You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/indicator-file.md
+9-23Lines changed: 9 additions & 23 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ ms.service: defender-endpoint
6
6
ms.author: deniseb
7
7
author: denisebmsft
8
8
ms.localizationpriority: medium
9
-
ms.date: 02/06/2025
9
+
ms.date: 03/04/2025
10
10
manager: deniseb
11
11
audience: ITPro
12
12
ms.collection:
@@ -29,9 +29,6 @@ search.appverid: met150
29
29
-[Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
30
30
-[Microsoft Defender for Business](/defender-business/mdb-overview)
31
31
32
-
> [!TIP]
33
-
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
34
-
35
32
> [!IMPORTANT]
36
33
> In Defender for Endpoint Plan 1 and Defender for Business, you can create an indicator to block or allow a file. In Defender for Business, your indicator is applied across your environment and cannot be scoped to specific devices.
37
34
@@ -52,42 +49,33 @@ There are three ways you can create indicators for files:
52
49
Understand the following prerequisites before you create indicators for files:
53
50
54
51
-[Behavior Monitoring is enabled](behavior-monitor.md)
55
-
56
52
-[Cloud-based protection is turned on](/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus).
57
-
58
53
-[Cloud Protection network connectivity is functional](configure-network-connections-microsoft-defender-antivirus.md)
59
-
60
54
- To start blocking files, [turn on the "block or allow" feature](advanced-features.md) in Settings (in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**).
61
55
62
56
### Windows prerequisites
63
57
64
58
- This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode)
65
-
66
-
- The Antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
67
-
59
+
- The antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
68
60
- This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022.
69
-
70
61
- File hash computation is enabled, by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\` to **Enabled**
71
62
72
63
> [!NOTE]
73
64
> File indicators support portable executable (PE) files, including `.exe` and `.dll` files only.
74
65
75
66
### macOS prerequisites
76
67
77
-
- Real-Time Protection (RTP) needs to be active.
78
-
79
-
-[File hash computation is enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line) by running `mdatp config enable-file-hash-computation --value enabled`
68
+
- Real-time protection (RTP) needs to be active.
69
+
-[File hash computation must be enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line). Run the following command: `mdatp config enable-file-hash-computation --value enabled`
80
70
81
71
> [!NOTE]
82
-
> File indicators for macOS, supports Mach-O files (akin to .exe's and dll's in Windows), scripts such as sh/bash, and AppleScript File (.scpt) files only.
72
+
> On Mac, file indicators support Mach-O files (akin to `.exe` and `.dll` in Windows) scripts, such as sh/bash and AppleScript File (`.scpt`) files only.
83
73
84
74
### Linux prerequisites
85
75
86
-
- Available in Defender for Endpoint version 101.85.27 or later.
87
-
88
-
-[File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON
89
-
90
-
- Behavior monitoring is preferred, but this will work with any other scan (RTP or Custom).
76
+
- Available in Defender for Endpoint version `101.85.27` or later.
77
+
-[File hash computation must be enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON
78
+
- Behavior monitoring enabled is preferred, but this feature works with any other scan (RTP or Custom).
91
79
92
80
## Create an indicator for files from the settings page
93
81
@@ -100,9 +88,7 @@ Understand the following prerequisites before you create indicators for files:
100
88
4. Specify the following details:
101
89
102
90
- Indicator: Specify the entity details and define the expiration of the indicator.
103
-
104
91
- Action: Specify the action to be taken and provide a description.
105
-
106
92
- Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)).
107
93
108
94
> [!NOTE]
@@ -161,7 +147,7 @@ Timestamp > ago(30d)
161
147
162
148
For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview).
163
149
164
-
Below are other thread names that can be used in the sample query from above:
150
+
Here are other thread names that can be used in the sample query:
0 commit comments