From 3cab9ab37870749de99deb0cf1d1c2bbc05d50f1 Mon Sep 17 00:00:00 2001 From: Mithun Rathinam Date: Tue, 7 Jan 2025 01:19:40 +0530 Subject: [PATCH 01/17] Update quarantine-about.md --- defender-office-365/quarantine-about.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/defender-office-365/quarantine-about.md b/defender-office-365/quarantine-about.md index d57fbc134b..6aeda0da14 100644 --- a/defender-office-365/quarantine-about.md +++ b/defender-office-365/quarantine-about.md @@ -35,6 +35,7 @@ In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E > [!NOTE] > In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). +> Microsoft 365 operated by 21Vianet is designed to meet the needs for secure, reliable, and scalable cloud services in China. This service is powered by technology that Microsoft has licensed to 21Vianet. Whether a detected message is quarantined by default depends on the following factors: @@ -99,6 +100,6 @@ How long quarantined messages or files are held in quarantine before they expire |Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files).|30 days|No|Files quarantined in SharePoint or OneDrive are removed from quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.| |Messages in chats and channels quarantined by zero-hour auto protection (ZAP) for Microsoft Teams in Defender for Office 365|30 days|No| -When a message expires from quarantine, you can't recover it. +When the messages expire from quarantine after the retention period, the messages are permanently deleted and cannot be recovered. For more information about quarantine, see [Quarantine FAQ](quarantine-faq.yml). From 0132163441245e2791cde994ed0caba32c5cd233 Mon Sep 17 00:00:00 2001 
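Review bot: the sentence added to the note block, `> Microsoft 365 operated by 21Vianet is designed to meet the needs for secure, reliable, and scalable cloud services in China. This service is powered by technology that Microsoft has licensed to 21Vianet.`, is service-description boilerplate that doesn't help a reader looking for quarantine; the existing note already states the actionable limitation (quarantine is only in the classic EAC). Suggest dropping it from this note, or moving it to wherever 21Vianet is introduced, so the note stays about quarantine behaviour.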
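Review bot: the rewritten expiry sentence repeats its subject and drops the contraction the file uses elsewhere: `+When the messages expire from quarantine after the retention period, the messages are permanently deleted and cannot be recovered.` Suggest "When messages expire from quarantine after the retention period, they're permanently deleted and can't be recovered." The added detail that deletion happens only after the retention period is worth keeping.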
From: Chris Davis Date: Tue, 7 Jan 2025 11:00:07 -0800 Subject: [PATCH 02/17] Fix typo in quarantine expiration message --- defender-office-365/quarantine-about.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/quarantine-about.md b/defender-office-365/quarantine-about.md index 6aeda0da14..f9102426c8 100644 --- a/defender-office-365/quarantine-about.md +++ b/defender-office-365/quarantine-about.md @@ -100,6 +100,6 @@ How long quarantined messages or files are held in quarantine before they expire |Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files).|30 days|No|Files quarantined in SharePoint or OneDrive are removed from quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.| |Messages in chats and channels quarantined by zero-hour auto protection (ZAP) for Microsoft Teams in Defender for Office 365|30 days|No| -When the messages expire from quarantine after the retention period, the messages are permanently deleted and cannot be recovered. +When messages expire from quarantine after the retention period, the messages are permanently deleted and can't be recovered. For more information about quarantine, see [Quarantine FAQ](quarantine-faq.yml). From d21c1beab5ce65ee810d3c07ccd29741677ed7fd Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 10 Jan 2025 15:51:31 +0100 Subject: [PATCH 03/17] Learn Editor: Update microsoft-defender-antivirus-on-windows-server.md --- .../microsoft-defender-antivirus-on-windows-server.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md b/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md index bedb3fffe9..2929c08eaa 100644 --- a/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md 
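Review bot: the `cannot` to `can't` fix still leaves the doubled subject in the same line, `When messages expire from quarantine after the retention period, the messages are permanently deleted`; since the line is being touched anyway, replace the second "the messages" with "they're".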
+++ b/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md @@ -107,7 +107,7 @@ sc query state= all To get your regular security intelligence updates, the Windows Update service must be running. If you use an update management service, like Windows Server Update Services (WSUS), make sure Microsoft Defender Antivirus Security intelligence updates are approved for the computers you manage. -By default, Windows Update doesn't download and install updates automatically on Windows Server 2019 or Windows Server 2022, or Windows Server 2016. You can change this configuration by using one of the following methods: +By default, Windows Update doesn't download and install updates automatically on Windows Server 2016, Windows Server 2019 or Windows Server 2022. You can change this configuration by using one of the following methods: | Method | Description | |---|---| @@ -155,7 +155,7 @@ To enable automatic sample submission, start a Windows PowerShell console as an ## Configure automatic exclusions -To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019, or Windows Server 2022. +To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or Windows Server 2019, or Windows Server 2022. See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md). From 42e6b06cfe4542aed2e633f33b26e24b1b49c7ee Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Fri, 10 Jan 2025 15:51:39 +0100 Subject: [PATCH 04/17] Learn Editor: Update microsoft-defender-antivirus-on-windows-server.md From 1400f844b1446efcb151f640ad9b67f36577d62e Mon Sep 17 00:00:00 2001 
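Review bot: the reordered product list in the first hunk, `on Windows Server 2016, Windows Server 2019 or Windows Server 2022`, is missing the serial comma before "or" that Microsoft docs use in lists of three or more; make it "Windows Server 2016, Windows Server 2019, or Windows Server 2022".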
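Review bot: the second hunk's new line still mixes two list forms, `on Windows Server 2016 or Windows Server 2019, or Windows Server 2022`; since the change already spells out each product, write it as one list, "on Windows Server 2016, Windows Server 2019, or Windows Server 2022", so it matches the wording introduced in the first hunk.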
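Review bot: PATCH 04/17 carries no diff (the Learn Editor commit has only a subject line and no file changes); squash it into 03/17 so the history doesn't contain an empty "Update microsoft-defender-antivirus-on-windows-server.md" commit. The same applies to 08/17, which is likewise empty.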
From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Fri, 10 Jan 2025 07:10:19 -0800 Subject: [PATCH 05/17] Learn Editor: Update troubleshoot-performance-issues.md --- defender-endpoint/troubleshoot-performance-issues.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/defender-endpoint/troubleshoot-performance-issues.md b/defender-endpoint/troubleshoot-performance-issues.md index 36aff9dd3c..87318cbe32 100644 --- a/defender-endpoint/troubleshoot-performance-issues.md +++ b/defender-endpoint/troubleshoot-performance-issues.md 
@@ -68,7 +68,7 @@ Now, if you have gone through the proactive steps, next is to find what's trigge |1 |[Collect Microsoft Defender Antivirus diagnostic data](/defender-endpoint/collect-diagnostic-data)|Microsoft Defender Antivirus diagnostic data that you want to include whenever troubleshooting an issue with Microsoft Defender Antivirus.| |2|[Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus)|For performance-specific issues related to Microsoft Defender Antivirus, see Performance analyzer for Microsoft Defender Antivirus. This allows you to run the data collection and parse the data, where it's easy to understand. Note: Make sure that the issue is reproducing when you collect this data.| |3|[Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)|If for some reason that the Microsoft Defender Antivirus performance analyzer doesn't provide with the details that you need to narrow down on what's triggering the high CPU utilization, you can use Process Monitor (ProcMon). Tip: You can collect for 5-10 minutes. Note: Make sure that the issue is reproducing when you collect this data.| -|4|[Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI)|In cases of a more advanced troubleshooting needed, you can use the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR). Tip: Due to the verbosity of this trace, keep it to 3 to 5 minute max. Note: Make sure that the issue is reproducing when you collect this data.| +|4|[Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui)|In cases of a more advanced troubleshooting needed, you can use the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR). 
Tip: Due to the verbosity of this trace, keep it to 3 to 5 minute max. Note: Make sure that the issue is reproducing when you collect this data.| ## Check with the vendor for known issues with antivirus products @@ -76,15 +76,11 @@ If you can readily identify the software affecting system performance, go to the We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor can submit their software through the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper). -**Q**: Should I use the "EstimatedImpact" in the Microsoft Protection Log C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-xxxxxxxx-xxxxxx.log? - -**A**: No, we don't support looking anything in the MPLog.log. Use the tools mentioned in the section, [What's triggering and causing higher CPU utilization in Microsoft Defender Antivirus](#whats-triggering-and-causing-higher-cpu-utilization-in-microsoft-defender-antivirus)? - ## What if I still have an issue? You can submit a ticket to [Microsoft support](/defender-endpoint/contact-support). -Follow the steps in [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md). Follow the steps in [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md). +Follow the steps in [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md). ## See also From 66f51d74b053f6c1f7fc22314437259ab198af20 Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Fri, 10 Jan 2025 07:22:28 -0800 Subject: [PATCH 06/17] Learn Editor: Update troubleshoot-performance-issues.md --- defender-endpoint/troubleshoot-performance-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
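Review bot: the link target fix in the WPRUI row is right, but the rest of the changed cell still reads `In cases of a more advanced troubleshooting needed` and `keep it to 3 to 5 minute max`; suggest "If you need more advanced troubleshooting, you can use the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR)" and "keep it to 3 to 5 minutes max", since the row is being edited anyway.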
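Review bot: deleting the Q&A about `"EstimatedImpact"` also removes the only place the page tells readers that values in `MPLog-xxxxxxxx-xxxxxx.log` aren't a supported way to assess performance impact; if that guidance still holds, keep it as a one-line note pointing to the tools table rather than dropping it. The removal of the duplicated "Follow the steps in [Collect Microsoft Defender Antivirus diagnostic data]" sentence in the same hunk is correct.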
diff --git a/defender-endpoint/troubleshoot-performance-issues.md b/defender-endpoint/troubleshoot-performance-issues.md index 87318cbe32..1a8474782e 100644 --- a/defender-endpoint/troubleshoot-performance-issues.md +++ b/defender-endpoint/troubleshoot-performance-issues.md @@ -53,7 +53,7 @@ First, you might want to check if other software is causing the issue. Read [Che |Component| Solution| | -------- | -------- | | Real-time protection (RTP) scanning | You can use [Troubleshooting mode](/defender-endpoint/enable-troubleshooting-mode) to turn off [Tamper Protection](/defender-endpoint/troubleshoot-problems-with-tamper-protection). Once Tamper Protection is turned off, you could turn off the "Real-time protection" temporarily, in order to rule it out.

See the previous section, [Common reasons for higher CPU utilization by Microsoft Defender Antivirus](#common-reasons-for-higher-cpu-utilization-by-microsoft-defender-antivirus). | -| Scheduled scanning |Check your default scheduled scan settings

**General scheduled scan settings**.

- Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans).
The thread priority in Windows for normal scans has two values: `8` (lower) and `9` (higher). By setting this to `enabled`, you're lowering the scheduled scan thread priority from `9` to `8`, which enables other application threads to run with a higher priority, thus getting more CPU time than Microsoft Defender Antivirus.

- Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan). `50` is the default setting; you can lower it to `20` or `30`.
If you have a change control window, by modifying the amount of CPU that can be used causes the scan to take longer.

- Start the scheduled scan only when computer is on but not in use by setting `ScanOnlyIfIdle` to `Not configured` (it's enabled by default).
It requires the machine to be idle, meaning the CPU usage overall of the device has to be lower than 80%.

**Daily quick scan settings**

- Set `Specify the interval to run quick scans per day` to `Not configured` (How many hours have elapsed, before the next quick scan runs - 0 to 24 hours)

- Set `Specify the time for a daily quick scan (Run daily quick scan at)` to `12 PM`.

**Run a weekly scheduled scan (quick or full) settings**

- Specify the scan type to use for a scheduled scan (Set `Scan type` to `Not configured`).

- Specify the time of day to run a scheduled scan (Set `Day of week to run scheduled scan` to `Not configured`).

- Specify the day of the week to run a scheduled scan (Set `Time of day to run a scheduled scan` to `Not configured`). | +| Scheduled scanning |Check your default scheduled scan settings

**General scheduled scan settings**.

- Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans).
The thread priority in Windows for normal scans has two values: `8` (lower) and `9` (higher). By setting this to `enabled`, you're lowering the scheduled scan thread priority from `9` to `8`, which enables other application threads to run with a higher priority, thus getting more CPU time than Microsoft Defender Antivirus.

- Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan). `50` is the default setting; you can lower it to `20` or `30`.
If you have a change control window, by modifying the amount of CPU that can be used, causes the scan to take longer.

- Start the scheduled scan only when computer is on but not in use by setting `ScanOnlyIfIdle` to `Not configured` (it's enabled by default).
It requires the machine to be idle, meaning the CPU usage overall of the device has to be lower than 80%.

**Daily quick scan settings**

- Set `Specify the interval to run quick scans per day` to `Not configured` (How many hours have elapsed, before the next quick scan runs - 0 to 24 hours)

- Set `Specify the time for a daily quick scan (Run daily quick scan at)` to `12 PM`.

**Run a weekly scheduled scan (quick or full) settings**

- Specify the scan type to use for a scheduled scan (Set `Scan type` to `Not configured`).

- Specify the time of day to run a scheduled scan (Set `Day of week to run scheduled scan` to `Not configured`).

- Specify the day of the week to run a scheduled scan (Set `Time of day to run a scheduled scan` to `Not configured`). | | Scan after a security intelligence update.|By default, Microsoft Defender Antivirus scans after a security intelligence update for optimal protection purposes. If scheduled scans are enabled, you might think that there are scans that are run outside of the schedule. This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization.

As a workaround, in Group Policy (or another management tool, such as MDM), go to **Computer Configuration** > **Administrative Templates** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**, and set **Turn on scan after security intelligence update** to `Disabled`. | | Conflicts with other security software | If you have non-Microsoft security software, such as antivirus, EDR, DLP, endpoint privilege management, VPN, and so on, add the that software to the Microsoft Defender Antivirus exclusions (path + processes), and vice-versa.

To get the list of the Microsoft Defender Antivirus binaries, see [Configure your network environment to ensure connectivity with Defender for Endpoint service](/defender-endpoint/configure-environment). | | Scanning a large number of files or folders | If you have a big file such as an .iso, .vhdx, and so on, sitting in your user profile (desktop, downloads, documents, and so on) and that profile is being redirected to network shares, such as Offline Files (CSC) or OneDrive (or similar products), scans can take longer to run. This is because you're scanning a network, where there's more latency compared to files stored locally on a device.

If you don't need the .iso/.vhd/.vhdx, etc… sitting on your profile, move it to a different folder where it's not sitting on a network share (mapped drive, unc share, smb share). | From 0314ff3d7d19b1b2733826946a023644035c9e8d Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Mon, 13 Jan 2025 11:39:59 +0100 Subject: [PATCH 07/17] Learn Editor: Update enable-attack-surface-reduction.md --- .../enable-attack-surface-reduction.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/defender-endpoint/enable-attack-surface-reduction.md b/defender-endpoint/enable-attack-surface-reduction.md index cd2301d1a9..207b65cf85 100644 --- a/defender-endpoint/enable-attack-surface-reduction.md +++ b/defender-endpoint/enable-attack-surface-reduction.md @@ -76,10 +76,10 @@ You can enable attack surface reduction rules by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) - [Microsoft Configuration Manager](#microsoft-configuration-manager) -- [Group Policy](#group-policy) +- [Group policy (GP)](#group-policy) - [PowerShell](#powershell) -Enterprise-level management such as Intune or Microsoft Configuration Manager is recommended. Enterprise-level management overwrites any conflicting Group Policy or PowerShell settings on startup. +Enterprise-level management such as Intune or Microsoft Configuration Manager is recommended. Enterprise-level management overwrites any conflicting group policy or PowerShell settings on startup. ## Exclude files and folders from attack surface reduction rules 
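Review bot: inserting a comma in `by modifying the amount of CPU that can be used, causes the scan to take longer` doesn't repair the sentence, which still has no subject; suggest "If you have a change control window, keep in mind that lowering the CPU limit causes the scan to take longer." While this whole row is being rewritten, also fix the last two bullets, whose setting names are swapped: "Specify the time of day to run a scheduled scan" is paired with `Day of week to run scheduled scan`, and "Specify the day of the week to run a scheduled scan" with `Time of day to run a scheduled scan`.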
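Review bot: the renamed list entry `- [Group policy (GP)](#group-policy)` introduces an abbreviation that is never used again, and the lowercase "group policy" adopted here (and in the second list and the warning text later in the patch) conflicts with the unchanged step text in the same file, `On your Group Policy management computer, open the [Group Policy Management Console]..., right-click the Group Policy Object`. Pick one casing for the whole file; since the product and console names stay capitalized, the capitalized form the file already used is the consistent choice, and the "(GP)" suffix can go.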
@@ -93,7 +93,8 @@ When adding exclusions, keep these points in mind: * Exclusions are typically based on individual files or folders (using folder paths or the full path of the file to be excluded). * Exclusion paths can use environment variables and wildcards. See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) -* When deployed through Group Policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it is possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions) +* When deployed through group policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it is possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions) + * Exclusions can be added based on certificate and file hashes, by allowing specified Defender for Endpoint file and certificate indicators. See [Overview of indicators](indicators-overview.md). ## Policy Conflict @@ -117,7 +118,7 @@ This section provides configuration details for the following configuration meth - [Custom profile in Intune](#custom-profile-in-intune) - [MDM](#mdm) - [Microsoft Configuration Manager](#microsoft-configuration-manager) -- [Group Policy](#group-policy) +- [Group policy](#group-policy) - [PowerShell](#powershell) The following procedures for enabling attack surface reduction rules include instructions for how to exclude files and folders. 
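Review bot: the new bullet `+ * Exclusions can be added based on certificate and file hashes, by allowing specified Defender for Endpoint file and certificate indicators.` has a leading space before the asterisk, unlike its siblings (`* Exclusion paths can use environment variables and wildcards.`); align it so it renders as part of the same list. The sentence should also say what an allow indicator's scope is: the preceding bullet explains that Group Policy/PowerShell exclusions apply to all attack surface reduction rules while Intune can target a single rule, and a reader choosing between a per-rule exclusion and an indicator needs to know which of those an indicator-based allow corresponds to.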
@@ -267,12 +268,12 @@ Example: 6. After the policy is created, select **Close**. > [!WARNING] -> There is a known issue with the applicability of Attack Surface Reduction on Server OS versions which is marked as compliant without any actual enforcement. Currently, there is no ETA for when this will be fixed. +> There is a known issue with the applicability of attack surface reduction on Server OS versions which is marked as compliant without any actual enforcement. Currently, there is no defined release date for when this will be fixed. -### Group Policy +### Group policy > [!WARNING] -> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. +> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting group policy settings on startup. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. From 2c5b26825760cf8263c40af333eb60d8c8d02410 Mon Sep 17 00:00:00 2001 From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com> Date: Mon, 13 Jan 2025 11:40:08 +0100 Subject: [PATCH 08/17] Learn Editor: Update enable-attack-surface-reduction.md From a31842caef2d2b6801045b141d56c7da6cde8e45 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 13 Jan 2025 07:59:11 -0800 Subject: [PATCH 09/17] Update author, manager, and date fields --- defender-endpoint/troubleshoot-performance-issues.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/defender-endpoint/troubleshoot-performance-issues.md b/defender-endpoint/troubleshoot-performance-issues.md index 1a8474782e..3777cd7945 100644 
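Review bot: the warning text `There is a known issue with the applicability of attack surface reduction on Server OS versions which is marked as compliant without any actual enforcement` leaves it unclear what is marked compliant (the policy, the device, or the rule); suggest "On Windows Server, an attack surface reduction policy can report as compliant even though the rules aren't enforced", keeping the new "no defined release date" wording. The heading rename to `### Group policy` keeps the `#group-policy` anchor the two lists link to, so those links are unaffected by this hunk.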
--- a/defender-endpoint/troubleshoot-performance-issues.md +++ b/defender-endpoint/troubleshoot-performance-issues.md @@ -3,11 +3,11 @@ title: Troubleshoot performance issues description: Troubleshoot high CPU usage related to the real-time protection service in Microsoft Defender for Endpoint. search.appverid: met150 ms.service: defender-endpoint -ms.author: maccruz -author: schmurky +ms.author: ewalsh +author: emwalshh ms.localizationpriority: medium -manager: dolmont -ms.date: 01/09/2025 +manager: deniseb +ms.date: 01/13/2025 audience: ITPro ms.topic: troubleshooting ms.subservice: ngp From 53f2e4dc46eb672b9b70d11060310a3d5b353966 Mon Sep 17 00:00:00 2001 From: rlitinsky Date: Tue, 14 Jan 2025 11:45:40 +0200 Subject: [PATCH 10/17] Update investigate-alerts.md --- defender-xdr/investigate-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-xdr/investigate-alerts.md b/defender-xdr/investigate-alerts.md index 6704c2980f..5f8bde7a1c 100644 --- a/defender-xdr/investigate-alerts.md +++ b/defender-xdr/investigate-alerts.md @@ -126,7 +126,7 @@ Microsoft Defender XDR alerts come from solutions like Microsoft Defender for En | Microsoft Defender XDR | `ra{GUID}`
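Review bot: the metadata hunk sets `+author: emwalshh`, which doesn't match the handle used for the same person later in this series (`emmwalshh`, corrected in 11/17); confirm the GitHub handle here so the series doesn't need a follow-up fix for a field it just introduced.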
`ta{GUID}` for alerts from ThreatExperts
`ea{GUID}` for alerts from custom detections | | Microsoft Defender for Office 365 | `fa{GUID}`
Example: `fa123a456b-c789-1d2e-12f1g33h445h6i` | | Microsoft Defender for Endpoint | `da{GUID}`
`ed{GUID}` for alerts from custom detections | -| Microsoft Defender for Identity | `aa{GUID}`
Example: `aa123a456b-c789-1d2e-12f1g33h445h6i` | +| Microsoft Defender for Identity | `aa{GUID}`
`ri{GUID}`
Example: `aa123a456b-c789-1d2e-12f1g33h445h6i`, `ri638724443630474445_-1629192583` | | Microsoft Defender for Cloud Apps |`ca{GUID}`
Example: `ca123a456b-c789-1d2e-12f1g33h445h6i` | | Microsoft Entra ID Protection | `ad{GUID}` | | App Governance | `ma{GUID}` | From 5b5f73d5b398a5ca4914777c50ed3d62473fd25e Mon Sep 17 00:00:00 2001 From: Emm Walsh Date: Tue, 14 Jan 2025 12:15:19 +0000 Subject: [PATCH 11/17] edits --- defender-endpoint/troubleshoot-performance-issues.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/defender-endpoint/troubleshoot-performance-issues.md b/defender-endpoint/troubleshoot-performance-issues.md index 3777cd7945..685981c046 100644 --- a/defender-endpoint/troubleshoot-performance-issues.md +++ b/defender-endpoint/troubleshoot-performance-issues.md @@ -4,7 +4,7 @@ description: Troubleshoot high CPU usage related to the real-time protection ser search.appverid: met150 ms.service: defender-endpoint ms.author: ewalsh -author: emwalshh +author: emmwalshh ms.localizationpriority: medium manager: deniseb ms.date: 01/13/2025 @@ -40,7 +40,7 @@ First, you might want to check if other software is causing the issue. Read [Che | Reason | Solution | | -------- | -------- | -|1: **Binaries not signed** (`.exe`, `.dll`, `.ps1`, and so on)
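Review bot: the new Defender for Identity row labels the second prefix `ri{GUID}`, but the example `ri638724443630474445_-1629192583` isn't a GUID; describe the format as `ri{ID}` (or state its actual shape) and, as the other rows do for `ta`, `ea` and `ed`, say which kind of alert carries the `ri` prefix so readers can tell the two Identity formats apart.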
Anytime that a binary ( such as `.exe`, `.dll`, `.ps1`, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan, scheduled scan, and/or on-demand scan. | You all should consider signing (Extended code validation (EV) code signing or using internal PKI) the binaries. And/or reaching out to the vendor so they could sign the binary (EV code signing).

We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/en-us/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor or software developer can submit the application, service, or script in the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper).

As a work-around, you can follow these steps:
1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates)
2. (Alternative) Add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). | +|1: **Binaries not signed** (`.exe`, `.dll`, `.ps1`, and so on)
Anytime that a binary (such as `.exe`, `.dll`, `.ps1`, and so on) is launched/started, if it's not digitally signed, Microsoft Defender Antivirus starts a real-time protection scan, scheduled scan, and/or on-demand scan. | You all should consider signing (Extended code validation (EV) code signing or using internal PKI) the binaries. And/or reaching out to the vendor so they could sign the binary (EV code signing).

We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/en-us/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor or software developer can submit the application, service, or script in the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper).

As a work-around, you can follow these steps:
1. (Preferred) For .exe's and dll's use [Indicators – File hash - allow](/defender-endpoint/indicator-file) or [Indicators – Certificate - allow](/defender-endpoint/indicator-certificates)
2. (Alternative) Add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). | |2. **Using HTA's, CHM's and different files as databases**.
Anytime that Microsoft Defender Antivirus must extract and/or scan complex file formats, higher CPU utilization can occur. | Consider switching to using actual databases if you need to save info and query it.

As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). | |3. **Using obfuscations on scripts**.
If you obfuscate scripts, Microsoft Defender Antivirus in order to check if the script contains malicious payloads, it can use more CPU utilization while scanning. | Use script obfuscation only when necessary.

As a workaround, add [Antivirus exclusions (process+path)](/defender-endpoint/configure-exclusions-microsoft-defender-antivirus). | |4. **Not letting the Microsoft Defender Antivirus cache finish before sealing the image**.| If you're creating a VDI image such as for a non-persistent image, make sure that cache maintenance completes before the image is sealed.
For more information, see [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/defender-endpoint/deployment-vdi-microsoft-defender-antivirus). | @@ -56,11 +56,11 @@ First, you might want to check if other software is causing the issue. Read [Che | Scheduled scanning |Check your default scheduled scan settings
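Review bot: the `( such as` to `(such as` spacing fix is fine, but the same changed cell still says `You all should consider signing (Extended code validation (EV) code signing or using internal PKI) the binaries`; EV stands for Extended Validation, not "Extended code validation", and "You all" is informal. Suggest "Consider signing the binaries, either with an Extended Validation (EV) code-signing certificate or with your internal PKI, or ask the vendor to sign them."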

**General scheduled scan settings**.

- Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans).
The thread priority in Windows for normal scans has two values: `8` (lower) and `9` (higher). By setting this to `enabled`, you're lowering the scheduled scan thread priority from `9` to `8`, which enables other application threads to run with a higher priority, thus getting more CPU time than Microsoft Defender Antivirus.

- Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan). `50` is the default setting; you can lower it to `20` or `30`.
If you have a change control window, by modifying the amount of CPU that can be used, causes the scan to take longer.

- Start the scheduled scan only when computer is on but not in use by setting `ScanOnlyIfIdle` to `Not configured` (it's enabled by default).
It requires the machine to be idle, meaning the CPU usage overall of the device has to be lower than 80%.

**Daily quick scan settings**

- Set `Specify the interval to run quick scans per day` to `Not configured` (How many hours have elapsed, before the next quick scan runs - 0 to 24 hours)

- Set `Specify the time for a daily quick scan (Run daily quick scan at)` to `12 PM`.

**Run a weekly scheduled scan (quick or full) settings**

- Specify the scan type to use for a scheduled scan (Set `Scan type` to `Not configured`).

- Specify the time of day to run a scheduled scan (Set `Day of week to run scheduled scan` to `Not configured`).

- Specify the day of the week to run a scheduled scan (Set `Time of day to run a scheduled scan` to `Not configured`). | | Scan after a security intelligence update.|By default, Microsoft Defender Antivirus scans after a security intelligence update for optimal protection purposes. If scheduled scans are enabled, you might think that there are scans that are run outside of the schedule. This is where you, and your leadership team will have to make a decision, of having more security or less CPU utilization.

As a workaround, in Group Policy (or another management tool, such as MDM), go to **Computer Configuration** > **Administrative Templates** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**, and set **Turn on scan after security intelligence update** to `Disabled`. | | Conflicts with other security software | If you have non-Microsoft security software, such as antivirus, EDR, DLP, endpoint privilege management, VPN, and so on, add the that software to the Microsoft Defender Antivirus exclusions (path + processes), and vice-versa.

To get the list of the Microsoft Defender Antivirus binaries, see [Configure your network environment to ensure connectivity with Defender for Endpoint service](/defender-endpoint/configure-environment). | -| Scanning a large number of files or folders | If you have a big file such as an .iso, .vhdx, and so on, sitting in your user profile (desktop, downloads, documents, and so on) and that profile is being redirected to network shares, such as Offline Files (CSC) or OneDrive (or similar products), scans can take longer to run. This is because you're scanning a network, where there's more latency compared to files stored locally on a device.

If you don't need the .iso/.vhd/.vhdx, etc… sitting on your profile, move it to a different folder where it's not sitting on a network share (mapped drive, unc share, smb share). | +| Scanning a large number of files or folders | If you have a large file such as an .iso, .vhdx, and so on, sitting in your user profile (desktop, downloads, documents, and so on) and that profile is being redirected to network shares, such as Offline Files (CSC) or OneDrive (or similar products), scans can take longer to run. This is because you're scanning a network, where there's more latency compared to files stored locally on a device.

If you don't need the .iso/.vhd/.vhdx, etc… sitting on your profile, move it to a different folder where it's not sitting on a network share (mapped drive, unc share, smb share). | ## What's triggering and causing higher CPU utilization in Microsoft Defender Antivirus -Now, if you have gone through the proactive steps, next is to find what's triggering and causing the higher CPU utilization: +After the proa\ctive steps are complete, you can identify what is triggering and causing the higher CPU utilization: | #|Tools to help narrow down what's triggering the high CPU utilization|Comments| 
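Review bot: the replacement line `+After the proa\ctive steps are complete, you can identify what is triggering and causing the higher CPU utilization:` introduces a stray backslash in "proactive" that will render literally on the page; it should read "proactive". While touching this table, the unchanged context cell in the same hunk reads "add the that software to the Microsoft Defender Antivirus exclusions (path + processes)", where the duplicated "the" is a one-word fix worth folding into this change.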
@@ -68,7 +68,7 @@ Now, if you have gone through the proactive steps, next is to find what's trigge |1 |[Collect Microsoft Defender Antivirus diagnostic data](/defender-endpoint/collect-diagnostic-data)|Microsoft Defender Antivirus diagnostic data that you want to include whenever troubleshooting an issue with Microsoft Defender Antivirus.| |2|[Performance analyzer for Microsoft Defender Antivirus](/defender-endpoint/tune-performance-defender-antivirus)|For performance-specific issues related to Microsoft Defender Antivirus, see Performance analyzer for Microsoft Defender Antivirus. This allows you to run the data collection and parse the data, where it's easy to understand. Note: Make sure that the issue is reproducing when you collect this data.| |3|[Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)|If for some reason that the Microsoft Defender Antivirus performance analyzer doesn't provide with the details that you need to narrow down on what's triggering the high CPU utilization, you can use Process Monitor (ProcMon). Tip: You can collect for 5-10 minutes. Note: Make sure that the issue is reproducing when you collect this data.| -|4|[Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui)|In cases of a more advanced troubleshooting needed, you can use the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR). Tip: Due to the verbosity of this trace, keep it to 3 to 5 minute max. Note: Make sure that the issue is reproducing when you collect this data.| +|4|[Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui)|For more advanced troubleshooting, you can utilize the Windows Performance Recorder UI (WPRUI) or Windows Performance Recorder (WPR). 
Keep in mind that due to the verbosity of this trace, it should be limited to a maximum of 3 to 5 minutes. Ensure that the issue is actively occurring when you collect this data. ## Check with the vendor for known issues with antivirus products From 47da50f27288f388aed9feada8421ef49c3cec07 Mon Sep 17 00:00:00 2001 From: Bahman Sabetghadam Date: Tue, 14 Jan 2025 09:12:46 -0500 Subject: [PATCH 12/17] Learn Editor: Update command-line-arguments-microsoft-defender-antivirus.md --- .../command-line-arguments-microsoft-defender-antivirus.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md b/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md index af975189c0..76b5066e8a 100644 --- a/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md +++ b/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md @@ -71,6 +71,12 @@ In our example, the MpCmdRun utility starts a full antivirus scan on the device. |`-ResetPlatform`| Reset platform binaries back to `%ProgramFiles%\Windows Defender`.| |`-RevertPlatform`| Revert platform binaries back to the previously installed version of the Defender platform.| +> [!NOTE] +> For the "Scan" command, the following are the default timeout values for Quick or Full scans where the scan will stop at that time by default. +> - Portal initiated scans (Quick or Full) or Windows Security app (Quick or Full): No time limit +> - Scheduled Full Scans or MpCmdRun -scan: 7 day limit +> - Scheduled Quick Scans or MpCmdRun -scan: 1 day limit + ## Common errors in running commands via mpcmdrun.exe The following table lists common errors that can occur while using the MpCmdRun tool. From ac0ef7a9aff6f173ae0d00f43658f85eef1ca546 Mon Sep 17 00:00:00 2001 From: Bahman Sabetghadam Date: Tue, 14 Jan 2025 09:13:14 -0500 Subject: [PATCH 13/17] Learn Editor: Update command-line-arguments-microsoft-defender-antivirus.md 
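Review bot: the rewritten WPRUI cell in the `@@ -68,7 +68,7 @@` hunk appears to break onto a second line after "Windows Performance Recorder (WPR)."; a hard line break inside a Markdown table cell ends the row, so keep the whole cell on one line (or use `<br>` for an intentional break), as the other rows in this table do. The "Tip:" and "Note:" labels that rows 2 and 3 use were also dropped from this row, so the labelling within the table is now inconsistent; either keep them here or remove them from the other rows in the same change.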
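Review bot: in the added MpCmdRun note, the second and third bullets both say "MpCmdRun -scan" without distinguishing a quick scan from a full scan, so a reader cannot tell which limit applies to which command-line invocation; state the scan type in each bullet (for example by giving the `-ScanType` value the tool already accepts for quick and full scans, which this hunk does not show). Also hyphenate "7-day limit" and "1-day limit", write the command as `-Scan` in backticks to match the table rows above the note, and shorten "where the scan will stop at that time by default" to "after which the scan stops".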
From ed07b326e1d3cd1940b2e733b0e26c54d73ba2d8 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com> Date: Tue, 14 Jan 2025 08:31:48 -0800 Subject: [PATCH 14/17] add missing period --- defender-endpoint/enable-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/enable-attack-surface-reduction.md b/defender-endpoint/enable-attack-surface-reduction.md index 207b65cf85..ddf7bc484a 100644 --- a/defender-endpoint/enable-attack-surface-reduction.md +++ b/defender-endpoint/enable-attack-surface-reduction.md 
@@ -93,7 +93,7 @@ When adding exclusions, keep these points in mind: * Exclusions are typically based on individual files or folders (using folder paths or the full path of the file to be excluded). * Exclusion paths can use environment variables and wildcards. See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) -* When deployed through group policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it is possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions) +* When deployed through group policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it is possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions). * Exclusions can be added based on certificate and file hashes, by allowing specified Defender for Endpoint file and certificate indicators. See [Overview of indicators](indicators-overview.md). From 59f9253eb26dd8895e632d6e752b88424b4857b7 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 14 Jan 2025 08:56:46 -0800 Subject: [PATCH 15/17] Update quarantine availability note for 21Vianet --- defender-office-365/quarantine-about.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/defender-office-365/quarantine-about.md b/defender-office-365/quarantine-about.md index f9102426c8..244ba2e0e6 100644 --- a/defender-office-365/quarantine-about.md +++ b/defender-office-365/quarantine-about.md 
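Review bot: the period is added to the Intune bullet, but the bullet above it in the same hunk, "See [Use wildcards in the file name and folder path or extension exclusion lists](...)", still ends without one; fix both in this change so the list is consistent.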
@@ -34,8 +34,7 @@ appliesto: In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine is available to hold potentially dangerous or unwanted messages. > [!NOTE] -> In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). -> Microsoft 365 operated by 21Vianet is designed to meet the needs for secure, reliable, and scalable cloud services in China. This service is powered by technology that Microsoft has licensed to 21Vianet. +> In Microsoft 365 operated by 21Vianet in China, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). Whether a detected message is quarantined by default depends on the following factors: From 565dad073003531380e20a8ada8bdced3f51c196 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 14 Jan 2025 09:08:22 -0800 Subject: [PATCH 16/17] Update quarantine-quarantine-notifications.md --- defender-office-365/quarantine-quarantine-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/quarantine-quarantine-notifications.md b/defender-office-365/quarantine-quarantine-notifications.md index f98c94a13d..7f2c985447 100644 --- a/defender-office-365/quarantine-quarantine-notifications.md +++ b/defender-office-365/quarantine-quarantine-notifications.md 
@@ -34,7 +34,7 @@ appliesto: In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see [Quarantined messages in EOP](quarantine-about.md). > [!NOTE] -> In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). +> In Microsoft 365 operated by 21Vianet in China, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). For [supported protection features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), _quarantine policies_ define what users are allowed to do to quarantined messages based on why the message was quarantined. Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). From ce03d17b358590a45a5bd705c605d0115bf7ab28 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Tue, 14 Jan 2025 09:38:04 -0800 Subject: [PATCH 17/17] Added "in China" to 21Vianet references --- defender-office-365/quarantine-faq.yml | 2 +- defender-office-365/quarantine-policies.md | 2 +- defender-office-365/quarantine-shared-mailbox-messages.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-office-365/quarantine-faq.yml b/defender-office-365/quarantine-faq.yml index 32f68f19b2..cc30288bf0 100644 
--- a/defender-office-365/quarantine-faq.yml +++ b/defender-office-365/quarantine-faq.yml @@ -34,7 +34,7 @@ summary: | This article provides frequently asked questions and answers about quarantined email messages for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes. > [!NOTE] - > In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). + > In Microsoft 365 operated by 21Vianet in China, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). For questions and answers about anti-spam protection, see [Anti-spam protection FAQ](anti-spam-protection-faq.yml). diff --git a/defender-office-365/quarantine-policies.md b/defender-office-365/quarantine-policies.md index facddd242a..41e1ec5823 100644 --- a/defender-office-365/quarantine-policies.md +++ b/defender-office-365/quarantine-policies.md @@ -44,7 +44,7 @@ You create and assign quarantine policies in the Microsoft Defender portal or in ## What do you need to know before you begin? -- In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). +- In Microsoft 365 operated by 21Vianet in China, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). - You open the Microsoft Defender portal at . To go directly to the **Quarantine policies** page, use . diff --git a/defender-office-365/quarantine-shared-mailbox-messages.md b/defender-office-365/quarantine-shared-mailbox-messages.md index 5188258ea8..c62ebb240a 100644 
--- a/defender-office-365/quarantine-shared-mailbox-messages.md +++ b/defender-office-365/quarantine-shared-mailbox-messages.md @@ -43,7 +43,7 @@ Now, automapping is no longer required for users to manage quarantined messages ## Things to keep in mind -- In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). +- In Microsoft 365 operated by 21Vianet in China, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC). - _Quarantine policies_ define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for [supported features](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table [here](quarantine-end-user.md). Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal).
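Review bot: this hunk is the fifth copy of the same 21Vianet sentence edited across patches 15 to 17 (quarantine-about.md, quarantine-quarantine-notifications.md, quarantine-faq.yml, quarantine-policies.md and quarantine-shared-mailbox-messages.md); consider moving the sentence into an `[!INCLUDE]` snippet so the next wording change is one edit rather than five, which also removes the risk of the copies drifting apart again.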