deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Add EAF docs

Browse Source 
Added docs on EAF
This commit is contained in:
Chris Jackson
2020-08-05 23:22:21 -05:00
parent 099b7a2631
commit 0336c89b30
1 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
View File

@ -361,8 +361,47 @@ If your application launches child applications for any reason, such as supporti
## Export address filtering ## Export address filtering
### Description
Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects 3 commonly attacked modules:
- ntdll.dll
- kernelbase.dll
- kernel32.dll
The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#export-address-table). This memory page will have the PAGE_GUARD protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated.
### Compatibility considerations
This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technolgy.
### Configuration options
**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules:
- mshtml.dll
- flash*.ocx
- jscript*.ocx
- vbscript.dll
- vgx.dll
- mozjs.dll
- xul.dll
- acrord32.dll
- acrofx32.dll
- acroform.api
Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory.
**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview).
## Force randomization for images (Mandatory ASLR) ## Force randomization for images (Mandatory ASLR)
### Description
### Compatibility considerations
### Configuration options
## Import address filtering ## Import address filtering
## Randomize memory allocations (Bottom-up ASLR) ## Randomize memory allocations (Bottom-up ASLR)