Merged PR 13018: Changed to indicate all ASR rules honor exclusions.

Changed to indicate all ASR rules honor exclusions.
2025-05-21 17:57:22 +00:00 · 2018-11-27 18:53:25 +00:00 · 2018-11-27 18:53:25 +00:00 · 2b2280cd74
commit 2b2280cd74
parent da6eb6704e 2f1be5f0a0
2 changed files with 19 additions and 35 deletions
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 11/19/2018
+ms.date: 11/27/2018
 ---

 # Reduce attack surfaces with attack surface reduction rules 
@ -64,9 +64,6 @@ This rule blocks the following file types from being run or launched from an ema
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 - Script archive files

->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
 ### Rule: Block all Office applications from creating child processes

 Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
@ -88,18 +85,12 @@ Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to

 This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.

->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
 ### Rule: Block JavaScript or VBScript From launching downloaded executable content

 JavaScript and VBScript scripts can be used by malware to launch other malicious apps. 

 This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.

->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
 ### Rule: Block execution of potentially obfuscated scripts

 Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. 
@ -132,9 +123,6 @@ This rule provides an extra layer of protection against ransomware. Executable f
 
 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.

->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
- 
 >[!NOTE]
 >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.

--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 10/17/2018
+ms.date: 11/27/2018
 ---

 # Customize attack surface reduction rules
@ -28,7 +28,7 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.

 ## Exclude files and folders

-You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. 
+You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. 

 This could potentially allow unsafe files to run and infect your devices.

@ -41,28 +41,24 @@ You can specify individual files or folders (using folder paths or fully qualifi

 Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 

-Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
+Exclusions apply to all attack surface reduction rules.

->[!IMPORTANT] 
->Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). 
-
-
-Rule description | Rule honors exclusions | GUID 
+Rule description | GUID 
 -|:-:|-
-Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D
-Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
+Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
+Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

 See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.