New Update Security Intelligence Updates in Microsoft Defender (Threat Detection Changelog)


March-2025 (Platform: 4.18.25030.2 | Engine: 1.1.25030.1)

  • Security intelligence update version: 1.427.3.0
  • Release date: April 1, 2025 (Engine) / April 9, 2025 (Platform)
  • Platform: 4.18.25030.2
  • Engine: 1.1.25030.1
  • Support phase: Security and Critical Updates

What's new

  • Improved caching of device control settings to improve reliability in occasionally connected environments.
  • Performance improvement in on-access scans of files in network locations.
  • Fixed the Defender service description to match the latest installed version.
  • Improved Defender engine update logic when the update is included in a custom image.
  • Fix in health reporting where signature update data might have been incorrect.
  • Fixed reporting issue with controlled folder access (CFA) protected folders using the PowerShell cmdlet Get-MpPreference when CFA is disabled.
  • Improved performance when scanning UPX-packed files (Ultimate Packer for eXecutables) and updated the validation process to verify the integrity of the packed file itself.
  • Added support for distinguishing regular cloud allow signatures from clean Indicators of Compromise (IoC) in attack surface reduction (ASR).

April-2025 (Platform: TBD | Engine: 1.1.25040.1)

  • Security intelligence update version: 1.429.3.0
  • Release date: May 14, 2025 (Engine) / (Platform pending)
  • Platform: (coming soon)
  • Engine: 1.1.25040.1
  • Support phase: Security and Critical Updates

What's new

  • Fixed TVM Block where we failed to block a trusted file
  • Fixed Microsoft Defender platform update timestamp to reflect the actual update time.
  • The 1002 event (An anti-malware scan was stopped before it finished) now includes details of the stop reason.
  • Added more details to the 1000 event (Scan started), like scan trigger and scan on idle.
  • Improved ASR file processing to correctly handle "allow" Indicators of Compromise (IoCs).
  • Improvement in health reporting for machines that are rebooted or hibernated.
  • Improved performance for Smart App Control (SAC) trusted file handling.
  • Improved device control logic for offline printers.
Source: Microsoft Defender Antivirus security intelligence and product updates - Microsoft Defender for Endpoint

In the event log, I found SAC blocking some Windows DLL files!
Indeed, SAC will block some MS stuff, but they are usually (?) harmless. They're famous for using unsigned DLLs. Hey, it's their OS, they can do what they want. ;)


May-2025 (Platform: 4.18.25050.5 | Engine: 1.1.25050.6)

  • Security intelligence update version: 1.431.19.0
  • Release date: June 13, 2025 (Engine) / June 13, 2025 (Platform)
  • Platform: 4.18.25050.5
  • Engine: 1.1.25050.6
  • Support phase: Security and Critical Updates

What's new

  • Windows multisession SKUs are now properly classified as client SKUs for signature versioning
  • EnableDynamicSignatureDroppedEventReporting configuration is now available in Intune (see Event ID 2011)
  • The display name and description are now displayed correctly for the device control filter driver in Windows services
  • Improved performance for kernel driver
  • Improvements to network protection performance related to packet loss during high network utilization
  • Reliability improvements to network protection during service shutdown
  • Enriched Event ID 1000 to include ScanOnlyIfIdle and scan priority
  • Improved device control Windows Portal Device (WPD) device discovery in File explorer. (For more information about device control, see Device control policy samples and scenarios.)
  • Resolved discrepancy in device health reports between signature publish and signature install date and time
  • Performance improvements when scanning files/folders with extended attributes
  • Reliability improvement in the Defender kernel driver to avoid crashing when there's excessive disk input/output
  • Added exponential backoff support to Core Service 1DS manager telemetry module to address memory consumption and DNS flooding issues
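
As an added example (not Microsoft's code and not part of the changelog), here is a PowerShell check an admin can run after these updates: it compares the installed platform, engine and signature versions against the May-2025 numbers above and lists the 1000/1002 scan events that the April-2025 engine enriched with trigger and stop-reason details. It assumes an elevated PowerShell session on a Windows host where Defender Antivirus is the active engine; the layout of the extra event fields is not documented on this page, so the script simply dumps every event property.

```powershell
# Added example, not from the Microsoft changelog.
# Expected versions are the ones listed in the May-2025 entry above.
$expected = @{
    Platform  = '4.18.25050.5'
    Engine    = '1.1.25050.6'
    Signature = '1.431.19.0'
}

# Get-MpComputerStatus reports what is actually installed on this host.
$status = Get-MpComputerStatus
$installed = @{
    Platform  = $status.AMProductVersion
    Engine    = $status.AMEngineVersion
    Signature = $status.AntivirusSignatureVersion
}

foreach ($k in $expected.Keys) {
    # Cast to [version] so dotted build numbers compare numerically, not as strings.
    $ok = [version]$installed[$k] -ge [version]$expected[$k]
    $state = if ($ok) { 'OK' } else { 'BEHIND' }
    '{0,-10} installed {1,-14} expected >= {2,-14} {3}' -f $k, $installed[$k], $expected[$k], $state
}

# Event 1000 (scan started) and 1002 (scan stopped before it finished) are written to the
# Defender operational log. Per the April-2025 notes, 1002 now carries the stop reason and
# 1000 the scan trigger / scan-on-idle flag. Assumption: these arrive as additional entries in
# the event's Properties collection, so every property value is printed rather than a fixed index.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1002
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Details'; e = { ($_.Properties | ForEach-Object { $_.Value }) -join ' | ' } } |
    Format-Table -AutoSize -Wrap
```

If a version line reports BEHIND, check the update channel and the support phase listed above before assuming the event enrichment is present.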