Commit 96e3e78

Merge pull request #2704 from MicrosoftDocs/main
Publish main to live, 02/10/25, 10:30 AM PT
2 parents e00489d + 6360b81 commit 96e3e78

5 files changed

+58
-16
lines changed

CloudAppSecurityDocs/network-requirements.md

Lines changed: 3 additions & 0 deletions
@@ -46,6 +46,9 @@ dev.virtualearth.net
4646
flow.microsoft.com
4747
static2.sharepointonline.com
4848
*.blob.core.windows.net
49+
discoveryresources-cdn-prod.cloudappsecurity.com
50+
discoveryresources-cdn-gov.cloudappsecurity.com
51+
4952
```
5053

5154
Additionally, the following items should be allowed, depending on which data center you use:
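Review bot: the new entry `discoveryresources-cdn-gov.cloudappsecurity.com` on line 50+ looks, from its `-gov` name, like a government-cloud endpoint, yet it is added to the general allowlist that the sentence right after the fence ("Additionally, the following items should be allowed, depending on which data center you use") separates from data-center-specific items; either move it to the data-center-specific list or state in the text that both CDN hosts must be allowed regardless of data center. Line 51+ also adds an empty line inside the fenced block immediately before the closing ``` on line 4952, which renders as a trailing blank line in the sample; drop it.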

defender-endpoint/edr-in-block-mode.md

Lines changed: 19 additions & 3 deletions
@@ -14,7 +14,7 @@ ms.custom:
1414
- next-gen
1515
- mde-edr
1616
- admindeeplinkDEFENDER
17-
ms.date: 06/25/2024
17+
ms.date: 02/10/2025
1818
ms.collection:
1919
- m365-security
2020
- tier2
@@ -80,16 +80,32 @@ When EDR in block mode is turned on, and a malicious artifact is detected, Defen
8080

8181
1. Go to the Microsoft Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) and sign in.
8282

83-
2. Choose **Settings** \> **Endpoints** \> **General** \> **Advanced features**.
83+
1. Choose **Settings** > **Endpoints** > **General** > **Advanced features**.
8484

85-
3. Scroll down, and then turn on **Enable EDR in block mode**.
85+
1. Scroll down, and then turn on **Enable EDR in block mode**.
8686

8787
### Intune
8888

8989
To create a custom policy in Intune, see [Deploy OMA-URIs to target a CSP through Intune, and a comparison to on-premises](/troubleshoot/mem/intune/deploy-oma-uris-to-target-csp-via-intune).
9090

9191
For more information on the Defender CSP used for EDR in block mode, see "Configuration/PassiveRemediation" under [Defender CSP](/windows/client-management/mdm/defender-csp).
9292

93+
### Group Policy
94+
95+
You can use Group Policy to enable EDR in block mode.
96+
97+
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
98+
99+
1. Right-click the Group Policy Object you want to configure, and then select **Edit**.
100+
101+
2. In the **Group Policy Management Editor** go to **Computer configuration** and then select **Administrative templates**.
102+
103+
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Features**.
104+
105+
4. Double-click **Enable EDR in block mode** and set the option to **Enabled**.
106+
107+
5. Select **OK**.
108+
93109
## Requirements for EDR in block mode
94110

95111
The following table lists requirements for EDR in block mode:
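Review bot: the new Group Policy steps on lines 97+ through 107+ are numbered `1., 1., 2., 3., 4., 5.`, while lines 83+ and 85+ in the same hunk convert the portal steps to the all-`1.` style; use one convention, preferably `1.` for every item as the rest of the hunk does, so the two lists render and diff consistently. Line 101+ needs a comma after "In the **Group Policy Management Editor**" ("..., go to **Computer configuration**"), matching the wording of line 103+. Unlike the Intune section above (line 91), which points at "Configuration/PassiveRemediation" in the Defender CSP, the Group Policy section gives no reference for the **Enable EDR in block mode** policy; a link to the corresponding policy reference would let readers confirm the path **Windows components** > **Microsoft Defender Antivirus** > **Features**.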

defender-endpoint/indicator-file.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
66
ms.author: deniseb
77
author: denisebmsft
88
ms.localizationpriority: medium
9-
ms.date: 12/30/2024
9+
ms.date: 02/06/2025
1010
manager: deniseb
1111
audience: ITPro
1212
ms.collection:
@@ -53,7 +53,7 @@ Understand the following prerequisites before you create indicators for files:
5353

5454
- [Behavior Monitoring is enabled](behavior-monitor.md)
5555

56-
- [Cloud-based protection is turned on](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).
56+
- [Cloud-based protection is turned on](/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus).
5757

5858
- [Cloud Protection network connectivity is functional](configure-network-connections-microsoft-defender-antivirus.md)
5959

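Review bot: the replacement link on line 56+ uses a root-relative path (`/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus`) while the neighbouring items on lines 54 and 58 use file-relative links (`behavior-monitor.md`, `configure-network-connections-microsoft-defender-antivirus.md`); the target is in the same `defender-endpoint` folder as this file, so `enable-cloud-protection-microsoft-defender-antivirus.md` would keep the list consistent and let the build validate the link. The trailing period on this item is also the only one in the list; drop it or add one to the sibling items.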
defender-endpoint/network-protection.md

Lines changed: 31 additions & 8 deletions
@@ -3,7 +3,7 @@ title: Use network protection to help prevent connections to malicious or suspic
33
description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
44
ms.service: defender-endpoint
55
ms.localizationpriority: medium
6-
ms.date: 01/16/2025
6+
ms.date: 02/10/2025
77
audience: ITPro
88
author: denisebmsft
99
ms.author: deniseb
@@ -63,9 +63,7 @@ The following table summarizes network protection areas of coverage.
6363
- Encrypted URLs (full path) are only blocked on Microsoft browsers (Internet Explorer, Microsoft Edge).
6464
- Encrypted URLs (FQDN only) are blocked in non-Microsoft browsers.
6565
- URLs loaded via HTTP connection coalescing, such as content loaded by modern CDNs, are only blocked on Microsoft browsers (Internet Explorer, Microsoft Edge), unless the CDN URL itself is added to the indicator list.
66-
6766
- Network Protection will block connections on both standard and non-standard ports.
68-
6967
- Full URL path blocks are applied for unencrypted URLs.
7068

7169
There might be up to two hours of latency (usually less) between the time when the action is taken and the URL/IP is blocked.
@@ -125,7 +123,7 @@ Support for Command and Control servers (C2) is an important part of this ransom
125123
#### Network protection: New toast notifications
126124

127125
| New mapping | Response category | Sources |
128-
| :--- | :--- | :--- |
126+
| --- | --- | --- |
129127
| `phishing` | `Phishing` | `SmartScreen` |
130128
| `malicious` | `Malicious` | `SmartScreen` |
131129
| `command and control` | `C2` | `SmartScreen` |
@@ -135,7 +133,7 @@ Support for Command and Control servers (C2) is an important part of this ransom
135133
| `by your IT admin` | `CustomPolicy` | |
136134

137135
> [!NOTE]
138-
> **customAllowList** does not generate notifications on endpoints.
136+
> `customAllowList` does not generate notifications on endpoints.
139137
140138
### New notifications for network protection determination
141139

@@ -297,7 +295,7 @@ Defender for Endpoint provides detailed reporting into events and blocks as part
297295

298296
You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
299297

300-
1. [Copy the XML directly](overview-attack-surface-reduction.md).
298+
1. [Copy the XML directly](/defender-endpoint/overview-attack-surface-reduction#copy-the-xml-directly).
301299

302300
2. Select **OK**.
303301

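Review bot: line 298+ changes the link style from file-relative (`overview-attack-surface-reduction.md`) to root-relative (`/defender-endpoint/overview-attack-surface-reduction#copy-the-xml-directly`); the target is in this file's own folder, so `overview-attack-surface-reduction.md#copy-the-xml-directly` would add the missing anchor without switching conventions within the file.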
@@ -454,9 +452,34 @@ You can disable QUIC at the web browser level. However, this method of disabling
454452

455453
## Optimizing network protection performance
456454

457-
Network protection includes performance optimization that allows `block` mode to asynchronously inspect long-lived connections, which might provide a performance improvement. This optimization can also help with app compatibility problems. This capability is on by default. You can turn off this capability by using the following PowerShell cmdlet:
455+
Network protection includes performance optimization that allows `block` mode to asynchronously inspect long-lived connections, which might provide a performance improvement. This optimization can also help with app compatibility problems. This capability is on by default.
456+
457+
#### Use CSP to enable AllowSwitchToAsyncInspection
458+
459+
[/windows/client-management/mdm/defender-csp](/windows/client-management/mdm/defender-csp#configurationallowswitchtoasyncinspection)
460+
461+
#### Use Group Policy to enable Turn on asynchronous inspection
462+
463+
This procedure enables network protection to improve performance by switching from real-time inspection to asynchronous inspection.
464+
465+
1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)).
466+
467+
2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
468+
469+
3. In the Group Policy Management Editor, go to **Computer configuration**, and then select **Administrative templates**.
470+
471+
4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Network inspection system**.
472+
473+
5. Double-click **Turn on asynchronous inspection**, and then set the option to **Enabled**.
474+
475+
6. Select **OK**.
476+
477+
478+
#### Use Microsoft Defender Antivirus Powershell cmdlet to enable Turn on asynchronous inspection
479+
480+
You can turn on this capability by using the following PowerShell cmdlet:
458481

459-
`Set-MpPreference -AllowSwitchToAsyncInspection $false`
482+
`Set-MpPreference -AllowSwitchToAsyncInspection $true`
460483

461484
## See also
462485

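Review bot: the cmdlet on line 482+ now sets `-AllowSwitchToAsyncInspection $true` and the lead-in on line 480+ says "You can turn on this capability", yet line 455+ still states "This capability is on by default"; the removed line 459- documented how to turn the optimization off (`$false`), and that guidance is lost, so as written the reader is told to enable something that is already enabled. Either keep the "on by default" sentence and show `$false` as the way to disable it (with `$true` to re-enable), or remove the sentence. Smaller points in the same hunk: the three new `####` headings on lines 457+, 461+ and 478+ sit directly under the `##` heading on line 453, skipping the `###` level; "Powershell" on line 478+ should be "PowerShell"; the CSP section on line 459+ is a bare link with no sentence, which could read "See [Configuration/AllowSwitchToAsyncInspection](/windows/client-management/mdm/defender-csp#configurationallowswitchtoasyncinspection) in the Defender CSP."; and lines 476+ and 477+ leave a double blank line.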
defender-endpoint/web-content-filtering.md

Lines changed: 3 additions & 3 deletions
@@ -6,7 +6,7 @@ ms.author: deniseb
66
author: denisebmsft
77
ms.reviewer: tdoucett
88
ms.localizationpriority: medium
9-
ms.date: 08/15/2024
9+
ms.date: 02/10/2025
1010
manager: deniseb
1111
audience: ITPro
1212
ms.collection:
@@ -99,7 +99,7 @@ Policies can be deployed to block any of the following parent or child categorie
9999
|---|---|
100100
| **Adult content** | - **Cults**: Sites related to groups or movements whose members demonstrate passion for a belief system that is different from those that are socially accepted.<br/><br/>- **Gambling**: Online gambling and sites that promote gambling skills and practice.<br/><br/>- **Nudity**: Sites that provide full-frontal and semi-nude images or videos, typically in artistic form, and might allow the download or sale of such materials.<br/><br/>- **Pornography / Sexually explicit**: Sites containing sexually explicit content in an image-based or textual form. Any form of sexually oriented material is also listed here.<br/><br/>- **Sex education**: Sites that discuss sex and sexuality in an informative and nonvoyeuristic way, including sites that provide education about human reproduction and contraception, sites that offer advice on preventing infection from sexual diseases, and sites that offer advice on sexual health matters.<br/><br/>- **Tasteless**: Sites oriented towards content unsuitable for school children to view or that an employer would be uncomfortable with their staff accessing, but not necessarily violent or pornographic.<br/><br/>- **Violence**: Sites that display or promote content related to violence against humans or animals. |
101101
| **High bandwidth** | - **Download sites**: Sites whose primary function is to allow users to download media content or programs, such as computer programs.<br/><br/>- **Image sharing**: Sites that are used primarily for searching or sharing photos, including those that have social aspects.<br/><br/>- **Peer-to-peer**: Sites that host peer-to-peer (P2P) software or facilitate the sharing of files using P2P software.<br/><br/>- **Streaming media & downloads**: Sites whose primary function is the distribution of streaming media, or sites that allow users to search, watch, or listen to streaming media. |
102-
| **Legal liability** | - **Child abuse images**: Sites that include child abuse images or pornography.<br/><br/>- **Criminal activity**: Sites that give instruction on, advice about, or promotion of illegal activities.<br/><br/>- **Hacking**: Sites that provide resources for illegal or questionable use of computer software or hardware, including sites that distribute copyrighted material that has been cracked.<br/><br/>- **Hate & intolerance**: Sites promoting aggressive, degrading, or abusive opinions about any section of the population that could be identified by race, religion, gender, age, nationality, physical disability, economic situation, sexual orientations or any other lifestyle choice.<br/><br/>- **Illegal drug**: Sites that sell illegal/controlled substances, promote substance abuse, or sell related paraphernalia.<br/><br/>- **Illegal software**: Sites that contain or promote the use of malware, spyware, botnets, phishing scams, or piracy & copyright theft.<br/><br/>- **School cheating**: Sites related to plagiarism or school cheating.<br/><br/>- **Self-harm**: Sites that promote self-harm, including cyberbullying sites that contain abusive and/or threatening messages towards users.<br/><br/>- **Weapons**: Any site that sells weapons or advocates the use of weapons, including but not limited to guns, knives, and ammunition. |
102+
| **Legal liability** | - **Child abuse images**: Sites that include child abuse images or pornography.<br/><br/>- **Criminal activity**: Sites that give instruction on, advise about, or promotion of illegal activities.<br/><br/>- **Hacking**: Sites that provide resources for illegal or questionable use of computer software or hardware, including sites that distribute copyrighted material that has been cracked.<br/><br/>- **Hate & intolerance**: Sites promoting aggressive, degrading, or abusive opinions about any section of the population that could be identified by race, religion, gender, age, nationality, physical disability, economic situation, sexual orientations or any other lifestyle choice.<br/><br/>- **Illegal drug**: Sites that sell illegal/controlled substances, promote substance abuse, or sell related paraphernalia.<br/><br/>- **Illegal software**: Sites that contain or promote the use of malware, spyware, botnets, phishing scams, or piracy & copyright theft.<br/><br/>- **School cheating**: Sites related to plagiarism or school cheating.<br/><br/>- **Self-harm**: Sites that promote self-harm, including cyberbullying sites that contain abusive and/or threatening messages towards users.<br/><br/>- **Weapons**: Any site that sells weapons or advocates the use of weapons, including but not limited to guns, knives, and ammunition. |
103103
| **Leisure** | - **Chat**: Sites that are primarily web-based chat rooms.<br/><br/>- **Games**: Sites relating to video or computer games, including sites that promote gaming through hosting online services or information related to gaming.<br/><br/>- **Instant messaging**: Sites that can be used to download instant messaging software or client based instant messaging.<br/><br/>- **Professional network**: Sites that provide professional networking services.<br/><br/>- **Social networking**: Sites that provide social networking services.<br/><br/>- **Web-based email**: Sites offering web-based mail services. |
104104
| **Uncategorized** | - **Newly registered domains**: Sites that are newly registered in the past 30 days and haven't yet been moved to another category.<br/><br/>- **Parked domains**: Sites that have no content or are parked for later use. |
105105

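Review bot: the only change on line 102+ replaces "advice about" with "advise about", which breaks the parallel noun phrase "instruction on, advice about, or promotion of illegal activities" (the verb "advise" now sits between the nouns "instruction" and "promotion"); revert to "advice about".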
@@ -155,7 +155,7 @@ If you encounter a domain that has been incorrectly categorized, you can dispute
155155

156156
To dispute the category of a domain, navigate to **Reports** \> **Web protection** \> **Web content filtering categories details** \> **Domains**. On the domains tab of the Web Content Filtering reports, find the ellipsis beside each of the domains. Hover over the ellipsis and then select **Dispute Category**.
157157

158-
A panel opens where you can select the priority and add more details such as the suggested category for recategorization. Once you complete the form, select **Submit**. Our team will review the request within one business day. For immediate unblocking, create a [custom allow indicator](indicator-ip-domain.md).
158+
A panel opens where you can select the priority and add more details such as the suggested category for recategorization. Once you complete the form, select **Submit**. Our team will review the request within one business day. For manual unblocking, create a [custom allow indicator](indicator-ip-domain.md) .
159159

160160
## Web content filtering cards and details
161161

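Review bot: line 158+ introduces a space before the final period ("indicator](indicator-ip-domain.md) ."); remove it. The change from "immediate" to "manual" unblocking also shifts the meaning: "immediate" told the reader why to use a custom allow indicator instead of waiting for the one-business-day review, while "manual" only describes the mechanism. If the point is that the indicator is the faster path, wording such as "To unblock the domain without waiting for the review, create a [custom allow indicator](indicator-ip-domain.md)." keeps it.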