Merge pull request #2849 from MicrosoftDocs/main

Publish main to live, 02/19/25, 3:30 PM PT

Author: Ruchika-mittal01

defender-endpoint/TOC.yml

@@ -66,6 +66,8 @@
     - name: Evaluate Microsoft Defender Antivirus
       href: evaluate-microsoft-defender-antivirus.md
       items:
+      - name: Guidance for pen testing and BAS scenarios
+        href: guidance-for-pen-testing-and-bas.md
       - name: Evaluate Microsoft Defender Antivirus using PowerShell
         href: microsoft-defender-antivirus-using-powershell.md
       - name: Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management

defender-endpoint/api/device-health-export-antivirus-health-report-api.md

@@ -5,7 +5,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 06/25/2024
+ms.date: 02/19/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -24,8 +24,8 @@ search.appverid: met150
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](../microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](../microsoft-defender-endpoint.md)
+
 - [Microsoft Defender XDR](/defender-xdr)
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)

defender-endpoint/configure-notifications-microsoft-defender-antivirus.md

@@ -8,7 +8,7 @@ author: emmwalshh
 ms.topic: conceptual
 ms.author: ewalsh
 ms.custom: nextgen
-ms.date: 10/18/2021
+ms.date: 02/19/2025
 ms.reviewer: yongrhee
 manager: deniseb
 ms.collection: 
@@ -31,12 +31,27 @@ search.appverid: met150
 
 In Windows 10 and Windows 11, application notifications about malware detection and remediation are more robust, consistent, and concise. Microsoft Defender Antivirus notifications appear on endpoints when scans are completed and threats are detected. Notifications follow both scheduled and manually triggered scans. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
 
-If you're part of your organization's security team, you can configure how notifications appear on endpoints, such as notifications that prompt for a system reboot or that indicate a threat has been detected and remediated.
+If you're part of your organization's security team, you can configure how notifications appear on endpoints, such as notifications that prompt for a system reboot or that indicate a threat was detected and remediated.
 
 ## Configure antivirus notifications using Group Policy or the Windows Security app
 
 You can configure the display of more notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy.
 
+
+| Setting| Description |
+| -------- | -------- |
+| Configure time interval for service health reports | This policy setting configures the time interval (in minutes) for the service health reports to be sent from endpoints. If you disable or don't configure this setting, the default value is applied. The default value is set at 60 minutes (1 hour). If you configure this setting to 0, no service health reports are sent. The maximum value allowed to be set is 14400 minutes (10 days). |
+| Configure time out for detections in critically failed state | This policy setting configures the time in minutes before a detection in the "critically failed" state to moves to either the "additional action" state or the "cleared" state. |
+| Configure time out for detections in noncritical failed state | This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. |
+| Configure time out for detections in recently remediated state | This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. |
+| Configure time out for detections in requiring additional action | This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. |
+| Configure Watson events | This policy setting allows you to configure whether or not Watson events are sent. If you enable or don't configure this setting, Watson events are sent. If you disable this setting, Watson events aren't sent. |
+| Configure whether to report Dynamic Signature dropped events | This policy setting configures whether to report Dynamic Signature dropped events. If you don't configure this setting, the default value is applied. The default value is set to disabled (such events aren't reported). If you configure this setting to be enabled, Dynamic Signature dropped events are reported. If you configure this setting to disabled, Dynamic Signature dropped events aren't reported. |
+| Configure Windows software trace preprocessor components | This policy configures Windows software trace preprocessor (WPP Software Tracing) components. |
+| Configure WPP tracing level | This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as:  1 - Error  2 - Warning  3 - Info  4 - Debug |
+| Turn off enhanced notifications | Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients. |
+
+
 > [!NOTE]
 > In Windows 10, version 1607 the feature was called **Enhanced notifications** and was configured under **Windows Settings** \> **Update & security** \> **Windows Defender**. In Group Policy settings for all versions of Windows 10 and Windows 11, the notification feature is called **Enhanced notifications**.
 

defender-endpoint/device-health-microsoft-defender-antivirus-health.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
-ms.date: 02/11/2025
+ms.date: 02/19/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -23,9 +23,8 @@ ms.reviewer: mkaminska, yongrhee
 **Applies to:**
 
 - [Microsoft Defender XDR](/defender-xdr)
-- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+
 - [Microsoft Defender for Business](/defender-business/mdb-overview)
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)

defender-endpoint/device-health-reports.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: ewalsh
 author: emmwalshh
 ms.localizationpriority: medium
-ms.date: 06/25/2024
+ms.date: 02/19/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -22,9 +22,8 @@ ms.reviewer: mkaminska
 **Applies to:**
 
