Windows-itpro-docs: Need clarification of "detection status"

Created on 15 Dec 2020 · 5 Comments · Source: MicrosoftDocs/windows-itpro-docs

Regarding Detection Status messages:
Using the word "Blocked" is misleading, as it seems by itself to indicate that we kept the malware from running. But that is until you learn about "Prevented". I think this article needs a chart that breaks these out like this (better wording, of course):

Blocked - Process was running; we stopped it and blocked it from running again.
Prevented - File wasn't able to run because we prevented it.
Detected - We detected the process; it could still be running (EDR in non-block mode).



All 5 comments

Thank you @jmmowrer for the feedback! We'll look into this.

Phrasing suggestion:

  • Blocked: A running process has been detected. This process has now been stopped and also blocked from running again.
  • Prevented: A detected file has been prevented from running.
  • Detected: A process has been detected as a security threat. The process might still be running (EDR in non-block mode).

(Alternate phrasing may be just as useful, feel free to pick and choose.)

@jmmowrer @illfated In my opinion, these 3 options "Blocked, prevented, detected" do not cover the full spectrum of actions that Defender for Endpoint does.

An automated EDR investigation can yield 3 verdicts: Malicious, Suspicious, or No threats found,
and can result in one or more of the following remediation actions:

  • Quarantine a file
  • Remove a registry key
  • Kill a process
  • Stop a service
  • Disable a driver
  • Remove a scheduled task

More details here.

In my opinion, it's a matter of semantics in which of the 3 categories (Blocked, Prevented, Detected) you wish to put the above remediation actions (one or more of them).

@e0i Could we ask the author to check if an article update is needed in this case?

Good & fair point. Thank you for weighing in with your views. I agree. There are several important semantic choices to make.

@e0i : Did you close this ticket based on any recent changes or other work being pushed recently by any of the MS Docs team members?
