Microsoft Defender Core service configurations and experimentation
This article describes the interaction between Microsoft Defender Core Service and the Experimentation and Configuration Service (ECS). Microsoft Defender Core Service is a part of Microsoft Defender Antivirus and communicates with ECS to request and receive different kinds of payloads. These payloads include configurations, feature rollouts, and experiments.
Important
Make sure clients can access the following URLs so payloads can be received:
Enterprise customers should allow the following URLs:
*.events.data.microsoft.com*.endpoint.security.microsoft.com*.ecs.office.com
Enterprise U.S. Government customers should allow the following URLs:
*.events.data.microsoft.com*.endpoint.security.microsoft.us (GCC-H & DoD)*.gccmod.ecs.office.com (GCC-M) *.config.ecs.gov.teams.microsoft.us (GCC-H)*.config.ecs.dod.teams.microsoft.us (DoD)
Note
This applies to Microsoft Defender Antivirus platform update version 4.18.24030 or later.
Configurations
Configurations are the payload meant to ensure product health, security, and privacy compliance, and are intended to have the same value for all the users (based on platforms and channels.) This could be to enable a feature flag for a domain action, and can also be used to disable a feature flag in the event of a bug.
Controlled Feature Rollout
Controlled Feature Rollout (CFR) is a procedure for slowly increasing the size of the user group that receives a feature. By distributing a new feature to a randomly selected subset of the user population, it's possible to compare user feedback to an equally sized control group without the feature to measure the impact of the feature.
Experiments
Microsoft Defender Core Service builds have features and functionality that are still in development or are experimental. Experiments are like CFR, but the size of the user group is much smaller for testing the new concept. These features are hidden by default until the feature's rolled out or the experiment's finished. Experiment flags are used to enable and disable these features.
Caution
If you disable communications with the service, this will affect Microsoft's ability to respond to a severe bug in a timely manner.
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for