Merge branch 'main' into pr/2998

Author: denisebmsft

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 02/06/2025
+ms.date: 03/04/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -29,9 +29,6 @@ search.appverid: met150
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Business](/defender-business/mdb-overview)
 
-> [!TIP]
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
 > [!IMPORTANT]
 > In Defender for Endpoint Plan 1 and Defender for Business, you can create an indicator to block or allow a file. In Defender for Business, your indicator is applied across your environment and cannot be scoped to specific devices.
 
@@ -52,37 +49,33 @@ There are three ways you can create indicators for files:
 Understand the following prerequisites before you create indicators for files:
 
 - [Behavior Monitoring is enabled](behavior-monitor.md)
-
 - [Cloud-based protection is turned on](/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus).
-
 - [Cloud Protection network connectivity is functional](configure-network-connections-microsoft-defender-antivirus.md)
-
 - To start blocking files, [turn on the "block or allow" feature](advanced-features.md) in Settings (in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**).
 
 ### Windows prerequisites
 
 - This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode) 
-
-- The Antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
-
+- The antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
 - This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022.
-
 - File hash computation is enabled, by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\` to **Enabled**
 
 > [!NOTE]
 > File indicators support portable executable (PE) files, including `.exe` and `.dll` files only.
 
 ### macOS prerequisites
 
-- [File hash computation is enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line) by running `mdatp config enable-file-hash-computation --value enabled`
-
-### Linux prerequisites
+- Real-time protection (RTP) needs to be active.
+- [File hash computation must be enabled](/defender-endpoint/mac-resources#configuring-from-the-command-line). Run the following command: `mdatp config enable-file-hash-computation --value enabled`
 
-- Available in Defender for Endpoint version 101.85.27 or later.
+> [!NOTE]
+> On Mac, file indicators support Mach-O files (akin to `.exe` and `.dll` in Windows) scripts, such as sh/bash and AppleScript File (`.scpt`) files only.
 
-- [File hash computation is enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON
+### Linux prerequisites
 
-- Behavior monitoring is preferred, but this will work with any other scan (RTP or Custom).
+- Available in Defender for Endpoint version `101.85.27` or later.
+- [File hash computation must be enabled](/defender-endpoint/linux-preferences#configure-file-hash-computation-feature) in the Microsoft Defender portal or in the managed JSON
+- Behavior monitoring enabled is preferred, but this feature works with any other scan (RTP or Custom).
 
 ## Create an indicator for files from the settings page
 
@@ -95,9 +88,7 @@ Understand the following prerequisites before you create indicators for files:
 4. Specify the following details:
 
    - Indicator: Specify the entity details and define the expiration of the indicator.
-
    - Action: Specify the action to be taken and provide a description.
-   
    - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)).
 
    > [!NOTE]
@@ -156,7 +147,7 @@ Timestamp > ago(30d)
 
 For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview).
 
-Below are other thread names that can be used in the sample query from above:
+Here are other thread names that can be used in the sample query:
 
 Files:
 

defender-endpoint/mac-whatsnew.md

@@ -64,6 +64,18 @@ If an end user encounters a prompt for Defender for Endpoint on macOS processes
 
 Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see [Behavior Monitoring in Microsoft Defender for Endpoint on macOS](behavior-monitor-macos.md).
 
+### Mar-2025 (Build: 101.25012.0008  | Release version: 20.125012.7.0)
+
+| Build:             | **101.25012.0008**    |
+|--------------------|-----------------------|
+| Release version:   | **20.125012.7.0**    |
+| Engine version:    | **1.1.25020.3000**      |
+| Signature version: | **1.423.211.0**       |
+
+##### What's new
+
+- Bug fixes and performance improvements
+
 ### Feb-2025 (Build: 101.24122.0011  | Release version: 20.124122.11.0)
 
 | Build:             | **101.24122.0011**    |

defender-endpoint/microsoft-defender-security-center-antivirus.md

@@ -14,7 +14,7 @@ ms.collection:
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 08/28/2023
+ms.date: 03/03/2025
 ---
 
 # Microsoft Defender Antivirus in the Windows Security app

defender-endpoint/validate-antimalware.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 01/31/2024
+ms.date: 03/04/2025
 ---
 
 # AV detection test for verifying device's onboarding and reporting services

defender-office-365/defender-for-office-365-whats-new.md

@@ -8,7 +8,7 @@ ms.author: chrisda
 author: chrisda
 manager: deniseb
 ms.localizationpriority: medium
-ms.date: 02/25/2025
+ms.date: 03/03/2025
 audience: ITPro
 ms.collection:
   - m365-security
@@ -39,10 +39,12 @@ For more information on what's new with other Microsoft Defender security produc
 - [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
 - [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
 
-## February 2025
+## March 2025
 
 - **User reported messages by third-party add-ins can be sent to Microsoft for analysis**: In [user reported settings](submissions-user-reported-messages-custom-mailbox.md), admins can select **Monitor reported messages in Outlook** \> **Use a non-Microsoft add-in button**. In the **Reported message destination** section, select **Microsoft and my reporting mailbox**, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the **User reported** tab of **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>.
 
