deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'wdeg-misha' into wdeg

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-08-15 10:39:49 -07:00
commit 24c5ba3cd1
21 changed files with 979 additions and 438 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -1,7 +1,7 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -10,17 +10,16 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
# Windows Defender Exploit Guard
# Reduce the attack surface with Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
- Windows 10 Insider Preview
**Audience**
@ -32,61 +31,68 @@ msft.author: iawilt
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center app
Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
You can use Windows Defender EG to:
The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also [enable audit mode](audit-mode-exploit-guard.md) for Windows Defender EG, which provides with reporting and event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
Windows Defender EG is a component of the new Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. Other components of Windows Defender Advanced Threat Protection include:
- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
- [Windows Defender SmartScreen]
- [Windows Defender Device Guard]
- [Windows Defender Application Control]
## Requirements
Each of the features in Windows Defender EG have slightly different requirements:
The following requirements must be met before Attack Surface Reduction will work:
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
-|-|-|-
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack surface reduction | 16232 | Must be enabled | Required
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
The way in which the features can be managed, configured, and reported on also varies:
Feature | Configuration available with | Reporting available with
-|-|-
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Windows 10 version | Windows Defender Antivirus
- | -
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
## In this library
## Review Attack Surface Reduction events in Windows Event Viewer
You can review the Windows event log to see events there are created when an Attack Surface Reduction rule is triggered:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *asr-events.xml* to an easily accessible location on the machine.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
### Event fields
- **ID**: matches with the Rule-ID that triggered the block/audit.
- **Detection time**: Time of detection
- **Process Name**: The process that performed the “operation” that was blocked/audited
- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
## In this section
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.

57
windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md Normal file
View File

@ -0,0 +1,57 @@
---
title:
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Use audit mode to evaluate Windows Defender Exploit Guard features
You can enable each of the features of Windows Defender Explot Guard in auditing mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
This topic lists the auditing functionality available for each feature, the management tools (Group Policy, Intune, MDM CSPs, System Center Configuration Manager, or PowerShell) that can be used to configure and deploy the setting to multiple machines in your network(s), and links to configuring each feature or setting.
## Audit/block modes
Controlled Folder Access has mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Controlled Folder Access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component.
| | | Allowed apps |Apps that are allowed to write into protected folders
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Attack Surface Reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. - Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content
| | | | Block obfuscated js/vbs/ps/macro code
| | | | Block office application from launching child processes
| | | | Block office application from injecting into other processes
| | | | Block Win32 imports from macro code in Office
| | | Rules to prevent script threats |Block js/vbs from executing payload downloaded from Internet
| | | | Block obfuscated js/vbs/ps/macro code
| | | Rules to prevent email threats |Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client).

156
windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -19,7 +19,7 @@ msft.author: iawilt
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
- Windows 10 Insider Preview
**Audience**
@ -35,157 +35,55 @@ msft.author: iawilt
- Windows Defender Security Center app
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
All apps (any executable file, including .exe, .scr, .dll files and others )are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
A notification will appear on the machine where the app attempted to make changes to a protected folder.
Controlled folder access monitors the changes that apps make to files in certain protected folders.
Controlled Folder Access monitors the changes that apps make to files in certain protected folders.
If an app attempts to make a change to these files, and the app is blacklisted by the feature, youll get a notification about the attempt.
The protected folders include common system folders, and you can additional folders. You can also allow or whitelist apps to give them access to the protected folders.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled.
## Requirements
The following requirements must be met before controlled folder access will work:
The following requirements must be met before Controlled Folder Access will work:
Windows 10 version | Windows Defender Antivirus
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
**Use the Windows Defender Security app to enable controlled folder access:**
## Review Controlled Folder Access events in Windows Event Viewer
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
You can review the Windows event log to see events there are created when Controlled Folder Access blocks (or audits) an app:
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
1. Download the [Exploit Guard Evaluation Package](#) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Set the switch for the feature to **On**
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
![](images/cfa-on.png)
3. On the left panel, under **Actions**, click **Import custom view...**
**Use Group Policy to enable controlled folder access:**
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [download the XML directly](scripts/cfa-events.xml).
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
4. Click **OK**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
Event ID | Description
-|-
5007 | Event when settings are changed
1124 | Audited Controlled Folder Access event
1123 | Blocked Controlled Folder Access event
![](images/cfa-gp-enable.png)
## In this section
>[!IMPORTANT]
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## Protect additional folders
Adding other folders to Controlled folder access can be handy, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults.
Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Click Protected folders in the Controlled folder access area and enter the full path of the folder you want to monitor.
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
**Use the Windows Defender Security app to protect additional folders:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
**Use Group Policy to protect additional folders:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name?
> [!IMPORTANT]
> Environment variables and wildcards are not supported.
## Allow specifc apps to make changes to controlled folders
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the controlled folder access feature.
**Use the Windows Defender Security app to whitelist specific apps:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
4. Click **Add an allowed app** and follow the prompts to add apps.
![](images/cfa-allow-app.png)
**Use Group Policy to whitelist specific apps:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
## Review event logs for controlled folder access
Component | Configuration available with | Event ID | Corresponds to…
-|-|-|-
Controlled Folder access | GP, MDM & UI | Provider: Windows Defender |
| | | Event when settings are changed | <Evt-ID: 5007>
| | | Event when CFA fires in Audit-mode | <Evt-ID: 1124>
| | | Event when CFA fires in Block-mode | <Evt-ID: 1123>
## MDM policy settings for Controlled Folder Access
./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders
## Audit/block modes
Controlled folder access has mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Controlled folder access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component.
| | | Allowed apps |Apps that are allowed to write into protected folders
Topic | Description
---|---
[Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled Folder Access works, and what events would typically be created.
[Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled Folder Access in your network
[Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.