 - [Microsoft Defender XDR](/defender-xdr)
-- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+
 - [Microsoft Defender for Business](/defender-business/mdb-overview)
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)

defender-endpoint/device-health-sensor-health-os.md

@@ -22,9 +22,8 @@ ms.reviewer: mkaminska
 **Applies to:**
 
 - [Microsoft Defender XDR](/defender-xdr)
-- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
-- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
+
 - [Microsoft Defender for Business](/defender-business/mdb-overview)
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630&clcid=0x409&culture=en-us&country=us)
@@ -34,7 +33,7 @@ The Device Health report provides information about the devices in your organiza
 > [!IMPORTANT]
 > For Windows Server 2012 R2 and Windows Server 2016 to appear in device health reports, these devices must be onboarded using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows Server 2012 R2 and 2016](configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
 
-In the Microsoft Defender portalnel, select **Reports**, and then open **Device health and compliance**.
+In the Microsoft Defender portal, select **Reports**, and then open **Device health and compliance**.
 
 - The [**Sensor health & OS** tab](#sensor-health--os-tab) provides general operating system information, divided into three cards that display the following device attributes:
   - [Sensor health card](#sensor-health-card)

defender-endpoint/guidance-for-pen-testing-and-bas.md

@@ -0,0 +1,128 @@
+---
+title: Guidance for pen testing and breach-and-attack-simulation (BAS) scenarios with Microsoft Defender for Endpoint 
+description: This article provides guidance for conducting penetration testing and breach-and-attack simulation (BAS) scenarios using Microsoft Defender for Endpoint and Microsoft Defender Antivirus. 
+ms.service: defender-endpoint
+ms.localizationpriority: medium
+ms.topic: conceptual
+author: emmwalshh
+ms.author: ewalsh
+ms.reviewer: yongrhee
+manager: deniseb
+ms.custom: nextgen
+ms.date: 02/19/2025
+ms.subservice: ngp
+ms.collection: 
+- m365-security
+- tier2
+- mde-ngp
+search.appverid: met150
+---
+
+# Guidance for penetration testing and breach-and-attack-simulation scenarios with Microsoft Defender for Endpoint
+
+This article describes common challenges and potential misconfigurations that might arise during penetration testing (pen testing) or using breach and attack simulation (BAS) tools. This article also describes how to submit potential false negatives for investigation.
+
+## Common challenges during pen testing
+
+- Testing the current configuration of the environment, which might not be the optimal configuration for Microsoft Defender for Endpoint or Microsoft Defender Antivirus.
+
+- Concerns about enabling [cloud protection](cloud-protection-microsoft-defender-antivirus.md), as it might proceed to cloud protection detonation if it doesn't find metadata. For more information about Microsoft Defender Antivirus and cloud protection, see [hybrid detection and protection](/defender-endpoint/adv-tech-of-mdav).
+
+> [!NOTE]
+> If you're downloading multiple payloads and notice that Microsoft Defender Antivirus doesn't remediate some of the payloads, keep in mind that what's occurring might not be a true positive, and a non-Microsoft vendor might be showing a false positive. See [How to submit possible false negatives for investigation](#how-to-submit-possible-false-negatives-for-investigation) (in this article).
+
+## Common misconfigurations of Microsoft Defender Antivirus during pen testing
+
+It's common for penetration testers to disable features of Microsoft Defender Antivirus while executing their attack. Before doing so, confirm that the following settings are configured:
+
+- [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) is enabled in block mode.
+
+- Microsoft Defender Antivirus is running as the primary antivirus, and not in [passive mode](/defender-endpoint/microsoft-defender-antivirus-compatibility). If you're using non-Microsoft antivirus, we recommend uninstalling it during pen testing.
+
+- [Platform update, engine update, and/or Security intelligence updates](/defender-endpoint/microsoft-defender-antivirus-updates) are up to date.
+
+- [Real-time protection](configure-protection-features-microsoft-defender-antivirus.md) is enabled.
+
+- [Behavior monitoring](/defender-endpoint/behavior-monitor) is enabled.
+
+- Adding [antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md) to where the payload is, after the payload is copied. After you copy the payload to the device, remove the antivirus exclusion so that Microsoft Defender Antivirus can block detections during pen testing.
+
+- Make sure that you don't have antivirus exclusions for your BAS tools, such as AttackIQ, Cymulate, SafeBreach, and others.
+
+- [Cloud-delivered protection](/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus) is enabled.
+
+- [Cloud protection sample submission](/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) is enabled.
+
+- [Cloud protection network connection](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) is working.
+
+- [Protection from potentially unwanted apps](/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA) is enabled.
+
+- [Attack surface reduction rules](/defender-endpoint/overview-attack-surface-reduction)  (ASR rules) are set to block mode.