+- **Create allow entries directly in the Tenant Allow/Block List**: You can now create allow entries for domains & addresses and URLs directly in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet.
+
 ## January 2025
 
 - [Use the built-in Report button in Outlook](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook): The built-in **Report** button in Outlook for iOS version 4.2508 or, later and Android version 4.2446 or later now supports the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) experience to report messages as Phishing, Junk, and Not Junk.

defender-office-365/submissions-admin.md

@@ -309,6 +309,7 @@ After a few moments, the associated allow entries appear on the **Domains & addr
 > - By default, allow entries for domains and email addresses are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. For all other values like 1 day, 7 days, 30 days, specific date the allow entry expire at the defined date. By default, allow entries for spoofed senders never expire.
 > - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message.
 > - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>.
+> - If you allow at least 7 email addresses in the same domain in the Tenant Allow/Block List, submissions automatically roll up the email addresses into a domain allow entry. This action happens when submission is trying to add an email address allow for that domain.
 
 ### Report good email attachments to Microsoft
 

defender-office-365/tenant-allow-block-list-about.md

@@ -8,7 +8,7 @@ manager: deniseb
 audience: ITPro
 ms.topic: how-to
 ms.localizationpriority: medium
-ms.date: 09/20/2024
+ms.date: 03/03/2025
 search.appverid:
 - MET150
 ms.collection:
@@ -79,9 +79,17 @@ Block entries for [spoofed senders](tenant-allow-block-list-email-spoof-configur
 
 ## Allow entries in the Tenant Allow/Block List
 
-In most cases, you can't directly create allow entries in the Tenant Allow/Block List. Unnecessary allow entries expose your organization to malicious email that could have been filtered by the system.
+Unnecessary allow entries expose your organization to malicious email that could have been filtered by the system, so there are limitations for creating allow entries directly in the Tenant Allow/Block List:
 
-- **Domains and email addresses**, **files**, and **URLs**: You can't create allow entries directly in the Tenant Allow/Block List. Instead you use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit the **[email](submissions-admin.md#report-good-email-to-microsoft)**, **[email attachment](submissions-admin.md#report-good-email-attachments-to-microsoft)**, or **[URL](submissions-admin.md#report-good-urls-to-microsoft)** to Microsoft. After you select **I've confirmed it's clean**, you can then select **Allow this message**, **Allow this file**, or **Allow this URL** to create an allow entry for the domains and email addresses, files, or URLs.
+- **Domains and email addresses** and **URLs**: You can create allow entries directly in the Tenant Allow/Block List to override the following verdicts:
+  - Bulk
+  - Spam
+  - High confidence spam
+  - Phishing (not high confidence phishing)
+
+  For malware and high confidence phishing verdicts, you can't create allow entries directly in the Tenant Allow/Block List. Instead, use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit the **[email](submissions-admin.md#report-good-email-to-microsoft)** or **[URL](submissions-admin.md#report-good-urls-to-microsoft)** to Microsoft. After you select **I've confirmed it's clean**, you can then select **Allow this message** or **Allow this URL** to create an allow entry for the domains and email addresses or URLs.
+
+- **Files**: You can't create allow entries directly in the Tenant Allow/Block List. Instead, use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to submit the **[email attachment](submissions-admin.md#report-good-email-attachments-to-microsoft)** to Microsoft. After you select **I've confirmed it's clean**, you can then select **Allow this file** to create an allow entry for the files.
 
