From 209ac57f8b3ac1fd730bc7549ac0c8f61d1ba83c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 2 Apr 2019 09:22:07 -0700 Subject: [PATCH 1/4] added table --- .../attack-surface-reduction-exploit-guard.md | 11 +---------- .../evaluate-attack-surface-reduction.md | 12 +++++++++++- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index ab6498dcae..a799cf3c7d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/26/2018 +ms.date: 04/02/2019 --- # Reduce attack surfaces with attack surface reduction rules @@ -236,15 +236,6 @@ SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -## Review attack surface reduction events in Windows Event Viewer - -You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: - -Event ID | Description -5007 | Event when settings are changed -1121 | Event when an attack surface reduction rule fires in audit mode -1122 | Event when an attack surface reduction rule fires in block mode - ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 5e3d8457aa..f54bdb311e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 04/02/2019 --- # Evaluate attack surface reduction rules @@ -45,6 +45,16 @@ This enables all attack surface reduction rules in audit mode. >If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). +## Review attack surface reduction events in Windows Event Viewer + +You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: + +| Event ID | Description | +|----------|-------------| +|5007 | Event when settings are changed | +| 1121 | Event when an attack surface reduction rule fires in audit mode | +| 1122 | Event when an attack surface reduction rule fires in block mode | + ## Customize attack surface reduction rules During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. From 14dc5c5d52bbbfceb0ef78b10835cc114dea635b Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 2 Apr 2019 09:37:14 -0700 Subject: [PATCH 2/4] fixed tables --- .../evaluate-exploit-protection.md | 3 ++- .../evaluate-network-protection.md | 14 +++++++------- .../exploit-protection-exploit-guard.md | 3 ++- 3 files changed, 11 insertions(+), 9 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 47eb5e8ced..6ae70924c7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/26/2019 +ms.date: 04/02/2019 --- # Evaluate exploit protection @@ -109,6 +109,7 @@ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code in - [Enable exploit protection](enable-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) - [Enable network protection](enable-network-protection.md) - [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) - [Enable attack surface reduction](enable-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index ea6a20bdcc..74605b559a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/01/2019 +ms.date: 04/02/2019 --- # Evaluate network protection 
@@ -20,7 +20,7 @@ ms.date: 04/01/2019 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain. @@ -55,11 +55,11 @@ The network connection will be allowed and a test message will be displayed. To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. -Event ID | Provide/Source | Description --|- -5007 | Windows Defender (Operational) | Event when settings are changed -1125 | Windows Defender (Operational) | Event when a network connection is audited -1126 | Windows Defender (Operational) | Event when a network connection is blocked +| Event ID | Provide/Source | Description | +|-|-|-| +|5007 | Windows Defender (Operational) | Event when settings are changed | +|1125 | Windows Defender (Operational) | Event when a network connection is audited | +|1126 | Windows Defender (Operational) | Event when a network connection is blocked | ## Related topics 
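Review bot: The header cell `Provide/Source` in the rewritten network protection table looks like a typo for `Provider/Source`, and since every row of that table is being replaced in this hunk, this is the place to correct it: `| Event ID | Provider/Source | Description |`. The rest of the conversion to a pipe-delimited table with a proper `|-|-|-|` separator row is fine and matches the table added to evaluate-attack-surface-reduction.md in PATCH 1/4.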
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 3d5b5df71f..72869c7925 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/26/2018 +ms.date: 04/02/2019 --- # Protect devices from exploits @@ -154,5 +154,6 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check - [Enable exploit protection](enable-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) From 86f3a834c35e088aa706d6ff3ccfbb223ed2f82f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 2 Apr 2019 09:41:39 -0700 Subject: [PATCH 3/4] fixed table --- .../audit-windows-defender-exploit-guard.md | 20 ++----------------- .../evaluate-attack-surface-reduction.md | 3 ++- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 5f21c349ae..4f416ca95d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/18/2018 +ms.date: 04/02/2019 --- 
@@ -41,28 +41,12 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) Audit options | How to enable audit mode | How to view events - | - | - Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) -You can also use the a custom PowerShell script that enables the features in audit mode automatically: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine. - -1. Type **powershell** in the Start menu. - -2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. - -3. 
Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode: - ```PowerShell - Set-ExecutionPolicy Bypass -Force - \Enable-ExploitGuardAuditMode.ps1 - ``` - - Replace \ with the folder path where you placed the file. - - A message should appear to indicate that audit mode was enabled. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index f54bdb311e..307b13fd20 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -47,7 +47,8 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s ## Review attack surface reduction events in Windows Event Viewer -You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: +To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. + | Event ID | Description | |----------|-------------| From 0ea7d2ec1398281b0770c2836c71d018dc188ccf Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 2 Apr 2019 09:53:00 -0700 Subject: [PATCH 4/4] fixed table --- .../audit-windows-defender-exploit-guard.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 4f416ca95d..5d82fb8254 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -37,15 +37,12 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - -Audit options | How to enable audit mode | How to view events -- | - | - -Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) -Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) -Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) - - +|Audit options | How to enable audit mode | How to view events | +|- | - | - | +|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) | +|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) | +|Audit applies to all events | [Enable network protection](enable-network-protection.md) | 
[Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) | +|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) | ## Related topics
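Review bot: In PATCH 1/4, the table inserted into evaluate-attack-surface-reduction.md has inconsistent cell padding: `|5007 | Event when settings are changed |` versus `| 1121 |` and `| 1122 |` on the next rows. It renders either way, but `| 5007 |` keeps the source readable and consistent with the header row. Also note that moving the "Review attack surface reduction events in Windows Event Viewer" section out of attack-surface-reduction-exploit-guard.md changes the anchor target; the link in audit-windows-defender-exploit-guard.md is updated in PATCH 3/4, but any other page linking to the old `attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer` anchor would need the same fix.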
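Review bot: The replacement sentence added to evaluate-attack-surface-reduction.md in PATCH 3/4 ends with "The following table lists all network protection events." but the table below it lists attack surface reduction events (5007, 1121, 1122); this reads as a copy-paste from evaluate-network-protection.md and should say "attack surface reduction events". The first half of the sentence, pointing readers at Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log, is correct for audit mode per the table.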
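Review bot: The commit message for PATCH 3/4, "fixed table", does not cover what the audit-windows-defender-exploit-guard.md hunk actually does: the only table change there is one link target, while the bulk of the hunk deletes the entire "custom PowerShell script" procedure (the Exploit Guard Evaluation Package download, the Run-as-administrator steps, and the `Set-ExecutionPolicy Bypass -Force` / `Enable-ExploitGuardAuditMode.ps1` code block). If that removal is intentional, say so in the commit message or split it into its own commit so the history explains why the documented audit-mode script went away; if it is not, restore the section. Separately, the table in this file is left in the non-pipe format here and only converted in PATCH 4/4, so the two hunks could be squashed.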