deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 15:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

naming changes

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-08-11 18:04:17 -07:00
parent a2dcf99d30
commit 593fa6e258
11 changed files with 108 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -1,7 +1,7 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -41,10 +41,10 @@ Windows Defender Exploit Guard is a new collection of tools and features that he
You can use Windows Defender EG to:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [Attack Surface Reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
@ -62,10 +62,10 @@ Windows Defender EG is a component of the new Windows Defender Advanced Threat P
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
-|-|-|-
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack surface reduction | 16232 | Must be enabled | Required
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
Exploit Protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | 16232 | Must be enabled | Required
Network Protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
@ -74,17 +74,17 @@ Windows Defender EG is a component of the new Windows Defender Advanced Threat P
Feature | Configuration available with | Reporting available with
-|-|-
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Exploit Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack Surface Reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Network Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Controlled Folder Access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
## In this library
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.

30
windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -35,27 +35,27 @@ msft.author: iawilt
- Windows Defender Security Center app
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
All apps (any executable file, including .exe, .scr, .dll files and others )are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
A notification will appear on the machine where the app attempted to make changes to a protected folder.
Controlled folder access monitors the changes that apps make to files in certain protected folders.
Controlled Folder Access monitors the changes that apps make to files in certain protected folders.
If an app attempts to make a change to these files, and the app is blacklisted by the feature, youll get a notification about the attempt.
The protected folders include common system folders, and you can additional folders. You can also allow or whitelist apps to give them access to the protected folders.
## Requirements
The following requirements must be met before controlled folder access will work:
The following requirements must be met before Controlled Folder Access will work:
Windows 10 version | Windows Defender Antivirus
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
**Use the Windows Defender Security app to enable controlled folder access:**
**Use the Windows Defender Security app to enable Controlled Folder Access:**
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -67,7 +67,7 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De
![](images/cfa-on.png)
**Use Group Policy to enable controlled folder access:**
**Use Group Policy to enable Controlled Folder Access:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -79,28 +79,28 @@ Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows De
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## Protect additional folders
Adding other folders to Controlled folder access can be handy, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults.
Adding other folders to Controlled Folder Access can be handy, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults.
Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Click Protected folders in the Controlled folder access area and enter the full path of the folder you want to monitor.
Click Protected folders in the Controlled Folder Access area and enter the full path of the folder you want to monitor.
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
@ -137,7 +137,7 @@ You can also enter network shares and mapped drives, but environment variables a
## Allow specifc apps to make changes to controlled folders
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the controlled folder access feature.
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
**Use the Windows Defender Security app to whitelist specific apps:**
@ -167,7 +167,7 @@ You can specify if certain apps should always be considered safe and given write
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
## Review event logs for controlled folder access
## Review event logs for Controlled Folder Access
Component | Configuration available with | Event ID | Corresponds to…
-|-|-|-
@ -183,9 +183,9 @@ Controlled Folder access | GP, MDM & UI | Provider: Windows Defender |
## Audit/block modes
Controlled folder access has mitigations that can be individually enabled in audit or blocking mode.
Controlled Folder Access has mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Controlled folder access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component.
Controlled Folder Access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component.
| | | Allowed apps |Apps that are allowed to write into protected folders

14
windows/threat-protection/windows-defender-exploit-guard/evaluate-asr.md
View File