+
+- [Network Protection](/defender-endpoint/enable-network-protection) is set to block mode.
+
+- [Controlled Folder Access](/defender-endpoint/enable-controlled-folders) (CFA) is set to block mode.
+
+It's important to get the settings correct. To resolve misconfiguration issues, use the following articles:
+
+| OS | Management tool | Article |
+|--|--|--|
+| Windows | Microsoft Defender for Endpoint security settings management <br/>(*Recommended*) | [Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management (Endpoint security policies)](evaluate-mda-using-mde-security-settings-management.md) |
+| Windows | Group Policy | [Evaluate Microsoft Defender Antivirus using Group Policy](evaluate-mdav-using-gp.md)  |
+| Windows | PowerShell | [Evaluate Microsoft Defender Antivirus using PowerShell](microsoft-defender-antivirus-using-powershell.md) |
+| Mac | Jamf (or another tool)  | [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md) |
+| Linux | Configuration profile <br/> Defender for Endpoint security settings management | [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) |
+
+## How to submit possible false negatives for investigation
+
+### Step 1: Gather the Microsoft Defender for Endpoint diagnostic logs
+
+#### Use the MDE Client Analyzer log
+
+| Operating system | What to do |
+|--|--|
+| Windows | You can collect diagnostics logs by using [Live Response](/defender-endpoint/run-analyzer-windows) or [locally](/defender-endpoint/run-analyzer-windows). |
+| Mac | You can collect [locally](/defender-endpoint/run-analyzer-macos). |
+| Linux | You can collect using [Live Response](/defender-endpoint/run-analyzer-linux) or [locally](/defender-endpoint/run-analyzer-linux). |
+
+#### Microsoft Defender Antivirus diagnostic data (MpSupport.cab)
+
+| Operating system | What to do |
+|--|--|
+| Windows | 1. On the device, open Command Prompt as an administrator. <br/>2. Run the following command: [MpCmdRun.exe -getfiles](/defender-endpoint/collect-diagnostic-data). <br/><br/>You can also [collect the investigation package](/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) in the Microsoft Defender portal. |
+| Mac | 1. On the device, open Terminal (shell session). <br/>2. Run the following command: `mdatp log level set--level debug`. <br/>3. Run the following command: `sudo mdatp diagnostic create`. <br/><br/>For more information, see [Resources for Microsoft Defender for Endpoint on Mac](/defender-endpoint/mac-resources). |
+| Linux | 1. On the device, open Terminal (shell session). <br/>2. Run the following command: `mdatp log level set--level debug`. <br/>`sudo mdatp diagnostic create`. <br/><br/>For more information, see [Microsoft Defender for Endpoint on Linux resources](/defender-endpoint/linux-resources). |
+
+### Step 2: Gather information
+
+Ensure you have the following information ready
+
+- **Microsoft Defender OrgID**. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Microsoft Defender XDR** > **Account** > **Org ID**.
+
+- **Device ID**. In the [Microsoft Defender portal](https://security.microsoft.com), open the device page.
+
+- Binary names.
+
+- Start and end of when testing was done in `HH:MM:SS UTC` format.
+
+- It would be highly beneficial if you could provide the steps to reproduce the issue, along with a sample of the payload.
+
+### Step 3: Submit data to Microsoft as soon as possible
+
+It's crucial to report to Microsoft as soon as possible. The advanced hunting telemetry data wraps around and overwrites itself after 30 days. You can use either the Microsoft Defender Security Intelligence (MDSI) portal or the Microsoft Defender portal to submit your files.
+
+| Portal | Description |
+|--|--|
+| MDSI portal | The MDSI portal is a service provided by Microsoft Security Intelligence. It allows users to submit files for malware analysis. Microsoft security researchers analyze these files to determine if they're threats, unwanted applications, or normal files. The portal is used to report detection concerns to Microsoft Defender Research, submit files for analysis, and track the results of submissions.<br/><br/>This portal was formerly known as the Windows Defender Security Intelligence (WSDI). Because it currently supports Mac, Linux, and Android submissions, its name changed. |
+| Microsoft Defender portal | If you have a subscription to Microsoft Defender XDR, or your subscription includes Defender for Endpoint Plan 2, you can use the **Submissions** page in the Microsoft Defender portal. |
+
+1. Submit the data you gathered during steps 1-2 by using either the MDSI portal or the Microsoft Defender portal.
+
+   - **MDSI portal**: Go to the [MDSI portal](https://www.microsoft.com/en-us/wdsi), and then select **Submit files**. Follow the guidance on the page.
+   - **The Microsoft Defender portal**: See [Use admin submission for submitting files in Microsoft Defender for Endpoint](/defender-endpoint/admin-submissions-mde).
+
+2. After you upload the files, note the `Submission ID` for your sample submission (for example, `7c6c214b-17d4-4703-860b-7f1e9da03f7f`).
+
+3. Wait for an update. After Microsoft receives the sample, the file is investigated, and a determination is made. If Microsoft determines that the sample file is malicious, we take corrective action to prevent the malware from going undetected.
+
+   If you have questions, [contact support](/defender-endpoint/contact-support).