Merge branch 'patch-1' of https://github.com/v-rakegurram-MSFT/defender-docs-pr into pr/5085

Author: limwainstein

defender-endpoint/indicators-overview.md

@@ -159,10 +159,9 @@ The IoC API schema and the threat IDs in Advanced Hunting are updated to align w
 
 Microsoft Store apps cannot be blocked by Microsoft Defender because they're signed by Microsoft.
 
-Customers might experience issues with alerts for IoCs. The following scenarios are situations where alerts aren't created or are created with inaccurate information. Each issue is investigated by our engineering team.
+Customers might experience issues with alerts for IoCs. The following scenarios are situations where alerts aren't created or are created with inaccurate information. 
 
-- **Block indicators**: Generic alerts with informational severity only are created. Custom alerts (that is, custom title and severity) aren't fired in these cases.
-- **Warn indicators**: Generic alerts and custom alerts are possible in this scenario; however, the results aren't deterministic due to an issue with the alert detection logic. In some cases, customers might see a generic alert, whereas a custom alert might show in other cases.
+- **Block and Warn indicators**: Generic alerts with informational severity only are created. Custom alerts (that is, custom title and severity) aren't fired in these cases.
 - **Allow**: No alerts are generated (by design).
 - **Audit**: Alerts are generated based on the severity provided by the customer (by design).
 - In some cases, alerts coming from EDR detections might take precedence over alerts stemming from antivirus blocks, in which case an information alert is generated.

defender-endpoint/linux-preferences.md

@@ -446,17 +446,18 @@ Configure filesystems to be unmonitored/excluded from real-time protection (RTP)
 > [!NOTE] 
 > Configured filesystem is unmonitored only if it's present in Microsoft's list of permitted unmonitored filesystems.
 
-By default, NFS and Fuse are unmonitored from RTP, Quick, and Full scans. However, they can still be scanned by a custom scan. For example, to remove NFS from the list of unmonitored filesystems list, update the managed config file as shown below. This will automatically add NFS to the list of monitored filesystems for RTP.
+By default, `cifs`, `fuse`, `nfs`, `nfs4` and `smb` are unmonitored from RTP, Quick, and Full scans. However, they can still be scanned by a custom scan. For example, to remove `nfs` and `nfs4` from the list of unmonitored filesystems list, update the managed config file as shown below. This will add `nfs`/`nfs4` to the list of monitored filesystems for RTP. 
+Currently monitoring `nfs4`, `cifs` and `smb` filesystems is in preview mode for RTP mode.
 
 ```JSON
 {
    "antivirusEngine":{
-      "unmonitoredFilesystems": ["Fuse"]
+      "unmonitoredFilesystems": ["cifs","fuse","smb"]
   }
 }
 ```
 