@ -10,12 +10,12 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
# Attack surface reduction
# Attack Surface Reduction
## Attack surface reduction rules
## Attack Surface Reduction rules
Component | Configuration available with | Event ID | Corresponds to…
-|-|-|-
@ -29,11 +29,11 @@ Attack Surface Reduction (ASR) | GP & MDM | Provider: Windows Defender |
Each of these components can individually be enabled in audit or blocking mode.
Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Attack surface reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. - Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content
Attack Surface Reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. - Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content
| | | | Block obfuscated js/vbs/ps/macro code
| | | | Block office application from launching child processes
| | | | Block office application from injecting into other processes
@ -111,7 +111,7 @@ You can find the tool in the evaluation package alongside this guide:
- ExploitGuardCustomerFiles\AntiMalware.Tools.DemoExploitGuard.exe
Note: You may need to change the extension in the filename from **AntiMalware.Tools.DemoExploitGuard.rename** to **AntiMalware.Tools.DemoExploitGuard.exe**
**Rules**: Select one of the seven attack surface reduction rules to run.
**Rules**: Select one of the seven Attack Surface Reduction rules to run.
**Mode**: Sets the behavior of the Demo Tool.
Note: If the rule is applied by GP, this should not be an option
- **Disabled**: This scenario will execute normally and complete
@ -119,7 +119,7 @@ Note: If the rule is applied by GP, this should not be an option
- **Audit**: This scenario will not block, but will show up in the event log. Right-click the output area to go directly to the event logs for Windows Defender EG
### Manually enabling the attack surface reduction rules
### Manually enabling the Attack Surface Reduction rules
You can also manually use GP or MDM-URIs to enable the ASR rules:

12
windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -24,15 +24,15 @@ This topic helps you evaluate Controlled Folder Access. It explains how to demo
## Use the File Creator tool to demo Controlled Folder Access
Use the File Creator tool to test controlled folder access. The tool is part of the Windows Defender Exploit Guard evaluation package:
Use the File Creator tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](#)
This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from making changes to files in any of your protected folders.
This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
1. Open the Exploit Guard Evaluation Package and copy the file *Filecreator* to a location on your PC that is easy to access (such as your desktop).
>[!TIP]
@ -45,7 +45,7 @@ You can enable Controlled Folder Access, run the tool, and see what the experien
4. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the **Options** section select **Enable**.
>[!IMPORTANT]
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
![](images/cfa-gp-enable.png)

18
windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -10,12 +10,12 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
## Exploit protection
## Exploit Protection
@ -56,13 +56,13 @@ Exploit Protection | GP, MDM, PS & UI | Provider: Win32K |
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
Component |Description |Rule/mitigation description |
-|-|-|-
Exploit protection |Provides memory, control flow and policy restrictions that can be used to protect an application from exploits. - Each mitigation can be enabled in audit/block mode |Memory exploit mitigation | DEP
Exploit Protection |Provides memory, control flow and policy restrictions that can be used to protect an application from exploits. - Each mitigation can be enabled in audit/block mode |Memory exploit mitigation | DEP
| | | | ForceASLR
| | | | BottomUpASLR
| | | | HeapTermination
@ -84,8 +84,8 @@ Exploit protection |Provides memory, control flow and policy restrictions that c
## Policy settings for Windows Defender EG
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Exploit protection
Exploit protection has an improved manageability experience over EMET, including support for SCCM, Intune, Powershell, and Group Policy management.
### Exploit Protection
Exploit Protection has an improved manageability experience over EMET, including support for SCCM, Intune, Powershell, and Group Policy management.
>
> Note: SCCM and Intune will be supported in furture releases.
You can specify a common set of WD Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured.
@ -98,9 +98,9 @@ Note, however, that there are some prerequisites before you can enable this sett
#### Group policy
The exploit protection feature can be configured with the following Group Policy details:
The Exploit Protection feature can be configured with the following Group Policy details:
- Location: \Microsoft\Windows Defender Exploit Guard\Exploit Protection
- Name: Use a common set of exploit protection settings
- Name: Use a common set of Exploit Protection settings
- Values: **Enabled**: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
-- C:\MitigationSettings\Config.XML
-- \\Server\Share\Config.xml
@ -190,7 +190,7 @@ b. IE should open as expected
5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively.
### Managing exploit protection through Group Policy
### Managing Exploit Protection through Group Policy
1. Launch Group Policy Management Console (gpmc.msc) and from within and existing or new GPO navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection** and open the policy named *Use a common set of exploit protection settings*.
2. Enable the setting as seen below and point to an accessible location for the client machines to the recently created XML.
3. Apply the new GP to targeted machines by direction OU membership, Security Group or WMI filter.

