Merge branch 'main' into maccruz-custompanes

Author: schmurky

defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md

@@ -8,7 +8,7 @@ ms.author: ewalsh
 ms.custom: nextgen
 ms.reviewer: ksarens
 manager: deniseb
-ms.date: 06/06/2023
+ms.date: 01/16/2025
 ms.subservice: ngp
 ms.topic: how-to
 ms.collection: 
@@ -32,7 +32,7 @@ search.appverid: met150
 You can perform various functions in Microsoft Defender Antivirus using the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus tasks. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
 
 > [!TIP]
-> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**. If you're running an updated Microsoft Defender antimalware platform version, run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`. For more information about the antimalware platform, see [Microsoft Defender Antivirus updates and baselines](microsoft-defender-antivirus-updates.md).
+> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the **Start** menu, choose **Run as administrator**. If you're running an updated Microsoft Defender antimalware platform version, run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>`. For more information about the antimalware platform, see [Microsoft Defender Antivirus updates and baselines](microsoft-defender-antivirus-updates.md).
 
 The MpCmdRun utility uses the following syntax:
 
@@ -52,38 +52,45 @@ In our example, the MpCmdRun utility starts a full antivirus scan on the device.
 
 |Command|Description|
 |---|---|
-|`-?` **or** `-h`|Displays all available options for the MpCmdRun tool|
+|`-?` **or** `-h`|Displays all available options for the MpCmdRun tool.|
 |`-Scan [-ScanType [<value>]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]`|Scans for malicious software. Values for **ScanType** are:<p>**0** Default, according to your configuration<p>**1** Quick scan<p>**2** Full scan<p>**3** File and directory custom scan.<p>CpuThrottling runs according to policy configurations.|
-|`-Trace [-Grouping #] [-Level #]`|Starts diagnostic tracing|
+|`-Trace [-Grouping #] [-Level #]`|Starts diagnostic tracing.|
 |`-CaptureNetworkTrace -Path <path>`|Captures all the network input into the Network Protection service and saves it to a file at `<path>`. <br/>Supply an empty path to stop tracing.|
 |`-GetFiles [-SupportLogLocation <path>]`|Collects support information. See [collecting diagnostic data](collect-diagnostic-data.md).|
 |`-GetFilesDiagTrack`|Same as `-GetFiles`, but outputs to temporary DiagTrack folder.|
 |`-RemoveDefinitions [-All]`|Restores the installed security intelligence to a previous backup copy or to the original default set.|
 |`-RemoveDefinitions [-DynamicSignatures]`|Removes only the dynamically downloaded security intelligence.|
 |`-RemoveDefinitions [-Engine]`|Restores the previous installed engine.|
-|`-SignatureUpdate [-UNC \|-MMPC]`|Checks for new security intelligence updates.|
-|`-Restore  [-ListAll \|[[-Name <name>] [-All] \|[-FilePath <filePath>]] [-Path <path>]]`|Restores or lists quarantined item(s).|
+|`-SignatureUpdate [-UNC |-MMPC]`|Checks for new security intelligence updates.|
+|`-Restore  [-ListAll |[[-Name <name>] [-All] |[-FilePath <filePath>]] [-Path <path>]]`|Restores or lists quarantined items.|
 |`-AddDynamicSignature [-Path]`|Loads dynamic security intelligence.|
 |`-ListAllDynamicSignatures`|Lists the loaded dynamic security intelligence.|
 |`-RemoveDynamicSignature [-SignatureSetID]`|Removes dynamic security intelligence.|
 |`-CheckExclusion -path <path>`|Checks whether a path is excluded.|
+|`-TDT [-on|-off|-default]`|Disable or Enable TDT feature or sets it to default. If no option is specified, it retrieves the current status.|
+|`-OSCA`|Prints OS Copy Acceleration feature status.|
+|`-DeviceControl -TestPolicyXml  <FilePath> [-Rules | -Groups]`|Validate xml policy groups and rules.|
+|`-TrustCheck -File <FilePath>`|Checks trust status of a file.|
 |`-ValidateMapsConnection`|Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
+|`-ListCustomASR`|List the custom Azure Site Recovery rules present on this device.|
+|`-DisplayECSConnection`|Displays URLs that Defender Core service uses to establish connection to ECS.|
+|`-HeapSnapshotConfig <-Enable|-Disable> [-Pid <ProcessID>]`|Enable or Disable heap snapshot (tracing) configuration for process. Replace `<ProcessID>` with the actual process ID.|
 |`-ResetPlatform`| Reset platform binaries back to `%ProgramFiles%\Windows Defender`.|
 |`-RevertPlatform`| Revert platform binaries back to the previously installed version of the Defender platform.|
 
