Merge branch 'main' into portals-admin-centers

Author: aditisrivastava07

.openpublishing.redirection.defender-xdr.json

@@ -170,6 +170,31 @@
       "redirect_url": "/defender-xdr/",
       "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/microsoft-threat-actor-naming.md",
+      "redirect_url": "/unified-secops-platform/microsoft-threat-actor-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/malware-naming.md",
+      "redirect_url": "/unified-secops-platform/malware-naming",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/criteria.md",
+      "redirect_url": "/unified-secops-platform/criteria",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/submission-guide.md",
+      "redirect_url": "/unified-secops-platform/submission-guide",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "defender-xdr/virus-initiative-criteria.md",
+      "redirect_url": "/unified-secops-platform/virus-initiative-criteria",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-xdr/tickets.md",
       "redirect_url": "/defender-xdr/troubleshoot",

defender-endpoint/TOC.yml

@@ -234,6 +234,8 @@
               href: mac-troubleshoot-mode.md
             - name: Troubleshoot macOS installation issues
               href: mac-support-install.md
+            - name: Troubleshoot macOS configuration
+              href: mac-support-configuration.md
             - name: Troubleshoot macOS performance issues overview
               href: mac-support-perf-overview.md
               displayName: Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS

defender-endpoint/evaluate-mda-using-mde-security-settings-management.md

@@ -3,8 +3,8 @@ title: Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint S
 ms.reviewer: yonghree
 description: Learn how to evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management (Endpoint security policies).
 ms.service: defender-endpoint
-ms.author: vpattnaik
-author: vpattnai
+ms.author: ewalsh
+author: emmwalshh
 ms.localizationpriority: medium
 manager: dolmont
 audience: ITPro
@@ -17,14 +17,14 @@ ms.custom:
 - cx-ean
 ms.subservice: edr
 search.appverid: met150
-ms.date: 10/30/2024
+ms.date: 02/12/2025
 ---
 
 # Evaluate Microsoft Defender Antivirus using Microsoft Defender Endpoint Security Settings Management (Endpoint security policies)
 
 In Windows 10 or later, and in Windows Server 2016 or later, you can use next-generation protection features offered by Microsoft Defender Antivirus (MDAV) and Microsoft Defender Exploit Guard (Microsoft Defender EG).
 
-This article describes configuration options in Windows 10 or later, and in Windows Server 2016 or later, that guide you to activate and test the key protection features in MDAV and Microsoft Defender EG; and provides you with guidance and with links to more information.
+This article outlines the configuration options available in Windows 10 and later versions, as well as in Windows Server 2016 and later versions. It provides step-by-step guidance on how to activate and test the key protection features in Microsoft Defender Antivirus (MDAV) and Microsoft Defender for Endpoint (EG).
 
 If you have any questions about a detection that MDAV makes, or you discover a missed detection, you can submit a file to us at our [sample submission help site](/defender-xdr/submission-guide).
 
@@ -49,24 +49,24 @@ To configure the options that you must use to test the protection features, perf
 1. From these groups of settings, select those settings that you want to manage with this profile.
 1. Set the policies for the chosen groups of settings by configuring the settings as described in the following tables:
 
-**Real-time Protection (Always-on protection, real-time scanning)**:
+   **Real-time Protection (Always-on protection, real-time scanning)**:
 
-|Description|Settings|
-|---|---|
-|Allow Realtime Monitoring|Allowed|
-|Real Time Scan Direction|Monitor all files (bi-directional)|
-|Allow Behavior Monitoring|Allowed|
-|Allow On Access Protection|Allowed|
-|PUA Protection|PUA Protection on|
+   |Description|Settings|
+   |---|---|
+   |Allow Real-time Monitoring|Allowed|
+   |Real Time Scan Direction|Monitor all files (bi-directional)|
+   |Allow Behavior Monitoring|Allowed|
+   |Allow On Access Protection|Allowed|
+   |PUA Protection|PUA Protection on|
 
-**Cloud protection features**:
+   **Cloud protection features**:
 
-|Description|Setting|
-|---|---|
-|Allow Cloud Protection|Allowed|
-|Cloud Block Level|High|
-|Cloud Extended Timeout|Configured, 50|
-|Submit Samples Consent|Send all samples automatically|
+   |Description|Setting|
+   |---|---|
+   |Allow Cloud Protection|Allowed|
+   |Cloud Block Level|High|
+   |Cloud Extended Time-out|Configured, 50|
+   |Submit Samples Consent|Send all samples automatically|
 
 Standard security intelligence updates can take hours to prepare and deliver; our cloud-delivered protection service can deliver this protection in seconds. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md).
 
