added new rules for 19H1

2025-06-18 03:43:39 +00:00 · 2019-05-07 15:35:12 -07:00
parent bebb07ae8c
commit 51f935f25e
3 changed files with 14 additions and 2 deletions
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/02/2019
+ms.date: 05/07/2019
 ---

 # Reduce attack surfaces with attack surface reduction rules 
@ -79,6 +79,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
 Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
+Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Supported

 Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.

@ -264,6 +265,15 @@ SCCM name: Not applicable

 GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

+### Block persistence through WMI event subscription
+
+Windows Defender Advanced Threat Protection prevented an attempt to establish entity persistence in the WMI repo through a WMI event subscription.
+
+Intune name: Block persistence through WMI event subscription
+
+SCCM name: Not applicable
+
+GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b

 ## Related topics

--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@ -59,6 +59,7 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+Process creation from Adobe Reader | e6db77e5-3df2-4cf1-b95a-636979351e5b 

 See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@ -11,6 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
+ms.date: 05/07/2019
 ---

 # Customize controlled folder access
@ -24,7 +25,7 @@ Controlled folder access helps you protect valuable data from malicious apps and
 This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):

 - [Add additional folders to be protected](#protect-additional-folders)
- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
+- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)

 >[!WARNING]
 >Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.