 > [!NOTE]
-> For the "Scan" command, the following are the default timeout values for Quick or Full scans where the scan will stop at that time by default.
-> - Portal initiated scans (Quick or Full) or Windows Security app (Quick or Full): No time limit
-> - Scheduled Full Scans or MpCmdRun -scan: 7 day limit
-> - Scheduled Quick Scans or MpCmdRun -scan: 1 day limit
+> For the `Scan` command, the following are the default time out values for Quick or Full scans where the scan will stop at that time by default.
+> - Scheduled Full Scans or MpCmdRun -scan: Seven day limit
+> - Scheduled Quick Scans or MpCmdRun -scan: One day limit
+
 
 ## Common errors in running commands via mpcmdrun.exe
 
 The following table lists common errors that can occur while using the MpCmdRun tool.
 
 |Error message|Possible reason|
 |---|---|
-|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> Note that in Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
+|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-mde-phase-2.md#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> In Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
 |**0x80070667**|You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
 |**MpCmdRun is not recognized as an internal or external command, operable program, or batch file.**|The tool must be run from either `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
 |**ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)**|The command was attempted using insufficient privileges. Use the command prompt (cmd.exe) as an administrator.|
@@ -98,7 +105,7 @@ The following table lists common errors that can occur while using the MpCmdRun
 - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
 - [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
 - [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)
-- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
+- [Reference articles for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
 - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
 - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
 - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

defender-office-365/mdo-email-entity-page.md

@@ -5,7 +5,7 @@ f1.keywords:
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date: 4/12/2024
+ms.date: 01/16/2025
 audience: ITPro
 ms.topic: conceptual
 ms.service: defender-office-365
@@ -196,6 +196,7 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
 The **Analysis** view contains information that helps you analyze the message in depth. The following information is available in this view:
 
 - **Threat detection details** section: Information about threats detected in the message:
+  - **Threat classification**: AI determination of the threat. For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).
   - **Threats**: The primary threat is indicated by :::image type="icon" source="media/m365-cc-sc-primary-threat-icon.png" border="false"::: **Primary threat**.
   - **Confidence level**: Values are **High**, **Medium**, or **Low**.
   - **Priority account protection**: Values are **Yes** or **No**. For more information, see [Configure and review priority account protection in Microsoft Defender for Office 365](priority-accounts-turn-on-priority-account-protection.md).
@@ -511,6 +512,7 @@ The following sections are available on the Email summary panel for all features
   - **Delivery action**
   - **Detection technologies**
   - **Primary override : Source**
+  - **Threat classification**
 
 - **Email details** section:
   - **Sender display name**

defender-office-365/threat-explorer-real-time-detections-about.md

@@ -7,7 +7,7 @@ author: chrisda
 manager: deniseb
 audience: ITPro
 ms.topic: conceptual
-ms.date: 10/07/2024
+ms.date: 01/15/2025
 ms.localizationpriority: medium
 ms.collection:
   - m365-security
@@ -181,6 +181,7 @@ The filterable properties that are available in the **Delivery action** box in t
 |Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**: The message was retroactively identified as good.</li><li>**ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md).</li></ul>|
 |Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-org**</li><li>**Outbound**</li></ul>|
 |Detection technology|Select one or more values: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li><li>**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.</li></ul>|
+|Threat classification|Select one or more values: <ul><li>**Business inteligence**</li><li>**Contact establishment**</li><li>**Gift card**</li><li>**Invoice**</li><li>**Payroll**</li><li><**PII gathering**/li><li>**Task**</li></ul> For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).|
 |Original delivery location|Select one or more values: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>|
 |Latest delivery location¹|Same values as **Original delivery location**</li></ul>|
 |Phish confidence level|Select one or more values: <ul><li>**High**</li><li>**Normal**</li></ul>|
@@ -279,6 +280,12 @@ The **Detection technology** pivot organizes the chart by the feature that ident
 
 Hovering over a data point in the chart shows the count for each detection technology.
 
