From a0595f5b749e7988cc523e153329ad013c19e0aa Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 26 Mar 2019 13:07:27 -0700 Subject: [PATCH 01/17] revised toc and ep topics --- windows/security/threat-protection/TOC.md | 8 ++-- .../evaluate-exploit-protection.md | 39 ++++++++++++++----- .../event-views-exploit-guard.md | 8 ++-- 3 files changed, 37 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 394c6a49ae..5dc4ec4a49 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -127,10 +127,10 @@ ### [Configure and manage capabilities](windows-defender-atp/onboard.md) #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md) -####Hardware-based isolation -##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) -##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md) -###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) +#####Hardware-based isolation +###### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) +###### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md) +####### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ##### Device control ###### [Control USB devices](device-control/control-usb-devices-using-intune.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index f1870b1c48..eaf851f409 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 03/26/2019 --- # Evaluate exploit protection @@ -20,26 +20,45 @@ ms.date: 11/16/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. +[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. +It consists of a number of mitigations that can be applied to either the operating system or an individual app. +Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. - -This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md). +This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. +You can enable audit mode for any mitigation to see how it will work in a test environment. +This lets you see a record of what *would* have happened if you had enabled the mitigation in production. +You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact -You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations. +1. Go to the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) and download the [EP xml config file](https://demo.wd.microsoft.com/Content/ProcessMitigation.xml?). -This lets you see a record of what *would* have happened if you had enabled the mitigation. +1. Open an elevated PowerShell windows and run: -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. + ```powershell + Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml + Set-ProcessMitigation –help + ``` + +1. Tp verify the configuration, run: -See the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. + ```powershell + Get-ProcessMitigation + ``` + +2. Type **event viewer** in the Start menu and open **Event Viewer**. + +3. Click **Action** > **Import Custom View...** + + ![Animation highlighting Import custom view on the left of Event viewer](images/events-import.gif) + +4. Select the XML > **Open** > **OK**. + +You can see the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. -For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 7f7c825798..239170b7f1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -27,7 +27,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities @@ -35,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. +You can also manually navigate to the event area that corresponds to the feature. For more details, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic. ### Import an existing XML custom view @@ -45,9 +45,9 @@ You can also manually navigate to the event area that corresponds to the feature - Attack surface reduction events custom view: *asr-events.xml* - Network protection events custom view: *np-events.xml* -1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. +1. Type **event viewer** in the Start menu and open **Event Viewer**. -3. On the left panel, under **Actions**, click **Import Custom View...** +3. Click **Action** > **Import Custom View...** ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif) From dc5d7eeccdf7e49efb0d222db6b8892207c63daf Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 26 Mar 2019 15:10:40 -0700 Subject: [PATCH 02/17] edits --- .../enable-exploit-protection.md | 11 ++-- .../evaluate-exploit-protection.md | 61 +++++++++++++------ 2 files changed, 46 insertions(+), 26 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 2349416c84..94a268aca9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 02/14/2019 +ms.date: 03/26/2019 --- # Enable exploit protection @@ -24,16 +24,13 @@ ms.date: 02/14/2019 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -## Enable and audit exploit protection +## Enable exploit protection You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. -The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. +The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. You can customize the configuration to suit your organization and then deploy that configuration across your network. -You can also set mitigations to [audit mode](audit-windows-defender-exploit-guard.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. - ->[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying in production. +You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index eaf851f409..1f34932458 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -25,40 +25,63 @@ It consists of a number of mitigations that can be applied to either the operati Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. -You can enable audit mode for any mitigation to see how it will work in a test environment. +You can enable audit mode for certain app-level mitigations to see how they will work in a test environment. This lets you see a record of what *would* have happened if you had enabled the mitigation in production. You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. -## Use audit mode to measure impact +## Enable exploit protection in audit mode -1. Go to the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) and download the [EP xml config file](https://demo.wd.microsoft.com/Content/ProcessMitigation.xml?). +To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. -1. Open an elevated PowerShell windows and run: +Configure each mitigation in the following format: - ```powershell - Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml - Set-ProcessMitigation –help - ``` - -1. Tp verify the configuration, run: - ```powershell - Get-ProcessMitigation - ``` +```PowerShell +Set-ProcessMitigation - - ,, +``` -2. Type **event viewer** in the Start menu and open **Event Viewer**. +Where: -3. Click **Action** > **Import Custom View...