68
windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md Normal file
View File

@ -0,0 +1,68 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Customize Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center app
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
## Exclude files and folders
You can exclude files and folders from being evaluated by Attack Surface Reduction rules. You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the files should be excluded from individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
## Customize the notification
Customizing the Windows Defender Security Center is a simple task that provides users with a clear way to contact support.
Simply navigate in Group Policy to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\Enterprise Customization**. From there, you will be able to enable your custom notification, set your organization name and contact information.
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

146
windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md Normal file
View File

@ -0,0 +1,146 @@
---
title:
keywords: controlled folder access
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Protect important folders with Controlled Folder Access
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center app
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
- [Add additional folders to be protected](#protect-additional-folders)
- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
## Protect additional folders
Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Adding other folders to Controlled Folder Access can be useful, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
### Use the Windows Defender Security app to protect additional folders
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
### Use Group Policy to protect additional folders
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder as Value? Or Value Name?
> [!IMPORTANT]
> Environment variables and wildcards are not supported.
### Use PowerShell to protect additional folders
### Use MDM CSPs or Intune to protect additional folders
### Use System Center Configuration Manager to protect additional folders
## Allow specifc apps to make changes to controlled folders
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
### Use the Windows Defender Security app to whitelist specific apps
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
4. Click **Add an allowed app** and follow the prompts to add apps.
![](images/cfa-allow-app.png)
### Use Group Policy to whitelist specific apps
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
### Use PowerShell to whitelist specific apps
### Use MDM CSPs or Intune to whitelist specific apps
./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders
### Use System Center Configuration Manager to whitelist specific apps
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

133
windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md Normal file
View File

@ -0,0 +1,133 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Enable Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center app
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
## Individually enable Attack Surface Reduction rules
You can use Group Policy to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
- Click **Show...** and enter the Rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- Block mode = 1
- Disabled = 0
- Audit mode = 2
![](images/asr-rules-gp.png)
>[!NOTE]
>Rule IDs willl be populated on machines that are enrolled in an E5 license. These machines will also properly report their Attack Surface Reduction rule history in the Windows Defender Security Center web console.
>[!NOTE]
>The tool reveals the RuleIDs. How will the IDs be hidden/how will the experience differ without an E5?
## Policy settings for Windows Defender EG
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Attack Surface Reduction
- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
-- Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1
#### Rule-GUIDs for ASR
Rule description | GUIDs
-|-
Office rules |
Block office application from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84}
| OMA URI : “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules”
| Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1
| 1 = Block, 2 = Audit, 0 = Disabled.
Block office application/macros from creating executable content | {3b576869-a4ec-4529-8536-b80a7769e899}
| Replace the above GUID with the corresponding Rule GUID
Block office application from launching child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a}
| Replace the above GUID with the corresponding Rule GUID
Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B}
| Replace the above GUID with the corresponding Rule GUID
Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
| Replace the above GUID with the corresponding Rule GUID
Script rules |
Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
| Replace the above GUID with the corresponding Rule GUID [Note: same rule as above, but also covers scripts hence written here]
Block js/vbs from executing payload downloaded from Internet. | {d3e037e1-3eb8-44c8-a917-57927947596d}
| Replace the above GUID with the corresponding Rule GUID
Email rule |
Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
| Replace the above GUID with the corresponding Rule GUID [Currently working for Mail-client (Outlook). Personal Webmail (Outlook.com, Gmail, Yahoo) work in progress]
### Manually enabling the Attack Surface Reduction rules
You can also manually use GP or MDM-URIs to enable the ASR rules:
From the rules tables above, choose the ASR rules that you want to enable and set the following policy. For each rule select the right GUID.
After youve chosen your rules, use one of the tools above to simulate a rule to fire.
- “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules”
- Value as String Data Type: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:2
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

