- Microsoft Defender for Endpoint Plan 2
- Microsoft Edge
- Microsoft Defender Antivirus
- Windows
Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software that might be unexpected or unwanted. PUA is not considered a virus, malware, or other type of threat, but it might perform actions on endpoints that adversely affect endpoint performance or use. The term PUA can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior.
Here are some examples:
- Advertising software that displays advertisements or promotions, including software that inserts advertisements into webpages.
- Bundling software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA.
- Evasion software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or cost your IT and security teams time and effort to clean them up. PUA protection is supported on Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, and Windows Server 2016. If your organization's subscription includes Microsoft Defender for Endpoint, Microsoft Defender Antivirus blocks apps that are considered to be PUA by default on Windows devices.
Learn more about Windows Enterprise subscriptions.
The new Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via Microsoft Defender SmartScreen.
Enable PUA protection in Chromium-based Microsoft Edge
Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.
In your Edge browser, select the ellipses, and then choose Settings.
Select Privacy, search, and services.
Under the Security section, turn on Block potentially unwanted apps.
Block URLs with Microsoft Defender SmartScreen
In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.
Security admins can configure how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. Several group policy settings exist explicitly for Microsoft Defender SmartScreen, including one for blocking PUA. In addition, admins can configure Microsoft Defender SmartScreen as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.
Although Microsoft Defender for Endpoint has its own blocklist based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you create and manage indicators in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.
Microsoft Defender Antivirus and PUA protection
The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUA on endpoints in your network.
Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user (unless notifications have been disabled) in the same format as other threat detections. The notification is prefaced with PUA: to indicate its content.
The notification appears in the usual quarantine list within the Windows Security app.
Configure PUA protection in Microsoft Defender Antivirus
You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets.
You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
Use Intune to configure PUA protection
See Configure device restriction settings in Microsoft Intune and Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune for more details.
Use Configuration Manager to configure PUA protection
PUA protection is enabled by default in Microsoft Endpoint Manager (Current Branch).
See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring Microsoft Endpoint Manager (Current Branch).
For System Center 2012 Configuration Manager, see How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager.
Use Group Policy to configure PUA protection
Download and install Administrative Templates (.admx) for Windows 11 October 2021 Update (21H2).
On your Group Policy management computer, open the Group Policy Management Console.
Select the Group Policy Object you want to configure, and then choose Edit.
In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
Double-click Configure detection for potentially unwanted applications.
Select Enabled to enable PUA protection.
In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting works in your environment. Select OK.
Deploy your Group Policy object as you usually do.
Use PowerShell cmdlets to configure PUA protection
To enable PUA protection
Set-MpPreference -PUAProtection Enabled
Setting the value for this cmdlet to Enabled turns on the feature if it has been disabled.
To set PUA protection to audit mode
Set-MpPreference -PUAProtection AuditMode
AuditMode detects PUAs without blocking them.
To disable PUA protection
We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:
Set-MpPreference -PUAProtection Disabled
Setting the value for this cmdlet to Disabled turns off the feature if it has been enabled.
For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
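The cmdlets above are one-shot calls; in practice you want to read the current mode, change it only when needed, and confirm the change actually took effect. The script below is an added example (not from the Microsoft page) that does that with Set-MpPreference and Get-MpPreference; the helper names are hypothetical, and it assumes Get-MpPreference reports PUAProtection as a number (0 = Disabled, 1 = Enabled, 2 = AuditMode) and that a readback mismatch usually means a Group Policy, Intune or Configuration Manager policy is enforcing the value.

```powershell
# Added example, not Microsoft's code. Requires an elevated PowerShell session.
# Assumption: Get-MpPreference exposes PUAProtection as 0 = Disabled, 1 = Enabled, 2 = AuditMode.
#Requires -RunAsAdministrator

$PuaModes = @{ Disabled = 0; Enabled = 1; AuditMode = 2 }

function Get-PuaProtectionMode {
    # Translate the numeric PUAProtection value back to its name.
    $value = (Get-MpPreference).PUAProtection
    $name  = ($PuaModes.GetEnumerator() | Where-Object { $_.Value -eq $value }).Key
    if (-not $name) { $name = "Unknown($value)" }
    return $name
}

function Set-PuaProtectionMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode
    )
    $before = Get-PuaProtectionMode
    if ($before -eq $Mode) {
        Write-Host "PUAProtection already $Mode; nothing to do."
        return $true
    }
    # Set-MpPreference accepts the mode name directly (Disabled | Enabled | AuditMode).
    Set-MpPreference -PUAProtection $Mode
    $after = Get-PuaProtectionMode
    if ($after -ne $Mode) {
        # Assumption: a readback that does not match usually means the value is enforced
        # by Group Policy, Intune, or Configuration Manager, which override local preference.
        Write-Warning "PUAProtection is still $after after requesting $Mode; check for a managing policy."
        return $false
    }
    Write-Host "PUAProtection changed from $before to $Mode."
    return $true
}

# Typical rollout: start in AuditMode, review the detections, then move to Enabled (block).
Set-PuaProtectionMode -Mode AuditMode
```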
View PUA events using PowerShell
PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the Get-MpThreat cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example:
CategoryID : 27
DidThreatExecute : False
IsActive : False
Resources : http://d18yzm5yb8map8.cloudfront.net/[email protected]/Dalton_Download_Manager.exe
RollupStatus : 33
SchemaVersion : 1.0.0.0
SeverityID : 1
ThreatID : 213927
ThreatName : PUA:Win32/InstallCore
TypeID : 0
PSComputerName :
Get email notifications about PUA detections
You can turn on email notifications to receive mail about PUA detections.
See Troubleshoot event IDs for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID 1160.
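Pulling PUA detections from both Get-MpThreat and event ID 1160 gives you the threat catalogue and the timeline side by side, which is what you need when reviewing audit-mode results. The script below is an added example (not from the Microsoft page); the function names are hypothetical, and it assumes the Defender operational log is named 'Microsoft-Windows-Windows Defender/Operational' and that the 1160 event message contains a "Name: PUA:..." field.

```powershell
# Added example, not Microsoft's code: list PUA detections from Get-MpThreat and from event ID 1160.
# Assumptions: the log name below and the "Name: PUA:..." field in the 1160 message text.

function Get-PuaThreats {
    # Threats Defender Antivirus has handled whose name carries the PUA: prefix (case-sensitive match).
    Get-MpThreat |
        Where-Object { $_.ThreatName -clike 'PUA:*' } |
        Select-Object ThreatName, ThreatID, SeverityID, DidThreatExecute, IsActive, Resources
}

function Get-PuaEvents {
    param([int]$Days = 7)
    # Assumption: event ID 1160 (PUA detection, per the page) lives in the Defender operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1160
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the message text contains a "Name: PUA:Win32/..." line.
            $name = if ($_.Message -match 'Name:\s*(PUA:\S+)') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                ThreatName = $name
                Computer   = $_.MachineName
            }
        }
}

# PUA that executed before detection is the case to review first: the file ran before it was handled.
$threats = Get-PuaThreats
$threats | Where-Object DidThreatExecute | Format-Table -AutoSize
"PUA threats in catalogue: $($threats.Count); PUA events (last 7 days): $((Get-PuaEvents).Count)"
```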
View PUA events using advanced hunting
If you're using Microsoft Defender for Endpoint, you can use an advanced hunting query to view PUA events. Here's an example query:
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend x = parse_json(AdditionalFields)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, ThreatName = tostring(x.ThreatName), WasExecutingWhileDetected = tostring(x.WasExecutingWhileDetected), WasRemediated = tostring(x.WasRemediated)
| where ThreatName startswith_cs 'PUA:'
To learn more about advanced hunting, see Proactively hunt for threats with advanced hunting.
Exclude files from PUA protection
Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be added to an exclusion list.
For more information, see Configure and validate exclusions based on file extension and folder location.
- Next-generation protection
- Configure behavioral, heuristic, and real-time protection