26
windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -18,14 +18,14 @@ msft.author: iawilt
The MDM policy settings for Windows Defender EG are listed in this section, along with example settings.
### Network Filter
In Windows 10, Version 1709, you can enable Windows Defender EG network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
In Windows 10, Version 1709, you can enable Windows Defender EG Network Protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
You can enable network protection in either block or audit mode (non-blocking, ATP events only) with Group Policy, WMI/PowerShell, or MDM settings with CSP.
You can enable Network Protection in either block or audit mode (non-blocking, ATP events only) with Group Policy, WMI/PowerShell, or MDM settings with CSP.
#### Group Policy
The network filter feature can be configured with the following Group Policy details:
The Network Protection feature can be configured with the following Group Policy details:
- Location: \Microsoft\Windows Defender Exploit Guard
- Name: Prevent users and apps from accessing dangerous websites
- Values: **Enabled**: Specify the mode in the **Options** section:
@ -38,17 +38,17 @@ The settings in the XML file will be applied to the endpoint
**Not configured**: Same as **Disabled**.
To enable network protection in block mode, select the **Enabled** value and specify **Enabled** in the drop-down sub-option menu.
To enable Network Protection in block mode, select the **Enabled** value and specify **Enabled** in the drop-down sub-option menu.
#### Windows Management Instrumentation/PowerShell
Use the following cmdlet to configure network protection:
Use the following cmdlet to configure Network Protection:
```
Set-MpPreference -EnableNetworkProtection [Disabled|Enabled|AuditMode]
```
To enable network protection in Block mode, use:
To enable Network Protection in Block mode, use:
```
Set-MpPreference -EnableNetworkProtection Enabled
```
@ -56,7 +56,7 @@ Set-MpPreference -EnableNetworkProtection Enabled
#### Mobile device management/Configuration service provider
Use this CSP to configure network protection:
Use this CSP to configure Network Protection:
- Policy area: Defender
- Name: Defender\EnableNetworkProtection
- Supported Values:
@ -64,7 +64,7 @@ Use this CSP to configure network protection:
-- 1: Enabled (Block Mode)
-- 2: Audit Mode
To enable network protection in block mode, set **Defender\EnableNetworkProtection** to integer 1.
To enable Network Protection in block mode, set **Defender\EnableNetworkProtection** to integer 1.
@ -84,7 +84,7 @@ Network Filter | GP, MDM | Provider: Windows Defender |
### Audit/block modes
Each of these components can individually be enabled in audit or blocking mode.
Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode.
Attack Surface Reduction and Controlled Folder Access also have mitigations that can be individually enabled in audit or blocking mode.
@ -93,21 +93,21 @@ Component |Description |Rule/mitigation description |
Network Filter |Blocks outbound connection from any app to low rep IP/domain - This can be enabled in audit/block mode |Enable/disable/audit |Puts the feature in enable/disable or audit mode.
### Visit a malicious domain in block mode using Internet Explorer or Google Chrome
1. Enable network protection in block mode.
1. Enable Network Protection in block mode.
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
You will get a 403 Forbidden response in the browser, and you will see an Action Center message saying that Windows Defender EG blocked a connection to a malicious site.
### Visit a malicious domain in audit mode using Internet Explorer or Google Chrome
1. Enable network protection in audit mode.
1. Enable Network Protection in audit mode.
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
You will be able to navigate successfully to the site. However, you can see an audit event in Windows Defender ATP or in the Windows Event Log (under Windows Defender > Operational).
### Visit a malicious domain in Microsoft Edge
1. Enable network protection in bmode.
1. Enable Network Protection in bmode.
1. Ensure that SmartScreen is enabled. (Start -> Windows Defender Security Center -> App & browser -> SmartScreen in Microsoft Edge -> Block or Warn)
1. Open Microsoft Edge.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)

10
windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -30,10 +30,10 @@ Windows Defender Exploit Guard is a new collection of tools and features that he
You can use Windows Defender EG to:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [Attack Surface Reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
There are a few ways you can get started evaluating Windows Defender EG to see how it works and how it could help protect your network. This topic brings together the evaluation topics for each of the four features in Windows Defender EG.