96
windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md Normal file
View File

@ -0,0 +1,96 @@
---
title:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Enable Controlled Folder Access
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune
- Windows Defender Security Center app
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
## Enable Controlled Folder Access
You can enable Controlled Folder Access with either the Windows Defender Security Center app or Group Policy. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
For further details on how audit mode works, and when you might want to use it, see the section [Use auditing mode to measure impact](#use-auditing-mode-to-measure-impact).
### Use the Windows Defender Security app to enable Controlled Folder Access
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Set the switch for the feature to **On**
![](images/cfa-on.png)
### Use Group Policy to enable Controlled Folder Access
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Exploit Guard**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
### Use PowerShell to enable Controlled Folder Access
### Use MDM CSPs or Intune to enable Controlled Folder Access
### Use System Center Configuration Manager to enable Controlled Folder Access
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

165
windows/threat-protection/windows-defender-exploit-guard/evaluate-asr.md
View File

@ -1,165 +0,0 @@
---
title:
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
---
# Attack surface reduction
## Attack surface reduction rules
Component | Configuration available with | Event ID | Corresponds to…
-|-|-|-
Attack Surface Reduction (ASR) | GP & MDM | Provider: Windows Defender |
| | | Event when settings are changed | <Evt-ID: 5007>
| | | Event when rule fires in Audit-mode | <Evt-ID: 1122>
| | | Event when rule fires in Block-mode | <Evt-ID: 1121>
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Attack surface reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. - Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content
| | | | Block obfuscated js/vbs/ps/macro code
| | | | Block office application from launching child processes
| | | | Block office application from injecting into other processes
| | | | Block Win32 imports from macro code in Office
| | | Rules to prevent script threats |Block js/vbs from executing payload downloaded from Internet
| | | | Block obfuscated js/vbs/ps/macro code
| | | Rules to prevent email threats |Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client).
## Policy settings for Windows Defender EG
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Attack Surface Reduction
- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
-- Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1
#### Rule-GUIDs for ASR
Rule description | GUIDs
-|-
Office rules |
Block office application from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84}
| OMA URI : “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules”
| Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1
| 1 = Block, 2 = Audit, 0 = Disabled.
Block office application/macros from creating executable content | {3b576869-a4ec-4529-8536-b80a7769e899}
| Replace the above GUID with the corresponding Rule GUID
Block office application from launching child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a}
| Replace the above GUID with the corresponding Rule GUID
Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B}
| Replace the above GUID with the corresponding Rule GUID
Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
| Replace the above GUID with the corresponding Rule GUID
Script rules |
Block obfuscated js/vbs/ps/macro code | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
| Replace the above GUID with the corresponding Rule GUID [Note: same rule as above, but also covers scripts hence written here]
Block js/vbs from executing payload downloaded from Internet. | {d3e037e1-3eb8-44c8-a917-57927947596d}
| Replace the above GUID with the corresponding Rule GUID
Email rule |
Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
| Replace the above GUID with the corresponding Rule GUID [Currently working for Mail-client (Outlook). Personal Webmail (Outlook.com, Gmail, Yahoo) work in progress]
## Evaluate
### Using the standalone configuration tool
Weve provided an easy-to-use configuration tool for testing purposes, called TestHIPS. The tool can be used to:
1. Enable the chosen ASR rule in either block or audit mode by creating a local GPO and running a test file that triggers the rule.
2. Enable the chosen ASR rule in either block or audit mode by creating a local GPO.
The result of the activity can be viewed in the event log and corresponding notification (if the rule was triggered in block mode).
You can find the tool in the evaluation package alongside this guide:
- ExploitGuardCustomerFiles/AntiMalware.Tools.TestHIPS.exe
-
Note: You may need to change the extension in the filename from **AntiMalware.Tools.TestHIPS.rename** to **AntiMalware.Tools.TestHIPS.exe**.
For additional help with the tool, use the “-?” parameter.
### Using the DemoExploitGuard tool to simulate WD-EG Rules with a GUI
You can use an additional tool, called DemoExploitGuard, to test various rules by simulating scenarios that would cause the rule to issue a block or audit event, depending on the mode. DemoExploitGuard uses the TestHIPS tool to enable and configure the rules.
You can find the tool in the evaluation package alongside this guide:
- ExploitGuardCustomerFiles\AntiMalware.Tools.DemoExploitGuard.exe
Note: You may need to change the extension in the filename from **AntiMalware.Tools.DemoExploitGuard.rename** to **AntiMalware.Tools.DemoExploitGuard.exe**
**Rules**: Select one of the seven attack surface reduction rules to run.
**Mode**: Sets the behavior of the Demo Tool.
Note: If the rule is applied by GP, this should not be an option
- **Disabled**: This scenario will execute normally and complete
- **Block**: This scenario should get blocked [ExploitGuard Block] and a notification will appear to indicate the block
- **Audit**: This scenario will not block, but will show up in the event log. Right-click the output area to go directly to the event logs for Windows Defender EG
### Manually enabling the attack surface reduction rules
You can also manually use GP or MDM-URIs to enable the ASR rules:
From the rules tables above, choose the ASR rules that you want to enable and set the following policy. For each rule select the right GUID.
After youve chosen your rules, use one of the tools above to simulate a rule to fire.
- “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules”
- Value as String Data Type: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:2
### View event logs
Note: event logs are not the primary mechanism for investigation. The Windows Defender ATP portal receives much richer information that allows for investigation. Information is also presented in an interactive machine-timeline view.
#### Event fields
- **ID**: matches with the Rule-ID that triggered the block/audit.
- **Detection time**: Time of detection
- **Process Name**: The process that performed the “operation” that was blocked/audited
- **Description**:
Windows Defender Antivirus has audited an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
-- ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-- Detection time: 2017-06-21T11:52:29.062Z
-- User: SYSTEM
-- Path: C:\Windows\System32\notepad.exe
-- Process Name: C:\Program Files\Microsoft Office\Office16\winword.exe
-- Signature Version: 1.245.730.0
-- Engine Version: 1.1.13902.0
-- Product Version: 4.12.16228.1000
### View the alert notification
If you configure the test to block, a notification will be displayed from the Action Center. This notification is customizable with your organization and contact information.
### Customizing Windows Defender
Customizing the Windows Defender Security Center is a simple task that provides users with a clear way to contact support.
Simply navigate in Group Policy to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\Enterprise Customization**. From there, you will be able to enable your custom notification, set your organization name and contact information.

257
windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md Normal file
View File

