deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Incorp tech review.

Browse Source
This commit is contained in:
Andrea Bichsel 2019-01-28 15:03:58 -08:00
parent ad1d83f77c
commit 2035115353
2 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -121,6 +121,9 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
>[!IMPORTANT]
>File and folder exclusions do not apply to this ASR rule.
Intune name: js/vbs executing payload downloaded from Internet (no exceptions) Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content SCCM name: Block JavaScript or VBScript from launching downloaded executable content

11
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -29,9 +29,12 @@ You can exclude files and folders from being evaluated by most attack surface re
>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). >If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
>[!IMPORTANT] >[!IMPORTANT]
>File and folder exclusions do not apply to the **Block process creations originating from PSExec and WMI commands** ASR rule. >File and folder exclusions do not apply to the following ASR rules:
>
>- Block process creations originating from PSExec and WMI commands
>- Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. Exclusions apply to all ASR rules that are enabled or are set to audit mode, except for the **Block process creations originating from PSExec and WMI commands**. You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
@ -60,7 +63,9 @@ For further details on how audit mode works and when to use it, see [Audit Windo
2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule. 2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule.
3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. 3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one. 4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one.