+#### Threat classification chart pivot in the All email view in Threat Explorer
+
+The **Threat classification** pivot organizes the chart by classified threats. For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).
+
+Hovering over a data point in the chart shows the count for each classification.
+
 #### Full URL chart pivot in the All email view in Threat Explorer
 
 The **Full URL** pivot organizes the chart by the full URLs in messages for the specified date/time range and property filters.
@@ -340,6 +347,7 @@ The **Email** view shows a details table. You can sort the entries by clicking o
 - **Data loss prevention rule**
 - **Threat type**<sup>\*</sup>
 - **Detection technology**
+- **Threat classification**
 - **Attachment Count**
 - **URL Count**
 - **Email size**
@@ -681,6 +689,7 @@ The chart pivots that are available in the **Malware** view in Threat Explorer a
 |**Sender domain**|✔||
 |**Sender IP**|✔||
 |**Delivery action**|✔|✔|
+|**Threat classification**|✔|✔|
 |**Detection technology**|✔|✔|
 
 The available chart pivots are described in the following subsections.
@@ -721,6 +730,12 @@ The **Delivery action** pivot organizes the chart by what happened to messages t
 
 Hovering over a data point in the chart shows the count for each delivery action.
 
+#### Threat classification chart pivot in the Malware view in Threat Explorer and Real-time detections
+
+The **Threat classification** pivot organizes the chart by classified threats. For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).
+
+Hovering over a data point in the chart shows the count for each classification.
+
 #### Detection technology chart pivot in the Malware view in Threat Explorer and Real-time detections
 
 The **Detection technology** pivot organizes the chart by the feature that identified malware in messages for the specified date/time range and property filters.
@@ -778,6 +793,7 @@ The following table shows the columns that are available in Threat Explorer and
 |**Data loss prevention rule**|✔|✔|
 |**Threat type**<sup>\*</sup>|✔|✔|
 |**Detection technology**|✔|✔|
+|**Threat classification**|✔|✔|
 |**Attachment Count**|✔|✔|
 |**URL Count**|✔|✔|
 |**Email size**|✔|✔|
@@ -895,6 +911,7 @@ The filterable properties that are available in the **Sender address** box in th
 |Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**</li><li>**ZAP**</li></ul>|✔|✔|
 |Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-org**</li><li>**Outbound**</li></ul>|✔|✔|
 |Detection technology|Select one or more values: <ul><li>**Advanced filter**</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**</li><li>**File detonation reputation**</li><li>**File reputation**</li><li>**Fingerprint matching**</li><li>**General filter**</li><li>**Impersonation brand**</li><li>**Impersonation domain**</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**</li><li>**Mixed analysis detection**</li><li>**spoof DMARC**</li><li>**Spoof external domain**</li><li>**Spoof intra-org**</li><li>**URL detonation**</li><li>**URL detonation reputation**</li><li>**URL malicious reputation**</li></ul>|✔|✔|
+|Threat classification|Select one or more values: <ul><li>**Business inteligence**</li><li>**Contact establishment**</li><li>**Gift card**</li><li>**Invoice**</li><li>**Payroll**</li><li><**PII gathering**/li><li>**Task**</li></ul> For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).|✔|✔|
 |Original delivery location|Select one or more values: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>|✔|✔|
 |Latest delivery location|Same values as **Original delivery location**</li></ul>|✔|✔|
 |Phish confidence level|Select one or more values: <ul><li>**High**</li><li>**Normal**</li></ul>|✔||
@@ -947,6 +964,7 @@ The chart pivots that are available in the **Phish** view in Threat Explorer and
 |**Sender IP**|✔||
 |**Delivery action**|✔|✔|
 |**Detection technology**|✔|✔|
+|**Threat classification**|✔|✔|
 |**Full URL**|✔||
 |**URL domain**|✔|✔|
 |**URL domain and path**|✔||
@@ -989,6 +1007,12 @@ The **Detection technology** pivot organizes the chart by the feature that ident
 
 Hovering over a data point in the chart shows the count for each detection technology.
 
+#### Threat classification chart pivot in the Phish view in Threat Explorer and Real-time detections
+
+The **Threat classification** pivot organizes the chart by classified threats. For more information, see [Threat classification in Microsoft Defender for Office 365](mdo-threat-classification.md).
+
+Hovering over a data point in the chart shows the count for each classification.
+
 #### Full URL chart pivot in the Phish view in Threat Explorer
 
 The **Full URL** pivot organizes the chart by the full URLs in phishing messages for the specified date/time range and property filters.
@@ -1065,6 +1089,7 @@ The following table shows the columns that are available in Threat Explorer and
 |**Data loss prevention rule**|✔||
 |**Threat type**<sup>\*</sup>|✔|✔|
 |**Detection technology**|✔|✔|
+|**Threat classification**|✔|✔|
 |**Attachment Count**|✔|✔|
 |**URL Count**|✔|✔|
 |**Email size**|✔|✔|