-To remove both NFS and Fuse from unmonitored list of filesystems, use the following snippet:
+To remove all entries from unmonitored list of filesystems, use the following snippet:
 
 ```JSON
 {
@@ -1126,4 +1127,4 @@ To verify that your `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` is wor
 
 Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`.
 
-[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
+[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/linux-whatsnew.md

@@ -46,6 +46,24 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
+### September-2025 Build: 101.25082.0003 | Release version: 30.125082.0003.0
+
+|Build:             |**101.25082.0003**    |
+|-------------------|----------------------|
+|Released:          |**September 25, 2025**|
+|Published:         |**September 25, 2025**|
+|Expiry:            |**Jun 04, 2026**|
+|Release version:   |**30.125082.0003.0**|
+|Engine version:    |**1.1.25070.4000**|
+|Signature version: |**1.435.242.0**|
+
+What's new
+- Vulnerability detection for Langflow, an open-source Python framework for building AI workflows and agents, has been enhanced with dynamic detection using advanced telemetry and Python package scanning. This includes the detection of CVE-2025-3248 with a CVSS score of 9.8, ensuring comprehensive vulnerability coverage.
+
+- Client Analyzer is now bundled directly within the MDE package, eliminating the need for separate downloads. Both the binary and Python versions are included by default and can be found at /opt/microsoft/mdatp/tools/client_analyzer/. This ensures consistent availability across environments and streamlines troubleshooting for customers by making diagnostic tools readily accessible out-of-the-box.
+
+- Other quality and stability fixes.
+
 ### September-2025 Build: 101.25072.0003 | Release version: 30.125072.0003.0
 
 |Build:             |**101.25072.0003**    |
@@ -77,7 +95,6 @@ What's new
 - The `mdatp threat quarantine add` command now requires superuser (root) privileges.
 - Custom definition path can now be updated without stopping Defender for Endpoint. Previously, this required stopping the service, but with this release onwards, updates to the definition path can be made dynamically, improving operational efficiency and reducing downtime.
 - Running Defender for Endpoint on Linux alongside Fapolicyd is now supported on RHEL and Fedora-based distributions, enabling both antivirus (real-time protection) and EDR functionality to operate without conflict. For other fanotify-based tools, MDE can still be used safely by setting the antivirus enforcement level to passive, helping avoid system instability.
-- Both the binary and Python versions of Client Analyzer are now included in the local package. There is no longer a need to download it separately, as it comes bundled by default. You can find it at the location `/opt/microsoft/mdatp/conf/client_analyzer/`.
 - Other stability enhancements and bug fixes.
 
 ### July-2025 Build: 101.25052.0007 | Release version: 30.125052.0007.0

defender-endpoint/mac-install-manually.md

@@ -44,9 +44,10 @@ Before you get started, see [the main Microsoft Defender for Endpoint on macOS p
 
 > [!IMPORTANT]
 > Manual installation of Microsoft Defender for Endpoint on macOS requires changes to the Privacy & Security Settings on macOS.  Please consult Apple's documentation for details.  
-> [Change Privacy & Security settings on MacOS Sonoma 14](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/14.0/mac/14.0)
-> [Change Privacy & Security settings on MacOS Sequoia 15](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/15.0/mac/15.0)
-> 
+> - [Change Privacy & Security settings on MacOS Sonoma 14](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/14.0/mac/14.0)
+> -  [Change Privacy & Security settings on MacOS Sequoia 15](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/15.0/mac/15.0)
+> - [Change Privacy & Security settings on MacOS Tahoe 26](https://support.apple.com/guide/mac-help/change-privacy-security-settings-on-mac-mchl211c911f/mac)
+
 ## Download installation and onboarding packages
 
 Download the installation and onboarding packages from Microsoft Defender portal.

defender-endpoint/mac-whatsnew.md

@@ -59,14 +59,6 @@ To get the latest features, including preview capabilities (such as endpoint det
 
 If an end user encounters a prompt for Defender for Endpoint on macOS processes such as `wdavdaemon_enterprise` or `Microsoft Defender Helper`, the end user can safely choose the **Deny** option. This selection doesn't affect Defender for Endpoint's functionality.  Enterprises can also add *Microsoft Defender* to allow [incoming connections](https://support.apple.com/en-ca/guide/deployment/dep8d306275f/web). This issue is fixed in macOS Sequoia 15.2.
 
-## Tahoe support
-
-- Microsoft Defender for Endpoint supports version 26.0 or newer.
-
-## Sequoia support
-
-- Microsoft Defender for Endpoint supports version 15.0.1 or newer.
-
 ## macOS Deprecation
 
 - Microsoft Defender for Endpoint no longer supports macOS 11 (Big Sur), 12 (Monterey) and 13 (Ventura)

defender-endpoint/microsoft-defender-antivirus-updates.md

@@ -3,70 +3,45 @@ title: Microsoft Defender Antivirus security intelligence and product updates
 description: Manage how Microsoft Defender Antivirus receives protection and product updates.
 ms.service: defender-endpoint
 ms.localizationpriority: high
-ms.date: 07/23/2025
+ms.date: 09/18/2025
 audience: ITPro
 ms.topic: reference
-author: batamig
-ms.author: bagol
-ms.custom: nextgen
-ms.reviewer: pahuijbr, tudobril, yongrhee
-manager: bagol
+author: KesemSharabi
+ms.author: kesharab
 ms.subservice: ngp
-ms.collection: 
-- m365-security
-- tier2
-- mde-ngp
 search.appverid: met150
+appliesto:
+- Microsoft Defender for Endpoint Plan 1
+- Microsoft Defender for Endpoint Plan 2
 ---
 
 # Microsoft Defender Antivirus security intelligence and product updates
 
-**Applies to:**
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices are protected against new malware and attack techniques. Update your antivirus protection, even if Microsoft Defender Antivirus is running in [passive mode](microsoft-defender-antivirus-compatibility.md). You can find the lates engine, platform, and signature date in [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](https://www.microsoft.com/en-us/wdsi/defenderupdates)
 
-- [Microsoft Defender for Endpoint Plans 1 and 2](microsoft-defender-endpoint.md)
-- Microsoft Defender Antivirus
-
-**Platforms**
-
-- Windows
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. Update your antivirus protection, even if Microsoft Defender Antivirus is running in [passive mode](microsoft-defender-antivirus-compatibility.md). This article includes information about the two types of updates for keeping Microsoft Defender Antivirus current:
+This article is aimed at **Windows** devices, and includes information about the following two types of updates:
 