@ -0,0 +1,257 @@
---
title:
description:
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Evaluate Attack Surface Reduction rules
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
>[!NOTE]
>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
## Use the demo tool to see how Attack Surface Reduction works
Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](#)
This tool has a simple user interface that lets you choose a rule, configure it in blocking, auditing, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
You can also set advanced options, including setting a delay, choosing a specific scenario, and how to view a record of the events.
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
![](images/asr-test-tool.png)
Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
>[!IMPORTANT]
>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [auditing mode to measure impact](#use-auditing-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
**Run a rule using the demo tool:**
1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop).
2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
>[!IMPORTANT]
>Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10.
3. Select the rule from the drop-down menu.
4. Select the mode, **Disabled**, **Block**, or **Audit**.
1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**.
5. Click **RunScenario**.
The scenario will run, and an output will appear describing the steps taken.
You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer.
>[!TIP]
>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
>[!NOTE]
>What does leave dirty do? Does delay work?
Choosing the **Mode** will change how the rule functions:
Mode option | Description
-|-
Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack Surface Reduction at all.
Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack Surface Reduction.
Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack Surface Reduction will work but without impacting how you use the machine.
Block mode will cause a notification to appear on the user's desktop:
![](images/asr-notif.png)
You can [modify the notification to display your company name and links](attack-surface-reduction-exploit-guard.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
The following sections describe what each rule does and what the scenarios entail for each rule.
### Rule: Block executable content from email client and webmail
This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail.
The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
Scenario name | File type | Program
- | - | -
Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail
Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
Mail Client Script Archive | Script archive files (such as .????) | Microsoft Outlook
WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as ??? (only outlook/hotmail? Or anything? Any browser or only Edge/IE?)
WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
WebMail Script Archive | Script archive files (such as .????) | Web mail
>[!NOTE]
>What is a script archive file?
### Rule: Block Office applications from creating child processes
>[!NOTE]
>There is only one scenario to test for this rule.
Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
>[!NOTE]
>Note sure if this accurate
### Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware spreading and infection technique.
The following scenarios can be individually chosen:
- Random
- A scenario will be randomly chosen from this list
- Extension Block
- Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
- MZ Block
- ???
>[!NOTE]
>Note sure if this accurate
### Rule: Block Office applications from injecting into other processes
>[!NOTE]
>There is only one scenario to test for this rule.
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
### Rule: Impede JavaScript and VBScript to launch executables
JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
- Random
- A scenario will be randomly chosen from this list
- JScript
- JavaScript will not be allowed to launch executable files
- VBScript
- VBScript will not be allowed to launch executable files
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running.
- Random
- A scenario will be randomly chosen from this list
- AntiMalwareScanInterface
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- OnAccess
- Potentially obfuscated scripts will be blocked when an attempt is made to run them
>[!NOTE]
>Note sure if this accurate
## Review Attack Surface Reduction events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [download the XML directly](scripts/asr-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
## Use auditing mode to measure impact
You can also enable the Attack Surface Reduction feature in auditing mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
This enables all Attack Surface Reduction rules in audit mode.
>[!TIP]
>If you want to fully audit how Attack Surface Reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
## Customize Attack Surface Reduction
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
See the following topics for configuring the feature with management tools, including Group Policy and MDM CSP policies:
- [Exclude files and folders](customize-attack-surface-reduction.md#exclude-files-and-folders)
- [Configure rules individually](enable-attack-surface-reduction.md#individually-enable-attack-surface-reduction-rules)
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

