add asr eval

This commit is contained in:
Iaan D'Souza-Wiltshire
2017-08-11 19:19:25 -07:00
parent 846d7f630f
commit 1d526e25f9
4 changed files with 185 additions and 35 deletions

View File

@ -13,16 +13,131 @@ author: iaanw
ms.author: iawilt
---
# Attack Surface Reduction
# Evaluate Attack Surface Reduction rules
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
>[NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
## Use the demo tool to see how Attack Surface Reduction works
Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](#)
This tool has a simple user interface that lets you choose a rule, configure it in blocking, auditing, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
You can also set advanced options, including setting a delay, choosing a specific scenario, and how to view a record of the events.
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
![](images/asr-test-tool.png)
### Rule 1
### Rule 2
### Rule 3
### Rule 4
### Rule 5
### Rule 6
## Review Attack Surface Reduction events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
## Use auditing mode to measure impact
You can also enable the Attack Surface Reduction feature in auditing mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
>[!TIP]
>If you want to fully audit how Attack Surface Redurction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
## Customize Attack Surface Reduction
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
See the following sections in the main [Use Attack Surface Reduction rules](controlled-folders-exploit-guard.md) topic for configuring the feature with MDM policies, PowerShell, the Windows Defender Security Center, Group Policy, Intune, or System Center Configuration Manager:
- [Exclude files and folders](attack-surface-reduction-exploit-guard.md#exclude-files-and-folders)
- [Configure rules individually](attack-surface-reduction-exploit-guard.md#configure-rules-individually)
## Attack Surface Reduction rules
Component | Configuration available with | Event ID | Corresponds to…
-|-|-|-
Attack Surface Reduction (ASR) | GP & MDM | Provider: Windows Defender |
| | | Event when settings are changed | <Evt-ID: 5007>
| | | Event when rule fires in Audit-mode | <Evt-ID: 1122>
| | | Event when rule fires in Block-mode | <Evt-ID: 1121>
### Audit/block modes
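Review bot: the hunk leaves several unfinished pieces that should not ship as-is: the six `### Rule 1` … `### Rule 6` headings under the demo-tool section are empty, `### Audit/block modes` at the end of the hunk has no body, and the trailing `## Attack Surface Reduction rules` table (`Attack Surface Reduction (ASR) | GP & MDM | Provider: Windows Defender |` followed by rows like `| | | Event when settings are changed | <Evt-ID: 5007>`) has more cells than its header and reads like a leftover template rather than content; either fill these in or drop them from this commit. Smaller points in the same hunk: `>[NOTE]` should be `>[!NOTE]` to match the `>[!TIP]` alert syntax used further down; `[Download the Exploit Guard Evaluation Package](#)` is a placeholder link; the "Customize" section links to `controlled-folders-exploit-guard.md` under the text "Use Attack Surface Reduction rules", which looks copied from the CFA topic and should point at `attack-surface-reduction-exploit-guard.md`; and the typos "Redurction", "individualy" and "events there were created" (should be "events that were created") need fixing.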

View File

@ -21,10 +21,14 @@ Controlled Folder Access is a feature that is part of Windows Defender Exploit G
This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
>[NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
## Use the File Creator tool to demo Controlled Folder Access
Use the File Creator tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders.
## Use the demo tool to see how Controlled Folder Access works
Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](#)
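Review bot: two headings introduce the same demo tool back to back (`## Use the File Creator tool to demo Controlled Folder Access` and `## Use the demo tool to see how Controlled Folder Access works`, each followed by a one-sentence intro); if the first pair is the removed text this is fine, otherwise only one heading and intro should remain. Also `>[NOTE]` should be `>[!NOTE]` (the `>[!TIP]` and `>[!IMPORTANT]` blocks later in the file use the bang form), and `[Download the Exploit Guard Evaluation Package](#)` is a placeholder link.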
@ -33,25 +37,22 @@ This tool can be run locally on an individual machine to see the typical behavio
You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
1. Open the Exploit Guard Evaluation Package and copy the file *Filecreator* to a location on your PC that is easy to access (such as your desktop).
>[!TIP]
>You may need to change the extension in the filename from *Filecreator.rename* to *Filecreator.exe*
2. Open the **Local Group Policy Editor** by typing **Edit group policy** in the Start menu.
1. Type **powershell** in the Start menu.
3. Under **Local Computer Policy**, expand **Computer configuration** > **Administrative templates** > **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled Folder Access**.
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
4. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the **Options** section select **Enable**.
3. Enter the following in the PowerShell window to enable Controlled Folder Access:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop).
![](images/cfa-gp-enable.png)
5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
4. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
5. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
![](images/cfa-filecreator.png)
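Review bot: the step numbering in the procedure needs a pass: the PowerShell sequence reads 1 (open PowerShell), 2 (run as administrator), 3 (`Set-MpPreference -EnableControlledFolderAccess Enabled`), then `4. Open the Exploit Guard Evaluation Package…` followed by `4. Run the tool by double-clicking it…` and `5. You'll be asked to specify a name…`, so two steps share the number 4 and the later numbers are off by one. The `>[!IMPORTANT]` block about setting the Group Policy option to **Enabled** and the screenshot `![](images/cfa-gp-enable.png)` describe the Group Policy path, not the PowerShell path the rewritten steps use; if the GP steps are being removed, these should go with them or move to the GP section of the main topic. The `>[!TIP]` about renaming *Filecreator.rename* to *Filecreator.exe* also conflicts with the step that names the file *ExploitGuard CFA File Creator.exe*; keep whichever file name the evaluation package actually ships.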
@ -59,18 +60,26 @@ You can enable Controlled Folder Access, run the tool, and see what the experien
![](images/cfa-notif.png)
8. You can also review the Windows Event log to see the events there were created:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
## Review Controlled Folder Access events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
Event ID | Description
-|-
5007 | Event when settings are changed
1124 | Audited Controlled Folder Access event
1123 | Blocked Controlled Folder Access event
Event ID | Description
-|-
Event when settings are changed | 5007
Audited Controlled Folder Access event | 1124
Blocked Controlled Folder Access event | 1123
## Use auditing mode to measure impact
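Review bot: the second event table has its columns inverted relative to its header: `Event ID | Description` is followed by rows such as `Event when settings are changed | 5007`, while the table just above it puts the ID first (`5007 | Event when settings are changed`). Whichever table survives the change, header and rows must agree, and the ID-first order matches the ASR topic added in this same commit. The Event Viewer steps also appear twice (nested under step 8 and again under `## Review Controlled Folder Access events in Windows Event Viewer`); the standalone section is the clearer home, and "events there were created" should read "events that were created".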
@ -78,18 +87,23 @@ As with other Windows Defender EG features, you can enable the Controlled Folder
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
To enable audit mode, see the GP option to **Audit Mode**.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess AuditMode
```
![](images/cfa-audit-gp.png)
>[!TIP]
>You will need to use a GP management tool, such as the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), to deploy this policy change to see how Controlled Folder Access would work in your network.
>If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with the Windows Defender Security Center, Group Policy, or mobile device management (MDM) policies:
See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with MDM policies, PowerShell, the Windows Defender Security Center, Group Policy, Intune, or System Center Configuration Manager:
- [Protect additional folders](controlled-folders-exploit-guard.md#protect-additional-folders)
- [Allow specifc apps to make changes to controlled folders](controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders)
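Review bot: "specifc" is misspelled in both the link text and the anchor `#allow-specifc-apps-to-make-changes-to-controlled-folders`; because the anchor is derived from the target heading in controlled-folders-exploit-guard.md, fix the heading there in the same change or the link will break. The screenshot `![](images/cfa-audit-gp.png)` shows the Group Policy audit setting, but the surrounding text now gives the PowerShell cmdlet (`Set-MpPreference -EnableControlledFolderAccess AuditMode`); drop or replace the image so it matches the instructions. The two `>[!TIP]` lines (the GPMC link and "use a management tool to deploy this setting") say the same thing; keep one.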

Binary file not shown.


View File

@ -0,0 +1,21 @@
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1121,1122,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Attack Surface Reduction view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>
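Review bot: the view selects `EventID=5007` on both channels with no further filter; 5007 is the generic Windows Defender Antivirus configuration-changed event, so this custom view will surface every Defender settings change, not only ASR-related ones. That is acceptable for an evaluation view, but the doc text in this commit ("filters to only show the following events related to Attack Surface Reduction") should be softened to match. The 1121/1122 IDs agree with the table in the doc hunk, and selecting from both the Operational and WHC channels under a single `<Query Id="0">` is valid for Event Viewer custom views.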