diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 9f78476437..1ace08ebe0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,24 +11,17 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/30/2018 +ms.date: 08/08/2018 --- -# Reduce attack surfaces with Windows Defender Exploit Guard +# Reduce attack surfaces **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 -- Microsoft Office 365 -- Microsoft Office 2016 -- Microsoft Office 2013 -- Microsoft Office 2010 - - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** @@ -43,9 +36,7 @@ ms.date: 07/30/2018 - Configuration service providers for mobile device management -Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. 
@@ -66,32 +57,16 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua ## Requirements -Attack surface reduction requires Windows 10 Enterprise E5 and Windows Defender AV real-time protection. - -Windows 10 version | Windows Defender Antivirus -- | - -Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Attack surface reduction requires Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). ## Attack surface reduction rules -Windows 10, version 1803 has five new Attack surface reduction rules: - -- Block executable files from running unless they meet a prevalence, age, or trusted list criteria -- Use advanced protection against ransomware -- Block credential stealing from the Windows local security authority subsystem (lsass.exe) -- Block process creations originating from PSExec and WMI commands -- Block untrusted and unsigned processes that run from USB - -In addition, the following rule is available for beta testing: - -- Block Office communication applications from creating child processes - The following sections describe what each rule does. 
Each rule is identified by a rule GUID, as in the following table: Rule name | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D @@ -102,12 +77,11 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. +The rules apply to the following Office apps: -Supported Office apps: - Microsoft Word - Microsoft Excel - Microsoft PowerPoint 
@@ -127,7 +101,7 @@ This rule blocks the following file types from being run or launched from an ema >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). -### Rule: Block Office applications from creating child processes +### Rule: Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. @@ -215,7 +189,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block Office communication applications from creating child processes (available for beta testing) +### Rule: Block only Office communication applications from creating child processes (available for beta testing) Office communication apps will not be allowed to create child processes. This includes Outlook. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 989c432d1b..b565064810 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -1,6 +1,6 @@ --- -title: Test how Windows Defender EG features work -description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled +title: Test how Windows Defender ATP features work +description: Audit mode lets you use the event log to see how Windows Defender ATP would protect your devices if it were enabled keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -11,35 +11,32 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Use audit mode to evaluate Windows Defender Exploit Guard features +# Use audit mode **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** - Enterprise security administrators -You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable attack surface reduction, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. +You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. 
Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. -You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode. +You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. @@ -76,10 +73,10 @@ You can also use the a custom PowerShell script that enables the features in aud ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Reduce attack surfaces with](attack-surface-reduction-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) +- [Protect important folders](controlled-folders-exploit-guard.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 21cec1e41c..91080b88a9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md @@ -1,5 +1,5 @@ --- -title: Submit cab files related to Windows Defender EG problems +title: Submit cab files related to problems description: Use the command-line tool to obtain .cab file that can be used to investigate ASR rule issues. keywords: troubleshoot, error, fix, asr, windows defender eg, exploit guard, attack surface reduction search.product: eADQiWindows 10XVcnh @@ -11,15 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Collect diagnostic data for Windows Defender Exploit Guard file submissions +# Collect diagnostic data for file submissions **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** @@ -64,7 +63,7 @@ Before attempting this process, ensure you have met all required pre-requisites ## Related topics -- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) -- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Troubleshoot ASR rules](troubleshoot-asr.md) +- [Troubleshoot Network protection](troubleshoot-np.md) + 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 852398e010..992a6f082e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -1,6 +1,6 @@ --- title: Help prevent ransomware and threats from encrypting and changing files -description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files. +description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- @@ -21,8 +21,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** @@ -40,8 +39,6 @@ ms.date: 05/30/2018 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. 
@@ -58,12 +55,9 @@ The protected folders include common system folders, and you can [add additional As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled. - ## Requirements -Windows 10 version | Windows Defender Antivirus --|- -Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Controlled folder access requires enabling [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). ## Review Controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index d3fdfd801d..991b4caeb3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,16 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/30/2018 +ms.date: 08/08/2018 --- # Customize Attack surface reduction **Applies to:** -- Windows 10 Enterprise edition, version 1709 and later -- Windows Server 2016 - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -35,7 +33,7 @@ ms.date: 07/30/2018 - Configuration service providers for mobile device management -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. 
@@ -54,7 +52,7 @@ This could potentially allow unsafe files to run and infect your devices. You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. -Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. 
@@ -64,7 +62,7 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID -|:-:|- -Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 
@@ -76,7 +74,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c @@ -110,7 +108,7 @@ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add ### Use MDM CSPs to exclude files and folders -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. 
@@ -122,7 +120,7 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) - [Enable Attack surface reduction](enable-attack-surface-reduction.md) - [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 1c626d7c8f..a5f0af100b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Add additional folders and apps to be protected by Windows 10 +title: Add additional folders and apps to be protected description: Add additional folders that should be protected by Controlled folder access, or whitelist apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable search.product: eADQiWindows 10XVcnh @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- @@ -21,8 +21,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -38,7 +37,7 @@ ms.date: 05/30/2018 - Configuration service providers for mobile device management -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): @@ -59,7 +58,7 @@ You can add additional folders to be protected, but you cannot remove the defaul Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. 
@@ -70,26 +69,22 @@ You can use the Windows Defender Security Center app or Group Policy to add and 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: -3. Under the **Controlled folder access** section, click **Protected folders** +3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. - ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) + ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) ### Use Group Policy to protect additional folders 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. - -6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder. - -> [!NOTE] -> Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +6. 
Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. ### Use PowerShell to protect additional folders @@ -112,7 +107,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to ad ### Use MDM CSPs to protect additional folders -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. @@ -147,7 +142,7 @@ When you add an app, you have to specify the app's location. Only the app in tha 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. @@ -162,7 +157,7 @@ When you add an app, you have to specify the app's location. Only the app in tha Add-MpPreference -ControlledFolderAccessAllowedApplications "" ``` - For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows: + For example, to add the executable *test.exe* located in the folder *C:\apps*, the cmdlet would be as follows: ```PowerShell Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" 
@@ -181,7 +176,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to ### Use MDM CSPs to allow specific apps -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Customize the notification @@ -190,4 +185,4 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w ## Related topics - [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) - [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file +- [Evaluate attack surface reduction](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index d26e9872e6..7f23aec34b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
@@ -11,16 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- # Customize Exploit protection **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** @@ -37,7 +35,6 @@ ms.date: 05/30/2018 Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. - It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. @@ -299,7 +296,7 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) - [Evaluate Exploit protection](evaluate-exploit-protection.md) - [Enable Exploit protection](enable-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index bb57a23872..a6bd774b6e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md 
@@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 08/08/2018 --- @@ -21,9 +21,7 @@ ms.date: 04/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Enhanced Mitigation Experience Toolkit version 5.5 (latest version) - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -32,24 +30,21 @@ ms.date: 04/30/2018 >[!IMPORTANT] ->If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and its replacement in Windows 10: Windows Defender Exploit Guard. - - In Windows 10, version 1709 (also known as the Fall Creators Update) we released [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. - Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. +Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. - EMET is a stand-alone product that is available on earlier versions of Windows and provides some mitigation against older, known exploit techniques. 
+EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. - After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it. +After July 31, 2018, it will not be supported. - For more information about the individual features and mitigations available in Windows Defender Exploit Guard, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: +For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 59f434e325..93230ddffe 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/30/2018 +ms.date: 08/08/2018 --- @@ -20,8 +20,7 @@ ms.date: 07/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -36,7 +35,7 @@ ms.date: 07/30/2018 - Configuration service providers for mobile device management -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. @@ -53,7 +52,7 @@ You can manually add the rules by using the GUIDs in the following table: Rule description | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D 
@@ -64,7 +63,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. @@ -76,7 +75,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: 
@@ -134,6 +133,6 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) - [Customize Attack surface reduction](customize-attack-surface-reduction.md) - [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 67697f589e..840a147fa0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- @@ -21,8 +21,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -58,7 +57,7 @@ For further details on how audit mode works, and when you might want to use it, >Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include: >- Windows Defender Antivirus **Configure local administrator merge behavior for lists** >- System Center Endpoint Protection **Allow users to add exclusions and overrides** ->For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). +>For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). ### Use the Windows Defender Security app to enable Controlled folder access 
@@ -102,11 +101,11 @@ Use `Disabled` to turn the feature off. ### Use MDM CSPs to enable Controlled folder access -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Related topics - [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) - [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) +- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 584b3b2e8a..ccdc10cfd7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- @@ -21,8 +21,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -40,7 +39,7 @@ ms.date: 05/30/2018 Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in Exploit protection. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 2d33ef5980..c23d7ece9e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -20,8 +20,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -36,7 +35,7 @@ ms.date: 05/30/2018 - Configuration service providers for mobile device management -Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection is a feature that helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). 
@@ -55,9 +54,9 @@ For background information on how audit mode works, and when you might want to u 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection**. +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. -6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following: +6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - **Block** - Users will not be able to access malicious IP addresses and domains - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. 
@@ -89,10 +88,10 @@ Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. ### Use MDM CSPs to enable or audit Network protection -Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection. +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection. ## Related topics -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) - [Evaluate Network protection](evaluate-network-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 8f8c0175e4..07fb871b19 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -6,15 +6,14 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: justinha author: brianlic-msft -ms.date: 04/19/2018 +ms.date: 08/08/2018 --- # Enable virtualization-based protection of code integrity **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. @@ -56,7 +55,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s > - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. -#### For Windows 1607 and above +#### For Windows 10 version 1607 and later Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): @@ -110,7 +109,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE > To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. -#### For Windows 1511 and below +#### For Windows 10 version 1511 and earlier Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): @@ -177,8 +176,6 @@ This field helps to enumerate and report state on the relevant security properti | **5.** | If present, NX protections are available. | | **6.** | If present, SMM mitigations are available. | -> [!NOTE] -> 4, 5, and 6 were added as of Windows 10, version 1607. #### InstanceIdentifier @@ -198,9 +195,6 @@ This field describes the required security properties to enable virtualization-b | **5.** | If present, NX protections are needed. | | **6.** | If present, SMM mitigations are needed. | -> [!NOTE] -> 4, 5, and 6 were added as of Windows 10, version 1607. - #### SecurityServicesConfigured This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 3785af890d..fe8303ae20 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- @@ -19,8 +19,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** @@ -37,7 +36,7 @@ ms.date: 05/30/2018 -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). +Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. 
@@ -179,14 +178,14 @@ Malware and other threats can attempt to obfuscate or hide their malicious code - Random - A scenario will be randomly chosen from this list - AntiMalwareScanInterface - - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script + - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script - OnAccess - Potentially obfuscated scripts will be blocked when an attempt is made to access them ## Review Attack surface reduction events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 56695c3814..53d18d4333 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- 
@@ -19,9 +19,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** @@ -34,9 +32,9 @@ ms.date: 05/30/2018 - Group Policy - PowerShell -Controlled folder access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). +[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. -It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. +It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. 
@@ -54,7 +52,7 @@ Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder acce The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) -This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. +This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. @@ -83,7 +81,7 @@ You can enable Controlled folder access, run the tool, and see what the experien ## Review Controlled folder access events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 
@@ -133,5 +131,5 @@ See the main [Protect important folders with Controlled folder access](controlle ## Related topics - [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) \ No newline at end of file +- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 499c186d35..60f56670e7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -20,8 +20,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -94,7 +93,7 @@ Lastly, we can disable the mitigation so that Internet Explorer works properly a ## Review Exploit protection events in Windows Event Viewer -You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 1f004b79b7..1f089d9fac 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- # Evaluate Network protection @@ -20,8 +20,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10 Enterprise edition, version 1709 or later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -72,7 +71,7 @@ You will get a 403 Forbidden response in the browser, and you will see a notific ## Review Network protection events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index f070b8407e..1685de880e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Import custom views to see Windows Defender Exploit Guard events +title: Import custom views to see attack surface reduction events description: Use Windows Event Viewer to import individual views for each of the features. keywords: event view, exploit guard, audit, review, events search.product: eADQiWindows 10XVcnh 
@@ -12,38 +12,37 @@ ms.date: 04/16/2018 ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# View Windows Defender Exploit Guard events +# View attack surface reduction events **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** - Enterprise security administrators -Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windows Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. +You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). 
+You can also get detailed reporting into events and blocks as part of Windows Defender Security Center, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). -## Use custom views to review Windows Defender Exploit Guard features +## Use custom views to review attack surface reduction capabilities -You can create custom views in the Windows Event Viewer to only see events for specific features and settings. +You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details. +You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. ### Import an existing XML custom view 
@@ -143,10 +142,10 @@ You can also manually navigate to the event area that corresponds to the Windows -## List of all Windows Defender Exploit Guard events +## List of attack surface reduction events -All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. +All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. You can access these events in Windows Event viewer: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 64d6627554..209f9cf3b9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- @@ -21,8 +21,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 77b9114470..e0bd4564d9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md 
@@ -21,7 +21,8 @@ ms.date: 04/30/2018 **Applies to:** -- Windows 10, version 1709 and later + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -166,7 +167,7 @@ You can use Group Policy to deploy the configuration you've created to multiple 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**. +5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**. ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png) @@ -182,7 +183,7 @@ You can use Group Policy to deploy the configuration you've created to multiple ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) - [Evaluate Exploit protection](evaluate-exploit-protection.md) - [Enable Exploit protection](enable-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index 7ac4ae1438..a24d063a73 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 02/20/2018 +ms.date: 08/09/2018 --- 
@@ -21,8 +21,9 @@ ms.date: 02/20/2018 **Applies to:** -- Windows 10, version 1709 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. + + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index df6a6b9037..a8f3f5336d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- @@ -20,8 +20,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 or higher -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 71dea75d8e..7f6b58df27 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -12,8 +12,8 @@ ms.date: 10/20/2017 # Requirements and deployment planning guidelines for virtualization-based protection of code integrity **Applies to** -- Windows 10 -- Windows Server 2016 + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 412c817281..568de38e49 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -18,8 +18,7 @@ ms.date: 05/17/2018 **Applies to:** -- Windows 10, version 1709 or higher -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 8410be06b9..27504f748c 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- @@ -21,8 +21,7 @@ ms.date: 05/30/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** @@ -205,7 +204,7 @@ You can manually remove unwanted mitigations in Windows Defender Security Center ``` -If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) to complete your Exploit protection customization. +If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) to complete your Exploit protection customization. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 2b7764fdb5..76b0784faa 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 08/09/2018 --- # Troubleshoot Network protection **Applies to:** -- Windows 10, version 1709 or higher +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 90ebc28935..1e780c30f7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 08/09/2018 --- @@ -21,8 +21,7 @@ ms.date: 08/08/2018 **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) **Audience** 
@@ -52,13 +51,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. -Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes: -- [Windows Defender Security Center](../windows-defender-atp/windows-defender-security-center-atp.md) -- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md) -- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) +Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. -You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +You can use the Windows Defender Security Center to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements 
@@ -91,9 +86,9 @@ The following table lists which features in Windows Defender EG require enabling Topic | Description ---|--- -[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. -[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. -[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. +[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. +[Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. +[Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. 
[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
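Review bot: The rewritten sentence in the "Review Network protection events in Windows Event Viewer" hunk (`@@ -72,7 +71,7 @@`) still reads "the events there were created when performing the demo". Since the line is being touched anyway to update the anchor, change it to "the events that were created". The new anchor `#list-of-attack-surface-reduction-events` does match the heading renamed in event-views-exploit-guard.md later in this patch, so the link itself resolves.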
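Review bot: The rename is only half applied in the first hunk of event-views-exploit-guard.md (`@@ -12,38 +12,37 @@`): the added line "You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events]..." keeps "Windows Defender EG feature" while the headings and intro around it now say "attack surface reduction" and "capabilities". Use one term throughout, and split that sentence at the comma while you are there. The unchanged `description:` front matter ("import individual views for each of the features") and the "Exploit Guard Evaluation Package" sentence have the same mismatch with the new title.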
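Review bot: Typo introduced in the `@@ -143,10 +142,10 @@` hunk of event-views-exploit-guard.md: "All attack surface reductiond events are located under" should be "All attack surface reduction events". The same hunk leaves "Windows Event viewer" in the context line, where the rest of the page writes "Event Viewer".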
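Review bot: Path formatting is now inconsistent within this patch: the Group Policy step in import-export-exploit-protection-emet-xml.md (`@@ -166,7 +167,7 @@`) is changed to separately bolded segments, `**Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**`, while the line added in event-views-exploit-guard.md keeps the single-bold form `**Applications and Services Logs > Microsoft > Windows**`. Pick one style and apply it to both. The context lines of this hunk also number the steps "3." and then "5.", which is worth correcting in the source even though the renderer renumbers.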
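Review bot: The "Applies to" hunks across these files (for example memory-integrity.md `@@ -21,8 +21,9 @@` and troubleshoot-np.md `@@ -11,14 +11,14 @@`) remove the only visible statement of the minimum OS version, replacing "Windows 10, version 1709" and "Windows Server 2016" with a product name. Administrators planning a rollout need that floor, so keep it in a Requirements section or restore it next to the new bullet. In memory-integrity.md the body still ends with "computers that run Windows 10 and Windows Server 2016", which now reads as unversioned, and the hunk also adds two trailing blank lines at the end of the file that can be dropped.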
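Review bot: `ms.date` is bumped inconsistently: several files move to 08/08/2018 or 08/09/2018, but the hunks for requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md (header context `ms.date: 10/20/2017`), troubleshoot-asr.md (`ms.date: 05/17/2018`) and import-export-exploit-protection-emet-xml.md (`ms.date: 04/30/2018`) change content without touching the date. Update those too if the date is meant to track content changes. In event-views-exploit-guard.md the hunk header context shows `ms.date: 04/16/2018` above the `ms.date: 05/30/2018` line being edited, which suggests the front matter carries two `ms.date` keys; remove the stale one. The requirements page hunk also leaves "adavantage" in its context line.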
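Review bot: Locale handling in links is inconsistent after this patch: the `@@ -205,7 +204,7 @@` hunk of troubleshoot-exploit-protection-mitigations.md drops `/en-us/` from the Windows Security Baselines URL, but the free-trial link retained in windows-defender-exploit-guard.md still points at `https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?...`. If the intent is locale-neutral links, fix that one in the same change. The edited baselines sentence also mixes a curly apostrophe in "haven’t" with a straight one in "it's".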
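Review bot: The shortened sentence in the `@@ -52,13 +51,9 @@` hunk of windows-defender-exploit-guard.md keeps the non-parallel list "threat mitigation, preventing, protection, and analysis technologies"; "preventing" should be "prevention". With the bullet list removed, the sentence no longer tells the reader what else is in the suite, so consider linking "Windows Defender Advanced Threat Protection" to its overview page. The hunk also still says "Windows Defender EG" while the page titles elsewhere in this patch drop the Exploit Guard name.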
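Review bot: Product name mismatch in the topic table hunk (`@@ -91,9 +86,9 @@`): the re-added row says "now-retired Enhanced Mitigations Experience Toolkit", while the Related topics list in import-export-exploit-protection-emet-xml.md, touched in this same patch, says "Enhanced Mitigation Experience Toolkit". Use the singular "Mitigation" in both places. The same row has a stray " - and adds additional configuration", which reads better as "and adds configuration options and technologies". The link text for the first three rows is shortened, but the fourth row ("Protect important folders with Controlled folder access") is left in the old style, so confirm that is intentional.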