diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5bfe2c6ba4..a735cde5c8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/02/2019 +ms.date: 05/07/2019 --- # Reduce attack surfaces with attack surface reduction rules @@ -79,6 +79,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported +Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Supported Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps. @@ -264,6 +265,15 @@ SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +### Block persistence through WMI event subscription + +Windows Defender Advanced Threat Protection prevented an attempt to establish entity persistence in the WMI repo through a WMI event subscription. + +Intune name: Block persistence through WMI event subscription + +SCCM name: Not applicable + +GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 204fad8ca0..08be26c51b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -59,6 +59,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Process creation from Adobe Reader | e6db77e5-3df2-4cf1-b95a-636979351e5b See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 05037553e3..d4617d6e3c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic +ms.date: 05/07/2019 --- # Customize controlled folder access @@ -24,7 +25,7 @@ Controlled folder access helps you protect valuable data from malicious apps and This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): - [Add additional folders to be protected](#protect-additional-folders) -- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders) +- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) >[!WARNING] >Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.