@@ -86,7 +86,7 @@ Standard security intelligence updates can take hours to prepare and deliver; ou
 |Description|Setting|
 |---|---|
 |Enable Network Protection|Enabled (block mode)|
-|Allow Network Protection Down Level|Network protection will be enabled downlevel.|
+|Allow Network Protection Down Level|Network protection is enabled downlevel.|
 |Allow Datagram Processing On Win Server|Datagram processing on Windows Server is enabled.|
 |Disable DNS over TCP parsing|DNS over TCP parsing is enabled.|
 |Disable HTTP parsing|HTTP parsing is enabled.|
@@ -158,23 +158,54 @@ To enable Attack Surface Reduction (ASR) rules using the endpoint security polic
    |[PREVIEW] Block use of copied or impersonated system tools|Block|
    |Block JavaScript or VBScript from launching downloaded executable content|Block|
    |Block credential stealing from the Windows local security authority subsystem|Block|
-   |Block Webshell creation for Servers|Block|
+   |Block Web shell creation for Servers|Block|
    |Block Office applications from creating executable content|Block|
    |Block untrusted and unsigned processes that run from USB|Block|
    |Block Office applications from injecting code into other processes|Block|
    |Block persistence through WMI event subscription|Block|
    |Use advanced protection against ransomware|Block|
-   |Block process creations originating from PSExec and WMI commands|Block <br/> **NOTE**: If you have Configuration Manager (formerly SCCM), or other management tools, that use WMI, you might need to set this to **Audit** instead of **Block**.|
+   |Block process creations originating from PSExec and WMI commands|Block (If you have Configuration Manager (formerly SCCM), or other management tools that use WMI you might need to set this to **Audit** instead of **Block**)|
    |[PREVIEW] Block rebooting machine in Safe Mode|Block|
    |Enable Controlled Folder Access|Enabled|
 
 > [!TIP]
-> Any of the rules may block behavior you find acceptable in your organization. In these cases, add the per-rule exclusions named "Attack Surface Reduction Only Exclusions".  And, change the rule from **Enabled** to **Audit** to prevent unwanted blocks.
+> Any of the rules might block behavior you find acceptable in your organization. In these cases, add the per-rule exclusions named "Attack Surface Reduction Only Exclusions." Additionally, change the rule from **Enabled** to **Audit** to prevent unwanted blocks.
 
 1. Select **Next**.
-1. On the **Assignments** tab, select **Device Group** or **User Group** or **All devices** or **All Users**.
+2. On the **Assignments** tab, select **Device Group** or **User Group** or **All devices** or **All Users**.
+3. Select **Next**.
+4. On the **Review + create** tab, review your policy settings, and then select **Save**.
+
+#### Enable Tamper Protection
+
+1. Sign in to [Microsoft Defender XDR](https://sip.security.microsoft.com/).
+1. Go to **Endpoints > Configuration management > Endpoint security policies > Windows policies > Create new policy**.
+1. Select **Windows 10, Windows 11, and Windows Server** from the **Select Platform** drop-down list.
+1. Select **Security Experience** from the **Select Template** drop-down list.
+1. Select **Create policy**. The **Create a new policy** page appears.
+1. On the **Basics** page, enter a name and description for the profile in the **Name** and **Description** fields, respectively.
 1. Select **Next**.
-1. On the **Review + create** tab, review your policy settings, and then select **Save**.
+1. On the **Configuration settings** page, expand the groups of settings.
+1. From these groups, select the settings that you want to manage with this profile.
+1. Set the policies for the chosen groups of settings by configuring them as described in the following table:
+
+   |Description| Setting|
+   | -------- | -------- |
+   | TamperProtection (Device) | On|
+
+#### Check the Cloud Protection network connectivity
+
+It's important to check that the Cloud Protection network connectivity is working during your penetration testing.
+
+CMD (Run as admin)
+
+
+```powershell
+cd "C:\Program Files\Windows Defender"
+MpCmdRun.exe -ValidateMapsConnection
+```
+
+For more information [Use the cmdline tool to validate cloud-delivered protection](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus).
 
 #### Check the platform update version
 
@@ -188,7 +219,7 @@ Get-MPComputerStatus | Format-Table AMProductVersion
 
 #### Check the Security Intelligence Update version
 
-The latest "Security Intelligence Update" version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/defenderupdates).
+The latest "Security Intelligence Update" version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/defenderupdates).
 
 To check which "Security Intelligence Update" version you have installed, run the following command in PowerShell using the privileges of an administrator:
 
@@ -198,7 +229,7 @@ Get-MPComputerStatus | Format-Table AntivirusSignatureVersion
 
 #### Check the Engine Update version
 
-The latest scan "engine update" version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/defenderupdates).
+The latest scan "engine update" version is available in [Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/defenderupdates).
 
