Endpoint detection and response (EDR) in block mode

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

What is EDR in block mode?

Endpoint detection and response (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.

EDR in block mode is also integrated with threat & vulnerability management. Your organization's security team will get a security recommendation to turn EDR in block mode on if it isn't already enabled.

[Image: Recommendation to turn on EDR in block mode]

Note

To get the best protection, make sure to deploy Microsoft Defender for Endpoint baselines.

What happens when something is detected?

When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. Your security operations team will see the detection status as Blocked or Prevented in the Action center, listed as completed actions.

The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:

[Image: EDR in block mode detected something]

Enable EDR in block mode

Important

Make sure the requirements are met before turning on EDR in block mode.

  1. Go to the Microsoft 365 Defender portal and sign in.

  2. Choose Settings > Advanced features.

  3. Turn on EDR in block mode.

Note

EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.

Requirements for EDR in block mode

Requirement: Permissions
Details: Global Administrator or Security Administrator role assigned in Azure Active Directory. See Basic permissions.

Requirement: Operating system
Details: One of the following versions:
- Windows 10 (all releases)
- Windows Server, version 1803 or newer
- Windows Server 2019
- Windows Server 2016 (only when Microsoft Defender Antivirus is in active mode)

Requirement: Windows E5 enrollment
Details: Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See Components and features and capabilities for each plan.

Requirement: Microsoft Defender Antivirus
Details: Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) Confirm Microsoft Defender Antivirus is in active or passive mode.

Requirement: Cloud-delivered protection
Details: Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.

Requirement: Microsoft Defender Antivirus antimalware client
Details: Make sure your client is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above.

Requirement: Microsoft Defender Antivirus engine
Details: Make sure your engine is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above.

Important

To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are configured. EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.

Frequently asked questions

Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?

We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.

Will EDR in block mode have any impact on a user's antivirus protection?

EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except that it also blocks and remediates malicious artifacts or behaviors that are detected.

Why do I need to keep Microsoft Defender Antivirus up to date?

Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest machine learning models, behavioral detections, and heuristics. The Defender for Endpoint stack of capabilities works in an integrated manner. To get the best protection value, you should keep Microsoft Defender Antivirus up to date. See Manage Microsoft Defender Antivirus updates and apply baselines.

Why do we need cloud protection on?

Cloud protection is needed to turn on the feature on the device. Cloud protection allows Defender for Endpoint to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.

How do I set Microsoft Defender Antivirus to passive mode?

Depending on the operating system, when devices that are running a non-Microsoft antivirus/antimalware solution are onboarded to Defender for Endpoint, Microsoft Defender Antivirus can go into passive mode automatically. For more information, see How Microsoft Defender Antivirus affects Defender for Endpoint functionality.

How do I confirm Microsoft Defender Antivirus is in active or passive mode?

To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.

Method: PowerShell
Procedure:
1. Select the Start menu, begin typing PowerShell, and then open Windows PowerShell in the results.
2. Type Get-MpComputerStatus.
3. In the list of results, in the AMRunningMode row, look for one of the following values:
- Normal
- Passive Mode
- SxS Passive Mode

To learn more, see Get-MpComputerStatus.

Method: Command Prompt
Procedure:
1. Select the Start menu, begin typing Command Prompt, and then open Windows Command Prompt in the results.
2. Type sc query windefend.
3. In the list of results, in the STATE row, confirm that the service is running.
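The AMRunningMode check from the PowerShell procedure above, combined with the client version, engine version and cloud-delivered protection checks from the requirements table, as one added example that is not part of the Microsoft documentation. It assumes an elevated PowerShell session on a Windows device with Microsoft Defender Antivirus installed; reading the cloud-delivered protection setting through the MAPSReporting property of Get-MpPreference is an assumption about how that setting is exposed, not something the page states.

```powershell
# Added example (not Microsoft's own code): verify the EDR in block mode
# prerequisites from the requirements table in one elevated PowerShell session.
$minClient = [version]'4.18.2001.10'   # AMProductVersion minimum from the requirements table
$minEngine = [version]'1.1.16700.2'    # AMEngineVersion minimum from the requirements table

function Test-EdrBlockModePrerequisites {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    $results = [ordered]@{}

    # 1. Defender AV must be in active (Normal) or one of the passive modes;
    #    any other value means EDR in block mode has nothing to build on.
    $mode = $status.AMRunningMode
    $results['RunningMode']   = $mode
    $results['ModeSupported'] = $mode -in @('Normal', 'Passive Mode', 'SxS Passive Mode')

    # 2. Client and engine versions, compared as [version] rather than as strings,
    #    so that 4.18.2010.7 correctly ranks above 4.18.2001.10.
    $clientVer = [version]$status.AMProductVersion
    $engineVer = [version]$status.AMEngineVersion
    $results['ClientVersion']  = $clientVer.ToString()
    $results['ClientUpToDate'] = $clientVer -ge $minClient
    $results['EngineVersion']  = $engineVer.ToString()
    $results['EngineUpToDate'] = $engineVer -ge $minEngine

    # 3. Cloud-delivered protection (MAPS). Assumption: 0 = off, 1 = basic, 2 = advanced.
    $results['CloudProtection'] = $prefs.MAPSReporting -ne 0

    $results['AllMet'] = $results['ModeSupported'] -and $results['ClientUpToDate'] -and $results['EngineUpToDate'] -and $results['CloudProtection']
    [pscustomobject]$results
}

# Run from an elevated prompt; a false in any row points at the requirement to fix.
Test-EdrBlockModePrerequisites | Format-List
```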

How much time does it take for EDR in block mode to be disabled?

If you choose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability.

Is EDR in block mode supported on Windows Server 2016?

If Microsoft Defender Antivirus is running in active mode or passive mode, EDR in block mode is supported on the following versions of Windows:

  • Windows 10 (all releases)
  • Windows Server, version 1803 or newer
  • Windows Server 2019

If Windows Server 2016 has Microsoft Defender Antivirus running in active mode, and the endpoint is onboarded to Defender for Endpoint, then EDR in block mode is technically supported. However, EDR in block mode is intended to be extra protection when Microsoft Defender Antivirus is not the primary antivirus solution on an endpoint. In those cases, Microsoft Defender Antivirus runs in passive mode. Currently, running Microsoft Defender Antivirus in passive mode is not supported on Windows Server 2016. To learn more, see Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions.

See also