Update evaluate-exploit-protection.md

windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md

@@ -1,7 +1,7 @@
 ---
 title: See how exploit protection works in a demo
 description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
-keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
+keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -10,9 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: levinec
+author: denisebmsft
-ms.author: ellevin
+ms.author: deniseb
-ms.date: 04/02/2019
+ms.date: 10/21/2019
 ms.reviewer: 
 manager: dansimp
 ---
@@ -23,21 +23,16 @@ manager: dansimp
 
 * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices.
+[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection.
-It consists of a number of mitigations that can be applied to either the operating system or an individual app.
-Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
 
-This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
+This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur.
-You can enable audit mode for certain app-level mitigations to see how they will work in a test environment.
-This lets you see a record of what *would* have happened if you had enabled the mitigation in production.
-You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
 
 > [!TIP]
 > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
 
 ## Enable exploit protection in audit mode
 
-You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
+You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell.
 
 ### Windows Security app
 
@@ -45,12 +40,12 @@ You can set mitigations in audit mode for specific programs either by using the
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
 
-3. Go to **Program settings** and choose the app you want to apply mitigations to:
+3. Go to **Program settings** and choose the app you want to apply protection to:
 
     1. If the app you want to configure is already listed, click it and then click **Edit**
-    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
+    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
-        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
@@ -76,14 +71,14 @@ Where:
 * \<Mitigation>:
   * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
 
- Mitigation | Audit mode cmdlet
+ |Mitigation | Audit mode cmdlet |
--|-
+|---|---|
- Arbitrary code guard (ACG) | AuditDynamicCode
+ |Arbitrary code guard (ACG) | AuditDynamicCode |
- Block low integrity images | AuditImageLoad
+ |Block low integrity images | AuditImageLoad
- Block untrusted fonts | AuditFont, FontAuditOnly
+ |Block untrusted fonts | AuditFont, FontAuditOnly |
- Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned
+ |Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned |
- Disable Win32k system calls | AuditSystemCall
+ |Disable Win32k system calls | AuditSystemCall |
- Do not allow child processes | AuditChildProcess
+ |Do not allow child processes | AuditChildProcess |
 
 For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
 
@@ -97,14 +92,14 @@ You can disable audit mode by replacing `-Enable` with `-Disable`.
 
 To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
 
-Feature | Provider/source | Event ID | Description
+|Feature | Provider/source | Event ID | Description |
--|-|-|-
+|---|---|--|---|
- Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
+ |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
- Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
+ |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
- Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
+ |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
- Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
+ |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
- Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
+ |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
- Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
+ |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
 
 ## Related topics