 - **Spoofed senders**:
   - If spoof intelligence already blocked the message as spoofing, use the **Submissions** page at <https://security.microsoft.com/reportsubmission> to [report the email to Microsoft](submissions-admin.md#report-good-email-to-microsoft) as **I've confirmed it's clean**, and then select **Allow this message**.

defender-office-365/tenant-allow-block-list-email-spoof-configure.md

@@ -15,7 +15,7 @@ ms.collection:
   - tier1
 description: Admins can learn how to allow or block email and spoofed sender entries in the Tenant Allow/Block List.
 ms.service: defender-office-365
-ms.date: 11/27/2024
+ms.date: 03/03/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -73,12 +73,65 @@ This article describes how admins can manage entries for email senders in the Mi
 
 ### Create allow entries for domains and email addresses
 
-You can't create allow entries for domains and email addresses directly in the Tenant Allow/Block List. Unnecessary allow entries expose your organization to malicious email that would have been filtered by the system.
+Unnecessary allow entries expose your organization to malicious email that would have been filtered by the system, so there are limitations for creating allow entries directly in the Tenant Allow/Block List.
 
-Instead, you use the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>. When you submit a blocked message as **I've confirmed it's clean** and then select **Allow this message**, an allow entry for the sender is added to the **Domains & email addresses** tab on the **Tenant Allow/Block Lists** page. For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
+To create allow entries for domains and email addresses, use either of the following methods:
+
+- From the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>. When you submit a blocked message as **I've confirmed it's clean** and then select **Allow this message**, an allow entry for the sender is added to the **Domains & email addresses** tab on the **Tenant Allow/Block Lists** page. For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).
+
+  This method is required to override malware and high confidence phishing verdicts.
+
+- From the **Domains & addresses** tab on the **Tenant Allow/Block Lists** page or in PowerShell as described in this section.
+
+  This method is available to override the following verdicts only:
+
+  - Bulk
+  - Spam
+  - High confidence spam
+  - Phishing (not high confidence phishing)
 
 [!INCLUDE [Allow entry facts](../includes/allow-entry-facts.md)]
 
+#### Use the Microsoft Defender portal to create allow entries for domains and email addresses in the Tenant Allow/Block List
+
+1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
+
+2. On the **Tenant Allow/Block Lists** page, verify that the **Domains & addresses** tab is selected.
+
+3. On the **Domains & addresses** tab, select :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Add**, and then select **Allow**.
+
+4. In the **Allow domains & addresses** flyout that opens, configure the following settings:
+
+   - **Domains & addresses**: Enter one email address or domain per line, up to a maximum of 20.
+
+   - **Remove allow entry after**: Select from the following values:
+       - **45 days after last used date** (default)
+       - **1 day**
+       - **7 days**
+       - **Specific date**: The maximum value is 30 days from today.
+
+   - **Optional note**: Enter descriptive text for why you're allowing the email addresses or domains.
+
+5. When you're finished in the **Block domains & addresses** flyout, select **Add**.
+
+Back on the **Domains & email addresses** tab, the entry is listed.
+
+##### Use PowerShell to create allow entries for domains and email addresses in the Tenant Allow/Block List
+
+In [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), use the following syntax:
+
+```powershell
+New-TenantAllowBlockListItems -ListType Sender -Allow -Entries "DomainOrEmailAddress1","DomainOrEmailAddress1",..."DomainOrEmailAddressN" [-RemoveAfter 45] [-Notes <String>]
+```
+
+This example adds an allow entry for the specified email addresses. Because we didn't use the ExpirationDate or RemoverAfter parameters, the entry expires after 45 days from last used date.
+
+```powershell
+New-TenantAllowBlockListItems -ListType Sender -Allow -Entries "[email protected]","[email protected]"
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
+
 ### Create block entries for domains and email addresses
 
 To create block entries for *domains and email addresses*, use either of the following methods:
@@ -102,7 +155,7 @@ Email from these blocked senders is marked as *high confidence phishing* and qua
 
 2. On the **Tenant Allow/Block Lists** page, verify that the **Domains & addresses** tab is selected.
 
-3. On the **Domains & addresses** tab, select :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Block**.
+3. On the **Domains & addresses** tab, select :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Add**, and then select **Block**.
 
 4. In the **Block domains & addresses** flyout that opens, configure the following settings:
 
@@ -147,6 +200,10 @@ On the **Domains & addresses** tab, you can sort the entries by clicking on an a
 
 - **Value**: The domain or email address.
 - **Action**: The value **Allow** or **Block**.
+- **Override verdicts**: The available values are:
+    - **Up to malware** for block entries.
+    - **Up to regular confidence phishing** for allow entries created directly in Tenant Allow/Block List.
+    - **Up to high confidence phishing** for allow entries created via submissions.
 - **Modified by**
 - **Last updated**
 - **Last used date**: The date the entry was last used in the filtering system to override the verdict.