deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

All ASR rules honor exclusions.

Browse Source
This commit is contained in:
Andrea Bichsel (Aquent LLC)
2018-11-27 18:40:25 +00:00
parent 0bcab775c9
commit 2f1be5f0a0
1 changed files with 1 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/19/2018
ms.date: 11/27/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -64,9 +64,6 @@ This rule blocks the following file types from being run or launched from an ema
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
@ -88,18 +85,12 @@ Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
@ -132,9 +123,6 @@ This rule provides an extra layer of protection against ransomware. Executable f
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.