deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update enable-exploit-protection.md

Browse Source 
From issue ticket #8927 (**No such property as TerminateOnHeapError**):

> In the list of properties used for different security exploit settings for the cmdlets, the properties to be set for 'Validate heap integrity' is labeled wrong.
> 
> | Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available |
>
> **The property 'TerminateOnHeapError' doesn't exist for Heap. It should be TerminateOnError.**

Thanks to dennisl68-castra for noticing and reporting this incorrect term variant.

Changes proposed:
- Change "TerminateOnHeapError" to 'TerminateOnError'

Whitespace changes:
- Add recommended minimum cell divider spacing to the MarkDown table cells
- Align table dividing row cell dividers with the table title row cell dividers
- Add editorial line between footnote mark [2] and second last H2 (##) heading

Closes #8927

Ref. old PR #4351 from July 5, 2019 (before Windows Defender Exploit Guard was changed or retired)
This commit is contained in:
Trond B. Krokli
2021-01-08 01:27:31 +01:00
committed by GitHub
parent 0fdcad23cb
commit 6c9cf28542
1 changed files with 27 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
View File

@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
- If the app you want to configure is already listed, click it and then click **Edit**.
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
@ -114,7 +114,7 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.<br/>
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)<br/>
4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:<br/>![Enable network protection in Intune](../images/enable-ep-intune.png)<br/>
@ -209,29 +209,29 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
|:---|:---|:---|:---|
|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
|Block remote images | App-level only | BlockRemoteImages | Audit not available
|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
|Disable extension points | App-level only | ExtensionPoint | Audit not available
|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|Validate handle usage | App-level only | StrictHandle | Audit not available |
|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
| :--------- | :--------- | :----------------- | :---------------- |
| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available |
| Validate heap integrity | System and app-level | TerminateOnError | Audit not available |
| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode |
| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad |
| Block remote images | App-level only | BlockRemoteImages | Audit not available |
| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly |
| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned |
| Disable extension points | App-level only | ExtensionPoint | Audit not available |
| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall |
| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess |
| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a> |
| Validate handle usage | App-level only | StrictHandle | Audit not available |
| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a> |
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
@ -239,6 +239,7 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets.
## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.