From 32c6075c2baf097942419e76095c5a2012e8ab72 Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 14:45:00 -0700
Subject: [PATCH 01/13] Update .openpublishing.redirection.json Exploit Guard

---
 .openpublishing.redirection.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 2d38cfdbca..ce071db2f8 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -747,17 +747,17 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection",
+"redirect_url": "https://docs.microsoft.com/windows/security/microsoft-defender-atp/customize-exploit-protection",
 "redirect_document_id": true
 },
 {

From 25cca6aa07a8a7f4ed79f7024d0fc4728ab7c955 Mon Sep 17 00:00:00 2001
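Review bot: The third added `redirect_url` in the `@@ -747,17 +747,17 @@` hunk drops the `threat-protection/` path segment: it reads `https://docs.microsoft.com/windows/security/microsoft-defender-atp/customize-exploit-protection`, while the two sibling entries above it and every other target in this series sit under `windows/security/threat-protection/microsoft-defender-atp/`. Unless a page really exists at that shorter path, the redirect will send readers of the old Exploit Guard customization article to a not-found page instead of the migrated guidance. Suggested line: `"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection",`.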
From: denisebmsft
Date: Mon, 21 Oct 2019 16:11:03 -0700
Subject: [PATCH 02/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index ce071db2f8..c86d479aa3 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -762,7 +762,7 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection",
 "redirect_document_id": true
 },
 {

From 2d2fa4ae42effdd1f32dea733710e94e49478d5b Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:11:54 -0700
Subject: [PATCH 03/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index c86d479aa3..bd67db658f 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -767,7 +767,7 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction",
 "redirect_document_id": true
 },
 {

From 11968cded1badd9c8faa5e60dd44a51df0619b88 Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:13:28 -0700
Subject: [PATCH 04/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index bd67db658f..6207a8b371 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -772,17 +772,17 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection",
 "redirect_document_id": true
 },
 {

From 9bc007b64132ec8d61e3a7471075c191612c732b Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:14:04 -0700
Subject: [PATCH 05/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 6207a8b371..dc4c065a16 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -787,7 +787,7 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction",
 "redirect_document_id": true
 },
 {

From 5c4bfa9b5b90895a383221c2b8179d06d54d9a2a Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:16:30 -0700
Subject: [PATCH 06/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index dc4c065a16..a0aab77e69 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -792,12 +792,12 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection",
 "redirect_document_id": true
 },
 {

From 80419e5940bd451d8ea1bc9e4a258df0c6291bf8 Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:17:07 -0700
Subject: [PATCH 07/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index a0aab77e69..1dc338d1d8 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -802,7 +802,7 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection",
 "redirect_document_id": true
 },
 {

From 8f5afcf5f0def5f4bc51a8a1a76c23802821f0a9 Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:19:16 -0700
Subject: [PATCH 08/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 1dc338d1d8..fe4dd1b727 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -822,12 +822,12 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/graphics",
-"redirect_document_id": true
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection",
+"redirect_document_id": false
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml",
 "redirect_document_id": true
 },
 {

From 8e6f5dfb0b1f98e6c2608db35f7d933aaa0db3e7 Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:20:50 -0700
Subject: [PATCH 09/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index fe4dd1b727..164d6efa6b 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -842,12 +842,12 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/prerelease",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prerelease",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
 "redirect_document_id": true
 },
 {

From 6ea91ce20140ffef3db0f80d0b14a666383e10a2 Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:23:02 -0700
Subject: [PATCH 10/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 164d6efa6b..bba8290cd5 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -852,12 +852,12 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np",
 "redirect_document_id": true
 },
 {

From bfe7e40a68318d9a99396740e345f0b34fe22cdb Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:30:44 -0700
Subject: [PATCH 11/13] Update .openpublishing.redirection.json

---
 .openpublishing.redirection.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index bba8290cd5..f8f801cca2 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -732,7 +732,7 @@
 },
 {
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package",
 "redirect_document_id": true
 },
 {
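Review bot: In the `@@ -3158,7 +3158,7 @@` and `@@ -12198,8 +12198,8 @@` hunks of patch 11, two Device Guard planning-guideline sources are pointed at `microsoft-defender-atp/enable-exploit-protection`, and the first keeps `"redirect_document_id": true` while that target already receives a document id from `windows-defender-exploit-guard/enable-exploit-protection.md` in patch 04 — as I read the redirection schema, only one source may hand its id to a given target, so the -3158 entry should most likely be `"redirect_document_id": false`, matching its -12198 twin. The previous target for both of those sources was the virtualization-based protection of code integrity (HVCI) requirements page; exploit protection is a different mitigation, so readers planning an HVCI deployment would land on unrelated guidance, which is worth confirming against the intended destination. The same id question applies to this `@@ -732,7 +732,7 @@` hunk's `collect-investigation-package` target if that article already exists with its own id.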
@@ -3158,7 +3158,7 @@
 },
 {
 "source_path": "windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
 "redirect_document_id": true
 },
 {
@@ -12198,8 +12198,8 @@
 },
 {
 "source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
-"redirect_document_id": true
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection",
+"redirect_document_id": false
 },
 {
 "source_path": "windows/keep-secure/requirements-for-deploying-applocker-policies.md",

From 1528326301bd8d1a0ff925ce1895560151b435fe Mon Sep 17 00:00:00 2001
From: denisebmsft
Date: Mon, 21 Oct 2019 16:40:20 -0700
Subject: [PATCH 12/13] Update evaluate-exploit-protection.md

---
 .../evaluate-exploit-protection.md | 59 +++++++++----------
 1 file changed, 27 insertions(+), 32 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index 4d70c50373..d0ad0448da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -1,7 +1,7 @@
 ---
 title: See how exploit protection works in a demo
 description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
-keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
+keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -10,9 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.date: 04/02/2019
+author: denisebmsft
+ms.author: deniseb
+ms.date: 10/21/2019
 ms.reviewer: 
 manager: dansimp
 ---
@@ -23,21 +23,16 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. -It consists of a number of mitigations that can be applied to either the operating system or an individual app. -Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. +[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](emet-exploit-protection.md) are included in exploit protection. -This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. -You can enable audit mode for certain app-level mitigations to see how they will work in a test environment. -This lets you see a record of what *would* have happened if you had enabled the mitigation in production. -You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur. +This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur. 
> [!TIP] > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. ## Enable exploit protection in audit mode -You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell. +You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell. ### Windows Security app 
@@ -45,12 +40,12 @@ You can set mitigations in audit mode for specific programs either by using the 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. -3. Go to **Program settings** and choose the app you want to apply mitigations to: +3. Go to **Program settings** and choose the app you want to apply protection to: 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 
@@ -76,14 +71,14 @@ Where: * \: * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. - Mitigation | Audit mode cmdlet --|- - Arbitrary code guard (ACG) | AuditDynamicCode - Block low integrity images | AuditImageLoad - Block untrusted fonts | AuditFont, FontAuditOnly - Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned - Disable Win32k system calls | AuditSystemCall - Do not allow child processes | AuditChildProcess + |Mitigation | Audit mode cmdlet | +|---|---| + |Arbitrary code guard (ACG) | AuditDynamicCode | + |Block low integrity images | AuditImageLoad + |Block untrusted fonts | AuditFont, FontAuditOnly | + |Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | + |Disable Win32k system calls | AuditSystemCall | + |Do not allow child processes | AuditChildProcess | For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: 
@@ -97,14 +92,14 @@ You can disable audit mode by replacing `-Enable` with `-Disable`. To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log. -Feature | Provider/source | Event ID | Description --|-|-|- - Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit - Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit - Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit - Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit - Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit - Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit +|Feature | Provider/source | Event ID | Description | +|---|---|--|---| + |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit | + |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit | + |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit | + |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit | + |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit | + |Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit | ## Related topics From 3caa611e0e9e2b364e86069a45997255fa84c9ec Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Mon, 21 Oct 2019 16:41:32 -0700 Subject: [PATCH 13/13] Update manage-incidents.md --- .../microsoft-defender-atp/manage-incidents.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
index 56e0d4eeb2..249d6de806 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
@@ -15,7 +15,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 010/08/2018
+ms.date: 10/08/2018
 ---
 
 # Manage Microsoft Defender ATP incidents