diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 17f8c23087..75e3768ee9 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -1,7 +1,7 @@ --- -title: Configure how ASR works so you can finetune the protection in your network -description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR -keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude +title: +keywords: +description: search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -32,54 +32,27 @@ ms.author: iawilt - Configuration service providers for mobile device management -Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. - -You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. - -## Exclude files and folders - -You can exclude files and folders from being evaluated by Attack Surface Reduction rules. - -You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode). - -### Use Group Policy to exclude files and folders - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**. - -6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. - -### Use PowerShell to exclude files and folderss - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** -2. 
Enter the following cmdlet: - - ```PowerShell - Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" - ``` - -Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. +> [!div class="checklist"] +> * Log in to Azure +> * Create a resource group +> * Prepare the configuration +> * Create a virtual machine +> * Configure the firewall +> * Snapshot the virtual machine +> * Run management tasks ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. - -### Use MDM CSPs to exclude files and folders - -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. +head | text +-|- +text | > [!div class="checklist"] > * Log in to Azure - -## Customize the notification - -See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +> * Create a resource group +> * Prepare the configuration +> * Create a virtual machine +> * Configure the firewall +> * Snapshot the virtual machine +> * Run management tasks diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index e900fe8bec..988cc27d0f 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md 
@@ -40,30 +40,17 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection). - You configure these settings using the Windows Defender Security Center app on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. + You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. - Exploit Protection consists of a number of mitigations that are designed to protect against typical malware infection behavior - especially for malware that attempts to exploit software vulnerabilities to spread and infect machines. + You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled. Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection. - You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled. 
+ >[!IMPORTANT] + >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. - - ############### - What is Exploit Protection?[edit | edit source] -The Exploit Protection feature set, a subset of the all-up Windows Defender Exploit Guard effort, enables pro users and IT admins/SecOps personnel to view, audit, and configure system and application security mitigations—in turn allowing them to raise the cost of exploitation and reduce attack surface in their environments. -Exploit Protection is rapidly shaping up to be the new and improved in-box EMET replacement for Windows 10. This has been well-received by our customers, who were formerly concerned about EMET’s upcoming EOL and the disparity between EMET and Windows 10, but are now happy to see that their feedback has been internalized and is being acted upon. -Exploit Protection is comprised mainly of 3 pillars: -Security mitigations built-in to the OS, now also including legacy app protection for apps that are not yet re-compiled to take advantage of CFG -Improved manageability experience, including support for SCCM, Intune, and Group Policy management -Reporting and auditing capabilities, including a better-together story with Windows Defender ATP -####################### - - - - ## Requirements The following requirements must be met before Exploit Protection will work: @@ -116,7 +103,7 @@ Security-Mitigations | 22 | ROP CallerCheck enforce Security-Mitigations | 23 | ROP SimExec audit Security-Mitigations | 24 | ROP SimExec enforce WER-Diagnostics | 5 | CFG Block -Provider: Win32K | 260 | Untrusted Font +Win32K | 260 | Untrusted Font ## In this section 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml b/windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml index 7077dde1b9..24e207a21d 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml +++ b/windows/threat-protection/windows-defender-exploit-guard/scripts/ep-events.xml @@ -2,20 +2,54 @@ - Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC - 1125,1126,5007 + Microsoft-Windows-Security-Mitigations/KernelMode,Microsoft-Windows-Win32k/Concurrency,Microsoft-Windows-Win32k/Contention,Microsoft-Windows-Win32k/Messages,Microsoft-Windows-Win32k/Operational,Microsoft-Windows-Win32k/Power,Microsoft-Windows-Win32k/Render,Microsoft-Windows-Win32k/Tracing,Microsoft-Windows-Win32k/UIPI,System,Microsoft-Windows-Security-Mitigations/UserMode + 1-24, 5, 260 + Microsoft-Windows-Security-Mitigations,Microsoft-Windows-WER-Diag,Microsoft-Windows-Win32k,Win32k 0 - False + True - Network Protection view + Exploit protection view - - - + + + + + + + + + + + + + + + 255 + 70 + 305 + 215 + 215 + 215 + 50 + 110 + 80 + 170 + 70 + 70 + 90 + 70 + 80 + 70 + 100 + 85 + 140 + 140 + + \ No newline at end of file
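Review bot: in the first hunk of customize-exploit-protection.md (`@@ -1,7 +1,7 @@`) the front-matter fields `title:`, `keywords:` and `description:` are left empty, which drops the page's search metadata and gives the rendered page no title; if the page is being repurposed for Exploit Protection, replace the three values with ones matching the new link text in exploit-protection-exploit-guard.md rather than blanking them, and keep a `keywords:` list so the page remains findable.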
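Review bot: the replacement body in the `@@ -32,54 +32,27 @@` hunk of customize-exploit-protection.md is template scaffolding unrelated to the topic (the `[!div class="checklist"]` list of Azure steps and the `head | text` table), while the sibling change to exploit-protection-exploit-guard.md now links to this page for "configure these settings using the Windows Defender Security Center app or PowerShell"; either land the actual Exploit Protection configuration content in this change or hold the link change until it exists. The removed ASR section also carried the only note that `Set-MpPreference` overwrites the exclusion list while `Add-MpPreference` appends to it; if that material moves to an ASR-specific page, make sure the `[!IMPORTANT]` note moves with it rather than being lost.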
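Review bot: the `@@ -40,30 +40,17 @@` hunk of exploit-protection-exploit-guard.md removes the sentence "Exploit Protection consists of a number of mitigations that are designed to protect against typical malware infection behavior...", which was the only line describing what the feature does; consider keeping it (or a shorter form) ahead of the EMET paragraph, since the remaining text only says how to configure and audit it. The change from "Attack Surface Reduction" to "Exploit Protection" in the audit-mode sentence and the removal of the draft `###############` block are correct. In the `@@ -116,7 +103,7 @@` hunk, dropping the `Provider: ` prefix from the `Win32K | 260 | Untrusted Font` row makes it consistent with the other rows; confirm the column header of that table names the provider so the bare `Win32K` still reads correctly.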
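Review bot: in the ep-events.xml hunk the event-ID filter `1-24, 5, 260` applies to every listed channel, so the view depends entirely on the provider list (`Microsoft-Windows-Security-Mitigations,Microsoft-Windows-WER-Diag,Microsoft-Windows-Win32k,Win32k`) to exclude unrelated events; the `System` channel in particular receives IDs in the 1-24 range from many providers, so verify the provider filter is enforced and that the seven extra Win32k channels (Concurrency, Contention, Messages, Power, Render, Tracing, UIPI) are actually needed for event 260 rather than adding noise. The event table in exploit-protection-exploit-guard.md names the source of event 5 as `WER-Diagnostics` while the filter names `Microsoft-Windows-WER-Diag`; make sure the two agree. The file also now ends with `\ No newline at end of file`; add the trailing newline.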