 
    If you don't enter any paths, then this source is skipped when the VM downloads updates.
-      
+   
 9. Select **OK**. This action sets the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
 
 
@@ -174,7 +174,7 @@ For example, suppose that Contoso has hired Fabrikam to manage their security so
 
 ## Create a UNC share for security intelligence and platform updates
 
-On a Windows Server set up a network file share (UNC/mapped drive) to download security intelligence and platform updates from the MMPC site by using a scheduled task.
+On a Windows File Server set up a network file share (UNC/mapped drive) to download security intelligence and platform updates from the MMPC site by using a scheduled task.
 
 1. On the system for which you want to provision the share and download the updates, create a folder for the script.
 
diff --git a/defender-endpoint/onboard-configure.md b/defender-endpoint/onboard-configure.md
@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: onboard
 search.appverid: met150
-ms.date: 03/28/2024
+ms.date: 09/30/2024
 ---
 
 # Configure Microsoft Defender for Endpoint capabilities
@@ -48,6 +48,7 @@ Onboarding devices effectively enables the endpoint detection and response capab
 | [Configure Next-generation protection (NGP)](configure-microsoft-defender-antivirus-features.md) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:<br> <br>-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.<br> <br> - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").<br><br> - Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research. |3|
 | [Configure attack surface reduction](overview-attack-surface-reduction.md) | Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats. |4|
 | [Configure Auto Investigation & Remediation (AIR) capabilities](configure-automated-investigations-remediation.md) | Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature uses various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. AIR significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.|Not applicable|
+| [Activate Microsoft Defender for Identity capabilities directly on a domain controller](/defender-for-identity/deploy/activate-capabilities) | Microsoft Defender for Identity customers, who've already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a Microsoft Defender for Identity sensor. |Not applicable|
 | [Configure Microsoft Defender Experts capabilities](/defender-xdr/defender-experts-for-hunting) | Microsoft  Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.|Not applicable|
 
 For more information, see [Supported Microsoft Defender for Endpoint capabilities by platform](supported-capabilities-by-platform.md).
