Merged PR 12889: Clarified Office apps in asr rules.

Clarified Office apps in asr rules.
Andrea Bichsel (Aquent LLC) 2018-11-16 17:26:38 +00:00
commit 31bb5b884c


@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 10/15/2018 ms.date: 11/16/2018
--- ---
# Reduce attack surfaces with attack surface reduction rules # Reduce attack surfaces with attack surface reduction rules
@ -56,15 +56,6 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft OneNote
The rules do not apply to any other Office apps.
### Rule: Block executable content from email client and webmail ### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
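Review bot: deleting the block "The rules apply to the following Office apps: ... The rules do not apply to any other Office apps." removes a real contradiction, because the table rows directly above it list rules for Office communication applications (26190899-1602-49e8-8b27-eb1d0a1ce869) and Adobe Reader (7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c), neither of which is Word, Excel, PowerPoint, or OneNote. The trade-off is that the page now has no general statement of which apps a rule covers, so every rule description that says "Office apps" or "Office applications" needs its own explicit list. In this patch only two rule sections pick one up (the code-injection rule and the Win32 DLL import rule); the section whose context reads "Extensions will be blocked from being used by Office apps" (visible in the next hunk header) still says only "Office apps". Please either add the app list to each remaining Office rule or keep a per-rule scope line in the table.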
@ -90,7 +81,7 @@ Extensions will be blocked from being used by Office apps. Typically these exten
### Rule: Block Office applications from injecting code into other processes ### Rule: Block Office applications from injecting code into other processes
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
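Review bot: "Office apps, including Word, Excel, PowerPoint, and OneNote" reads as a non-exhaustive sample, whereas the list this patch deletes from the top of the page stated that these four are the only Office apps covered. If the rule's scope is exactly those four apps, say so, for example: "This rule applies to Word, Excel, PowerPoint, and OneNote. These apps will not be able to inject code into other processes." Otherwise a reader cannot tell whether, say, Outlook or Access is in scope.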
@ -116,7 +107,7 @@ This rule prevents scripts that appear to be obfuscated from running.
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria ### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
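Review bot: the added sentence "This includes Word, Excel, PowerPoint, and OneNote." has an ambiguous subject: the sentence before it is about Office files that contain macro code, so "This" reads as referring to the files (or to the DLL-importing macros) rather than to the apps the rule is enforced in. Suggest "This rule applies to Word, Excel, PowerPoint, and OneNote." as its own sentence, ideally using the same wording as the code-injection rule so the two scope statements match.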