Merge branch 'main' into WI499501-traffic-log-config-note-update

Author: DeCohen

defender-endpoint/api/post-ti-indicator.md

@@ -25,10 +25,6 @@ appliesto:
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
 
-
-
-
-
 [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
 
 [!include[Improve request performance](../../includes/improve-request-performance.md)]
@@ -71,20 +67,20 @@ Content-Type|string|application/json. **Required**.
 
 In the request body, supply a JSON object with the following parameters:
 
-Parameter|Type|Description
-:---|:---|:---
-indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**
-indicatorType|Enum|Type of the indicator. Possible values are: `FileSha1`, `FileMd5`, `CertificateThumbprint`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`. **Required**
-action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, and `Allowed`. **Required**. The `GenerateAlert` parameter must be set to `TRUE` when creating an action with `Audit`.
-application|String|The application associated with the indicator. This field only works for new indicators. It doesn't update the value on an existing indicator. **Optional**
-title|String|Indicator alert title. **Required**
-description|String|Description of the indicator. **Required**
-expirationTime|DateTimeOffset|The expiration time of the indicator. **Optional**
-severity|Enum|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`. **Optional**
-recommendedActions|String|TI indicator alert recommended actions. **Optional**
-rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
-educateUrl|String|Custom notification/support URL. Supported for Block and Warn action types for URL indicators. **Optional**
-generateAlert|Enum|**True** if alert generation is required, **False** if this indicator shouldn't generate an alert.
+|Parameter|Type|Description|
+|:---|:---|:---|
+|indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**|
+|indicatorType|Enum|Type of the indicator. Possible values are: `FileSha1`, `FileMd5`, `CertificateThumbprint`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`. **Required**|
+|action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, and `Allowed`. **Required**. The `GenerateAlert` parameter must be set to `TRUE` when creating an action with `Audit`.|
+|application|String|A user-friendly name for the content blocked by the indicator. If specified, this text will be shown in the blocking notification in place of the blocked filename or domain. This field only works for new indicators; it doesn't update the value on an existing indicator. **Optional**|
+|title|String|Indicator alert title. **Required**|
+|description|String|Description of the indicator. **Required**|
+|expirationTime|DateTimeOffset|The expiration time of the indicator. **Optional**|
+|severity|Enum|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`. **Optional**|
+|recommendedActions|String|TI indicator alert recommended actions. **Optional**|
+|rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional**|
+|educateUrl|String|Custom notification/support URL. Supported for Block and Warn action types for URL indicators. **Optional**|
+|generateAlert|Enum|**True** if alert generation is required, **False** if this indicator shouldn't generate an alert.|
 ## Response
 
 - If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body.

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -197,7 +197,7 @@ For rules with the "Rule State" specified:
 |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) |   | N | Y |
 |[Block rebooting machine in Safe Mode](#block-rebooting-machine-in-safe-mode)| | N | N |
 |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | | Y| Y (in block mode)  |
-|[Block use of copied or impersonated system tools](#block-use-of-copied-or-impersonated-system-tools)| | N | N |
+|[Block use of copied or impersonated system tools](#block-use-of-copied-or-impersonated-system-tools)| | N | Y (in block mode) |
 |[Block Webshell creation for Servers](#block-webshell-creation-for-servers) |   | N | N |
 |[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) |   | N | Y |
 |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) |   | Y | Y (in block mode)  |

defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md

@@ -109,7 +109,6 @@ The following table lists solutions:
 |Solution|Description|
 |:---|:---|
 | Solution (Preferred) | Configure the system-wide WinHttp proxy that allows the CRL check.|
-| Solution (Preferred 2) | 1. Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **Certificate Path Validation Settings**.<br/>2. Select the **Network Retrieval** tab, and then select **Define these policy settings**.<br/>3. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box.<br/><br/> Here are some useful resources: <br/> - [Configure Trusted Roots and Disallowed Certificates](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11))<br/>- [Improving application Start up time: GeneratePublisherEvidence setting in Machine.config](/archive/blogs/amolravande/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config)|
 | Work-around solution (Alternative) <br/> *This is not a best practice since you're no longer checking for revoked certificates or certificate pinning.*| Disable CRL check only for SPYNET. <br/> Configuring this registry SSLOption disables CRL check only for SPYNET reporting. It won't impact other services.<br/><br/> Go to **HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet**, and then set `SSLOptions (dword)` to `2` (hex). <br/>For reference, here are possible values for the DWORD: <br/> - `0 – disable pinning and revocation checks` <br/> - `1 – disable pinning` <br/>  - `2 – disable revocation checks only` <br/> - `3 – enable revocation checks and pinning (default)` |
 
 ## Attempt to download a fake malware file from Microsoft

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -3,11 +3,11 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 09/18/2025
+ms.date: 10/20/2025
 audience: ITPro
 ms.topic: reference
-author: KesemSharabi
-ms.author: kesharab
+author: limwainstein
+ms.author: lwainstein
 ms.subservice: ngp
 search.appverid: met150
 appliesto:
@@ -74,6 +74,21 @@ Updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
+### September-2025 (Platform: 4.18.25090.3009 | Engine: 1.1.25090.3001)
+
+- Security intelligence update version: **1.439.345.0**
+- Release date:  **September 8, 2025 (Engine) / September 21, 2025 (Platform)**
+- Platform: **4.18.25090.3009**
+- Engine: **1.1.25090.3001**
+- Support phase: **Security and Critical Updates**
+
+#### What's new
+
+- **Improved service startup behavior**: The core service now only restarts when necessary, for example, during a successful platform update. This change allows the organization to avoid unnecessary restarts when the service is already running correctly.
+- **Improved stability for RPC services**: Added input validation across multiple RPC endpoints to prevent crashes caused by malformed data, which addresses a reported security vulnerability.
+- **Fixed threat exclusion handling**: Resolved an issue where severity-based exclusions could cause the engine to misidentify threats, potentially skipping high severity detections.
+- **Restored performance optimization for network file access**: Fixed a regression that caused slowdowns during file operations, like robocopy to network shares. The fix included reintroducing the logic to skip unnecessary checks on non-local files when Controlled Folder Access is enabled.
+
 ### August-2025 (Platform: 4.18.25080.5 | Engine: 1.1.25080.5)
 
 - Security intelligence update version: **1.437.1.0**
@@ -98,13 +113,10 @@ Improved Defender update reliability by allowing non-admin processes to trigger
 
 - Enhanced Passive Mode Scanning Behavior
 When Microsoft Defender is in Passive mode, an Antivirus scan will not occur after a signature update , unless specifically set in the policy setting DisableScanOnUpdate.
-
 - Improved Tamper Protection Handling
 Optimized the configuration process for Tamper Protection in multi-threaded environments to ensure more reliable behavior.
-
 - Digital Signature Verification Performance Boost
 Enhanced the efficiency of digital signature verification to improve overall system performance.
-
 - Refined ASR Rule Exclusion Processing
 Refined exclusion processing and resolved false positives for the Attack Surface Reduction (ASR) rule: Block Office applications from injecting code into other processes.
 

defender-endpoint/web-threat-protection.md

@@ -27,47 +27,29 @@ appliesto:
 
 
 
-Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they're away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you are blocked because they're in your [custom indicator list](indicators-overview.md).
+Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they're away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you've blocked because they're in your [custom indicator list](indicators-overview.md).
 
 > [!NOTE]
 > It might take up to two hours for devices to receive new custom indicators.
 
