Corrected capitalization, changed ASR to ASR rules

This commit is contained in:
Andrea Bichsel
2018-09-18 11:53:06 -07:00
parent fc41f21c1c
commit 630a97cbbc
28 changed files with 274 additions and 633 deletions


@ -14,31 +14,17 @@ ms.author: v-anbic
ms.date: 08/08/2018
---
# Customize Exploit protection
# Customize exploit protection
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
This topic lists each of the mitigations available in Exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
@ -49,10 +35,8 @@ It also describes how to enable or configure the mitigations using Windows Defen
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png)
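Review bot: the context line "Some mitigations have additional options, these are indicated in the description in the table." is a comma splice; since this hunk already edits the surrounding lines, split it, e.g. "Some mitigations have additional options; these are indicated in the description in the table."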
@ -118,8 +102,6 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
>CFG will be enabled for *miles.exe*.
### Configure system-level mitigations with the Windows Defender Security Center app
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -144,7 +126,6 @@ You can now [export these settings as an XML file](import-export-exploit-protect
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
### Configure app-specific mitigations with the Windows Defender Security Center app
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -160,7 +141,6 @@ Exporting the configuration as an XML file allows you to copy the configuration
![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png)
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
@ -171,8 +151,7 @@ You can now [export these settings as an XML file](import-export-exploit-protect
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
## PowerShell reference
## PowerShell reference
You can use the Windows Defender Security Center app to configure Exploit protection, or you can use PowerShell cmdlets.
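Review bot: "configure Exploit protection, or you can use PowerShell cmdlets" still capitalizes "Exploit protection" mid-sentence, which contradicts the lowercasing this commit applies elsewhere in the file (e.g. "# Customize exploit protection"); change it to "configure exploit protection". The two "## PowerShell reference" lines look identical, so that part of the hunk is presumably a whitespace-only change.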
@ -181,7 +160,6 @@ Exporting the configuration as an XML file allows you to copy the configuration
>[!IMPORTANT]
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
```PowerShell
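Review bot: in "add the `-Name` cmdlet and app exe", `-Name` is a parameter of the `Get-ProcessMitigation` cmdlet, not a cmdlet itself; suggest "add the `-Name` parameter followed by the app's executable name to see mitigations for just that app". The hyphen in "on the device - add" also reads better as a semicolon or a new sentence.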
@ -202,8 +180,6 @@ Use `Set` to configure each mitigation in the following format:
```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
```
Where:
- \<Scope>:
@ -215,7 +191,6 @@ Where:
- \<Mitigation>:
- The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
```PowerShell
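Review bot: "seperated" in "Each mitigation is seperated with a comma." is a typo for "separated". The example sentence also carries a stray "and" in "with ATL thunk emulation and for an executable called *testing.exe*"; drop it so it reads "with ATL thunk emulation for an executable called *testing.exe*".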
@ -298,6 +273,6 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable exploit protection](enable-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)