deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 15:23:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 11750: additional updates for rs5 (from pr 11748)

Browse Source
This commit is contained in:
Jeanie Decker
2018-10-02 15:38:14 +00:00
parent f01fb6dac8
commit 951a08abdd
52 changed files with 327 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,20 +11,18 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 10/02/2018
---
# Reduce attack surfaces with attack surface reduction rules
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
@ -170,13 +168,13 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block only Office communication applications from creating child processes (available for beta testing)
### Rule: Block only Office communication applications from creating child processes
Office communication apps will not be allowed to create child processes. This includes Outlook.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Adobe Reader from creating child processes (available for beta testing)
### Rule: Block Adobe Reader from creating child processes
This rule blocks Adobe Reader from creating child processes.

4
windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 10/02/2018
---
# Protect important folders with controlled folder access
@ -20,7 +20,7 @@ ms.date: 08/08/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.

6
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 10/02/2018
---
# Customize attack surface reduction rules
@ -20,7 +20,7 @@ ms.date: 08/08/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
@ -96,7 +96,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusio
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics

24
windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 10/02/2018
---
# Customize controlled folder access
@ -20,9 +20,9 @@ ms.date: 08/08/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
This topic describes how to customize the following settings of the controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
- [Add additional folders to be protected](#protect-additional-folders)
- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
@ -43,11 +43,11 @@ Adding other folders to controlled folder access can be useful, for example, if
You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
You can use the Windows Security app or Group Policy to add and remove additional protected folders.
### Use the Windows Defender Security Center app to protect additional folders
### Use the Windows Security app to protect additional folders
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**:
@ -76,7 +76,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"
```
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
@ -92,16 +92,16 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
>[!IMPORTANT]
>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets.
>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
>You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders.
When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
### Use the Windows Defender Security app to allow specific apps
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
@ -135,7 +135,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
```PowerShell
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
```
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
@ -148,7 +148,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications]
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)

22
windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
View File

@ -1,7 +1,7 @@
---
title: Enable or disable specific mitigations used by Exploit protection
keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations.
description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -22,11 +22,11 @@ ms.date: 08/08/2018
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
>[!WARNING]
>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
@ -102,9 +102,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
>CFG will be enabled for *miles.exe*.
### Configure system-level mitigations with the Windows Defender Security Center app
### Configure system-level mitigations with the Windows Security app
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
@ -126,9 +126,9 @@ You can now [export these settings as an XML file](import-export-exploit-protect
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
### Configure app-specific mitigations with the Windows Defender Security Center app
### Configure app-specific mitigations with the Windows Security app
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings** at the bottom of the screen.
@ -153,9 +153,9 @@ Exporting the configuration as an XML file allows you to copy the configuration
## PowerShell reference
You can use the Windows Defender Security Center app to configure Exploit protection, or you can use PowerShell cmdlets.
You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets.
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
>[!IMPORTANT]
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
@ -173,7 +173,7 @@ Get-ProcessMitigation -Name processName.exe
>
>For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
>
>The default setting for each system-level mitigation can be seen in the Windows Defender Security Center, as described in the [Configure system-level mitigations with the Windows Defender Security Center app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
>The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
Use `Set` to configure each mitigation in the following format:
@ -267,7 +267,7 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics

6
windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
View File

@ -46,15 +46,15 @@ For more information about the individual features and mitigations available in
&nbsp; | Windows Defender Exploit Guard | EMET
-|:-:|:-:
Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)] <br />All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Windows 8.1; Windows 8; Windows 7<br />Cannot be installed on Windows 10, version 1709 and later
Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md) <br />(no additional installation required)<br />Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device
User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training
Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md) <br />(no additional installation required)<br />Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device
User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training
Supportability | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)<sup id="ref1">[[1](#fn1)]</sup><br />[Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]<br />Ends after July 31, 2018
Updates | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]<br />No planned updates or development
Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)] <br />All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))<br />[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited set of mitigations
Attack surface reduction<sup id="ref2-1">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)<br />[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited ruleset configuration only for modules (no processes)
Network protection<sup id="ref2-2">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available
