fixed applies to in exploit guard topics

This commit is contained in:
Justin Hall 2018-08-11 17:36:25 -07:00
parent d69115100d
commit 6e36dde10e
27 changed files with 150 additions and 224 deletions

View File

@ -11,24 +11,17 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 07/30/2018
ms.date: 08/08/2018
---
# Reduce attack surfaces with Windows Defender Exploit Guard
# Reduce attack surfaces
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Microsoft Office 365
- Microsoft Office 2016
- Microsoft Office 2013
- Microsoft Office 2010
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
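Review bot: Removing Microsoft Office 365/2016/2013/2010 from the Applies to list leaves this topic with no statement of which Office versions the Office-targeted rules (child processes, executable content, code injection, Win32 API calls) cover, and the sentence that used to point readers here for that list is removed further down in this same file. Either keep the Office entries here or add the supported versions next to the "Supported Office apps" list.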
@ -43,9 +36,7 @@ ms.date: 07/30/2018
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
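Review bot: With "It is part of [Windows Defender Exploit Guard]" dropped and the title shortened to "Reduce attack surfaces", the intro sentence no longer names any product at all, while the audit-mode link just below still goes to audit-windows-defender-exploit-guard.md. One clause naming the product the new Applies to entry uses (Windows Defender ATP) would keep the intro and the link text consistent.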
@ -66,32 +57,16 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
## Requirements
Attack surface reduction requires Windows 10 Enterprise E5 and Windows Defender AV real-time protection.
Windows 10 version | Windows Defender Antivirus
- | -
Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled
Attack surface reduction requires Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
## Attack surface reduction rules
Windows 10, version 1803 has five new Attack surface reduction rules:
- Block executable files from running unless they meet a prevalence, age, or trusted list criteria
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
In addition, the following rule is available for beta testing:
- Block Office communication applications from creating child processes
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
Rule name | GUID
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
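Review bot: Deleting the "Windows 10, version 1803 has five new Attack surface reduction rules" list removes the only per-rule minimum-version information on the page, while Applies to still starts at "Windows 10, version 1709 and later"; a reader on 1709 can no longer tell that the prevalence/age, ransomware, lsass, PSExec/WMI and USB rules and the beta rule need 1803. Keep the version in the rule table (for example a "Minimum version" column) rather than dropping it.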
@ -102,12 +77,11 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
The rules apply to the following Office apps:
Supported Office apps:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
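Review bot: "The rules apply to the following Office apps:" is now immediately followed by the existing "Supported Office apps:" line, so the list has two lead-ins; drop one of them. The sentence being replaced also pointed to the Applies to section for supported Office versions, and that information is gone from Applies to in this commit, so state the versions next to this list.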
@ -127,7 +101,7 @@ This rule blocks the following file types from being run or launched from an ema
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block Office applications from creating child processes
### Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
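Review bot: The heading now says "all Office applications", presumably to contrast with the "only Office communication applications" rule, but the body still lists Word, Excel, PowerPoint, OneNote and Access and says nothing about Outlook, so "all" invites the reading that Outlook is in scope here too. State explicitly whether Outlook is covered by this rule or only by the Office communication rule (26190899-1602-49e8-8b27-eb1d0a1ce869).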
@ -215,7 +189,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication applications from creating child processes (available for beta testing)
### Rule: Block only Office communication applications from creating child processes (available for beta testing)
Office communication apps will not be allowed to create child processes. This includes Outlook.
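Review bot: Adding "only" to the heading is not explained in the body; a short cross reference ("unlike the Block all Office applications rule, this rule covers only communication apps such as Outlook") would make the distinction the rename is trying to draw visible to someone who lands on this section directly.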

View File

@ -1,6 +1,6 @@
---
title: Test how Windows Defender EG features work
description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled
title: Test how Windows Defender ATP features work
description: Audit mode lets you use the event log to see how Windows Defender ATP would protect your devices if it were enabled
keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
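Review bot: The new description, "see how Windows Defender ATP would protect your devices if it were enabled", is inaccurate: audit mode is switched on per feature (attack surface reduction, exploit protection, network protection, controlled folder access, as the body of this topic says), not on Windows Defender ATP as a whole. Suggest "see how these features would protect your devices if they were enabled".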
@ -11,35 +11,32 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# Use audit mode to evaluate Windows Defender Exploit Guard features
# Use audit mode
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You can enable attack surface reduction, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
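Review bot: Typos introduced in this hunk: "eploit protection" should be "exploit protection", and "get greater deatils for each event" should be "get greater detail for each event". In the sentence changed to "how the features will work", the following "ensure it doesn't affect" should become "ensure they don't affect" to match the new plural.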
@ -76,10 +73,10 @@ You can also use the a custom PowerShell script that enables the features in aud
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with](attack-surface-reduction-exploit-guard.md)
- [Protect your network](network-protection-exploit-guard.md)
- [Protect important folders](controlled-folders-exploit-guard.md)
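Review bot: The link text "Reduce attack surfaces with" has a dangling "with"; use "Reduce attack surfaces", which is the new title of that topic and the text used for the same link elsewhere in this commit.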

View File

@ -1,5 +1,5 @@
---
title: Submit cab files related to Windows Defender EG problems
title: Submit cab files related to problems
description: Use the command-line tool to obtain .cab file that can be used to investigate ASR rule issues.
keywords: troubleshoot, error, fix, asr, windows defender eg, exploit guard, attack surface reduction
search.product: eADQiWindows 10XVcnh
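Review bot: "Submit cab files related to problems" no longer says problems with what; the description on the next line still names ASR rule issues, and the related-topics list in this file covers ASR rules and network protection. Name the feature or the product in the title (for example "... related to attack surface reduction and network protection problems") rather than leaving it generic.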
@ -11,15 +11,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# Collect diagnostic data for Windows Defender Exploit Guard file submissions
# Collect diagnostic data for file submissions
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -64,7 +63,7 @@ Before attempting this process, ensure you have met all required pre-requisites
## Related topics
- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md)
- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md)
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
- [Troubleshoot ASR rules](troubleshoot-asr.md)
- [Troubleshoot Network protection](troubleshoot-np.md)

View File

@ -1,6 +1,6 @@
---
title: Help prevent ransomware and threats from encrypting and changing files
description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files.
description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -21,8 +21,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -40,8 +39,6 @@ ms.date: 05/30/2018
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
@ -58,12 +55,9 @@ The protected folders include common system folders, and you can [add additional
As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled.
## Requirements
Windows 10 version | Windows Defender Antivirus
-|-
Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled
Controlled folder access requires enabling [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
## Review Controlled folder access events in Windows Event Viewer
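Review bot: The unchanged line "As with other features of Windows Defender Exploit Guard, you can use audit mode" is now the only reference to Exploit Guard on the page, since the "It is part of Windows Defender Exploit Guard" sentence was removed from the intro in the previous hunk; reword it ("As with the other features described in these topics" or name Windows Defender ATP) so it does not dangle. Collapsing the requirements table into one sentence is fine since the minimum version is still stated in Applies to.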

View File

@ -11,16 +11,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 07/30/2018
ms.date: 08/08/2018
---
# Customize Attack surface reduction
**Applies to:**
- Windows 10 Enterprise edition, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
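Review bot: Applies to reads "Windows 10 Enterprise edition, version 1709 and later" here but "Windows 10, version 1709 and later" in the attack surface reduction overview and enable topics touched by this same commit; pick one form for all ASR topics, especially as this hunk also removes the "Supported in Windows 10 Enterprise E5" sentence that explained the edition restriction.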
@ -35,7 +33,7 @@ ms.date: 07/30/2018
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
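Review bot: Dropping "Supported in Windows 10 Enterprise E5" here (and in the enable topic) while the overview's Requirements section still says "Attack surface reduction requires Windows 10 Enterprise E5" leaves the licensing statement in one place only; if the requirement stands, keep a short pointer to it here, and if it does not, remove it from the overview in the same commit.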
@ -54,7 +52,7 @@ This could potentially allow unsafe files to run and infect your devices.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
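Review bot: Replacing "Windows 10, version 1803 supports environment variables and wildcards" with "Attack surface reduction supports environment variables and wildcards" turns a version-specific capability into an unconditional claim while Applies to still starts at version 1709. Keep the version qualifier ("Starting with Windows 10, version 1803, ...") unless wildcard support on 1709 has been confirmed.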
@ -64,7 +62,7 @@ Exclusions will only be applied to certain rules. Some rules will not honor the
Rule description | Rule honors exclusions | GUID
-|:-:|-
Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
@ -76,7 +74,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block only Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
@ -110,7 +108,7 @@ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add
### Use MDM CSPs to exclude files and folders
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
@ -122,7 +120,7 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md)
- [Enable Attack surface reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)

View File

@ -1,5 +1,5 @@
---
title: Add additional folders and apps to be protected by Windows 10
title: Add additional folders and apps to be protected
description: Add additional folders that should be protected by Controlled folder access, or whitelist apps that are incorrectly blocking changes to important files.
keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable
search.product: eADQiWindows 10XVcnh
@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -21,8 +21,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -38,7 +37,7 @@ ms.date: 05/30/2018
- Configuration service providers for mobile device management
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
@ -59,7 +58,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives. Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
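Review bot: Same version-qualifier problem as the ASR customization topic: "Environment variables and wildcards are supported" drops the "Windows 10, version 1803" condition while Applies to still says 1709 and later. Separately, the link text promises the "Use wildcards in the file name and folder path or extension exclusion lists" section but the target is the generic windows-defender-antivirus-in-windows-10 page with no anchor; point it at the same configure-extension-file-exclusions URL (with the #use-wildcards anchor, and without the en-us segment) that the ASR customization topic uses.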
@ -70,26 +69,22 @@ You can use the Windows Defender Security Center app or Group Policy to add and
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**:
3. Under the **Controlled folder access** section, click **Protected folders**
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png)
![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png)
### Use Group Policy to protect additional folders
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder.
> [!NOTE]
> Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
6. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
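Review bot: After removing the note, the Group Policy steps are numbered 1, 3, 5, 6; renumber them 1 to 4. In the Security Center procedure above, step 4 says "follow the prompts to add apps", but this is the protected-folders procedure, so it should read "add folders".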
### Use PowerShell to protect additional folders
@ -112,7 +107,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to ad
### Use MDM CSPs to protect additional folders
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
@ -147,7 +142,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
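Review bot: The step numbering 3, 5, 6 in this Group Policy procedure has the same gaps as the protected-folders one; renumber consecutively while these lines are being touched.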
@ -162,7 +157,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>"
```
For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows:
For example, to add the executable *test.exe* located in the folder *C:\apps*, the cmdlet would be as follows:
```PowerShell
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
@ -181,7 +176,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to
### Use MDM CSPs to allow specific apps
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Customize the notification
@ -190,4 +185,4 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Evaluate attack surface reduction](evaluate-windows-defender-exploit-guard.md)
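Review bot: The new link text "Evaluate attack surface reduction" does not match its target (evaluate-windows-defender-exploit-guard.md), and attack surface reduction is not this page's subject. On the Controlled folder access customization page the related link should go to the Controlled folder access evaluation topic, with text that matches whatever target is kept.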

View File

@ -11,16 +11,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# Customize Exploit protection
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -37,7 +35,6 @@ ms.date: 05/30/2018
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
@ -299,7 +296,7 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 08/08/2018
---
@ -21,9 +21,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Enhanced Mitigation Experience Toolkit version 5.5 (latest version)
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
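Review bot: Dropping "Enhanced Mitigation Experience Toolkit version 5.5 (latest version)" from Applies to removes the only statement of which EMET version this comparison is written against; since the topic is explicitly a comparison with EMET, keep that entry.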
@ -32,24 +30,21 @@ ms.date: 04/30/2018
>[!IMPORTANT]
>If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10.
>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP.
>
>You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and its replacement in Windows 10: Windows Defender Exploit Guard.
In Windows 10, version 1709 (also known as the Fall Creators Update) we released [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits.
This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP.
Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
EMET is a stand-alone product that is available on earlier versions of Windows and provides some mitigation against older, known exploit techniques.
EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it.
After July 31, 2018, it will not be supported.
For more information about the individual features and mitigations available in Windows Defender Exploit Guard, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
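Review bot: The IMPORTANT box is updated to past tense ("EMET reached end of life on July 31, 2018"), but the body still says "After July 31, 2018, it will not be supported" in the future tense; make it "As of July 31, 2018, EMET is no longer supported". "Enhance Mitigation Experience Toolkit" should be "Enhanced Mitigation Experience Toolkit". Also, "Exploit protection in Windows Defender ATP" can be read as requiring an ATP license, whereas the removed sentence placed the feature in Windows 10, version 1709; consider "Exploit protection in Windows 10" with ATP named as the product family, so readers without ATP do not conclude the EMET replacement is unavailable to them.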

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 07/30/2018
ms.date: 08/08/2018
---
@ -20,8 +20,7 @@ ms.date: 07/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
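Review bot: Dropping `- Windows Server 2016` from the Applies to list here (and in every other Applies to hunk in this commit) is not explained anywhere in the diff, and at least one touched topic still says in its body that the feature runs on Windows Server 2016, so the removal needs either a rationale in the commit message or a matching body-text update. While these lists are being edited, the version wording should also be made consistent: this file says `- Windows 10, version 1709 and later`, other files in the same commit say "version 1709 or higher", "Windows 10 Enterprise edition, version 1709 or later", or plain "Windows 10, version 1709" with no qualifier.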
@ -36,7 +35,7 @@ ms.date: 07/30/2018
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
@ -53,7 +52,7 @@ You can manually add the rules by using the GUIDs in the following table:
Rule description | GUID
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
@ -64,7 +63,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
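Review bot: The renamed row `Block only Office communication applications from creating child processes (available for beta testing)` reads as if the rule limits what is blocked rather than which applications it applies to; the companion rename to `Block all Office applications from creating child processes` already draws the distinction, so the original "Block Office communication applications from creating child processes" is clearer here. Separately, the GUID column mixes uppercase hex in the earlier rows with lowercase hex in the later rows; since the text tells readers to enter these as value names, normalising the case would remove any doubt about whether it matters.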
@ -76,7 +75,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
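Review bot: The step numbering in this procedure runs `3.`, `5.`, `6.`, so step 4 is missing; since the hunk already rewrites the `5. Expand the tree to ...` line, renumbering it to 4 (and the following step to 5) can be folded into the same change. The identical 3/5/6 sequence appears in the Network protection and Exploit protection Group Policy procedures touched later in this commit.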
@ -134,6 +133,6 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md)
- [Customize Attack surface reduction](customize-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -21,8 +21,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -58,7 +57,7 @@ For further details on how audit mode works, and when you might want to use it,
>Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include:
>- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
>- System Center Endpoint Protection **Allow users to add exclusions and overrides**
>For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
>For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
### Use the Windows Defender Security app to enable Controlled folder access
@ -102,11 +101,11 @@ Use `Disabled` to turn the feature off.
### Use MDM CSPs to enable Controlled folder access
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
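Review bot: The rename to `- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)` changes only the link text, and the target topic's heading is not touched anywhere in this commit; confirm its H1 was renamed too, otherwise readers click "Evaluate Windows Defender ATP" and land on a page titled for Exploit Guard. The same text-only rename appears in the Controlled folder access evaluation topic later in this commit.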

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -21,8 +21,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -40,7 +39,7 @@ ms.date: 05/30/2018
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in Exploit protection.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
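Review bot: The context line `Exploit protection applies helps protect devices from malware that use exploits to spread and infect.` has a stray "applies" and a number disagreement ("malware that uses"); since the adjacent EMET line is already being edited, this is a cheap fix to include. Also, `It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).` is left standing here while the equivalent sentence is removed from the Attack surface reduction, Network protection and Controlled folder access topics in this commit; the topics should agree on whether Exploit Guard is still named as the parent feature.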

View File

@ -20,8 +20,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -36,7 +35,7 @@ ms.date: 05/30/2018
- Configuration service providers for mobile device management
Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Network protection is a feature that helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
@ -55,9 +54,9 @@ For background information on how audit mode works, and when you might want to u
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection**.
5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following:
6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
- **Block** - Users will not be able to access malicious IP addresses and domains
- **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
- **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
@ -89,10 +88,10 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
### Use MDM CSPs to enable or audit Network protection
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection.
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection.
## Related topics
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Protect your network](network-protection-exploit-guard.md)
- [Evaluate Network protection](evaluate-network-protection.md)
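Review bot: The hunk header context "Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off." carries a pre-existing typo ("insead" should be "instead") immediately above the lines being changed; worth fixing while this section is open.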

View File

@ -6,15 +6,14 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: justinha
author: brianlic-msft
ms.date: 04/19/2018
ms.date: 08/08/2018
---
# Enable virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.
@ -56,7 +55,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computers hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.<br>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 1607 and above
#### For Windows 10 version 1607 and later
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
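Review bot: The heading fix to `#### For Windows 10 version 1607 and later` is good; the context bullet above it still reads `as much protection as is supported by a given computers hardware`, which is missing the apostrophe ("computer's hardware") and could be corrected in the same hunk.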
@ -110,7 +109,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
#### For Windows 1511 and below
#### For Windows 10 version 1511 and earlier
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
@ -177,8 +176,6 @@ This field helps to enumerate and report state on the relevant security properti
| **5.** | If present, NX protections are available. |
| **6.** | If present, SMM mitigations are available. |
> [!NOTE]
> 4, 5, and 6 were added as of Windows 10, version 1607.
#### InstanceIdentifier
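Review bot: Removing `> 4, 5, and 6 were added as of Windows 10, version 1607.` here (and in the required-properties hunk that follows) drops version information that the Applies to list does not replace, since that list still says plain `- Windows 10` with no minimum version, and this same file keeps a dedicated `#### For Windows 10 version 1511 and earlier` registry section; readers on those builds would no longer learn that fields 4 to 6 are absent for them. Either keep the notes or raise the minimum version in Applies to.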
@ -198,9 +195,6 @@ This field describes the required security properties to enable virtualization-b
| **5.** | If present, NX protections are needed. |
| **6.** | If present, SMM mitigations are needed. |
> [!NOTE]
> 4, 5, and 6 were added as of Windows 10, version 1607.
#### SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -19,8 +19,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -37,7 +36,7 @@ ms.date: 05/30/2018
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
@ -179,14 +178,14 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
- Random
- A scenario will be randomly chosen from this list
- AntiMalwareScanInterface
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- OnAccess
- Potentially obfuscated scripts will be blocked when an attempt is made to access them
## Review Attack surface reduction events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
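Review bot: The rewritten line `You can also review the Windows event log to see the events there were created when using the tool.` keeps the pre-existing "there were created" (should be "that were created"); the same sentence is rewritten in the Controlled folder access, Exploit protection and Network protection evaluation topics in this commit, so all of them can be fixed together. The new anchor `#list-of-attack-surface-reduction-events` is also reused from those other topics, which is consistent with the renamed section but means "attack surface reduction" now names both this specific rules feature and the whole event list; a reader of this topic may expect the anchor to land on ASR-rule events only, so a short clarifying phrase ("the combined event list") would help.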

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -19,9 +19,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -34,9 +32,9 @@ ms.date: 05/30/2018
- Group Policy
- PowerShell
Controlled folder access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md).
[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps.
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
@ -54,7 +52,7 @@ Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder acce
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
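Review bot: `The tool is considered by Windows Defender ATP to be suspicious` sits two lines below `The tool is part of the Windows Defender Exploit Guard evaluation package`, so the hunk swaps the product name in the sentence about blocking but not in the sentence about the package, and the hunk header context still calls the tool the ExploitGuard CFA File Creator. The naming should be consistent within the section; since the sentence before already names Controlled folder access as the feature doing the blocking, "considered by Controlled folder access to be suspicious" would avoid naming a product at all.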
@ -83,7 +81,7 @@ You can enable Controlled folder access, run the tool, and see what the experien
## Review Controlled folder access events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
@ -133,5 +131,5 @@ See the main [Protect important folders with Controlled folder access](controlle
## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode](audit-windows-defender-exploit-guard.md)

View File

@ -20,8 +20,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -94,7 +93,7 @@ Lastly, we can disable the mitigation so that Internet Explorer works properly a
## Review Exploit protection events in Windows Event Viewer
You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/09/2018
---
# Evaluate Network protection
@ -20,8 +20,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10 Enterprise edition, version 1709 or later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -72,7 +71,7 @@ You will get a 403 Forbidden response in the browser, and you will see a notific
## Review Network protection events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events).
You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.

View File

@ -1,5 +1,5 @@
---
title: Import custom views to see Windows Defender Exploit Guard events
title: Import custom views to see attack surface reduction events
description: Use Windows Event Viewer to import individual views for each of the features.
keywords: event view, exploit guard, audit, review, events
search.product: eADQiWindows 10XVcnh
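Review bot: The title change to `title: Import custom views to see attack surface reduction events` leaves `keywords: event view, exploit guard, audit, review, events` unchanged; add "attack surface reduction" to the keywords so the search metadata matches the new title.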
@ -12,38 +12,37 @@ ms.date: 04/16/2018
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
# View Windows Defender Exploit Guard events
# View attack surface reduction events
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
- Enterprise security administrators
Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windows Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
You can also get detailed reporting into events and blocks as part of Windows Defender Security Center, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
## Use custom views to review Windows Defender Exploit Guard features
## Use custom views to review attack surface reduction capabilities
You can create custom views in the Windows Event Viewer to only see events for specific features and settings.
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
### Import an existing XML custom view
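Review bot: The rewritten line `You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events]...` still says "Windows Defender EG feature" although the hunk renames everything else on the page away from Exploit Guard, and the comma before "see" splices two sentences. In the same hunk, replacing the paragraph that linked to the alert investigation scenarios with `You can also get detailed reporting into events and blocks as part of Windows Defender Security Center` drops the link to the investigation topic while the overview file later in this commit keeps it; keep the link here too unless it is intentionally being retired.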
@ -143,10 +142,10 @@ You can also manually navigate to the event area that corresponds to the Windows
## List of all Windows Defender Exploit Guard events
## List of attack surface reduction events
All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
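Review bot: Typo in the new line `All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows**`: "reductiond" should be "reduction".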

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/09/2018
---
@ -21,8 +21,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**

View File

@ -21,7 +21,8 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -166,7 +167,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**.
5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png)
@ -182,7 +183,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 02/20/2018
ms.date: 08/09/2018
---
@ -21,8 +21,9 @@ ms.date: 02/20/2018
**Applies to:**
- Windows 10, version 1709
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016.
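Review bot: This hunk removes `- Windows Server 2016` from Applies to, but the paragraph immediately below it still ends `Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016.`; one of the two must change. Also, `- Windows 10, version 1709` lacks the "and later" used in the other Applies to lists in this commit, so as written it claims support for a single build only.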

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/09/2018
---
@ -20,8 +20,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**

View File

@ -12,8 +12,8 @@ ms.date: 10/20/2017
# Requirements and deployment planning guidelines for virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
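Review bot: Same concern as the memory integrity topic: `- Windows Server 2016` is removed from Applies to in a requirements topic whose body does not otherwise change. The next line `Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features` also carries a pre-existing typo ("adavantage" should be "advantage") that could be fixed while the hunk is here.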

View File

@ -18,8 +18,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/09/2018
---
@ -21,8 +21,7 @@ ms.date: 05/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -205,7 +204,7 @@ You can manually remove unwanted mitigations in Windows Defender Security Center
</root>
```
If you havent already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) to complete your Exploit protection customization.
If you havent already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) to complete your Exploit protection customization.
## Related topics
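Review bot: The rewritten line `If you havent already, it's a good idea to download and use the [Windows Security Baselines]...` fixes the URL locale but keeps "havent" (should be "haven't"); since the line is already being replaced, fix both.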

View File

@ -11,14 +11,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 08/09/2018
---
# Troubleshoot Network protection
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 08/09/2018
---
@ -21,8 +21,7 @@ ms.date: 08/08/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
**Audience**
@ -52,13 +51,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work.
Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
- [Windows Defender Security Center](../windows-defender-atp/windows-defender-security-center-atp.md)
- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md)
Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies.
You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
You can use the Windows Defender Security Center to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
## Requirements
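Review bot: the replacement sentence keeps the ungrammatical list "threat mitigation, preventing, protection, and analysis technologies"; since the line is being rewritten anyway, make it "threat mitigation, prevention, protection, and analysis technologies". Removing the four bullets also drops the only links from this overview to Windows Defender Antivirus, Application Control and Application Guard; if the intent is only to stop implying they are part of Exploit Guard, consider keeping them under a separate "Related topics" style sentence rather than deleting the links outright. In the second changed line, "obtain detailed reporting into events and blocks" reads better as "obtain detailed reporting on events and blocks", and the unchanged tip above still says "see how each of them work" (should be "works").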
@ -91,9 +86,9 @@ The following table lists which features in Windows Defender EG require enabling
Topic | Description
---|---
[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
[Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
[Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
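Review bot: the renamed table rows carry over a product-name error from the old lines: the retired tool is the "Enhanced Mitigation Experience Toolkit" (EMET), singular "Mitigation", not "Enhanced Mitigations Experience Toolkit", and the phrase also needs an article: "many of the features in the now-retired Enhanced Mitigation Experience Toolkit (EMET)". While touching that row, "adds additional configuration and technologies" can be shortened to "adds further configuration options and technologies". The shortened titles themselves ("Protect devices from exploits", "Reduce attack surfaces", "Protect your network") are consistent with the renamed H1 headings elsewhere in this commit.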