** +- \: + - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. +- \: + - `-Enable` to enable the mitigation + - `-Disable` to disable the mitigation +- \: + - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. - ![Animation highlighting Import custom view on the left of Event viewer](images/events-import.gif) +| Mitigation | Audit mode cmdlet | +| - | - | +|Arbitrary code guard (ACG) | AuditDynamicCode | +|Block low integrity images | AuditImageLoad | +|Block untrusted fonts | AuditFont, FontAuditOnly | +|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | +|Disable Win32k system calls | AuditSystemCall | +|Do not allow child processes | AuditChildProcess | -4. Select the XML > **Open** > **OK**. +For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: -You can see the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. +```PowerShell +Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +``` +You can disable audit mode by replacing `-Enable` with `-Disable`. + +## Review exploit protection audit events + +To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log. + +Feature | Provider/source | Event ID | Description +:-|:-|:-:|:- +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) From 5aaeac378772ad3ca6a3e72ae7c329aaf3ba5b7d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 26 Mar 2019 16:33:37 -0700 Subject: [PATCH 03/17] consolidated exploit protection topics --- .../evaluate-exploit-protection.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 1f34932458..47eb5e8ced 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -34,6 +34,27 @@ You can make sure it doesn't affect your line-of-business apps, and see which su ## Enable exploit protection in audit mode +You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell. + +### Windows Security app + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. + +3. Go to **Program settings** and choose the app you want to apply mitigations to: + + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + +### PowerShell + To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. Configure each mitigation in the following format: From e58007cd1c8cfbc8bf3ecd88aa55c6c611ca7a87 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 26 Mar 2019 16:37:09 -0700 Subject: [PATCH 04/17] edits --- windows/security/threat-protection/TOC.md | 1 - .../windows-defender-atp/TOC.md | 1 - .../customize-exploit-protection.md | 25 +-- .../enable-exploit-protection.md | 195 ++++++++++++++++-- 4 files changed, 190 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 5dc4ec4a49..2721c30191 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -139,7 +139,6 @@ ######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) ######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) -###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md) ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) ##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md) ##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index e5c320eaa7..dbc99248fb 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -136,7 +136,6 @@ ####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) ####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) #### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md) -##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md) ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md) #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index ce3d7cb53f..d66b74b3af 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -106,7 +106,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. -3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: +3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation @@ -114,32 +114,23 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi >[!NOTE] >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may required a restart, which will be indicated in red text underneath the setting. + Changing some settings may require a restart. 4. Repeat this for all the system-level mitigations you want to configure. -You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. +3. Go to the **Program settings** section and choose the app you want to apply mitigations to: -Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. - -### Configure app-specific mitigations with the Windows Security app - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings** at the bottom of the screen. - -3. Go to the **Program settings** section and choose the app you want to apply mitigations to: - - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. - -You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. + + +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 94a268aca9..c030233ef0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -24,20 +24,192 @@ ms.date: 03/26/2019 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -## Enable exploit protection - -You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. - -The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. You can customize the configuration to suit your organization and then deploy that configuration across your network. - You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. -You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. +## Enable exploit protection + +You enable and configure each exploit protection mitigation separately either by using the Windows Security app or PowerShell. +They are configured by default in Windows 10. + +You can set each mitigation to on, off, or to its default value. +Some mitigations have additional options. + +You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy it to other machines by using Group Policy. + +### Windows Security app + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. + +3. Go to **Program settings** and choose the app you want to apply mitigations to: + + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. + +3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: + - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation + +5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + +If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: + +Enabled in **Program settings** | Enabled in **System settings** | Behavior +:-: | :-: | :-: +[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** +[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** +[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** +[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option + +**Example 1** + +Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. + +Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. + +The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. + +**Example 2** + +Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. + +Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. + +Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. + +The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. +CFG will be enabled for *miles.exe*. + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. + +3. Go to **Program settings** and choose the app you want to apply mitigations to: + + 1. If the app you want to configure is already listed, click it and then click **Edit** + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + +4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. + +5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. + + + +### PowerShell + +You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: + +```PowerShell +Get-ProcessMitigation -Name processName.exe +``` + +>[!IMPORTANT] +>System-level mitigations that have not been configured will show a status of `NOTSET`. +> +>For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> +>For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> +>The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). + +Use `Set` to configure each mitigation in the following format: + +```PowerShell +Set-ProcessMitigation - - ,, +``` +Where: + +- \: + - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. + - `-System` to indicate the mitigation should be applied at the system level +- \: + - `-Enable` to enable the mitigation + - `-Disable` to disable the mitigation +- \: + - The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. + +For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: + +```PowerShell +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation +``` + +>[!IMPORTANT] +>Separate each mitigation option with commas. + +If you wanted to apply DEP at the system level, you'd use the following command: + +```PowerShell +Set-Processmitigation -System -Enable DEP +``` + +To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. + +If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: + +```PowerShell +Set-Processmitigation -Name test.exe -Remove -Disable DEP +``` + +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. + + +Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet +- | - | - | - +Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available +Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available +Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available +Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available +Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available +Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Disable extension points | App-level only | ExtensionPoint | Audit not available +Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall +Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available +Validate handle usage | App-level only | StrictHandle | Audit not available +Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available + + + +\[1\]: Use the following format to enable EAF modules for dlls for a process: + +```PowerShell +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +``` + + +## Customize the notification + +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. + + + + + + + + -See the following topics for instructions on configuring exploit protection mitigations and importing, exporting, and converting configurations: -1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md) -2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md). ## Related topics @@ -45,6 +217,3 @@ See the following topics for instructions on configuring exploit protection miti - [Evaluate exploit protection](evaluate-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - - - From 14f1456a01a143cc0401929b618f44d145c0acbe Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 26 Mar 2019 17:29:49 -0700 Subject: [PATCH 05/17] fixed link, edited --- .../exploit-protection-exploit-guard.md | 52 +++++-------------- 1 file changed, 12 insertions(+), 40 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 41018cb2ea..53ff480b35 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/29/2018 +ms.date: 03/26/2018 --- # Protect devices from exploits @@ -20,47 +20,33 @@ ms.date: 11/29/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. +Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later. +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. >[!TIP] >You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - You [configure these settings using the Windows Security app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. +You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple domain-joined devices at once. - When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. +You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. - Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. +Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. - >[!IMPORTANT] - >If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. +>[!IMPORTANT] +>If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. >[!WARNING] >Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. - ## Review exploit protection events in Windows Event Viewer +## Review exploit protection events in Windows Event Viewer You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. - -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -3. On the left panel, under **Actions**, click **Import custom view...