88
windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -21,37 +21,38 @@ Controlled Folder Access is a feature that is part of Windows Defender Exploit G
This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
>[NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
## Use the File Creator tool to demo Controlled Folder Access
Use the File Creator tool to test controlled folder access. The tool is part of the Windows Defender Exploit Guard evaluation package:
## Use the demo tool to see how Controlled Folder Access works
Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](#)
This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from making changes to files in any of your protected folders.
This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
1. Open the Exploit Guard Evaluation Package and copy the file *Filecreator* to a location on your PC that is easy to access (such as your desktop).
1. Type **powershell** in the Start menu.
>[!TIP]
>You may need to change the extension in the filename from *Filecreator.rename* to *Filecreator.exe*
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
2. Open the **Local Group Policy Editor** by typing **Edit group policy** in the Start menu.
3. Enter the following in the PowerShell window to enable Controlled Folder Access:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
3. Under **Local Computer Policy**, expand **Computer configuration** > **Administrative templates** > **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled Folder Access**.
4. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the **Options** section select **Enable**.
>[!IMPORTANT]
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
![](images/cfa-gp-enable.png)
4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop).
4. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
5. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
![](images/cfa-filecreator.png)
@ -59,18 +60,26 @@ You can enable Controlled Folder Access, run the tool, and see what the experien
![](images/cfa-notif.png)
8. You can also review the Windows Event log to see the events there were created:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*.
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
## Review Controlled Folder Access events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [download the XML directly](scripts/cfa-events.xml).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
Event ID | Description
-|-
5007 | Event when settings are changed
1124 | Audited Controlled Folder Access event
1123 | Blocked Controlled Folder Access event
Event ID | Description
-|-
Event when settings are changed | 5007
Audited Controlled Folder Access event | 1124
Blocked Controlled Folder Access event | 1123
## Use auditing mode to measure impact
@ -78,18 +87,33 @@ As with other Windows Defender EG features, you can enable the Controlled Folder
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
To enable audit mode, see the GP option to **Audit Mode**.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess AuditMode
```
![](images/cfa-audit-gp.png)
>[!TIP]
>You will need to use a GP management tool, such as the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), to deploy this policy change to see how Controlled Folder Access would work in your network.
>If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
For further details on how audit mode works, and when you might want to use it, see the [auditing Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with the Windows Defender Security Center, Group Policy, or mobile device management (MDM) policies:
See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy and MDM CSPs:
- [Protect additional folders](controlled-folders-exploit-guard.md#protect-additional-folders)
- [Allow specifc apps to make changes to controlled folders](controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders)
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

18
windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -10,12 +10,12 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
## Exploit protection
## Exploit Protection
@ -56,13 +56,13 @@ Exploit Protection | GP, MDM, PS & UI | Provider: Win32K |
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Exploit protection |Provides memory, control flow and policy restrictions that can be used to protect an application from exploits. - Each mitigation can be enabled in audit/block mode |Memory exploit mitigation | DEP
Exploit Protection |Provides memory, control flow and policy restrictions that can be used to protect an application from exploits. - Each mitigation can be enabled in audit/block mode |Memory exploit mitigation | DEP
| | | | ForceASLR
| | | | BottomUpASLR
| | | | HeapTermination
@ -84,8 +84,8 @@ Exploit protection |Provides memory, control flow and policy restrictions that c
## Policy settings for Windows Defender EG
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Exploit protection
Exploit protection has an improved manageability experience over EMET, including support for SCCM, Intune, Powershell, and Group Policy management.
### Exploit Protection
Exploit Protection has an improved manageability experience over EMET, including support for SCCM, Intune, Powershell, and Group Policy management.
>
> Note: SCCM and Intune will be supported in furture releases.
