From 00b1bd967dd1fd4293696ab4e6603568f34f13be Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Thu, 31 Oct 2024 16:35:22 -0700
Subject: [PATCH 01/13] Learn Editor: Update
configure-advanced-scan-types-microsoft-defender-antivirus.md
---
...onfigure-advanced-scan-types-microsoft-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md b/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
index 8a2c22f5e9..b2aeb18bc3 100644
--- a/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -68,7 +68,7 @@ For details on configuring Microsoft Configuration Manager (current branch), see
|Scan mapped network drives
**Scan** \> **Run full scan on mapped network drives**|Disabled|`-DisableScanningMappedNetworkDrivesForFullScan`|
|Scan archive files (such as .zip or .rar files).
**Scan** \> **Scan archive files**|Enabled|`-DisableArchiveScanning`
The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting.|
|Scan files on the network
**Scan** \> **Scan network files**|Disabled|`-DisableScanningNetworkFiles`|
-|Scan packed executables
**Scan** \> **Scan packed executables**|Enabled|Not available
Scan packed executables were removed from the following templates:
- Administrative Templates (.admx) for Windows 11 2022 Update (22H2)
- Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2)|
+|Scan packed executables
**Scan** \> **Scan packed executables**|Enabled|Not available
Scan packed executables were removed from the following templates:
- Administrative Templates (.admx) for Windows 11 2023 Update (23H2)
- Administrative Templates (.admx) for Windows 11 2022 Update (22H2) - v3.0
- Administrative Templates (.admx) for Windows 11 2022 Update (22H2)
- Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2)|
|Scan removable drives during full scans only
**Scan** \> **Scan removable drives**|Disabled|`-DisableRemovableDriveScanning`|
|Specify the level of subfolders within an archive folder to scan
**Scan** \> **Specify the maximum depth to scan archive files**|0|Not available|
|Specify the maximum CPU load (as a percentage) during a scan.
**Scan** \> **Specify the maximum percentage of CPU utilization during a scan**|50|`-ScanAvgCPULoadFactor`
The maximum CPU load is not a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manual scans ignore this setting and run without any CPU limits.|
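Review bot: the replacement row keeps the ungrammatical lead-in "Scan packed executables were removed from the following templates"; since the subject is the setting, suggest "The **Scan packed executables** setting was removed from the following templates:". Also confirm the cell renders as intended: the row spans several lines and carries a bullet list inside a pipe-table cell, which only displays correctly when the line breaks are written as `<br>`.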
From c84c72b5d41abe8c243223bba8ddba5c3a92e54a Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Thu, 31 Oct 2024 16:35:32 -0700
Subject: [PATCH 02/13] Learn Editor: Update
configure-advanced-scan-types-microsoft-defender-antivirus.md
From e306d3d91b1d8e260fd444ebb8b5aa79cf95e775 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Thu, 31 Oct 2024 16:50:35 -0700
Subject: [PATCH 03/13] Learn Editor: Update run-analyzer-macos.md
---
defender-endpoint/run-analyzer-macos.md | 89 +++----------------------
1 file changed, 11 insertions(+), 78 deletions(-)
diff --git a/defender-endpoint/run-analyzer-macos.md b/defender-endpoint/run-analyzer-macos.md
index acfa05e458..3c570d70c2 100644
--- a/defender-endpoint/run-analyzer-macos.md
+++ b/defender-endpoint/run-analyzer-macos.md
@@ -24,9 +24,6 @@ f1.keywords: NOCSH
If you're experiencing reliability or device health issues with Microsoft Defender for Endpoint on macOS, you can use the XMDE Client Analyzer to diagnose these issues. This article describes two ways to use the client analyzer tool:
-- [Use the binary version of the client analyzer](#use-the-binary-version-of-the-client-analyzer)
--
-
1. Using a binary version (no external Python dependency)
2. Using a Python-based solution
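Review bot: the removed bullet was the only in-page link to the binary-version section (`#use-the-binary-version-of-the-client-analyzer`), and the two numbered items that remain are plain text; consider making each item a link to its section rather than dropping the navigation. Removing the stray `--` and `-` lines is correct.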
@@ -65,13 +62,12 @@ If you're experiencing reliability or device health issues with Microsoft Defend
- `SupportToolLinuxBinary.zip`: For all Linux devices
- `SupportToolMacOSBinary.zip`: For Mac devices
-5. Depending on the machine you're investigating, unzip the appropriate file.
-
- | OS type | Terminal command |
- |---|---|
- | Linux | `unzip -q SupportToolLinuxBinary.zip` |
- | Mac | `unzip -q SupportToolMacOSBinary.zip` |
+1. Unzip the SupportToolMacOSBinary.zip.
+ ```bash
+ unzip -q SupportToolMacOSBinary.zip
+ ```
+
6. Run the tool as root to generate your diagnostic package:
```bash
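Review bot: the new step is numbered `1.` while the step that follows keeps its explicit `6.`, so renderers will number the list inconsistently; use `5.` here or switch every step in the list to `1.`. The unchanged context above also still lists `SupportToolLinuxBinary.zip: For all Linux devices`, which no longer belongs in a procedure that only unzips the macOS binary.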
@@ -87,11 +83,11 @@ The tool currently requires Python version 3 or later to be installed on your de
> [!WARNING]
> Running the Python-based client analyzer requires the installation of PIP packages which could cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.
-1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the Mac or Linux machine you're investigating.
+1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the Mac machine you're investigating.
If you're using a terminal, download the tool by running the following command:
- ```bash
+ ```bash
wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
```
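Review bot: now that the step targets a Mac machine only, `wget` is a questionable download command, since it isn't present on a default macOS install; suggest `curl -sL -o XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer`, or state that wget must be installed first. The fence indentation fix itself looks right.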
@@ -128,9 +124,9 @@ The tool currently requires Python version 3 or later to be installed on your de
./mde_support_tool.sh
```
-7. To collect actual diagnostic package and generate the result archive file, run again as root:
+1. To collect actual diagnostic package and generate the result archive file, run again as root:
- ```bash
+ ```bash
sudo ./mde_support_tool.sh -d
```
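Review bot: same numbering concern as the unzip step: replacing `7.` with `1.` only works if every step in the list uses `1.`, and the earlier `6.` is still explicit. While this line is being edited, "To collect actual diagnostic package" is missing its article: "To collect the actual diagnostic package".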
@@ -196,75 +192,12 @@ To approve profile installation, see the [Apple Support Guide](https://support.a
Usage example `./mde_support_tool.sh trace --length 5`
-#### Exclude mode
-
-Add exclusions for audit-d monitoring.
-
-> [!NOTE]
-> This functionality exists for Linux only.
-
-```console
- -h, --help show this help message and exit
- -e , --exe
- exclude by executable name, i.e: bash
- -p , --pid
- exclude by process id, i.e: 911
- -d , --dir
- exclude by target path, i.e: /var/foo/bar
- -x , --exe_dir
- exclude by executable path and target path, i.e: /bin/bash /var/foo/bar
- -q , --queue
- set dispatcher q_depth size
- -r, --remove remove exclusion file
- -s, --stat get statistics about common executables
- -l, --list list auditd rules
- -o, --override Override the existing auditd exclusion rules file for mdatp
- -c , --syscall
- exclude all process of the given syscall
-```
-
-Usage example: `sudo ./MDESupportTool exclude -d /var/foo/bar`
-
-### AuditD Rate Limiter
-
-Syntax that can be used to limit the number of events being reported by the auditD plugin. This option sets the rate limit globally for AuditD causing a drop in all the audit events. When the limiter is enabled the number of auditd events are limited to 2500 events/sec. This option can be used in cases where we see high CPU usage from AuditD side.
-
-> [!NOTE]
-> This functionality exists for Linux only.
-
-```console
--h, --help show this help message and exit
--e , --enable enable/disable the rate limit with default values
-```
-
-Usage example: `sudo ./mde_support_tool.sh ratelimit -e true`
-
-> [!NOTE]
-> This functionality should be carefully used as limits the number of events being reported by the auditd subsystem as a whole. This could reduces the number of events for other subscribers as well.
-
-### AuditD Skip Faulty Rules
-
-This option enables you to skip the faulty rules added in the auditd rules file while loading them. This option allows the auditd subsystem to continue loading rules even if there's a faulty rule. This option summarizes the results of loading the rules. In the background, this option runs the auditctl with the -c option.
-
-> [!NOTE]
-> This functionality is only available on Linux.
-
-```console
--h, --help show this help message and exit
--e , --enable enable/disable the option to skip the faulty rules. In case no argumanet is passed, the option will be true by default.
-```
-
-Usage example: `sudo ./mde_support_tool.sh skipfaultyrules -e true`
-
-> [!NOTE]
-> This functionality skips faulty rules. The faulty rule then needs to be further identified and fixed.
-
-## Result package contents on macOS and Linux
+## Result package contents on macOS
| File | Description |
|---|---|
| `report.html` | The main HTML output file that contains the findings and guidance from running the client analyzer tool on the device. This file is only generated when running the Python-based version of the client analyzer tool. |
-| `mde_diagnostic.zip` | Same diagnostic output that gets generated when running `mdatp diagnostic create` on either [macOS](mac-resources.md#collecting-diagnostic-information) or [Linux](linux-resources.md#collect-diagnostic-information). |
+| `mde_diagnostic.zip` | Same diagnostic output that gets generated when running `mdatp diagnostic create` on either [macOS](mac-resources.md#collecting-diagnostic-information). |
| `mde.xml` | XML output that is generated while running and is used to build the html report file. |
| `Processes_information.txt` | Contains the details of the running Microsoft Defender for Endpoint related processes on the system. |
| `Log.txt` | Contains the same log messages written on screen during the data collection. |
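Review bot: the edited `mde_diagnostic.zip` row now reads "on either [macOS](...)." with only one option left, so drop "either": "...when running `mdatp diagnostic create` on [macOS](mac-resources.md#collecting-diagnostic-information)." Removing the Linux-only `exclude`, `ratelimit` and `skipfaultyrules` sections from the macOS article is appropriate, provided the Linux analyzer article still documents them.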
From e7244d0ca1d63f2c55f9da2e6afc1e7a5a64580f Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Thu, 31 Oct 2024 16:50:44 -0700
Subject: [PATCH 04/13] Learn Editor: Update run-analyzer-macos.md
From 3c98abf0b47b928876a60cf952a080fda7782aa7 Mon Sep 17 00:00:00 2001
From: Chris Davis
Date: Thu, 31 Oct 2024 17:15:23 -0700
Subject: [PATCH 05/13] Lint/formatting fixes
---
defender-endpoint/machine-tags.md | 9 +-
defender-endpoint/respond-machine-alerts.md | 88 +++++++++----------
.../tvm-assign-device-value.md | 13 ++-
.../tvm-software-inventory.md | 2 +-
4 files changed, 54 insertions(+), 58 deletions(-)
diff --git a/defender-endpoint/machine-tags.md b/defender-endpoint/machine-tags.md
index 6a2be81dd4..15eb3f343e 100644
--- a/defender-endpoint/machine-tags.md
+++ b/defender-endpoint/machine-tags.md
@@ -7,7 +7,7 @@ author: denisebmsft
ms.localizationpriority: medium
manager: deniseb
audience: ITPro
-ms.collection:
+ms.collection:
- m365-security
- tier2
ms.topic: reference
@@ -32,7 +32,7 @@ ms.date: 02/27/2023
Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in the **Device inventory** view, or to group devices. For more information on device grouping, see [Create and manage device groups](machine-groups.md).
> [!NOTE]
-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
+> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
You can add tags on devices using the following ways:
@@ -62,7 +62,6 @@ To add device tags using API, see [Add or remove device tags API](api/add-or-rem
2. Select **Manage tags** from the row of Response actions.
:::image type="content" source="media/manage-tags-option.png" alt-text="Image of manage tags button" lightbox="media/manage-tags-option.png":::
-
3. Type to find or create tags
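Review bot: the removed blank line was what separated the `:::image:::` block under step 2 from step 3; confirm step 3 still renders as a list item, because in CommonMark an ordered item that doesn't start at 1 cannot interrupt a preceding paragraph. Step 3 also lacks the terminating period that step 2 has.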
@@ -81,7 +80,7 @@ You can also delete tags from this view.
## Add device tags using dynamic rules for device tagging
-You can create and manage rules that automatically assign and remove tags from devices based on user-defined criteria directly in the Microsoft Defender portal. Please refer to following documents for details
+You can create and manage rules that automatically assign and remove tags from devices based on user-defined criteria directly in the Microsoft Defender portal. Please refer to following documents for details:
- [Manage your devices with ease using dynamic rules for device tagging in Microsoft Defender](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/manage-your-devices-with-ease-using-dynamic-rules-for-device/ba-p/4024988)
- [Asset rule management - Dynamic rules for devices](/defender-xdr/configure-asset-rules)
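Review bot: adding the colon fixes the list lead-in, but the sentence still drops an article and opens with "Please", which Microsoft style avoids in instructions; suggest "For details, see the following articles:".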
@@ -157,8 +156,6 @@ You can use Microsoft Intune to define and apply device tags. You can perform th
- In the [OMA-IRU settings](/mem/intune/configuration/custom-settings-windows-10) section, for **Data type**, choose **String**. For **OMA-URI**, type (or paste) `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group`.
-
-
## Add device tags by creating app configuration policy in Microsoft Intune
> [!NOTE]
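Review bot: both blank lines before the `## Add device tags by creating app configuration policy in Microsoft Intune` heading are removed; make sure one blank line remains between the bullet and the heading, otherwise the lint pass trades one markdownlint finding (MD012, multiple blanks) for another (MD022, headings not surrounded by blank lines).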
diff --git a/defender-endpoint/respond-machine-alerts.md b/defender-endpoint/respond-machine-alerts.md
index 8799a2b4ce..0f01126f98 100644
--- a/defender-endpoint/respond-machine-alerts.md
+++ b/defender-endpoint/respond-machine-alerts.md
@@ -102,53 +102,53 @@ Alternate steps:
1. Select **Collect Investigation Package** from the response actions section of the device page.
- ![Image of collect investigation package](media/collect-investigation-package.png)
-
+ ![Image of collect investigation package](media/collect-investigation-package.png)
+
1. Add comments and select **Confirm**.
- ![Image of confirm comment](media/comments-confirm.png)
-
+ ![Image of confirm comment](media/comments-confirm.png)
+
1. Select **Action center** from the response actions section of the device page.
- ![Image of action center](media/action-center-selected.png)
-
+ ![Image of action center](media/action-center-selected.png)
+
1. Click the **Package collection package available** to download the collection package.
- ![Image of download package](media/download-package.png)
-
+ ![Image of download package](media/download-package.png)
+
For Windows devices, the package contains the following folders:
|Folder|Description|
-|---|---|
-|Autoruns|Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker's persistency on the device.
NOTE: If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."
|
-|Installed programs|This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).|
-|Network connections|This folder contains a set of data points related to the connectivity information that can help in identifying connectivity to suspicious URLs, attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections.
- ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
- Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal other hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.
- DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.
- IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
- FirewallExecutionLog.txt and pfirewall.log
NOTE: The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log, so it will be included in the investigation package. For more information on creating the firewall log file, see [Configure the Windows Defender Firewall with Advanced Security Log](/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log)
|
-|Prefetch files|Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.
- Prefetch folder: Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
- PrefetchFilesList.txt: Contains the list of all the copied files that can be used to track if there were any copy failures to the prefetch folder.
|
-|Processes|Contains a .CSV file listing the running processes and provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state.|
-|Scheduled tasks|Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code that was set to run automatically.|
-|Security event log|Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event viewer.
|
-|Services|Contains a .CSV file that lists services and their states.|
-|Windows Server Message Block (SMB) sessions|Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and SMBOutboundSession.
NOTE: If there are no sessions (inbound or outbound), you'll get a text file that tells you that there are no SMB sessions found.
|
-|System Information|Contains a SystemInformation.txt file that lists system information such as OS version and network cards.|
-|Temp Directories|Contains a set of text files that lists the files located in %Temp% for every user in the system.
This can help to track suspicious files that an attacker may have dropped on the system.
NOTE: If the file contains the following message: "The system cannot find the path specified", it means that there is no temp directory for this user, and might be because the user didn't log in to the system.
|
-|Users and Groups|Provides a list of files that each represent a group and its members.|
-|WdSupportLogs|Provides the MpCmdRunLog.txt and MPSupportFiles.cab
NOTE: This folder will only be created on Windows 10, version 1709 or later with February 2020 update rollup or more recent installed:
- Win10 1709 (RS3) Build 16299.1717: [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
- Win10 1803 (RS4) Build 17134.1345: [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- Win10 1809 (RS5) Build 17763.1075: [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: [KB4535996](https://support.microsoft.com/help/4535996/windows-10-update-kb4535996)
|
-|CollectionSummaryReport.xls|This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code if there is failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.|
+ |---|---|
+ |Autoruns|Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker's persistency on the device.
NOTE: If the registry key is not found, the file will contain the following message: "ERROR: The system was unable to find the specified registry key or value."
|
+ |Installed programs|This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509).|
+ |Network connections|This folder contains a set of data points related to the connectivity information that can help in identifying connectivity to suspicious URLs, attacker's command and control (C&C) infrastructure, any lateral movement, or remote connections.
- ActiveNetConnections.txt: Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
- Arp.txt: Displays the current address resolution protocol (ARP) cache tables for all interfaces. ARP cache can reveal other hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.
- DnsCache.txt: Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.
- IpConfig.txt: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
- FirewallExecutionLog.txt and pfirewall.log
NOTE: The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log, so it will be included in the investigation package. For more information on creating the firewall log file, see [Configure the Windows Defender Firewall with Advanced Security Log](/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log)
|
+ |Prefetch files|Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.
- Prefetch folder: Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
- PrefetchFilesList.txt: Contains the list of all the copied files that can be used to track if there were any copy failures to the prefetch folder.
|
+ |Processes|Contains a .CSV file listing the running processes and provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state.|
+ |Scheduled tasks|Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code that was set to run automatically.|
+ |Security event log|Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event viewer.
|
+ |Services|Contains a .CSV file that lists services and their states.|
+ |Windows Server Message Block (SMB) sessions|Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and SMBOutboundSession.
NOTE: If there are no sessions (inbound or outbound), you'll get a text file that tells you that there are no SMB sessions found.
|
+ |System Information|Contains a SystemInformation.txt file that lists system information such as OS version and network cards.|
+ |Temp Directories|Contains a set of text files that lists the files located in %Temp% for every user in the system.
This can help to track suspicious files that an attacker may have dropped on the system.
NOTE: If the file contains the following message: "The system cannot find the path specified", it means that there is no temp directory for this user, and might be because the user didn't log in to the system.
|
+ |Users and Groups|Provides a list of files that each represent a group and its members.|
+ |WdSupportLogs|Provides the MpCmdRunLog.txt and MPSupportFiles.cab
NOTE: This folder will only be created on Windows 10, version 1709 or later with February 2020 update rollup or more recent installed:
- Win10 1709 (RS3) Build 16299.1717: [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
- Win10 1803 (RS4) Build 17134.1345: [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- Win10 1809 (RS5) Build 17763.1075: [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693: [KB4535996](https://support.microsoft.com/help/4535996/windows-10-update-kb4535996)
|
+ |CollectionSummaryReport.xls|This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code if there is failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.|
The collection packages for macOS and Linux devices contain the following:
|Object|macOS|Linux|
-|---|---|---|
-|Applications|A list of all installed applications|Not applicable|
-|Disk volume|
- Amount of free space
- List of all mounted disk volumes
- List of all partitions
|- Amount of free space
- List of all mounted disk volumes
- List of all partitions
|
-|File|A list of all open files with the corresponding processes using these files|A list of all open files with the corresponding processes using these files|
-|History|Shell history|Not applicable|
-|Kernel modules|All loaded modules|Not applicable|
-|Network connections|- Active connections
- Active listening connections
- ARP table
- Firewall rules
- Interface configuration
- Proxy settings
- VPN settings
|- Active connections
- Active listening connections
- ARP table
- Firewall rules
- IP list
- Proxy settings
|
-|Processes|A list of all running processes|A list of all running processes|
-|Services and scheduled tasks|- Certificates
- Configuration profiles
- Hardware information|
- CPU details
- Hardware information
- Operating system information
|
-|System security information|- Extensible Firmware Interface (EFI) integrity information
- Firewall status
- Malware Removal Tool (MRT) information
- System Integrity Protection (SIP) status
|Not applicable|
-|Users and groups|||
+ |---|---|---|
+ |Applications|A list of all installed applications|Not applicable|
+ |Disk volume|- Amount of free space
- List of all mounted disk volumes
- List of all partitions
|- Amount of free space
- List of all mounted disk volumes
- List of all partitions
|
+ |File|A list of all open files with the corresponding processes using these files|A list of all open files with the corresponding processes using these files|
+ |History|Shell history|Not applicable|
+ |Kernel modules|All loaded modules|Not applicable|
+ |Network connections|- Active connections
- Active listening connections
- ARP table
- Firewall rules
- Interface configuration
- Proxy settings
- VPN settings
|- Active connections
- Active listening connections
- ARP table
- Firewall rules
- IP list
- Proxy settings
|
+ |Processes|A list of all running processes|A list of all running processes|
+ |Services and scheduled tasks|- Certificates
- Configuration profiles
- Hardware information|
- CPU details
- Hardware information
- Operating system information
|
+ |System security information|- Extensible Firmware Interface (EFI) integrity information
- Firewall status
- Malware Removal Tool (MRT) information
- System Integrity Protection (SIP) status
|Not applicable|
+ |Users and groups|||
## Run Microsoft Defender Antivirus scan on devices
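Review bot: the re-indentation is inconsistent in two ways. First, the image lines under the `1.` steps get a single leading space, but content nested under an ordered item must be indented to the item's content column (three spaces after `1. `); one space leaves the image outside the list item in CommonMark. Second, the table body rows (`|---|---|`, `|Autoruns|...` and the whole macOS/Linux table body) are indented one space while their header rows `|Folder|Description|` and `|Object|macOS|Linux|` stay at column zero; indent header and body alike or neither. Also confirm the multi-line cells render, since a pipe-table cell must be a single line unless its line breaks are written as `<br>`.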
@@ -204,7 +204,7 @@ Depending on the severity of the attack and the sensitivity of the device, you m
> [!IMPORTANT]
>
-> - Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)
+> - Isolating devices from the network is supported for macOS for client version 101.98.84 and above. You can also use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)
> - Full isolation is available for devices running Windows 11, Windows 10, version 1703 or later, Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2.
> - You can use the device isolation capability on all supported Microsoft Defender for Endpoint on Linux listed in [System requirements](microsoft-defender-endpoint-linux.md#system-requirements). Ensure that the following prerequisites are enabled: iptables, ip6tables, and Linux kernel with CONFIG_NETFILTER, CONFID_IP_NF_IPTABLES, and CONFIG_IP_NF_MATCH_OWNER.
> - Selective isolation is available for devices running Windows 10, version 1709 or later, and Windows 11.
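Review bot: this hunk only strips trailing whitespace, but the unchanged context two lines below names a kernel option `CONFID_IP_NF_IPTABLES`; the Kconfig symbol is `CONFIG_IP_NF_IPTABLES`, so fix the typo while this list is being touched.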
@@ -232,11 +232,13 @@ Once you have selected **Isolate device** on the device page, type a comment and
### Forcibly release device from isolation
-The device isolation feature is an invaluable tool for safeguarding devices against external threats. However, there are instances when isolated devices become unresponsive.
+The device isolation feature is an invaluable tool for safeguarding devices against external threats. However, there are instances when isolated devices become unresponsive.
+
There's a downloadable script for these instances that you can run to forcibly release devices from isolation. The script is available through a link in the UI.
> [!NOTE]
-> - Admins and manage security settings in Security Center permissions can forcibly release devices from isolation.
+>
+> - Admins and manage security settings in Security Center permissions can forcibly release devices from isolation.
> - The script is valid for the specific device only.
> - The script will expire in three days.
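Review bot: the note's first bullet is still ungrammatical after the blank-line fix: "Admins and manage security settings in Security Center permissions can forcibly release devices" reads as if "manage security settings" were a role; suggest "Admins, and users with the Manage security settings in Security Center permission, can forcibly release devices from isolation." The added empty `>` line after `[!NOTE]` matches the `[!IMPORTANT]` alert earlier in this file.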
@@ -246,14 +248,13 @@ To forcibly release device from isolation:
1. On the right-hand side wizard, select **Download script**.
#### Minimum requirements
+
The minimum requirements for 'forcibly release device from isolation' feature are:
-- Supports only Windows
-- The following Windows versions are supported:
- - Windows 10 21H2 and 22H2 with KB KB5023773
- - Windows 11 version 21H2, all editions with KB5023774
- - Windows 11 version 22H2, all editions with KB5023778
-
+- Windows only. The following versions are supported:
+ - Windows 10 21H2 and 22H2 with KB KB5023773.
+ - Windows 11 version 21H2, all editions with KB5023774.
+ - Windows 11 version 22H2, all editions with KB5023778.
### Notification on device user
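Review bot: the duplicated "KB KB5023773" from the original is carried into the rewritten bullet `Windows 10 21H2 and 22H2 with KB KB5023773.`; drop the extra "KB". Collapsing the two bullets into "Windows only. The following versions are supported:" is fine.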
@@ -383,4 +384,3 @@ All other related details are also shown, for example, submission date/time, sub
- [Manual response actions in Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md#manual-response-actions)
- [Report inaccuracy](/defender-vulnerability-management/tvm-security-recommendation#report-inaccuracy)
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
-
diff --git a/defender-vulnerability-management/tvm-assign-device-value.md b/defender-vulnerability-management/tvm-assign-device-value.md
index 462d38a616..49cdb9fbbd 100644
--- a/defender-vulnerability-management/tvm-assign-device-value.md
+++ b/defender-vulnerability-management/tvm-assign-device-value.md
@@ -24,7 +24,7 @@ ms.date: 03/04/2022
- [Microsoft Defender XDR](/defender-xdr)
- [Microsoft Defender for Servers Plan 1 & 2](/azure/defender-for-cloud/plan-defender-for-servers-select-plan)
-Defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" will receive more weight.
+Defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" receive more weight.
You can also use the [set device value API](/defender-endpoint/api/set-device-value).
@@ -50,11 +50,11 @@ Examples of devices that should be assigned a high value:
2. Select **Device value** from three dots next to the actions bar at the top of the page.
-:::image type="content" source="/defender/media/defender-vulnerability-management/tvm-device-value-dropdown.png" alt-text="The Device value option" lightbox="/defender/media/defender-vulnerability-management/tvm-device-value-dropdown.png":::
+ :::image type="content" source="/defender/media/defender-vulnerability-management/tvm-device-value-dropdown.png" alt-text="The Device value option" lightbox="/defender/media/defender-vulnerability-management/tvm-device-value-dropdown.png":::
-3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
+3. A flyout opens with the current device value and what it means. Review the current value and choose the value that best fits your device.
-:::image type="content" source="/defender/media/defender-vulnerability-management/tvm-device-value-flyout.png" alt-text="The Device value page" lightbox="/defender/media/defender-vulnerability-management/tvm-device-value-flyout.png":::
+ :::image type="content" source="/defender/media/defender-vulnerability-management/tvm-device-value-flyout.png" alt-text="The Device value page" lightbox="/defender/media/defender-vulnerability-management/tvm-device-value-flyout.png":::
## How device value impacts your exposure score
@@ -62,9 +62,8 @@ The exposure score is a weighted average across all devices. If you have device
- Normal devices have a weight of 1
- Low value devices have a weight of 0.75
-- High value devices have a weight of NumberOfAssets / 10.
- - If you have 100 devices, each high value device will have a weight of 10 (100/10)
+- High value devices have a weight of (number of assets) / 10. For example, if you have 100 devices, each high value device has a weight of 100/10 = 10.
-## Related topics
+## Related articles
- [Exposure Score](tvm-exposure-score.md)
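Review bot: renaming the heading from "Related topics" to "Related articles" also changes the generated anchor (`#related-topics` becomes `#related-articles`), so any inbound link that targets that anchor in other articles will silently land at the top of the page; grep the repo for the old anchor before merging. The merged bullet "High value devices have a weight of (number of assets) / 10. For example, if you have 100 devices, each high value device has a weight of 100/10 = 10." reads clearly and keeps the worked figure from the removed sub-bullet.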
diff --git a/defender-vulnerability-management/tvm-software-inventory.md b/defender-vulnerability-management/tvm-software-inventory.md
index 3f15ddccfd..7eccc6fd11 100644
--- a/defender-vulnerability-management/tvm-software-inventory.md
+++ b/defender-vulnerability-management/tvm-software-inventory.md
@@ -122,7 +122,7 @@ Report an inaccuracy when you see vulnerability information and assessment resul
4. Fill in the requested details about the inaccuracy. This will vary depending on the issue you're reporting.
-![Report inaccuracy](/defender/media/defender-vulnerability-management/report-inaccuracy-software.png)
+ ![Report inaccuracy](/defender/media/defender-vulnerability-management/report-inaccuracy-software.png)
5. Select **Submit**. Your feedback is immediately sent to the vulnerability management experts.
From cbea3623792483ac9ef0cb5c75b4626f58489589 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Thu, 31 Oct 2024 17:38:06 -0700
Subject: [PATCH 06/13] Learn Editor: Update run-analyzer-linux.md
---
defender-endpoint/run-analyzer-linux.md | 54 ++++++++++++++++++++-----
1 file changed, 43 insertions(+), 11 deletions(-)
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
index a4ce0edd40..4aa23444a1 100644
--- a/defender-endpoint/run-analyzer-linux.md
+++ b/defender-endpoint/run-analyzer-linux.md
@@ -189,6 +189,39 @@ This section provides instructions on how to run the tool locally on the Linux m
### Run the binary version of the client analyzer
+Summary:
+
+1. Obtain from [https://aka.ms/xmdeclientanalyzerbinary](https://aka.ms/xmdeclientanalyzerbinary)
+
+or if your Linux server has internet access use wget to download the file
+
+
+```bash
+wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
+```
+
+1. Unzip the file that is downloaded, and then of the extracted files unzip again the SupportToolLinuxBinary.zip
+
+
+```bash
+unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
+
+```
+
+1. Run the binary
+
+ ```
+ sudo ./MDESupportTool -d --mdatp-log debug
+ ```
+
+1. Follow the on-screen instructions and then follow up with at the end of the log collection, the logs will be located in the /tmp directory
+
+1. The log set will be owned by root user so you may need root privileges to remove the log set
+
+1. Upload the file for the support engineer
+
+Details:
+
1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the Linux machine you need to investigate.
If you're using a terminal, download the tool by entering the following command:
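Review bot: step 2 of the new Summary says to unzip SupportToolLinuxBinary.zip from the extracted files, but the only command given is the outer `unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary`; the second unzip is missing, and step 3 then runs `sudo ./MDESupportTool -d --mdatp-log debug` from the current directory without first changing into `XMDEClientAnalyzerBinary`, so a reader following the Summary literally will get "No such file or directory". Add the `cd XMDEClientAnalyzerBinary` and `unzip -q SupportToolLinuxBinary.zip` commands that the Details section already contains. Separately, the unindented "or if your Linux server has internet access use wget" line and the unindented fences split the numbered list into several one-item lists, the `sudo` fence lacks the `bash` tag the other fences carry, and the step 2 wording ("and then of the extracted files unzip again") needs a rewrite.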
@@ -217,18 +250,17 @@ This section provides instructions on how to run the tool locally on the Linux m
cd XMDEClientAnalyzerBinary
```
-4. Two new zip files are produced:
+1. Two new zip files are produced:
- `SupportToolLinuxBinary.zip`: For all Linux devices
- - `SupportToolMacOSBinary.zip`: For Mac devices
-
-5. Depending on the operating system, unzip the appropriate file for the machine you want to investigate.
-
- | OS type | Command |
- |--|--|
- | Linux | `unzip -q SupportToolLinuxBinary.zip` |
- | Mac | `unzip -q SupportToolMacOSBinary.zip` |
+ - `SupportToolMacOSBinary.zip`: For Mac devices, ignore this one.
+
+1. Unzip the SupportToolLinuxBinary.zip for the Linux machine you want to investigate.
+ ```bash
+ unzip -q SupportToolLinuxBinary.zip
+ ```
+
6. Run the tool as root to generate diagnostic package:
```bash
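Review bot: the renumbering in this hunk is inconsistent: the two items above are changed to `1.` (auto-numbered) while the context line "6. Run the tool as root to generate diagnostic package:" keeps its explicit number, so the rendered sequence depends on the Markdown engine. Either renumber all items explicitly or change the `6.` to `1.` as well. Also, "For Mac devices, ignore this one." is casual for reference documentation; "Not used on Linux." states the same thing in the doc's register.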
@@ -245,11 +277,11 @@ This section provides instructions on how to run the tool locally on the Linux m
> [!WARNING]
> Running the Python-based client analyzer requires the installation of PIP packages which may cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.
-1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate.
+1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the Linux machine you need to investigate.
If you're using a terminal, download the tool by running the following command:
- ```bash
+ ```bash
wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
```
From 0883fca670a0052c13d13961d5ec3e467a42f169 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Thu, 31 Oct 2024 17:38:45 -0700
Subject: [PATCH 07/13] Learn Editor: Update run-analyzer-linux.md
---
defender-endpoint/run-analyzer-linux.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
index 4aa23444a1..72c6ac48d8 100644
--- a/defender-endpoint/run-analyzer-linux.md
+++ b/defender-endpoint/run-analyzer-linux.md
@@ -200,7 +200,7 @@ or if your Linux server has internet access use wget to download the file
wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
```
-1. Unzip the file that is downloaded, and then of the extracted files unzip again the SupportToolLinuxBinary.zip
+2. Unzip the file that is downloaded, and then of the extracted files unzip again the SupportToolLinuxBinary.zip
```bash
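Review bot: switching from `1.` to explicit numbers does not by itself repair the list, because the fenced blocks between the items are not indented under their list items; each `N.` that follows an unindented fence still starts a new list, and the explicit number is what keeps the rendering looking right by accident. Indent the fence lines three spaces under the preceding item so the list is a single list regardless of the numbering style.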
@@ -208,17 +208,17 @@ unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
```
-1. Run the binary
+3. Run the binary
```
sudo ./MDESupportTool -d --mdatp-log debug
```
-1. Follow the on-screen instructions and then follow up with at the end of the log collection, the logs will be located in the /tmp directory
+4. Follow the on-screen instructions and then follow up with at the end of the log collection, the logs will be located in the /tmp directory
-1. The log set will be owned by root user so you may need root privileges to remove the log set
+5. The log set will be owned by root user so you may need root privileges to remove the log set
-1. Upload the file for the support engineer
+6. Upload the file for the support engineer
Details:
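Review bot: the fence around `sudo ./MDESupportTool -d --mdatp-log debug` in this hunk still has no language tag, unlike the `bash` fences for the `wget` and `unzip` commands; tag it `bash` for consistent highlighting. Step 4, "Follow the on-screen instructions and then follow up with at the end of the log collection, the logs will be located in the /tmp directory", is only renumbered here but the sentence is broken; it should be split, for example "Follow the on-screen instructions. When log collection finishes, the logs are located in the `/tmp` directory."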
From a37d21ea4ac4959a3812c1808c0c301b0b8c6582 Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Thu, 31 Oct 2024 17:40:30 -0700
Subject: [PATCH 08/13] Learn Editor: Update run-analyzer-linux.md
---
defender-endpoint/run-analyzer-linux.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
index 72c6ac48d8..bec9c8314e 100644
--- a/defender-endpoint/run-analyzer-linux.md
+++ b/defender-endpoint/run-analyzer-linux.md
@@ -189,7 +189,7 @@ This section provides instructions on how to run the tool locally on the Linux m
### Run the binary version of the client analyzer
-Summary:
+#### Summary:
1. Obtain from [https://aka.ms/xmdeclientanalyzerbinary](https://aka.ms/xmdeclientanalyzerbinary)
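Review bot: the new headings `#### Summary:` and `#### Details:` end with a colon, which headings should not; use `#### Summary` and `#### Details`. Promoting these labels to H4 under the H3 "Run the binary version of the client analyzer" is otherwise the right structure, since it lets the two procedures be linked to separately.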
@@ -220,7 +220,7 @@ unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
6. Upload the file for the support engineer
-Details:
+#### Details:
1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the Linux machine you need to investigate.
From d98bc95dba9e72f2fa30b08f0b99fc17cbd164db Mon Sep 17 00:00:00 2001
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com>
Date: Thu, 31 Oct 2024 17:41:29 -0700
Subject: [PATCH 09/13] Learn Editor: Update run-analyzer-linux.md
From 2c377b9457c7d7756baebde2042b02f1e620fce7 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 1 Nov 2024 07:46:35 -0700
Subject: [PATCH 10/13] Update run-analyzer-linux.md
---
defender-endpoint/run-analyzer-linux.md | 27 ++++++++++---------------
1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
index bec9c8314e..a9e3c63fc5 100644
--- a/defender-endpoint/run-analyzer-linux.md
+++ b/defender-endpoint/run-analyzer-linux.md
@@ -163,7 +163,7 @@ The Python version of the client analyzer accepts command line parameters to per
```
-#### Rung the client analyzer script
+#### Run the client analyzer script
> [!NOTE]
> If you have an active live response session you can skip Step 1.
@@ -191,22 +191,17 @@ This section provides instructions on how to run the tool locally on the Linux m
#### Summary:
-1. Obtain from [https://aka.ms/xmdeclientanalyzerbinary](https://aka.ms/xmdeclientanalyzerbinary)
+1. Obtain from [https://aka.ms/xmdeclientanalyzerbinary](https://aka.ms/xmdeclientanalyzerbinary). Or, if your Linux server has internet access use `wget` to download the file:
-or if your Linux server has internet access use wget to download the file
-
-
-```bash
-wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
-```
+ ```bash
+ wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
+ ```
2. Unzip the file that is downloaded, and then of the extracted files unzip again the SupportToolLinuxBinary.zip
-
-```bash
-unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
-
-```
+ ```bash
+ unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
+ ```
3. Run the binary
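Review bot: the indentation fixes here correctly put the fences under their list items and fold the `wget` sentence into step 1, but step 2 is left as "Unzip the file that is downloaded, and then of the extracted files unzip again the SupportToolLinuxBinary.zip" with only the outer `unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary` command beneath it, so the second extraction the sentence describes is still not shown and step 3 still runs the binary without entering `XMDEClientAnalyzerBinary`. Suggest "Unzip the downloaded file, and then unzip `SupportToolLinuxBinary.zip` from the extracted files:" followed by the `cd` and `unzip -q SupportToolLinuxBinary.zip` lines that appear in the Details section.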
@@ -214,11 +209,11 @@ unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary
sudo ./MDESupportTool -d --mdatp-log debug
```
-4. Follow the on-screen instructions and then follow up with at the end of the log collection, the logs will be located in the /tmp directory
+4. Follow the on-screen instructions and then follow up with at the end of the log collection, the logs will be located in the `/tmp` directory.
-5. The log set will be owned by root user so you may need root privileges to remove the log set
+5. The log set will be owned by root user so you may need root privileges to remove the log set.
-6. Upload the file for the support engineer
+6. Upload the file for the support engineer.
#### Details:
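Review bot: adding code font and a trailing period to step 4 leaves the garbled clause "and then follow up with at the end of the log collection" in place; rewrite it as "Follow the on-screen instructions. When log collection finishes, the logs are located in the `/tmp` directory." Step 5 also needs "owned by the root user", and since the log set is root-owned, stating that removal needs `sudo` rather than "root privileges" matches the command style used in step 3.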
From 73aaadfb400ee70d32187740ddc9104be50b15a1 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 1 Nov 2024 07:47:13 -0700
Subject: [PATCH 11/13] Update run-analyzer-linux.md
---
defender-endpoint/run-analyzer-linux.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
index a9e3c63fc5..aee3c25de1 100644
--- a/defender-endpoint/run-analyzer-linux.md
+++ b/defender-endpoint/run-analyzer-linux.md
@@ -9,7 +9,7 @@ ms.service: defender-endpoint
ms.subservice: linux
ms.localizationpriority: medium
ms.topic: troubleshooting-general
-ms.date: 10/31/2024
+ms.date: 11/01/2024
ms.custom: partner-contribution
ms.collection:
- m365-security
From 5b028db47f206347b0d9708afc7e7625ea281906 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 1 Nov 2024 07:48:46 -0700
Subject: [PATCH 12/13] Update run-analyzer-macos.md
---
defender-endpoint/run-analyzer-macos.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defender-endpoint/run-analyzer-macos.md b/defender-endpoint/run-analyzer-macos.md
index 3c570d70c2..cf838d0e34 100644
--- a/defender-endpoint/run-analyzer-macos.md
+++ b/defender-endpoint/run-analyzer-macos.md
@@ -9,7 +9,7 @@ ms.service: defender-endpoint
ms.subservice: macos
ms.localizationpriority: medium
ms.topic: troubleshooting-general
-ms.date: 10/31/2024
+ms.date: 11/01/2024
ms.custom: partner-contribution
ms.collection:
- m365-security
@@ -197,7 +197,7 @@ Usage example `./mde_support_tool.sh trace --length 5`
| File | Description |
|---|---|
| `report.html` | The main HTML output file that contains the findings and guidance from running the client analyzer tool on the device. This file is only generated when running the Python-based version of the client analyzer tool. |
-| `mde_diagnostic.zip` | Same diagnostic output that gets generated when running `mdatp diagnostic create` on either [macOS](mac-resources.md#collecting-diagnostic-information). |
+| `mde_diagnostic.zip` | Same diagnostic output that gets generated when running `mdatp diagnostic create` on [macOS](mac-resources.md#collecting-diagnostic-information). |
| `mde.xml` | XML output that is generated while running and is used to build the html report file. |
| `Processes_information.txt` | Contains the details of the running Microsoft Defender for Endpoint related processes on the system. |
| `Log.txt` | Contains the same log messages written on screen during the data collection. |
From 7d3f9b177558bec221f345cb3d9655b1653c9f53 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 1 Nov 2024 07:51:42 -0700
Subject: [PATCH 13/13] Update
configure-advanced-scan-types-microsoft-defender-antivirus.md
---
...ced-scan-types-microsoft-defender-antivirus.md | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md b/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
index b2aeb18bc3..2779ea02bd 100644
--- a/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -9,7 +9,7 @@ ms.custom: nextgen
ms.reviewer: pahuijbr
manager: deniseb
ms.subservice: ngp
-ms.date: 07/10/2024
+ms.date: 11/01/2024
ms.collection:
- m365-security
- tier2
@@ -39,10 +39,7 @@ For details on configuring Microsoft Configuration Manager (current branch), see
## Use Group Policy to configure scanning options
> [!TIP]
-> Download the Group Policy Reference Spreadsheet, which lists the policy settings for computer and user configurations that are included in the Administrative template files delivered with for Windows. You can configure refer to the spreadsheet when you edit Group Policy Objects.
->
-> Here are the most recent versions:
->
+> Download the Group Policy Reference Spreadsheet, which lists the policy settings for computer and user configurations that are included in the Administrative template files delivered with for Windows. You can configure refer to the spreadsheet when you edit Group Policy Objects. Here are the most recent versions:
> - [Group Policy Settings Reference Spreadsheet for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/details.aspx?id=101451)
> - [Group Policy Settings Reference Spreadsheet for Windows 11 October 2021 Update (21H2)](https://www.microsoft.com/download/details.aspx?id=103506)
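Review bot: merging the tip into one paragraph carries two pre-existing errors into the new line unchanged: "Administrative template files delivered with for Windows" (drop "with" or "for") and "You can configure refer to the spreadsheet" (drop "configure"). Since the line is being rewritten, fix both here rather than in a follow-up. The two spreadsheet links are unchanged context, so the claim "Here are the most recent versions" is only as current as those links.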
@@ -93,11 +90,11 @@ See [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/wi
Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within email (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
-- DBX
-- MBX
-- MIME
+- `DBX`
+- `MBX`
+- `MIME`
-PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) are also scanned, but Microsoft Defender Antivirus cannot remediate threats that are detected inside PST files.
+`PST` files used by Outlook 2003 or older (where the archive type is set to non-unicode) are also scanned, but Microsoft Defender Antivirus cannot remediate threats that are detected inside `PST` files.
If Microsoft Defender Antivirus detects a threat inside an email message, the following information is displayed to assist you in identifying the compromised email so you can remediate the threat manually:
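Review bot: wrapping DBX, MBX, MIME and PST in backticks presents format names as code literals; they are not commands, file paths or identifiers a reader types, and MIME in particular is a standard name rather than a file extension, so plain text is the better choice (or, if the intent is to show extensions, `.dbx`, `.mbx`, `.pst`). The context sentence also has "non-unicode", which should be "non-Unicode".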