** - - ![Antimated GIF highlighting the import custom view button on the right pane ](images/events-import.gif) - -4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -5. Click **OK**. - -6. This will create a custom view that filters to only show the following events related to Exploit protection: - Provider/source | Event ID | Description -|:-:|- Security-Mitigations | 1 | ACG audit @@ -97,22 +83,8 @@ Win32K | 260 | Untrusted Font > >You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. - -Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. - -EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. - -After July 31, 2018, it will not be supported. - -For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) - -## Feature comparison - - The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. +This section compares exploit protection in Windows Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. +The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.   | Windows Defender Exploit Guard | EMET -|:-:|:-: From ff0a652c8d6971a8b213cc0c70db15ae777f9725 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 26 Mar 2019 17:58:03 -0700 Subject: [PATCH 06/17] added new section --- .../attack-surface-reduction-exploit-guard.md | 11 +++++++++++ .../exploit-protection-exploit-guard.md | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 653d7f2a5e..6a7af471f3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic +ms.date: 03/26/2018 --- # Reduce attack surfaces with attack surface reduction rules @@ -235,6 +236,16 @@ SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +## Review attack surface reduction in Windows Event Viewer + +You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: + +Event ID | Description +5007 | Event when settings are changed +1121 | Event when an attack surface reduction rule fires in audit mode +1122 | Event when an attack surface reduction rule fires in block mode + + ## Related topics - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 53ff480b35..3d5b5df71f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -29,11 +29,11 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple domain-joined devices at once. +You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. +You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled. Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. From 55f2f9d785c053c57a43c0a12e506970bd7c60c6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 26 Mar 2019 19:06:16 -0700 Subject: [PATCH 07/17] fixed links --- .../attack-surface-reduction-exploit-guard.md | 2 +- .../audit-windows-defender-exploit-guard.md | 6 +++--- .../customize-exploit-protection.md | 4 ++-- .../enable-exploit-protection.md | 2 +- .../evaluate-controlled-folder-access.md | 9 ++++++++- .../event-views-exploit-guard.md | 10 +++++----- 6 files changed, 20 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 6a7af471f3..ab6498dcae 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -236,7 +236,7 @@ SCCM name: Not applicable GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -## Review attack surface reduction in Windows Event Viewer +## Review attack surface reduction events in Windows Event Viewer You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 13222c4b4d..c9effc018d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -40,9 +40,9 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) Audit options | How to enable audit mode | How to view events - | - | - -Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md) -Audit applies to all events | [Enable network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) +Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folders.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) +Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index d66b74b3af..c49eae7912 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 03/26/2019 --- # Customize exploit protection @@ -156,7 +156,7 @@ Get-ProcessMitigation -Name processName.exe > >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). +>The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index c030233ef0..04abdfa702 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -120,7 +120,7 @@ Get-ProcessMitigation -Name processName.exe > >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). +>The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index a34952ae85..667c554a43 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -45,7 +45,14 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode >If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md). -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +## Review controlled folder access events in Windows Event Viewer + +The following controlled folder access events appear in Windows Event Viewer. + +Event ID | Description +5007 | Event when settings are changed +1124 | Audited controlled folder access event +1123 | Blocked controlled folder access event ## Customize protected folders and apps diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 239170b7f1..c15f7d5f95 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -12,7 +12,7 @@ ms.date: 04/16/2018 ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 03/26/2019 --- # View attack surface reduction events @@ -35,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the feature. For more details, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic. +You can also manually navigate to the event area that corresponds to the feature. ### Import an existing XML custom view @@ -43,7 +43,7 @@ You can also manually navigate to the event area that corresponds to the feature - Controlled folder access events custom view: *cfa-events.xml* - Exploit protection events custom view: *ep-events.xml* - Attack surface reduction events custom view: *asr-events.xml* - - Network protection events custom view: *np-events.xml* + - Network/ protection events custom view: *np-events.xml* 1. Type **event viewer** in the Start menu and open **Event Viewer**. @@ -55,7 +55,7 @@ You can also manually navigate to the event area that corresponds to the feature 4. Click **Open**. -5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). +5. This will create a custom view that filters to only show the events related to that feature. ### Copy the XML directly @@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the feature 4. Click **OK**. Specify a name for your filter. -5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). +5. This will create a custom view that filters to only show the events related to that feature. ### XML