 - [Security intelligence updates](#security-intelligence-updates)
-- [Product updates](#product-updates)
-
-This article also includes:
-
-- [Microsoft Defender Antivirus platform support](#microsoft-defender-antivirus-platform-and-engine-support)
-- [How to roll back an update](#how-to-roll-back-an-update) (if necessary)
-- [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)
-- [Updates for Deployment Image Servicing and Management (DISM)](#updates-for-deployment-image-servicing-and-management-dism)
-
-To see the most current engine, platform, and signature date, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
 
-[!INCLUDE [MDE automated setup guide](../includes/security-analyzer-setup-guide.md)]
+- [Product updates](#product-updates)
 
 ## Security intelligence updates
 
-Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (also called the *Microsoft Advanced Protection Service*, or MAPS) and periodically downloads dynamic security intelligence updates to provide more protection. These dynamic updates don't take the place of regular security intelligence updates via security intelligence update KB2267602.
+Microsoft Defender Antivirus uses [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md), also known as *Microsoft Advanced Protection Service*, or *MAPS*. Defender Antivirus periodically downloads dynamic security [intelligence updates](https://www.microsoft.com/en-us/wdsi/defenderupdates). These updates don't replace regular security intelligence updates. Engine updates are included with security intelligence updates and are released monthly.
 
-> [!NOTE]
-> Updates are released under the following KBs:
->
-> - Microsoft Defender Antivirus: KB2267602
-> - System Center Endpoint Protection: KB2461484
+Updates are released under the following KBs:
 
-Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md).
+- Microsoft Defender Antivirus: KB2267602
 
-For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+- System Center Endpoint Protection: KB2461484
 
-Engine updates are included with security intelligence updates and are released on a monthly cadence.
+[Cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) is always on and requires an active connection to the internet to function. Security intelligence updates occur on a scheduled cadence which you can configure using a policy.
 
 ## Product updates
 
 Microsoft Defender Antivirus requires monthly updates (KB4052623) known as *platform updates*.
 
-You can manage the distribution of updates through one of the following methods:
+You can manage the distribution of updates using one of the following methods:
 
 - [Windows Server Update Service (WSUS)](/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus)
 - [Microsoft Configuration Manager](/configmgr/sum/understand/software-updates-introduction)
@@ -99,6 +74,17 @@ Updates contain:
 - Serviceability improvements
 - Integration improvements (Cloud, [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender))
 
+### August-2025 (Platform: 4.18.25080.5 | Engine: 1.1.25080.5)
+
+- Security intelligence update version: **1.437.1.0**
+- Release date:  **September 16, 2025 (Engine) / September 17, 2025 (Platform)**
+- Platform: **4.18.25080.5**
+- Engine: **1.1.25080.5**
+- Support phase: **Security and Critical Updates**
+
+#### What's new
+
+Improved Defender update reliability by allowing non-admin processes to trigger shared signature updates, reducing unnecessary privilege requirements.
 
 ### July-2025 (Platform: 4.18.25070.5 | Engine: 1.1.25070.4)
 
@@ -181,17 +167,17 @@ Refined exclusion processing and resolved false positives for the Attack Surface
 
 ### Previous version updates: Technical upgrade support only
 
-After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).
+After a new package version is released, support for the previous two versions is reduced to technical upgrade support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).
 
 ## Microsoft Defender Antivirus platform and engine support
 
 Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform and engine updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform and engine version:
 
 - **Security and Critical Updates servicing phase** - When running the latest platform and engine version, you're eligible to receive both Security and Critical updates to the anti-malware platform.
 
-- **Technical Support (Only) phase** - After a new platform and engine version is released, support for older versions (N-2) reduce to [technical support only](msda-updates-previous-versions-technical-upgrade-support.md). Platform and engine versions older than N-2 are no longer supported. Technical support continues to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
+- **Technical Upgrade Support (Only) phase** - After a new platform and engine version is released, support for older versions (N-2) reduce to [technical upgrade support only](msda-updates-previous-versions-technical-upgrade-support.md). Platform and engine versions older than N-2 are no longer supported. Technical upgrade support continues to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
 
-During the technical support (only) phase, commercially reasonable support incidents are provided through Microsoft Customer Service & Support and Microsoft's managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a nonsecurity update, or requires a security update, customers are asked to upgrade to the latest platform version or an intermediate update (*).
+During the technical upgrade support (only) phase, commercially reasonable support incidents are provided through Microsoft Customer Service & Support and Microsoft's managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a nonsecurity update, or requires a security update, customers are asked to upgrade to the latest platform version or an intermediate update (*).
 
 > [!NOTE]
 > If you're manually deploying Microsoft Defender Antivirus Platform Update, or if you're using a script or a non-Microsoft management product to deploy Microsoft Defender Antivirus Platform Update, make sure that version `4.18.2001.10` is installed from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=4.18.2001.10) before the latest version of Platform Update (N-2) is installed.

defender-endpoint/microsoft-defender-passive-mode.md

@@ -26,8 +26,6 @@ Some of the key benefits of Defender Antivirus in passive mode are:
 
 * **EDR Block mode** - Post-breach protection by detecting and remediating threats missed by the active antimalware solution
 
-* **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.
-
 * **Security intelligence updates** - Microsoft Defender Antivirus continues to receive updates to stay aware of the latest threats.
 
 * **Data Loss Prevention (DLP)** - Endpoint DLP functionalities operate normally, ensuring sensitive data is safeguarded.