You can specify a common set of WD Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured.
@ -98,9 +98,9 @@ Note, however, that there are some prerequisites before you can enable this sett
#### Group policy
The exploit protection feature can be configured with the following Group Policy details:
The Exploit Protection feature can be configured with the following Group Policy details:
- Location: \Microsoft\Windows Defender Exploit Guard\Exploit Protection
- Name: Use a common set of exploit protection settings
- Name: Use a common set of Exploit Protection settings
- Values: **Enabled**: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
-- C:\MitigationSettings\Config.XML
-- \\Server\Share\Config.xml
@ -190,7 +190,7 @@ b. IE should open as expected
5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively.
### Managing exploit protection through Group Policy
### Managing Exploit Protection through Group Policy
1. Launch Group Policy Management Console (gpmc.msc) and from within and existing or new GPO navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection** and open the policy named *Use a common set of exploit protection settings*.
2. Enable the setting as seen below and point to an accessible location for the client machines to the recently created XML.
3. Apply the new GP to targeted machines by direction OU membership, Security Group or WMI filter.

26
windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -18,14 +18,14 @@ msft.author: iawilt
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Network Filter
In Windows 10, Version 1709, you can enable Windows Defender EG network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
In Windows 10, Version 1709, you can enable Windows Defender EG Network Protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
You can enable network protection in either block or audit mode (non-blocking, ATP events only) with Group Policy, WMI/PowerShell, or MDM settings with CSP.
You can enable Network Protection in either block or audit mode (non-blocking, ATP events only) with Group Policy, WMI/PowerShell, or MDM settings with CSP.
#### Group Policy
The network filter feature can be configured with the following Group Policy details:
The Network Protection feature can be configured with the following Group Policy details:
- Location: \Microsoft\Windows Defender Exploit Guard
- Name: Prevent users and apps from accessing dangerous websites
- Values: **Enabled**: Specify the mode in the **Options** section:
@ -38,17 +38,17 @@ The settings in the XML file will be applied to the endpoint
**Not configured**: Same as **Disabled**.
To enable network protection in block mode, select the **Enabled** value and specify **Enabled** in the drop-down sub-option menu.
To enable Network Protection in block mode, select the **Enabled** value and specify **Enabled** in the drop-down sub-option menu.
#### Windows Management Instrumentation/PowerShell
Use the following cmdlet to configure network protection:
Use the following cmdlet to configure Network Protection:
```
Set-MpPreference -EnableNetworkProtection [Disabled|Enabled|AuditMode]
```
To enable network protection in Block mode, use:
To enable Network Protection in Block mode, use:
```
Set-MpPreference -EnableNetworkProtection Enabled
```
@ -56,7 +56,7 @@ Set-MpPreference -EnableNetworkProtection Enabled
#### Mobile device management/Configuration service provider
Use this CSP to configure network protection:
Use this CSP to configure Network Protection:
- Policy area: Defender
- Name: Defender\EnableNetworkProtection
- Supported Values:
@ -64,7 +64,7 @@ Use this CSP to configure network protection:
-- 1: Enabled (Block Mode)
-- 2: Audit Mode
To enable network protection in block mode, set **Defender\EnableNetworkProtection** to integer 1.
To enable Network Protection in block mode, set **Defender\EnableNetworkProtection** to integer 1.
@ -84,7 +84,7 @@ Network Filter | GP, MDM | Provider: Windows Defender |
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
@ -93,21 +93,21 @@ Component |Description |Rule/mitigation description |
Network Filter |Blocks outbound connection from any app to low rep IP/domain - This can be enabled in audit/block mode |Enable/disable/audit |Puts the feature in enable/disable or audit mode.
### Visit a malicious domain in block mode using Internet Explorer or Google Chrome
1. Enable network protection in block mode.
1. Enable Network Protection in block mode.
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
You will get a 403 Forbidden response in the browser, and you will see an Action Center message saying that Windows Defender EG blocked a connection to a malicious site.
### Visit a malicious domain in audit mode using Internet Explorer or Google Chrome
1. Enable network protection in audit mode.
1. Enable Network Protection in audit mode.
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
You will be able to navigate successfully to the site. However, you can see an audit event in Windows Defender ATP or in the Windows Event Log (under Windows Defender > Operational).
### Visit a malicious domain in Microsoft Edge
1. Enable network protection in bmode.
1. Enable Network Protection in bmode.
1. Ensure that SmartScreen is enabled. (Start -> Windows Defender Security Center -> App & browser -> SmartScreen in Microsoft Edge -> Block or Warn)
1. Open Microsoft Edge.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)

10
windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -30,10 +30,10 @@ Windows Defender Exploit Guard is a new collection of tools and features that he
You can use Windows Defender EG to:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [Attack Surface Reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
There are a few ways you can get started evaluating Windows Defender EG to see how it works and how it could help protect your network. This topic brings together the evaluation topics for each of the four features in Windows Defender EG.

14
windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -36,7 +36,7 @@ msft.author: iawilt
- Windows Defender Security Center app
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
@ -44,7 +44,7 @@ Exploit protection automatically applies a number of exploit mitigation techniqu
## Requirements
The following requirements must be met before exploit protection will work:
The following requirements must be met before Exploit Protection will work:
Windows 10 version | Windows Defender Advanced Threat Protection
Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
@ -160,14 +160,14 @@ You can import the XML file to other machines in your organization. You can do t
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## App-specific mitigations
@ -245,11 +245,11 @@ You can import the XML file to other machines in your organization. You can do t
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## Review event logs for exploit protection
## Review event logs for Exploit Protection
How do you see these event logs? Are they under specific codes/areas?

BIN
windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

30
windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -1,7 +1,7 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -41,10 +41,10 @@ Windows Defender Exploit Guard is a new collection of tools and features that he
You can use Windows Defender EG to:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [Attack Surface Reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
@ -62,10 +62,10 @@ Windows Defender EG is a component of the new Windows Defender Advanced Threat P
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
-|-|-|-
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack surface reduction | 16232 | Must be enabled | Required
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
Exploit Protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | 16232 | Must be enabled | Required
Network Protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
@ -74,17 +74,17 @@ Windows Defender EG is a component of the new Windows Defender Advanced Threat P
Feature | Configuration available with | Reporting available with
-|-|-
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Exploit Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack Surface Reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Network Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Controlled Folder Access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
## In this library
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.

21
windows/threat-protection/windows-defender-exploit-guard/scripts/asr-events.xml Normal file
View File

@ -0,0 +1,21 @@
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1121,1122,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Attack Surface Reduction view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>

2
windows/threat-protection/windows-defender-exploit-guard/scripts/cfa-events.xml
View File

@ -1 +1 @@
<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled folder access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>
<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled Folder Access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>

32
windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
View File

@ -1,7 +1,7 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -20,7 +20,7 @@ msft.author: iawilt
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
- Windows 10 Insider Preview, build 16242 and later
**Audience**
@ -30,10 +30,10 @@ Windows Defender Exploit Guard is a new collection of tools and features that he
You can use Windows Defender EG to:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [Attack Surface Reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
@ -51,10 +51,10 @@ Each of the features in Windows Defender EG have slightly different requirements
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
-|-|-|-
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack surface reduction | 16232 | Must be enabled | Required
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
Exploit Protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | 16232 | Must be enabled | Required
Network Protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
@ -63,17 +63,17 @@ The way in which the features can be managed, configured, and reported on also v
Feature | Configuration available with | Reporting available with
-|-|-
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Exploit Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack Surface Reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Network Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Controlled Folder Access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
## In this library
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.