Updated evaluate-attack-surface-reduction.md

updated evaluate ASR
This commit is contained in:
Misha Kutsovsky 2017-08-22 01:53:05 +00:00
parent fcdf248c11
commit 91c20c2190


@ -90,7 +90,7 @@ You can right-click on the output window and click **Open Event Viewer** to see
>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
>[!NOTE]
>What does leave dirty do? Does delay work?
>TODO: Need to remove dirty + delay from tool
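Review bot: the [!NOTE] callout at the end of this hunk still holds unresolved draft questions ("What does leave dirty do? Does delay work?") and an internal TODO ("Need to remove dirty + delay from tool"); the rendered view has dropped the +/- markers, so it is unclear whether these lines are being removed or kept, but open questions and tool TODOs do not belong in a published [!NOTE]. Either answer them in the text or strip the callout before merge.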
@ -125,13 +125,13 @@ Random | A scenario will be randomly chosen from this list | Microsoft Outlook o
Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
Mail Client Script Archive | Script archive files (such as .????) | Microsoft Outlook
WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as ??? (only outlook/hotmail? Or anything? Any browser or only Edge/IE?)
WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
WebMail Script Archive | Script archive files (such as .????) | Web mail
>[!NOTE]
>What is a script archive file?
>Todo: Add example script archive file
>[!NOTE]
>WebMail rules are currently being engineered and may not work as expected
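Review bot: the new WebMail PE row replaces the "???" placeholder with "gmail, outlook, hotmail", but other placeholders in the same hunk survive: "Script archive files (such as .????)" in both the Mail Client Script Archive and WebMail Script Archive rows, and the [!NOTE] still asking "What is a script archive file?". Also, "PowerShell .ps" in the Mail Client Script and WebMail Script rows should read ".ps1", which is the actual PowerShell script extension; suggest fixing both rows and either filling in the script archive example or marking that row as not yet documented.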
@ -143,12 +143,9 @@ WebMail Script Archive | Script archive files (such as .????) | Web mail
Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
>[!NOTE]
>Note sure if this accurate
### Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware spreading and infection technique.
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique.
The following scenarios can be individually chosen:
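Review bot: tightening "typical malware spreading and infection technique" to "typical malware technique" is fine, but the "Note sure if this accurate" callout under the child-process paragraph (also a typo, "Not sure") should not remain in the published page. If the three removed lines are that callout, good; otherwise the accuracy question about Office apps being blocked from creating child processes needs to be settled in the text rather than left as a note to self.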
@ -161,7 +158,7 @@ The following scenarios can be individually chosen:
>[!NOTE]
>Note sure if this accurate
>Todo: add desription on MZ Block
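Review bot: "desription" is misspelled ("description"), and both lines in this [!NOTE] are draft notes ("Note sure if this accurate", "Todo: add desription on MZ Block"). Either add the MZ Block description the TODO asks for or drop the callout so the scenario list does not ship with an unresolved accuracy question.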
@ -199,13 +196,7 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
- AntiMalwareScanInterface
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- OnAccess
- Potentially obfuscated scripts will be blocked when an attempt is made to run them
>[!NOTE]
>Note sure if this accurate
- Potentially obfuscated scripts will be blocked when an attempt is made to access them
## Review Attack Surface Reduction events in Windows Event Viewer
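Review bot: the OnAccess bullet changes "when an attempt is made to run them" to "when an attempt is made to access them", which now matches the scenario name, but the two scenarios read almost identically; suggest one sentence contrasting them, for example that the AntiMalwareScanInterface scenario evaluates the script via AMSI before it runs while OnAccess blocks at the point the file is accessed. The "Note sure if this accurate" callout between the two OnAccess bullets should also be resolved rather than published.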