Updated evaluate-attack-surface-reduction.md

updated evaluate ASR
This commit is contained in:
Misha Kutsovsky 2017-08-22 01:53:05 +00:00
parent fcdf248c11
commit 91c20c2190


@ -90,7 +90,7 @@ You can right-click on the output window and click **Open Event Viewer** to see
>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. >You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
>[!NOTE] >[!NOTE]
>What does leave dirty do? Does delay work? >TODO: Need to remove dirty + delay from tool
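Review bot: The new text of the note is still an internal TODO ("TODO: Need to remove dirty + delay from tool") sitting inside a `>[!NOTE]` callout that renders for readers of the evaluation guide; either remove the `dirty` and `delay` options from the tool and describe the remaining options here, or drop the callout until that work is done. Tracking work items in a published docs page is the same problem the old wording had, only with the question replaced by a task.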
@ -125,13 +125,13 @@ Random | A scenario will be randomly chosen from this list | Microsoft Outlook o
Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
Mail Client Script Archive | Script archive files (such as .????) | Microsoft Outlook Mail Client Script Archive | Script archive files (such as .????) | Microsoft Outlook
WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as ??? (only outlook/hotmail? Or anything? Any browser or only Edge/IE?) WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
WebMail Script Archive | Script archive files (such as .????) | Web mail WebMail Script Archive | Script archive files (such as .????) | Web mail
>[!NOTE] >[!NOTE]
>What is a script archive file? >Todo: Add example script archive file
>[!NOTE] >[!NOTE]
>WebMail rules are currently being engineered and may not work as expected >WebMail rules are currently being engineered and may not work as expected
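Review bot: The `.????` placeholder is still present in both "Script archive files (such as .????)" rows after this change, and the replaced note ("Todo: Add example script archive file") just restates the gap; the row should name a real archive extension or the rows should be removed until one is known. Two smaller points in the same table: PowerShell scripts use the `.ps1` extension, not `.ps`, so "PowerShell .ps" in both Script rows should read "PowerShell .ps1"; and the new WebMail PE example text "such as gmail, outlook, hotmail" should use the product names (Gmail, Outlook.com, Hotmail) to match the rest of the document.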
@ -143,12 +143,9 @@ WebMail Script Archive | Script archive files (such as .????) | Web mail
Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
>[!NOTE]
>Note sure if this accurate
### Rule: Block Office applications from creating executable content ### Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware spreading and infection technique. This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique.
The following scenarios can be individually chosen: The following scenarios can be individually chosen:
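Review bot: This hunk removes the "Note sure if this accurate" callout under the child-process paragraph without changing the paragraph it questioned, so the doubt disappears from the record without the statement being confirmed; if the behaviour was verified, a short note in the commit message would help, otherwise keep the callout. The paragraph itself is also ambiguous: "This is a typical malware behavior" follows a sentence about blocking, so it reads as if the block is the malware behaviour. Suggest "Office apps spawning child processes is a typical malware behavior, especially in macro-based attacks ..." so the subject is clear.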
@ -161,7 +158,7 @@ The following scenarios can be individually chosen:
>[!NOTE] >[!NOTE]
>Note sure if this accurate >Todo: add desription on MZ Block
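Review bot: "desription" in the new note text is a typo for "description". As with the earlier hunk, this replaces an accuracy question with a TODO inside a rendered `>[!NOTE]`, and the "MZ Block" term it refers to is not explained anywhere in the visible text; fill in the description of what the rule blocks (executable content identified by its MZ header) or remove the callout before publishing.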
@ -199,13 +196,7 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
- AntiMalwareScanInterface - AntiMalwareScanInterface
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- OnAccess - OnAccess
- Potentially obfuscated scripts will be blocked when an attempt is made to run them - Potentially obfuscated scripts will be blocked when an attempt is made to access them
>[!NOTE]
>Note sure if this accurate
## Review Attack Surface Reduction events in Windows Event Viewer ## Review Attack Surface Reduction events in Windows Event Viewer
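Review bot: Changing "when an attempt is made to run them" to "when an attempt is made to access them" widens the claim for the OnAccess scenario, since access covers open and read as well as execution; confirm that the rule blocks on any access and not only on execution before keeping this wording, because the "Note sure if this accurate" callout that flagged this section is removed in the same hunk without any other justification. The AMSI bullet above is unchanged and fine, though the link destination contains unescaped parentheses (`dn889587(v=vs.85).aspx`); some markdown renderers need `%28`/`%29` there, so worth checking the rendered page.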