 ## Prerequisites
 
-Web protection uses network protection to provide web browsing security on Microsoft Edge and non-Microsoft web browsers.
+Web threat protection uses network protection to provide web browsing security in Edge (excepting Windows devices), non-Microsoft web browsers and nonbrowser processes. On Windows devices, web threat protection in Edge uses Microsoft Defender SmartScreen and network protection isn't required to be enabled. 
+
+To turn on Microsoft Defender SmartScreen in Edge: [Configure Microsoft Defender SmartScreen](/deployedge/microsoft-edge-policies#smartscreenenabled).
 
 To turn on network protection on your devices:
 
 - Edit the Defender for Endpoint security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Defender for Endpoint security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline)
 - Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
 
 > [!NOTE]
-> If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
+> If you set network protection to **Audit only**, blocking is unavailable. Also, you are able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
 
 ## Configure web threat protection
 
-The following procedure describes how to configure web threat protection using the Microsoft Intune admin center.
-
-1. Go to the Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)), and sign in.
- 
-2. Choose **Endpoint security** \> **Attack surface reduction**, and then choose **+ Create policy**.
-
-3. Select a platform, such as **Windows 10 and later**, select the **Web protection** profile, and then choose **Create**. 
-
-4. On the **Basics** tab, specify a name and description, and then choose **Next**.
-
-5. On the **Configuration settings** tab, expand **Web Protection**, specify your settings, and then choose **Next**.
-
-   - Set **Enable network protection** to **Enabled** so web protection is turned on. Alternately, you can set network protection to **Audit mode** to see how it works in your environment. In audit mode, network protection doesn't prevent users from visiting sites or domains, but it does track detections as events. 
-   - To protect users from potential phishing scams and malicious software, turn **Require SmartScreen for Microsoft Edge Legacy** to **Yes**.
-   - To prevent users from bypassing warnings about potentially malicious sites, set **Block malicious site access** to **Yes**.
-   - To prevent users from bypassing the warnings and downloading unverified files, set **Block unverified file download** to **Yes**. 
-
-6. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then choose **Next**. (If you aren't using scope tags, choose **Next**.) To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
-
-7. On the **Assignments** tab, specify the users and devices to receive the web protection policy, and then choose **Next**.
+The legacy **Web protection** policy in Intune has been deprecated and web threat protection will be enabled if the prerequisites are met.
 
-8. On the **Review + create** tab, review your policy settings, and then choose **Create**.
 
 ## Related articles
 

defender-for-cloud-apps/discovery-linux-podman.md

@@ -41,7 +41,7 @@ Before you start:
 1. Copy the command displayed and modify it as needed based on the container service you're using. For example:
 
     ```bash
-    (echo <key>) | podman run --privileged --name PodmanRun -p 601:601/tcp -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP='10.0.2.15'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE= <tenant>.us3.portal.cloudappsecurity.com" -e "COLLECTOR=PodmanTest" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i mcr.microsoft.com/mcas/logcollector starter 
+    (echo <key>) | podman run --privileged --name PodmanTest -p 601:601/tcp -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP='10.0.2.15'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE= <tenant>.us3.portal.cloudappsecurity.com" -e "COLLECTOR=PodmanTest" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i mcr.microsoft.com/mcas/logcollector starter
     ```
 
 1. Run the modified command on your machine to deploy the container. When successful, the logs show pulling an image from mcr.microsoft.com and continuing to create blobs for the container.

defender-for-cloud-apps/protect-atlassian.md

@@ -85,7 +85,7 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
 
     ![Sign in to the  Atlassian Admin portal.](media/atlassian-sign-in.png)
 
-1. Go to **Settings -> API keys** and then **Create API key**. (Atlassian documentation for creating API keys can also be found [here](https://support.atlassian.com/organization-administration/docs/manage-an-organization-with-the-admin-apis/)).
+1. Go to **Settings -> API keys** and then **Create API key** without scopes. (Atlassian documentation for creating API keys can also be found [here](https://support.atlassian.com/organization-administration/docs/manage-an-organization-with-the-admin-apis/)).
 
     ![Atlassian API keys.](media/atlassian-api-keys.png)