Merge branch 'main' into samanro-copilot-hub

Author: American-Dipper

microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules.md

@@ -19,15 +19,17 @@ ms.collection:
 - demo
 ms.topic: article
 ms.subservice: asr
-ms.date: 10/21/2022
+ms.date: 01/15/2024
 ---
 
 # Attack surface reduction rules demonstrations
 
 **Applies to:**
 
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)
 
 Attack surface reduction rules target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
 
@@ -37,8 +39,8 @@ Attack surface reduction rules target specific behaviors that are typically used
 
 ## Scenario requirements and setup
 
-- Windows 10 1709 build 16273
-- Windows 10 1803 build (1803 rules)
+- Windows 11, Windows 10 1709 build 16273 or later
+- Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2 with the unified MDE client.
 - Microsoft Defender AV
 - Microsoft Office (required for Office rules and sample)
 - [Download attack surface reduction PowerShell scripts](https://demo.wd.microsoft.com/Content/WindowsDefender_ASR_scripts.zip)
@@ -132,7 +134,7 @@ You should immediately see an "Action blocked" notification.
 
 You should immediately see an "Action blocked" notification.
 
-### Scenario 3 (1803): ASR rule blocks unsigned USB content from executing
+### Scenario 3 (Windows 10 version 1803 or later): ASR rule blocks unsigned USB content from executing
 
 1. Configure the rule for USB protection (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4).
 
@@ -162,6 +164,7 @@ Download and run this [clean-up script](https://demo.wd.microsoft.com/Content/AS
 
 Alternately, you can perform these manual steps:
 
+
 ```powershell
 Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Disabled
 Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled
@@ -174,10 +177,15 @@ Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D
 Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Disabled
 Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
 Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Disabled
+Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Disabled
+Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Disabled
+Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Disabled
+Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Disabled
 Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions Disabled
 Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions Disabled
 ```
 
+  
 Cleanup **c:\demo** encryption by running the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)
 
 ## See also

microsoft-365/security/defender-endpoint/edr-detection.md

@@ -19,14 +19,70 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: mde
 search.appverid: met150
-ms.date: 11/17/2023
+ms.date: 01/15/2024
 ---
+
 # EDR detection test for verifying device's onboarding and reporting services
 
+#### Applies to:
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+
+## Scenario requirements and setup
+
+- Windows 11, Windows 10 version 1709 build 16273 or newer, Windows 8.1, or Windows 7 SP1.
+- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 SP1.
+- Linux
+- macOS
+- Microsoft Defender for Endpoint
+- Microsoft Defender for Endpoint on Linux
+- Microsoft Defender for Endpoint on macOS
+
 Endpoint detection and response for Endpoint provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
 
 Run an EDR detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
 
+### Windows
+
+1. Open a Command Prompt window
+
+2. At the prompt, copy and run the command below. The Command Prompt window will close automatically.
+
+
+```powershell
+powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
+```
+
+3. If successful, the detection test will be marked as completed and a new alert will appear in few minutes.
+
+### Linux
+
+1. Download [script file](https://aka.ms/LinuxDIY) to an onboarded Linux server 
+
+
+```bash
+curl -o ~/Downloads/MDE Linux DIY.zip https://aka.ms/LinuxDIY
+```
+
+1. Extract the zip 
+
+```bash
+unzip ~/Downloads/MDE Linux DIY.zip
+```
+
+1. And run the following command: 
+
+```bash
+./mde_linux_edr_diy.sh
+```
+
+After a few minutes, a detection should be raised in Microsoft Defender XDR.
+
+3. Look at the alert details, machine timeline, and perform your typical investigation steps.
+
+### macOS
+
 1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract.
 
       The following prompt appears:
@@ -45,7 +101,7 @@ Run an EDR detection test to verify that the device is properly onboarded and re
    >
    > > **"MDATP MacOS DIY" cannot be opened because the developer cannot be verifier.**<br/>
    > > macOS cannot verify that this app is free from malware.<br/>
-   > > **\[Move to Trash\]** **\[Cancel\]**
+   > > **[Move to Trash]** **[Cancel]**
 
 7. Click **Cancel**.
 

microsoft-365/security/defender-endpoint/validate-antimalware.md

@@ -19,29 +19,80 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: mde
 search.appverid: met150
-ms.date: 11/17/2023
+ms.date: 01/16/2024
 ---
 
 # AV detection test for verifying device's onboarding and reporting services
 
-Anti-malware tests are intended to measure how well the anti-malware software is able to detect, block and remove malware in a variety of scenarios. The test also measures the impact of the anti-malware device on the system's performance.
+**Applies to:**
 
-   Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
+
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)
+
+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
+
+Scenario requirements and setup
+
+- Windows 11, Windows 10, Windows 8.1, Windows 7 SP1
+
+- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2
+
+- Linux
+
+- macOS
+
+- Microsoft Defender Real-time protection is enabled
+
+## EICAR test file to simulate malware
+
+After you enable Microsoft Defender for Endpoint or Microsoft Defender for Business or Microsoft Defender Antivirus, you can test the service and run a proof of concept to familiarize yourself with its feature and validate the advanced security capabilities effectively protect your device by generating real security alerts.
+
+Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
+
+### Windows
+
+1. Prepare for the EICAR test file:
+
+   1. Use an EICAR test file instead of real malware to avoid causing damage. Microsoft Defender Antivirus treats EICAR test files as malware.
+
+1. Create the EICAR test file:
+
+   1. Copy the following string: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
+
+      1. Paste the string into a .TXT file and save it as EICAR.txt
+
+### Linux/macOS
 
 1. Ensure that real-time protection is enabled (denoted by a result of 1 from running the following command):
 
 ```bash
 mdatp health --field real_time_protection_enabled
 ```
 
-2. Open a Terminal window. Copy and execute the following command:
+1. Open a Terminal window. Copy and execute the following command:
+
+  
+Linux
+
+
+```bash
+curl -o ~/tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
+```
+
+macOS
+
 
 ```bash
-curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
+curl -o ~/Downloads/eicar.com.txt 
 ```
 
 3. The file has been quarantined by Defender for Endpoint on Mac. Use the following command to list all the detected threats:
 
 ```bash
 mdatp threat list
-```
+```