deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 05:13:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update enable-exploit-protection.md

Browse Source 
Audit of mitigations is not always available via PS but is with other management options
This commit is contained in:
Kurt Sarens
2020-11-06 15:18:45 +01:00
committed by GitHub
parent 89f1e46fef
commit 0e4ce05d01
1 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
View File

@ -210,7 +210,7 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
- | - | - | -
-|-|-|-
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
@ -225,20 +225,20 @@ Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreS
Disable extension points | App-level only | ExtensionPoint | Audit not available
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a>
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a>
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a>
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a>
Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a>
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell CmdLet.
## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.