deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-05 17:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merged PR 2919: move ASR rule descriptions to make the flow more logical

Browse Source 
move ASR rule descriptions to make the flow more logical
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-08-28 20:44:05 +00:00
commit 7a97d40b40
3 changed files with 75 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -49,10 +49,78 @@ The feature is comprised of a number of rules, each of which target specific beh
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
See the [Attack Surface Reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.
When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
## Attack Surface Reduction rules
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
Rule name | GUIDs
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
### Rule: Block Office applications from creating child processes
Office apps, such as Word or Excel, will not be allowed to create child processes.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
### Rule: Block Office applications from injecting into other processes
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
### Rule: Impede JavaScript and VBScript to launch executables
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
This rule prevents scripts that appear to be obfuscated from running.
It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
## Requirements
@ -64,6 +132,8 @@ Windows 10 version | Windows Defender Antivirus
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
## Review Attack Surface Reduction events in Windows Event Viewer
You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited):

8
windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -48,13 +48,11 @@ For further details on how audit mode works, and when you might want to use it,
Attack Surface Reduction rules are identified by their unique rule ID.
Rule IDs willl be populated on machines that are enrolled in an E5 license. These machines will also properly report their Attack Surface Reduction rule history in the Windows Defender Security Center web console.
You can also manually add the rules from the following table:
You can manually add the rules by using the GUIDs in the following table:
Rule description | GUIDs
-|-
Block executable content from email client and webmail. | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
@ -62,7 +60,7 @@ Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-5
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
See the [Evaluate Attack Surface Reduction rules](evaluate-attack-surface-reduction.md) topic for details on each rule.
See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
### Use Group Policy to enable Attack Surface Reduction rules

4
windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -80,9 +80,9 @@ You can review the Windows event log to see events that are created when Exploit
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
6. This will create a custom view that filters to only show the following events related to Exploit Protection:
Provider/source | Event ID | Description
-|:-:|-