elastic
diff --git a/‎docs/edr-install-config/configure-endpoint-integration-policy.mdx
Lines changed: 7 additions & 5 deletions b/‎docs/edr-install-config/configure-endpoint-integration-policy.mdx
Lines changed: 7 additions & 5 deletions
diff --git a/‎docs/images/configure-endpoint-integration-policy/-getting-started-install-endpoint-malware-protection.png
-16.1 KB b/‎docs/images/configure-endpoint-integration-policy/-getting-started-install-endpoint-malware-protection.png
-16.1 KB
@@ -71,7 +71,7 @@ To configure an integration policy:
 that looks for static attributes to determine if a file is malicious or benign.
 
 By default, malware protection is enabled on Windows, macOS, and Linux hosts.
-To disable malware protection, switch the **Malware protections enabled** toggle off.
+To disable malware protection, turn off the **Malware protections** toggle.
 
 <DocCallOut title="Requirements">
 
@@ -86,16 +86,18 @@ Malware protection levels are:
 
 * **Prevent** (Default): Detects malware on the host, blocks it from executing, and generates an alert.
 
+These additional options are available for malware protection:
+
+* **Blocklist**: Enable or disable the <DocLink id="serverlessSecurityBlocklist">blocklist</DocLink> for all hosts associated with this ((elastic-defend)) policy. The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
+
+* **Scan files upon modification**: By default, ((elastic-defend)) scans files every time they're modified, which can be resource-intensive on hosts where files are frequently modified, such as servers and developer machines. Turn off this option to only scan files when they're executed. ((elastic-defend)) will continue to identify malware as it attempts to run, providing a robust level of protection while improving endpoint performance.
+
 Select **Notify user** to send a push notification in the host operating system when activity is detected or prevented. Notifications are enabled by default for the **Prevent** option.
 
 <DocCallOut title="Tip">
 Endpoint Protection Complete customers can customize these notifications using the `Elastic Security {action} {filename}` syntax.
 </DocCallOut>
 
-Malware protection also allows you to manage a blocklist to prevent specified applications from running on hosts,
-extending the list of processes that ((elastic-defend)) considers malicious. Use the **Blocklist enabled** toggle
-to enable or disable this feature for all hosts associated with the integration policy. To configure the blocklist, refer to <DocLink id="serverlessSecurityBlocklist">Blocklist</DocLink>.
-
 ![Detail of malware protection section.](../images/configure-endpoint-integration-policy/-getting-started-install-endpoint-malware-protection.png)
 
 <div id="manage-quarantined-files"></div>