diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 8446553143..70cba0bcec 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -54,7 +54,7 @@ Windows 10 quality update downloads can be large because every package contains >Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. ### How Microsoft supports Express -- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update. +- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index ed91c63c54..20620f9410 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -75,7 +75,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: -> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store. +> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. ### Section Review ### @@ -84,7 +84,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Minimum Windows Server 2012 Certificate Authority. > * Enterprise Certificate Authority. > * Functioning public key infrastructure. -> * Root certifcate authority certificate (Azure AD Joined devices). +> * Root certificate authority certificate (Azure AD Joined devices). > * Highly available certificate revocation list (Azure AD Joined devices). ## Azure Active Directory ## @@ -131,7 +131,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multufactor Authentiation features and settings. +> * Configure Azure Multifactor Authentiation features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 621818ce66..70dd6093e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -19,7 +19,7 @@ ms.date: 08/19/2018 - Key trust -## Directory Syncrhonization +## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 360b2a59c8..b14135494f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/15/2018 +ms.date: 11/16/2018 --- # Reduce attack surfaces with attack surface reduction rules @@ -56,15 +56,6 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -The rules apply to the following Office apps: - -- Microsoft Word -- Microsoft Excel -- Microsoft PowerPoint -- Microsoft OneNote - -The rules do not apply to any other Office apps. - ### Rule: Block executable content from email client and webmail This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): @@ -90,7 +81,7 @@ Extensions will be blocked from being used by Office apps. Typically these exten ### Rule: Block Office applications from injecting code into other processes -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. +Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. @@ -116,7 +107,7 @@ This rule prevents scripts that appear to be obfuscated from running. Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. -This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. +This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. ### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index a143ed81a3..290fbdaae4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 11/16/2018 --- # Evaluate attack surface reduction rules @@ -22,164 +22,14 @@ ms.date: 10/02/2018 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. - ->[!NOTE] ->This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). +This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Use the demo tool to see how attack surface reduction rules work - -Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. - -The tool is part of the Windows Defender Exploit Guard evaluation package: -- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) - -This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule. - -When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken. - -![Screenshot of the Exploit guard demo tool](images/asr-test-tool.png) - -Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running. - ->[!IMPORTANT] ->The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). - -**Run a rule using the demo tool:** - -1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop). - -2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. - - - >[!IMPORTANT] - >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10. - -3. Select the rule from the drop-down menu. - -4. Select the mode, **Disabled**, **Block**, or **Audit**. - 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**. - -5. Click **RunScenario**. - -The scenario will run, and an output will appear describing the steps taken. - -You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer. - ->[!TIP] ->You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. - - -Choosing the **Mode** will change how the rule functions: - -Mode option | Description --|- -Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all. -Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules. -Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer. - -Block mode will cause a notification to appear on the user's desktop: - -![Example notification that says Action blocked: Your IT administrator caused Windows Defender Antivirus to block this action. Contact your IT desk.](images/asr-notif.png) - -You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk. - -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). - -The following sections describe what each rule does and what the scenarios entail for each rule. - -### Rule: Block executable content from email client and webmail - -This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail. - -The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule: - -Scenario name | File type | Program -- | - | - -Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail -Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook -Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook -Mail Client Script Archive | Script archive files | Microsoft Outlook -WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail -WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail -WebMail Script Archive | Script archive files | Web mail - - -### Rule: Block Office applications from creating child processes - ->[!NOTE] ->There is only one scenario to test for this rule. - -Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. - -### Rule: Block Office applications from creating executable content - -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique. - -The following scenarios can be individually chosen: - -- Random - - A scenario will be randomly chosen from this list -- Extension Block - - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - -### Rule: Block Office applications from injecting into other processes - ->[!NOTE] ->There is only one scenario to test for this rule. - -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - -### Rule: Impede JavaScript and VBScript to launch executables - -JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - -- Random - - A scenario will be randomly chosen from this list -- JScript - - JavaScript will not be allowed to launch executable files -- VBScript - - VBScript will not be allowed to launch executable files - -### Rule: Block execution of potentially obfuscated scripts - -Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. - -- Random - - A scenario will be randomly chosen from this list -- AntiMalwareScanInterface - - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script -- OnAccess - - Potentially obfuscated scripts will be blocked when an attempt is made to access them - - -## Review Attack surface reduction events in Windows Event Viewer - -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -2. On the left panel, under **Actions**, click **Import custom view...** - -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to Attack surface reduction: - -Event ID | Description --|- -5007 | Event when settings are changed -1122 | Event when rule fires in Audit-mode -1121 | Event when rule fires in Block-mode - ## Use audit mode to measure impact -You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. +You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. @@ -189,17 +39,17 @@ To enable audit mode, use the following PowerShell cmdlet: Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` -This enables all Attack surface reduction rules in audit mode. +This enables all attack surface reduction rules in audit mode. >[!TIP] ->If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). +>If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). ## Customize attack surface reduction rules During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. -See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. +See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index f30804cbd0..3357f3a4fc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 11/16/2018 --- # Evaluate controlled folder access @@ -24,70 +24,11 @@ ms.date: 10/02/2018 It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. - ->[!NOTE] ->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md). +This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Use the demo tool to see how controlled folder access works - -Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders. - -The tool is part of the Windows Defender Exploit Guard evaluation package: -- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) - -This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. - -You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. - -1. Type **powershell** in the Start menu. - -2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. - -3. Enter the following in the PowerShell window to enable Controlled folder access: - ```PowerShell - Set-MpPreference -EnableControlledFolderAccess Enabled - ``` - -4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop). - -5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. - -6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. - - ![Screenshot of the exploit guard demo tool](images/cfa-filecreator.png) - -7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example: - - ![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png) - -## Review controlled folder access events in Windows Event Viewer - -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -2. On the left panel, under **Actions**, click **Import custom view...** - -3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to Controlled folder access: - -Event ID | Description --|- -5007 | Event when settings are changed -1124 | Audited controlled folder access event -1123 | Blocked controlled folder access event -1127 | Blocked controlled folder access sector write block event -1128 | Audited controlled folder access sector write block event - - ## Use audit mode to measure impact You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 1d7efe7b59..ec8690b50d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 11/16/2018 --- # Evaluate exploit protection @@ -26,75 +26,9 @@ Many of the features that are part of the [Enhanced Mitigation Experience Toolki This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md). ->[!NOTE] ->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md). - >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Enable and validate an exploit protection mitigation - -For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. - -First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app: - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** - -2. Enter the following cmdlet: - - ```PowerShell - Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation - ``` - -3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. - -4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. - -5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. - -6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. - -Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user: - -1. Type **run** in the Start menu and press **Enter** to open the run dialog box. - -2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer. - -3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process). - -Lastly, we can disable the mitigation so that Internet Explorer works properly again: - -1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. - -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. - -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. - -4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply** - -5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. - -## Review exploit protection events in Windows Event Viewer - -You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. - -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -3. On the left panel, under **Actions**, click **Import custom view...** - -4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the events related to exploit protection. - -6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: - - Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. - ## Use audit mode to measure impact You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 995cbaeb50..9c5516c1de 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 11/16/2018 --- # Evaluate network protection @@ -39,7 +39,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui Set-MpPreference -EnableNetworkProtection Enabled ``` -You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`. +You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled". ### Visit a (fake) malicious domain