Review detected threats

As soon as a malicious file or program is detected, Microsoft Defender Antivirus blocks it and prevents it from running. With cloud-delivered protection turned on, a threat newly detected on one device is reported to the Microsoft cloud protection service, so your other devices and users are protected against it as well.

Microsoft Defender Antivirus detects and protects against the following kinds of threats:

  • Viruses, malware, and web-based threats on devices
  • Phishing attempts
  • Data theft attempts

As an IT professional/admin, you can view information about threat detections across Windows devices that are enrolled in Intune in the Microsoft 365 admin center. You'll see summary information, such as:

  • How many devices need antivirus protection
  • How many devices aren't in compliance with security policies
  • How many threats are currently active, mitigated, or resolved

Actions you can take

When you view details about specific threats or devices, you'll see recommendations and one or more actions you can take. The following table describes actions that you might see.

  • Configure protection: Your threat protection policies need to be configured. Select the link to go to your policy configuration page.
    Need help? See Manage device security with endpoint security policies in Microsoft Intune.
  • Update policy: Your antivirus and real-time protection policies need to be updated or configured. Select the link to go to the policy configuration page.
    Need help? See Manage device security with endpoint security policies in Microsoft Intune.
  • Run quick scan: Starts a quick antivirus scan on the device, focusing on common locations where malware might be registered, such as registry keys and known Windows startup folders.
  • Run full scan: Starts a full antivirus scan of the device: the same common locations as a quick scan, plus every file and folder on the device. Results are sent to Microsoft Endpoint Manager.
  • Update antivirus: Requires the device to get security intelligence updates for antivirus and antimalware protection.
  • Restart device: Forces a Windows device to restart within five minutes.
    IMPORTANT: The device owner or user isn't automatically notified of the restart and could lose unsaved work.

View and manage threat detections in the Microsoft 365 Defender portal

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

  2. In the navigation pane, choose Threat Analytics to see all the current threats. They are categorized by threat severity and type.

  3. Click on a threat to see more details about the threat.

  4. In the table, you can filter the alerts according to a number of criteria.

Manage threat detections in Microsoft Intune

You can use Microsoft Endpoint Manager to manage threat detections as well. First, all devices, whether Windows, iOS, or Android, must be enrolled in Intune (part of Microsoft Endpoint Manager).

  1. Go to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com and sign in.

  2. In the navigation pane, select Endpoint security.

  3. Under Manage, select Antivirus. You'll see tabs for Summary, Unhealthy endpoints, and Active malware.

  4. Review the information on the available tabs, and then take any needed action.

For example, suppose that devices are listed on the Active malware tab. When you select a device, you'll have certain actions available, such as Restart, Quick Scan, Full Scan, Sync, or Update signatures. Select an action for that device.

The following table describes the actions you might see in Microsoft Endpoint Manager.

  • Restart: Forces a Windows device to restart within five minutes.
    IMPORTANT: The device owner or user isn't automatically notified of the restart and could lose unsaved work.
  • Quick Scan: Starts a quick antivirus scan on the device, focusing on common locations where malware might be registered, such as registry keys and known Windows startup folders. Results are sent to Microsoft Endpoint Manager.
  • Full Scan: Starts a full antivirus scan of the device: the same common locations as a quick scan, plus every file and folder on the device. Results are sent to Microsoft Endpoint Manager.
  • Sync: Requires a device to check in with Intune (part of Microsoft Endpoint Manager). When the device checks in, it receives any pending actions or policies assigned to it.
  • Update signatures: Requires the device to get security intelligence updates for antivirus and antimalware protection.

Tip

For more information, see Remote actions for devices.
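The remote actions in both tables above (Update signatures, Quick Scan, Full Scan, Restart) have local equivalents in the Defender PowerShell module that ships with Windows 10 and 11. The following script is an added example, not code from this Microsoft page or from the Intune product: it reads the protection state the admin center summarizes (including whether cloud-delivered protection is on), lists detections joined to the threat catalog so you can see which are still active, and optionally runs the signature update, a scan, and a delayed restart. The cmdlets used (Get-MpComputerStatus, Get-MpPreference, Get-MpThreat, Get-MpThreatDetection, Update-MpSignature, Start-MpScan) are real; the script name, parameter names, and the ThreatID join are this example's own choices. Run it from an elevated PowerShell prompt on the device.

```powershell
<#
  Invoke-DefenderTriage.ps1 (added example; not part of the Microsoft page)
  Local equivalents of the admin-center / Intune remote actions.

  Usage:
    .\Invoke-DefenderTriage.ps1                        # read-only: status + detections
    .\Invoke-DefenderTriage.ps1 -ScanType QuickScan    # also update signatures and scan
    .\Invoke-DefenderTriage.ps1 -ScanType FullScan -Restart -WhatIf   # show what would run
#>
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('None', 'QuickScan', 'FullScan')]
    [string]$ScanType = 'None',   # example parameter, not an Intune setting
    [switch]$Restart
)

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# 1. Protection state. Cloud-delivered protection (MAPS) is what turns one
#    device's detection into protection for the others, so check it explicitly.
#    MAPSReporting: 0 = off, 1 = basic, 2 = advanced.
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    CloudProtectionEnabled    = ($prefs.MAPSReporting -ne 0)
    SignatureVersion          = $status.AntivirusSignatureVersion
    SignatureAgeDays          = $status.AntivirusSignatureAge
    LastQuickScan             = $status.QuickScanEndTime
    LastFullScan              = $status.FullScanEndTime
} | Format-List

# 2. Detections, joined by ThreatID to the threat catalog so each row carries
#    the threat name, severity and whether it is still active (the
#    "active / mitigated / resolved" view the admin center summarizes).
$threats = @{}
Get-MpThreat | ForEach-Object { $threats[$_.ThreatID] = $_ }

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    ForEach-Object {
        $t = $threats[$_.ThreatID]
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            Threat     = if ($t) { $t.ThreatName } else { "ThreatID $($_.ThreatID)" }
            SeverityID = if ($t) { $t.SeverityID } else { $null }  # 1 Low, 2 Moderate, 4 High, 5 Severe
            Active     = if ($t) { $t.IsActive } else { $null }
            Remediated = $_.ActionSuccess
            Process    = $_.ProcessName
            Resources  = ($_.Resources -join '; ')
        }
    } | Format-Table -AutoSize -Wrap

# 3. "Update signatures", then "Quick Scan" / "Full Scan".
#    Start-MpScan blocks until the scan finishes; a full scan can take hours.
if ($ScanType -ne 'None') {
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Update security intelligence')) {
        Update-MpSignature
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Start $ScanType")) {
        Start-MpScan -ScanType $ScanType
        Get-MpComputerStatus | Select-Object QuickScanEndTime, FullScanEndTime
    }
}

# 4. "Restart": the remote action restarts within five minutes without telling
#    the user. Locally you can keep the same five-minute window but show a
#    message, so unsaved work is less likely to be lost.
if ($Restart -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart in 5 minutes')) {
    shutdown.exe /r /t 300 /c "Restarting to complete malware remediation. Save your work now."
}
```

Run it read-only first: the status block tells you whether the device is actually protected and whether signatures are stale before you spend time on a scan, and the detection table shows whether anything is still marked Active after Defender's own remediation. Because the script supports -WhatIf, you can preview the signature update, scan and restart steps without executing them.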

How to submit a file for malware analysis

If you have a file that you think was missed or wrongly classified as malware, you can submit that file to Microsoft for malware analysis. Users and IT admins can submit a file for analysis. Visit https://www.microsoft.com/wdsi/filesubmission.

See also

Best practices for securing Microsoft 365 for business plans

Overview of Microsoft Defender for Business (Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022)