14
windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -36,7 +36,7 @@ msft.author: iawilt
- Windows Defender Security Center app
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of Windows Defender Exploit Guard, which is itself a component in the new Windows Defender Advanced Threat Protection offering of security and threat prevention products.
@ -44,7 +44,7 @@ Exploit protection automatically applies a number of exploit mitigation techniqu
## Requirements
The following requirements must be met before exploit protection will work:
The following requirements must be met before Exploit Protection will work:
Windows 10 version | Windows Defender Advanced Threat Protection
Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
@ -160,14 +160,14 @@ You can import the XML file to other machines in your organization. You can do t
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## App-specific mitigations
@ -245,11 +245,11 @@ You can import the XML file to other machines in your organization. You can do t
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
## Review event logs for exploit protection
## Review event logs for Exploit Protection
How do you see these event logs? Are they under specific codes/areas?

30
windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -1,7 +1,7 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -41,10 +41,10 @@ Windows Defender Exploit Guard is a new collection of tools and features that he
You can use Windows Defender EG to:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [Attack Surface Reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
@ -62,10 +62,10 @@ Windows Defender EG is a component of the new Windows Defender Advanced Threat P
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
-|-|-|-
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack surface reduction | 16232 | Must be enabled | Required
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
Exploit Protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | 16232 | Must be enabled | Required
Network Protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
@ -74,17 +74,17 @@ Windows Defender EG is a component of the new Windows Defender Advanced Threat P
Feature | Configuration available with | Reporting available with
-|-|-
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Exploit Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack Surface Reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Network Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
Controlled Folder Access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center | x
## In this library
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.

2
windows/threat-protection/windows-defender-exploit-guard/scripts/cfa-events.xml
View File

@ -1 +1 @@
<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled folder access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>
<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled Folder Access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>

30
windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
View File

@ -1,7 +1,7 @@
---
title: Use Windows Defender Exploit Guard to protect your corporate network
description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection. It replaces EMET.
keywords: emet, exploit guard, controlled folder access, network protection, exploit protection, attack surface reduction, hips, host intrusion prevention system
keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
msft.author: iawilt
ms.author: iawilt
---
@ -30,10 +30,10 @@ Windows Defender Exploit Guard is a new collection of tools and features that he
You can use Windows Defender EG to:
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [Exploit Protection](exploit-protection-exploit-guard.md)
- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [Attack Surface Reduction rules](attack-surface-reduction-exploit.guard.md)
- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [Network Protection](network-protection-exploit-guard.md)
- Protect files in key system folders from changes made by malicious and suspicious apps with [Controlled Folder Access](controlled-folders-exploit-guard.md)
Evaluate Windows Defender EG with our evaluation and set-up guide, which provides a pre-built PowerShell script and testing tool so you can see the new features in action:
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
@ -51,10 +51,10 @@ Each of the features in Windows Defender EG have slightly different requirements
Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license
-|-|-|-
Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack surface reduction | 16232 | Must be enabled | Required
Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
Exploit Protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
Attack Surface Reduction | 16232 | Must be enabled | Required
Network Protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
Controlled Folder Access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
@ -63,17 +63,17 @@ The way in which the features can be managed, configured, and reported on also v
Feature | Configuration available with | Reporting available with
-|-|-
Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Exploit Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center | Windows Event logs
Attack Surface Reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Network Protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
Controlled Folder Access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center |
## In this library
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit.guard.m) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as macro, script, PowerShell, USB, and Flash security policies and configuration.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors, and set up reporting for suspicious activity.
[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (such as ransomware malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.