for attack surface reduction rule events From 7d902ce298616eec5a47427d6ebb0c84b025852c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 27 Mar 2019 09:06:31 -0700 Subject: [PATCH 08/17] added deployment options --- ...enable-controlled-folders-exploit-guard.md | 4 +-- .../enable-network-protection.md | 36 ++++++++++++------- 2 files changed, 25 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 8d9f86a947..ea057afc07 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -38,13 +38,13 @@ You can enable controlled folder access with the Security Center app, Group Poli >- System Center Endpoint Protection **Allow users to add exclusions and overrides** >For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). -### Use the Windows Defender Security app to enable controlled folder access +## Windows Security app to enable controlled folder access 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. -3. Set the switch for **Controlled folder access** to **On**. +3. Set the switch for **Controlled folder access** to **On**. ### Use Group Policy to enable Controlled folder access diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index d07a56a851..0d20bf5ec0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 02/14/2019 +ms.date: 03/27/2019 --- # Enable network protection @@ -20,17 +20,30 @@ ms.date: 02/14/2019 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +You can enable network protection by using any of the these methods: -This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). +- Windows Security app +- Intune +- MDM +- Group Policy +- SCCM +- PowerShell cmdlets -## Enable and audit network protection +You can also [audit network protection](evaluate-network-protection.md) to see which apps would be blocked before you enable it. -You can enable network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. +## Windows Security app -For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +1. Click **Start**, type **Windows Security** and press Enter to open the app. +1. Click -### Use Group Policy to enable or audit network protection +## Intune + +## MDM + +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure network protection. + +## Group Policy 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -47,7 +60,9 @@ For background information on how audit mode works, and when you might want to u >[!IMPORTANT] >To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. - ### Use PowerShell to enable or audit network protection +## SCCM + +## PowerShell 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -65,11 +80,6 @@ Set-MpPreference -EnableNetworkProtection AuditMode Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. -### Use MDM CSPs to enable or audit network protection - -Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure network protection. - - ## Related topics - [Protect your network](network-protection-exploit-guard.md) From 96084b317d79fc68c4cce6f6fde2c88c52d2b9f1 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 27 Mar 2019 10:26:32 -0700 Subject: [PATCH 09/17] fixed link --- .../audit-windows-defender-exploit-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index c9effc018d..5f21c349ae 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -40,10 +40,10 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) Audit options | How to enable audit mode | How to view events - | - | - -Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folders.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) -Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) +Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) You can also use the a custom PowerShell script that enables the features in audit mode automatically: From e6fe78c6f3b2b6aec222f2c250cf9df56dc44f25 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 27 Mar 2019 10:27:30 -0700 Subject: [PATCH 10/17] fixed headings --- .../enable-network-protection.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 0d20bf5ec0..e1050f038c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -23,21 +23,14 @@ ms.date: 03/27/2019 [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can enable network protection by using any of the these methods: -- Windows Security app -- Intune + - MDM - Group Policy -- SCCM - PowerShell cmdlets You can also [audit network protection](evaluate-network-protection.md) to see which apps would be blocked before you enable it. -## Windows Security app -1. Click **Start**, type **Windows Security** and press Enter to open the app. -1. Click - -## Intune ## MDM @@ -60,7 +53,6 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d >[!IMPORTANT] >To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. -## SCCM ## PowerShell From 11c088404e8e1c538014e04025b36f7a74955ab9 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 27 Mar 2019 10:30:09 -0700 Subject: [PATCH 11/17] fixed links --- .../windows-defender-exploit-guard/troubleshoot-np.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index f7a384b615..bf9ddc6ff3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 03/27/2019 --- # Troubleshoot network protection @@ -43,7 +43,7 @@ Network protection will only work on devices with the following conditions: > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). +> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable network protection topic](enable-network-protection.md#group-policy). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. @@ -60,7 +60,7 @@ If you encounter problems when running the evaluation scenario, check that the d You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. -1. Enable audit mode for network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). +1. Enable audit mode for network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable network protection topic](enable-network-protection.md#group-policy). 2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). 