defender-endpoint/attack-surface-reduction-rules-reference.md
+3 -3 (3 additions & 3 deletions)
@@ -160,7 +160,7 @@ Links to information about configuration management system versions referenced i
160
160
|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands)| Y ||Y | Y |
161
161
|[Block rebooting machine in Safe Mode](#block-rebooting-machine-in-safe-mode)| Y || Y | Y |
162
162
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)| Y |Y <br><br> CB 1802 | Y | Y |
163
-
|[Block use of copied or impersonated system tools](#block-use-of-copied-or-impersonated-system-tools-preview)| Y || Y | Y |
163
+
|[Block use of copied or impersonated system tools](#block-use-of-copied-or-impersonated-system-tools)| Y || Y | Y |
164
164
|[Block Webshell creation for Servers](#block-webshell-creation-for-servers)| Y || Y | Y |
165
165
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros)| Y |Y <br><br> CB 1710 | Y | Y |
166
166
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)| Y |Y <br><br> CB 1802 | Y | Y |
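Review bot: The new link target on the changed table row, `#block-use-of-copied-or-impersonated-system-tools`, only resolves if the section heading it points to no longer ends in "(preview)", and none of the three changed lines in this file touches that heading. Please confirm the heading was already renamed in an earlier change, and check for other in-page or cross-article links that still use the old `-preview` anchor so they don't break silently.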
@@ -334,7 +334,7 @@ Enabling this rule doesn't provide additional protection if you have LSA protect
334
334
> 1. ASR audit events don't generate toast notifications. However, since the LSASS ASR rule produces large volume of audit events, almost all of which are safe to ignore when the rule is enabled in block mode, you can choose to skip the audit mode evaluation and proceed to block mode deployment, beginning with a small set of devices and gradually expanding to cover the rest.
335
335
> 2. The rule is designed to suppress block reports/toasts for friendly processes. It's also designed to drop reports for duplicate blocks. As such, the rule is well suited to be enabled in block mode, irrespective of whether toast notifications are enabled or disabled.
336
336
> 3. ASR in warn mode is designed to present users with a block toast notification that includes an "Unblock" button. Due to the "safe to ignore" nature of LSASS ASR blocks and their large volume, WARN mode isn't advisable for this rule (irrespective of whether toast notifications are enabled or disabled).
337
-
> 4. This rule is designed to block the processes from accessing LSASS.EXE process memory. It does not block them from running. If you see processes like svchost.exe being blocked, it is only blocking from accessing LSASS process memory. Thus, svchost.exe and other processes can be safely ignored. The 1 exception is in the known issues below.
337
+
> 4. This rule is designed to block the processes from accessing LSASS.EXE process memory. It doesn't block them from running. If you see processes like svchost.exe being blocked, it's only blocking from accessing LSASS process memory. Thus, svchost.exe and other processes can be safely ignored. The one exception is in the known issues below.
338
338
339
339
> [!NOTE]
340
340
> In this scenario, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal.
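Review bot: In item 4, the contraction fixes leave "Thus, svchost.exe and other processes can be safely ignored" unchanged, and it still reads as if the processes themselves can be ignored rather than the block events they generate. Since this note is what readers will use to triage LSASS ASR blocks, suggest "Thus, block events for svchost.exe and other processes can be safely ignored", and "it's only blocked from accessing LSASS process memory" in place of "it's only blocking from accessing". "The one exception is in the known issues below" would also be easier to follow with a link to that section.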
@@ -368,7 +368,7 @@ For technical support, contact the software vendor.
368
368
This rule blocks email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers from propagating the following file types:
369
369
370
370
- Executable files (such as .exe, .dll, or .scr)
371
-
- Script files (such as a PowerShell.ps1, Visual Basic .vbs, or JavaScript .js file)
371
+
- Script files (such as a PowerShell.ps1, Visual Basic .vbs, or JavaScript .js file)
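Review bot: The removed and added "Script files" lines read identically here, so this looks like a whitespace-only change, and the line still has "PowerShell.ps1" with no space before the extension, unlike "Visual Basic .vbs" and "JavaScript .js" beside it. While the line is being touched, suggest "a PowerShell .ps1, Visual Basic .vbs, or JavaScript .js file" so the extension isn't read as part of a file name.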
defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
+1 -1 (1 addition & 1 deletion)
@@ -65,7 +65,7 @@ For more information on what's new with other Microsoft Defender security produc
65
65
66
66
## August 2024
67
67
68
-
-**Network Protection feature is enabled by default** in Microsoft Defender for Endpoint on Android. As a result, users will be able to see a network protection card in the Defender for Endpoint app, along with App Protection and Web Protection. Users are also required to provide location permission to complete the setup process. Admins can change the default value for network protection if they decide not to use it via the Intune App Configuration policies. This feature was already enabled by default earlier on Microsoft Defender for Endpoint on iOS. For more information, see [network protection](/defender-endpoint/android-configure#network-protection).
68
+
-**Network Protection feature is enabled by default** in Microsoft Defender for Endpoint on Android. As a result, users are able to see a network protection card in the Defender for Endpoint app, along with App Protection and Web Protection. Users are also required to provide location permission to complete the setup process. Admins can change the default value for network protection if they decide not to use it via the Intune App Configuration policies. This feature was already enabled by default earlier on Microsoft Defender for Endpoint on iOS. For more information, see [network protection](/defender-endpoint/android-configure#network-protection).
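Review bot: On the changed August 2024 bullet, "users are able to see a network protection card" can be tightened to "users can see" or "users see", in keeping with the present-tense cleanup this change is making. The untouched sentence "This feature was already enabled by default earlier on Microsoft Defender for Endpoint on iOS" is also redundant ("already" and "earlier"); dropping "earlier" would fix it.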