diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index 9aa2358b1c..8f59231036 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -90,7 +90,7 @@ You can right-click on the output window and click **Open Event Viewer** to see >You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. >[!NOTE] ->What does leave dirty do? Does delay work? +>TODO: Need to remove dirty + delay from tool @@ -125,13 +125,13 @@ Random | A scenario will be randomly chosen from this list | Microsoft Outlook o Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook Mail Client Script Archive | Script archive files (such as .????) | Microsoft Outlook -WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as ??? (only outlook/hotmail? Or anything? Any browser or only Edge/IE?) +WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail WebMail Script Archive | Script archive files (such as .????) | Web mail >[!NOTE] ->What is a script archive file? +>Todo: Add example script archive file >[!NOTE] >WebMail rules are currently being engineered and may not work as expected 
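Review bot: the @@ -90 hunk swaps one open question for another; ">TODO: Need to remove dirty + delay from tool" is an internal work item and should not ship inside a rendered [!NOTE] callout. Either document what the tool's dirty and delay options do or drop the whole >[!NOTE] block and track the removal in the tool's issue tracker.

Review bot: in the @@ -125 hunk the "Script archive files (such as .????)" placeholder survives in all three table rows and the replacement note is still a "Todo", so the table still does not tell the reader what a script archive file is; fill in the extensions (or remove the parenthetical) before merging rather than shipping the placeholder. While touching these rows: PowerShell scripts use the .ps1 extension, not ".ps"; the two script rows name the same language inconsistently ("VisualBasic .vbs" versus "VBScript .vbs"); and "gmail, outlook, hotmail" should be capitalized as product names (Gmail, Outlook.com, Hotmail).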
@@ -143,12 +143,9 @@ WebMail Script Archive | Script archive files (such as .????) | Web mail Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. ->[!NOTE] ->Note sure if this accurate - ### Rule: Block Office applications from creating executable content -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware spreading and infection technique. +This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique. The following scenarios can be individually chosen: @@ -161,7 +158,7 @@ The following scenarios can be individually chosen: >[!NOTE] ->Note sure if this accurate +>Todo: add desription on MZ Block @@ -199,13 +196,7 @@ Malware and other threats can attempt to obfuscate or hide their malicious code - AntiMalwareScanInterface - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script - OnAccess - - Potentially obfuscated scripts will be blocked when an attempt is made to run them - - ->[!NOTE] ->Note sure if this accurate - - + - Potentially obfuscated scripts will be blocked when an attempt is made to access them ## Review Attack Surface Reduction events in Windows Event Viewer
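Review bot: the @@ -143 hunk deletes the "Note sure if this accurate" flag on the child-process rule without anything in the diff showing the statement was verified, and the wording kept for "Block Office applications from creating executable content" ("create or launch executable files") overlaps with the preceding rule, which already covers Office apps launching child processes. Reword this rule to the behaviour its name describes, creating executable files, so the two rules are not described the same way.

Review bot: the @@ -161 hunk adds ">Todo: add desription on MZ Block" with a typo ("desription") and, like the other hunks, leaves an author TODO inside a reader-facing [!NOTE]; write the scenario description now or remove the callout.

Review bot: the @@ -199 hunk changes the OnAccess bullet from "run them" to "access them", which is vaguer, not more precise: state what kind of access triggers the block (for example opening or reading the script file, as opposed to executing it), since the AntiMalwareScanInterface scenario above already covers scripts at run time. Also, "AntiMalwareScanInterface" is not the product name; Microsoft calls it the Antimalware Scan Interface (AMSI), and the link text should match.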