3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. From a40de7657af916d364b1850d3a3d3747770e3dcf Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 27 Mar 2019 10:43:12 -0700 Subject: [PATCH 12/17] added logs file --- windows/security/threat-protection/TOC.md | 1 + windows/security/threat-protection/windows-defender-atp/TOC.md | 2 ++ .../windows-defender-exploit-guard/troubleshoot-np.md | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 2721c30191..28f571a37e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -413,6 +413,7 @@ ####Troubleshoot attack surface reduction ##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) ##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md) +##### [Collect diagnostic data for files](windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md) #### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index dbc99248fb..59b8186134 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -402,5 +402,7 @@ ###Troubleshoot attack surface reduction #### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md) #### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md) +#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md) + ### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index bf9ddc6ff3..7065ec7e12 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -43,7 +43,7 @@ Network protection will only work on devices with the following conditions: > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable network protection topic](enable-network-protection.md#group-policy). +> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. From 93cf8d657911aa991b2569ec9959e5922a5f309e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 27 Mar 2019 10:47:18 -0700 Subject: [PATCH 13/17] changed syntx --- .../collect-cab-files-exploit-guard-submission.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 2906976656..3ed20a187b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md @@ -42,13 +42,13 @@ Before attempting this process, ensure you have met all required pre-requisites 2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example: - ```Dos + ```console cd c:\program files\windows defender ``` 3. Enter the following command and press **Enter** - ```Dos + ```console mpcmdrun -getfiles ``` From 87de801eb7eb4e22a27e1b718d37b0a1f5f71fe3 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 27 Mar 2019 10:52:35 -0700 Subject: [PATCH 14/17] add machine not sending signals --- ...ty-sensors-windows-defender-advanced-threat-protection.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index 3a5158d272..f6ed806476 100644 --- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -44,6 +44,11 @@ A reinstalled or renamed machine will generate a new machine entity in Windows D **Machine was offboarded**
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. + +**Machine is not sending signals** +If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive. + + Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). ## Misconfigured machines From dc23e68c53716efa4a5437d9445913e8c1a9c5ee Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 27 Mar 2019 11:01:33 -0700 Subject: [PATCH 15/17] edits --- .../enable-network-protection.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index e1050f038c..9c6868f35a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -21,16 +21,13 @@ ms.date: 03/27/2019 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. You can enable network protection by using any of the these methods: - - MDM - Group Policy - PowerShell cmdlets -You can also [audit network protection](evaluate-network-protection.md) to see which apps would be blocked before you enable it. - - ## MDM From ec239ae72b4e9c446d533f5d71e176f4d49fa55f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 27 Mar 2019 11:40:43 -0700 Subject: [PATCH 16/17] add note and xref --- ...cked-list-windows-defender-advanced-threat-protection.md | 5 +++++ ...cked-list-windows-defender-advanced-threat-protection.md | 6 ++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md index 5f648b914c..c11ff2b24d 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -55,6 +55,11 @@ On the top navigation you can: 5. Review the details in the Summary tab, then click **Save**. + +>[!NOTE] +>Blocking IPs, domains, or URLs is currently available on limited preview only. This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforeced. While the option is not yet generally available, it will only be used when identified during an investigation. + + ## Manage indicators 1. In the navigation pane, select **Settings** > **Allowed/blocked list**. diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index 47c3f41079..5afed1e6df 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -15,14 +15,11 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 06/14/2018 --- # Manage automation allowed/blocked lists **Applies to:** - - - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -70,4 +67,5 @@ You can define the conditions for when entities are identified as malicious or s ## Related topics - [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) -- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +- [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) From 544887c60508564d316af1758a4da6e2b0c16d89 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 27 Mar 2019 11:44:28 -0700 Subject: [PATCH 17/17] update tocs --- windows/security/threat-protection/TOC.md | 4 ++-- .../security/threat-protection/windows-defender-atp/TOC.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 394c6a49ae..b7e83ad191 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -388,8 +388,8 @@ #####Rules ###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md) -###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -###### [Manage allowed/blocked](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage automation allowed/blocked lists](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +###### [Manage allowed/blocked lists](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) ###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) ###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index e5c320eaa7..0307d758f6 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -375,8 +375,8 @@ ####Rules ##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) -##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) -##### [Manage allowed/blocked](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +##### [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) +##### [Manage allowed/blocked lists](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md) ##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md) ##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)