diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index ab42d2eb12..fa3402a679 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 11/03/2020 +ms.date: 01/21/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -146,7 +146,7 @@ There is a known issue such that if you change the Exploit Protection settings f ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. -1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**. +1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. 2. Disable IpNat.sys from ICS load as follows:
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` @@ -159,6 +159,28 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli 5. Reboot the device. +### Why doesn't the container fully load when device control policies are enabled? +Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. + +Policy: Allow installation of devices that match any of these device IDs +- `SCSI\DiskMsft____Virtual_Disk____` +- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` +- `VMS_VSF` +- `root\Vpcivsp` +- `root\VMBus` +- `vms_mp` +- `VMS_VSP` +- `ROOT\VKRNLINTVSP` +- `ROOT\VID` +- `root\storvsp` +- `vms_vsmp` +- `VMS_PP` + +Policy: Allow installation of devices using drivers that match these device setup classes +- `{71a27cdd-812a-11d0-bec7-08002be2092f}` + + + ## See also -[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) \ No newline at end of file +[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index c0c77ae782..cf10e80626 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -14,7 +14,7 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 01/08/2021 +ms.date: 01/20/2021 --- # Use attack surface reduction rules to prevent malware infection @@ -24,7 +24,7 @@ ms.date: 01/08/2021 **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Why attack surface reduction rules are important @@ -63,8 +63,10 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later + +Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). -In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed. - Minimum platform release requirement: `4.18.2008.9` - Minimum engine release requirement: `1.1.17400.5` @@ -124,13 +126,9 @@ DeviceEvents You can review the Windows event log to view events generated by attack surface reduction rules: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. - 3. Under **Actions**, select **Import custom view...**. - 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). - 5. Select **OK**. You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: @@ -463,9 +461,6 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` ## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) - - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - - [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 91a6dc887a..2ff87af1ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -46,13 +46,13 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au ## Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**. +1. Open the Windows Security app by selecting the shield icon in the task bar or by searching the start menu for **Security**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. @@ -60,12 +60,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au 5. Repeat steps 3-4 for all the apps and mitigations you want to configure. -6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+6. Under the **System settings** section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the **Program settings** section use the settings that are configured here.
- **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat step 6 for all the system-level mitigations you want to configure. Select **Apply** when you're done setting up your configuration. If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: @@ -80,7 +80,7 @@ If you add an app to the **Program settings** section and configure individual m Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. -The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +The result is that DEP is enabled only for *test.exe*. All other apps will not have DEP applied. ### Example 2: Josie configures Data Execution Prevention in system settings to be off by default @@ -88,66 +88,84 @@ Josie adds the app *test.exe* to the **Program settings** section. In the option Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. +The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
+ - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. +2. Go to **Device configuration** > **Profiles** > **Create profile**. + +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +4. Select **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. -5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](../images/enable-ep-intune.png)
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: -6. Click **OK** to save each open blade and click **Create**. + ![Enable network protection in Intune](../images/enable-ep-intune.png)
-7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +6. Select **OK** to save each open blade, and then choose **Create**. + +7. Select the profile **Assignments** tab, assign the policy to **All Users & All Devices**, and then select **Save**. ## MDM Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. +## Microsoft Endpoint Manager + +1. In Microsoft Endpoint Manager, go to **Endpoint Security** > **Attack surface reduction**. + +2. Select **Create Policy** > **Platform**, and for **Profile**, choose **Exploit Protection**. Then select **Create**. + +3. Specify a name and a description, and then choose **Next**. + +4. Select **Select XML File** and browse to the location of the exploit protection XML file. Select the file, and then choose **Next**. + +5. Configure **Scope tags** and **Assignments** if necessary. + +6. Under **Review + create**, review the configuration and then choose **Create**. + + ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Exploit protection**, and click **Next**. +3. Specify a name and a description, select **Exploit protection**, and then choose **Next**. -4. Browse to the location of the exploit protection XML file and click **Next**. +4. Browse to the location of the exploit protection XML file and select **Next**. -5. Review the settings and click **Next** to create the policy. +5. Review the settings, and then choose **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, select **Close**. ## Group Policy 1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +4. Select **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard), and then choose **OK**. ## PowerShell @@ -207,41 +225,41 @@ This table lists the individual **Mitigations** (and **Audits**, when available) | Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter | | :-------------- | :--------- | :---------------------------------- | :-------------------------- | -| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | -| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | -| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | -| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available | -| Validate heap integrity | System and app-level | TerminateOnError | Audit not available | -| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode | -| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad | -| Block remote images | App-level only | BlockRemoteImages | Audit not available | -| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly | -| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned | -| Disable extension points | App-level only | ExtensionPoint | Audit not available | -| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall | -| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess | -| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | -| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | -| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | -| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | -| Validate handle usage | App-level only | StrictHandle | Audit not available | -| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | -| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | +| Control flow guard (CFG) | System and app-level | `CFG`, `StrictCFG`, `SuppressExports` | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | `DEP`, `EmulateAtlThunks` | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | `ForceRelocateImages` | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | `BottomUp`, `HighEntropy` | Audit not available +| Validate exception chains (SEHOP) | System and app-level | `SEHOP`, `SEHOPTelemetry` | Audit not available | +| Validate heap integrity | System and app-level | `TerminateOnError` | Audit not available | +| Arbitrary code guard (ACG) | App-level only | `DynamicCode` | `AuditDynamicCode` | +| Block low integrity images | App-level only | `BlockLowLabel` | `AuditImageLoad` | +| Block remote images | App-level only | `BlockRemoteImages` | Audit not available | +| Block untrusted fonts | App-level only | `DisableNonSystemFonts` | `AuditFont`, `FontAuditOnly` | +| Code integrity guard | App-level only | `BlockNonMicrosoftSigned`, `AllowStoreSigned` | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | `ExtensionPoint` | Audit not available | +| Disable Win32k system calls | App-level only | `DisableWin32kSystemCalls` | `AuditSystemCall` | +| Do not allow child processes | App-level only | `DisallowChildProcessCreation` | `AuditChildProcess` | +| Export address filtering (EAF) | App-level only | `EnableExportAddressFilterPlus`, `EnableExportAddressFilter` \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | `EnableImportAddressFilter` | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | `EnableRopSimExec` | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | `EnableRopCallerCheck` | Audit not available\[2\] | +| Validate handle usage | App-level only | `StrictHandle` | Audit not available | +| Validate image dependency integrity | App-level only | `EnforceModuleDepencySigning` | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | `EnableRopStackPivot` | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` -\[2\]: Audit for this mitigation is not available via Powershell cmdlets. +\[2\]: Audit for this mitigation is not available via PowerShell cmdlets. ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article for more information about customizing the notification when a rule is triggered and blocks an app or file. ## See also -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)