 To check which "Engine Update" version you have installed, run the following command in PowerShell using the privileges of an administrator:
 

defender-endpoint/linux-installer-script.md

@@ -50,7 +50,7 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
 
     4. Select **Download onboarding package**. Save the file as `WindowsDefenderATPOnboardingPackage.zip`.
 
-   :::image type="content" source="media/linux-script-image.png" alt-text="Screenshot showing the options to select to download the onboarding package." lightbox="media/linux-script-image.png":::
+       :::image type="content" source="media/linux-script-image.png" alt-text="Screenshot showing the options to select to download the onboarding package." lightbox="media/linux-script-image.png":::
 
     5. From a command prompt, extract the contents of the archive:
 
@@ -77,19 +77,19 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
    chmod +x mde_installer.sh
    ```
 
-4. Execute the installer script and provide the onboarding package as a parameter to install the agent and onboard the device to the Defender portal.
+1. Execute the installer script and provide the onboarding package as a parameter to install the agent and onboard the device to the Defender portal.
 
    ```bash
-
-   sudo ./mde_installer.sh --install --onboard ~/MicrosoftDefenderATPOnboardingLinuxServer.py --channel prod --min_req -y
-
+   
+   sudo ./mde_installer.sh --install --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --channel prod --min_req
+   
    ```
+   
+      This command deploys the latest agent version to the production channel, check for min system requisites and onboard the device to Defender Portal.
 
-   This command deploys the latest agent version to the production channel, check for min system requisites and onboard the device to Defender Portal.
-
-   Additionally you can pass more parameter based on your requirements to modify the installation. Check help for all the available options:
+      Additionally you can pass more parameter based on your requirements to modify the installation. Check help for all the available options:
 
-   ```bash
+      ```bash
 
     ❯ ./mde_installer.sh --help
    mde_installer.sh v0.7.0
@@ -108,7 +108,7 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
    -m|--min_req         enforce minimum requirements
    -x|--skip_conflict   skip conflicting application verification
    -w|--clean           remove repo from package manager for a specific channel
-   -y|--yes             assume yes for all mid-process prompts (default, depracated)
+   -y|--yes             assume yes for all mid-process prompts (default, deprecated)
    -n|--no              remove assume yes sign
    -s|--verbose         verbose output
    -v|--version         print out script version
@@ -124,19 +124,19 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
 
    | Scenario | Command |
    |---|---|
-   | Install a specific agent version | `sudo ~/mde_installer.sh --install --channel prod --onboard ~/MicrosoftDefenderATPOnboardingLinuxServer.py --min_req -y –-mdatp 101.24082.0004 ` |
-   | To upgrade to the latest version | `sudo ~/mde_installer.sh --upgrade -y` |
-   | For upgrading to a specific version | `sudo ~/mde_installer.sh --upgrade -y –-mdatp 101.24082.0004` |
-   | To downgrade to a specific version | `sudo ~/mde_installer.sh --downgrade -y –-mdatp 101.24082.0004` |
-   | To remove `mdatp` | `sudo ~/mde_installer.sh --remove -y` |
-
-
-   > [!NOTE]
-   > Upgrading your operating system to a new major version after the product installation requires the product to be reinstalled. You need to uninstall the existing Defender for Endpoint on Linux, upgrade the operating system, and then reconfigure Defender for Endpoint on Linux.
+   |Install a specific agent version | `sudo ./mde_installer.sh --install --channel prod --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --min_req –-mdatp 101.24082.0004 ` |
+   |Upgrade to the latest agent version | `sudo ./mde_installer.sh --upgrade` |
+   |Upgrade to a specific agent version | `sudo ./mde_installer.sh --upgrade –-mdatp 101.24082.0004` |
+   |Downgrade to a specific agent version | `sudo ./mde_installer.sh --downgrade –-mdatp 101.24082.0004` |
+   |Uninstall agent | `sudo ./mde_installer.sh --remove` |
+   
+   
+      > [!NOTE]
+      > Upgrading your operating system to a new major version after the product installation requires the product to be reinstalled. You need to uninstall the existing Defender for Endpoint on Linux, upgrade the operating system, and then reconfigure Defender for Endpoint on Linux.
 
 ## Verify deployment status
 
-1. In the [Microsoft Defender portal](https://security.microsoft.com), open the device inventory. It might take 5-20 mins for the device to show up in the portal.
+1. In the [Microsoft Defender portal](https://security.microsoft.com), open the device inventory. It might take 5-20 minutes for the device to show up in the portal.
 
 2. Run an antivirus detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
 
@@ -170,14 +170,22 @@ Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
       mdatp threat list
       ```
 
-3. Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
+1. Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
 
-   1. Verify that the onboarded Linux server appears in the Microsoft Defender portal. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
-
-   2. Download and extract the [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server, and run the following command: 
-   
-      `./mde_linux_edr_diy.sh`
+   1. Download and extract the [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server.
+      
+   1. Grant executable permissions to the script:
 
+      ```bash
+      chmod +x mde_linux_edr_diy.sh
+      ```
+      
+   1. Run the following command: 
+
+      ```bash
+      ./mde_linux_edr_diy.sh
+      ```
+      
    3. After a few minutes, a detection should be raised in the Microsoft Defender XDR.
 
    4. Check the alert details, machine timeline, and perform your typical investigation steps.