diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 9d38e65a82..2f93a09df1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -21,7 +21,7 @@ ms.author: v-anbic Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. -To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with attack surface reduction rules. +To use attack surface reduction rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). With an E3 license, you won't have these advanced capabilities, but you can develop your own monitoring and reporting tools to use in conjunction with attack surface reduction rules. Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
@@ -63,11 +63,11 @@ The rules apply to the following Office apps: - Microsoft PowerPoint - Microsoft OneNote -Except where specified, attack surface reduction rules do not apply to any other Office apps. +Except where specified, attack surface reduction rules don't apply to any other Office apps. ### Block executable content from email client and webmail -This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): +This rule blocks the following file types from launching from email in Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) @@ -81,7 +81,7 @@ GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 ### Block all Office applications from creating child processes -Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. 
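Review bot: in the @@ -63 hunk, the rewritten sentence "blocks the following file types from launching from email" stacks two "from" phrases and reads awkwardly; suggest "blocks the following file types from launching when opened from email in Microsoft Outlook or webmail (such as Gmail.com or Outlook.com)". While this list is being touched, the unchanged context line "PowerShell .ps" should read "PowerShell .ps1", which is the actual PowerShell script extension and matches the ".vbs" and ".js" examples beside it.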
@@ -95,7 +95,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. -Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. +Office apps won't be able to use extensions. Typically, these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. Intune name: Office apps/macros creating executable content @@ -105,9 +105,9 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899 ### Block Office applications from injecting code into other processes -Office apps, including Word, Excel, or PowerPoint, will not be able to inject code into other processes. +This rule prevents Office apps, including Word, Excel, or PowerPoint, from injecting code into other processes. -This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. +This helps prevent attacks where malware runs malicious code in an attempt to hide the activity from antivirus scanning engines. Intune name: Office apps injecting code into other processes (no exceptions) 
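Review bot: in the @@ -95 hunk, "Office apps won't be able to use extensions." is broader than what the rule does according to the preceding context line, which says it targets add-ons and scripts that create or launch executable files; as written it reads as if every Office extension stops working. Suggest tying the sentence to the rule, e.g. "This rule blocks Office apps from using these extensions to create executable content.", so the scope matches the rule name "Office apps/macros creating executable content" given in the Intune name line.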
@@ -117,12 +117,12 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 ### Block JavaScript or VBScript From launching downloaded executable content -JavaScript and VBScript scripts can be used by malware to launch other malicious apps. +Malware often uses JavaScript and VBScript scripts to launch other malicious apps. -This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. +This rule prevents these scripts from launching apps, helping to prevent malicious use of the scripts to spread malware and infect machines. >[!IMPORTANT] ->File and folder exclusions do not apply to this attack surface reduction rule. +>File and folder exclusions don't apply to this attack surface reduction rule. Intune name: js/vbs executing payload downloaded from Internet (no exceptions) @@ -134,7 +134,7 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. -This rule prevents scripts that appear to be obfuscated from running. +This rule prevents potentially obfuscated scripts from running. Intune name: Obfuscated js/vbs/ps/macro code 
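Review bot: in the @@ -134 hunk, changing "scripts that appear to be obfuscated" to "potentially obfuscated scripts" loses precision: the original wording says the rule acts on scripts that look obfuscated to the engine, whereas "potentially obfuscated" can be read as any script that could be obfuscated. Suggest keeping "scripts that appear to be obfuscated" (or "scripts that look obfuscated"), which also stays consistent with the context line above it about threats that "attempt to obfuscate or hide their malicious code".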
@@ -144,9 +144,9 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC ### Block Win32 API calls from Office macro -Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. +Malware can use macro code in Office files to import and load Win32 DLLs, which the malware then uses to make API calls to allow further infection throughout the system. -This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. +This rule attempts to block Office files that contain macro code that can import Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. Intune name: Win32 imports from Office macro code @@ -156,7 +156,7 @@ GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B ### Block executable files from running unless they meet a prevalence, age, or trusted list criteria -This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: +This rule blocks the following file types from launching unless they either meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list: - Executable files (such as .exe, .dll, or .scr) 
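Review bot: in the @@ -156 hunk, "unless they either meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list" nests an "or" inside an "either ... or", so the grouping is ambiguous. Suggest dropping "either": "unless they meet prevalence or age criteria set by admins, or they're in a trusted list or exclusion list". The switch to "exclusion list" is consistent with the same change in the @@ -171 hunk, which is good.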
@@ -171,7 +171,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 ### Use advanced protection against ransomware -This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. +This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. >[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. 
@@ -187,7 +187,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. >[!NOTE] - >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. This rule will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. + >The coding in some apps enumerate all running processes and attempt opening them with exhaustive permissions. This causes the app to access LSASS even when it's not necessary. This rule denies the app's process open action and logs the details to the security event log. By itself, this event log entry doesn't necessarily indicate a malicious threat. Intune name: Flag credential stealing from the Windows local security authority subsystem 
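Review bot: in the @@ -187 hunk, the new note sentence "The coding in some apps enumerate all running processes and attempt opening them" has a subject-verb agreement error ("coding ... enumerate ... attempt") and is less direct than the original. Suggest "Some apps enumerate all running processes and attempt to open them with exhaustive permissions." The rest of the rewritten note (denies the open, logs to the security event log, an entry by itself doesn't necessarily indicate a threat) reads fine.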
@@ -203,7 +203,7 @@ This rule blocks processes through PsExec and WMI commands from running, to prev >File and folder exclusions do not apply to this attack surface reduction rule. >[!WARNING] ->Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly. +>Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. Intune name: Process creation from PSExec and WMI commands
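Review bot: in the @@ -203 hunk, "WMI commands the SCCM client uses" introduces the abbreviation SCCM without defining it, while the same sentence links to the product as "System Center Configuration Manager" and the original text said "Configuration Manager client"; suggest keeping "the Configuration Manager client uses". Also, the unchanged context line ">File and folder exclusions do not apply to this attack surface reduction rule." keeps "do not" even though the identical IMPORTANT note in the @@ -117 hunk was changed to "don't"; update it here too so the two notes match.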