Endpoint detection and response (EDR) in block mode

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

What is EDR in block mode?

Endpoint detection and response (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.

EDR in block mode is also integrated with threat & vulnerability management. Your organization's security team will get a security recommendation to turn EDR in block mode on if it isn't already enabled.

Image: security recommendation to turn on EDR in block mode

Note

To get the best protection, make sure to deploy Microsoft Defender for Endpoint baselines.

What happens when something is detected?

When EDR in block mode is turned on and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see the detection status as Blocked or Prevented under completed actions in the Action center.

The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:

Image: EDR in block mode detected something

Enable EDR in block mode

Important

Make sure the requirements are met before turning on EDR in block mode.

  1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.

  2. Choose Settings > Advanced features.

  3. Turn on EDR in block mode.

Note

EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.

Requirements for EDR in block mode

Requirement: Permissions
Details: Global Administrator or Security Administrator role assigned in Azure Active Directory. See Basic permissions.

Requirement: Operating system
Details: One of the following versions:
    • Windows 10 (all releases)
    • Windows Server, version 1803 or newer
    • Windows Server 2019

Requirement: Windows E5 enrollment
Details: Windows E5 is included in the following subscriptions:
    • Microsoft 365 E5
    • Microsoft 365 E3 together with the Identity & Threat Protection offering
See Components and features and capabilities for each plan.

Requirement: Microsoft Defender Antivirus
Details: Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) Confirm Microsoft Defender Antivirus is in active or passive mode.

Requirement: Cloud-delivered protection
Details: Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.

Requirement: Microsoft Defender Antivirus antimalware client
Details: Make sure your client is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above.

Requirement: Microsoft Defender Antivirus engine
Details: Make sure your engine is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above.

Important

To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are configured. EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.

Frequently asked questions

Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?

We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.

Will EDR in block mode have any impact on a user's antivirus protection?

EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except that it also blocks and remediates malicious artifacts or behaviors that are detected.

Why do I need to keep Microsoft Defender Antivirus up to date?

Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest machine learning models, behavioral detections, and heuristics. The Defender for Endpoint stack of capabilities works in an integrated manner. To get the best protection value, you should keep Microsoft Defender Antivirus up to date.

Why do we need cloud protection on?

Cloud protection is needed to turn on the feature on the device. Cloud protection allows Defender for Endpoint to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.

How do I set Microsoft Defender Antivirus to passive mode?

See Enable Microsoft Defender Antivirus and confirm it's in passive mode.

How do I confirm Microsoft Defender Antivirus is in active or passive mode?

To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.

Use PowerShell

  1. Select the Start menu, begin typing PowerShell, and then open Windows PowerShell in the results.

  2. Type Get-MpComputerStatus.

  3. In the list of results, in the AMRunningMode row, look for one of the following values:

    • Normal
    • Passive Mode
    • SxS Passive Mode

To learn more, see Get-MpComputerStatus.

Use Command Prompt

  1. Select the Start menu, begin typing Command Prompt, and then open Windows Command Prompt in the results.

  2. Type sc query windefend.

  3. In the list of results, in the STATE row, confirm that the service is running.
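The version thresholds from the requirements table and the mode and service checks from the two procedures above can be combined into a single readiness check. This is an added example, not a script from the Microsoft documentation; it assumes an elevated Windows PowerShell session on the device being checked and relies only on the built-in Get-MpComputerStatus, Get-MpPreference and Get-Service cmdlets (MAPSReporting on Get-MpPreference reports cloud-delivered protection, where 0 means disabled).

```powershell
# Added example (not from the Microsoft docs page): readiness check for EDR in block mode.
# Run in an elevated Windows PowerShell session on the device being checked.
# Threshold values are those stated in the requirements table above.
$minClient = [version]'4.18.2001.10'   # AMProductVersion minimum
$minEngine = [version]'1.1.16700.2'    # AMEngineVersion minimum

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$svc    = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

$checks = [ordered]@{
    # Same condition as "sc query windefend" showing STATE : RUNNING
    'WinDefend service running'      = [bool]($svc -and $svc.Status -eq 'Running')
    # Active ("Normal") and both passive variants satisfy the requirement
    'Antivirus mode supported'       = ($status.AMRunningMode -in @('Normal', 'Passive Mode', 'SxS Passive Mode'))
    # Antimalware platform (client) version
    'Client version >= 4.18.2001.10' = ([version]$status.AMProductVersion -ge $minClient)
    # Antimalware engine version
    'Engine version >= 1.1.16700.2'  = ([version]$status.AMEngineVersion -ge $minEngine)
    # Cloud-delivered protection: MAPSReporting 0 = Disabled, 1 = Basic, 2 = Advanced
    'Cloud-delivered protection on'  = ($pref.MAPSReporting -ne 0)
}

# Print one PASS/FAIL line per requirement, then the raw values for the record
foreach ($name in $checks.Keys) {
    $result = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-32} {1}' -f $name, $result
}
"AMRunningMode    : $($status.AMRunningMode)"
"AMProductVersion : $($status.AMProductVersion)"
"AMEngineVersion  : $($status.AMEngineVersion)"

if ($checks.Values -contains $false) {
    Write-Warning 'Device does not meet all requirements for EDR in block mode.'
}
```

A device that fails the cloud-delivered protection or version checks will not get EDR in block mode protection even after the feature is turned on in the Security Center, so fix those before enabling it.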

How much time does it take for EDR in block mode to be disabled?

If you choose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability.

See also