From 617d5de8721a1770dc4f680f9a89a914c7086b51 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 28 Aug 2020 12:47:35 -0700 Subject: [PATCH] Update evaluate-exploit-protection.md --- .../evaluate-exploit-protection.md | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index dabee673ee..1946579864 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 10/21/2019 +ms.date: 08/28/2020 ms.reviewer: manager: dansimp --- @@ -22,7 +22,7 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection. +[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.) This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur. @@ -72,12 +72,12 @@ Where: |Mitigation | Audit mode cmdlet | |---|---| - |Arbitrary code guard (ACG) | AuditDynamicCode | - |Block low integrity images | AuditImageLoad - |Block untrusted fonts | AuditFont, FontAuditOnly | - |Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | - |Disable Win32k system calls | AuditSystemCall | - |Do not allow child processes | AuditChildProcess | + |Arbitrary code guard (ACG) | `AuditDynamicCode` | + |Block low integrity images | `AuditImageLoad` + |Block untrusted fonts | `AuditFont`, `FontAuditOnly` | + |Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` | + |Disable Win32k system calls | `AuditSystemCall` | + |Do not allow child processes | `AuditChildProcess` | For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: @@ -100,13 +100,9 @@ To review which apps would have been blocked, open Event Viewer and filter for t |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | -## Related topics +## See also -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) -* [Enable exploit protection](enable-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) -* [Enable network protection](enable-network-protection.md) -* [Enable controlled folder access](enable-controlled-folders.md) -* [Enable attack surface reduction](enable-attack-surface-reduction.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)