Controlled folder access<sup id="ref2-3">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps protect important folders](controlled-folders-exploit-guard.md)<br/>[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available
Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Requires installation and use of EMET tool
Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Requires installation and use of EMET tool
Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Available
Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Requires use of EMET tool (EMET_CONF)
System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 10/02/2018
---
# Enable attack surface reduction rules
@ -20,7 +20,7 @@ ms.date: 08/08/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
## Enable and audit attack surface reduction rules

15
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
View File

@ -11,28 +11,27 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 10/02/2018
---
# Enable controlled folder access
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
## Enable and audit controlled folder access
You can enable controlled folder access with the Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
>[!NOTE]
>The Controlled folder access feature will display the state in the Windows Defender Security Center app under **Virus & threat protection settings**.
>If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device.
>If the feature is set to **Audit mode** with any of those tools, the Windows Defender Security Center app will show the state as **Off**.
>The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**.
>If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
>See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works.
><p>
>Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
@ -42,7 +41,7 @@ You can enable controlled folder access with the Security Center app, Group Poli
### Use the Windows Defender Security app to enable controlled folder access
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.

4
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 10/02/2018
---
# Evaluate attack surface reduction rules
@ -20,7 +20,7 @@ ms.date: 08/08/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.

4
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/08/2018
ms.date: 10/02/2018
---
# Evaluate controlled folder access
@ -20,7 +20,7 @@ ms.date: 08/08/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps.
[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.

2
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -37,7 +37,7 @@ This topic helps you evaluate exploit protection. For more information about wha
For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app:
First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app:
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**

2
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -49,7 +49,7 @@ You can also carry out the processes described in this topic in audit or disable
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png)
![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png)
## Review network protection events in Windows Event Viewer

2
windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
View File

@ -27,7 +27,7 @@ Reviewing the events is also handy when you are evaluating the features, as you
This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
You can also get detailed reporting into events and blocks as part of Windows Defender Security Center, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
You can also get detailed reporting into events and blocks as part of Windows Security, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
## Use custom views to review attack surface reduction capabilities

8
windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -29,7 +29,7 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md
Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
You [configure these settings using the Windows Security app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
@ -117,15 +117,15 @@ For more information about the individual features and mitigations available in
&nbsp; | Windows Defender Exploit Guard | EMET
-|:-:|:-:
Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)] <br />All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Windows 8.1; Windows 8; Windows 7<br />Cannot be installed on Windows 10, version 1709 and later
Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md) <br />(no additional installation required)<br />Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device
User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training
Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md) <br />(no additional installation required)<br />Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device
User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training
Supportability | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)<sup id="ref1">[[1](#fn1)]</sup><br />[Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]<br />Ends after July 31, 2018
Updates | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]<br />No planned updates or development
Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)] <br />All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))<br />[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited set of mitigations
Attack surface reduction<sup id="ref2-1">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)<br />[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited ruleset configuration only for modules (no processes)
Network protection<sup id="ref2-2">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available
Controlled folder access<sup id="ref2-3">[[2](#fn2)]</sup> | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Helps protect important folders](controlled-folders-exploit-guard.md)<br/>[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available
Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Requires installation and use of EMET tool
Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Requires installation and use of EMET tool
Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Available
Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]<br />Requires use of EMET tool (EMET_CONF)
System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]<br />Not available

14
windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
View File

@ -26,13 +26,13 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in exploit protection.
You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML.
This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Defender Security Center app, as described further in this topic.
The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
## Create and export a configuration file
@ -40,15 +40,15 @@ Before you export a configuration file, you need to ensure you have the correct
You should first configure exploit protection on a single, dedicated machine. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations.
When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell.
When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell.
### Use the Windows Defender Security Center app to export a configuration file
### Use the Windows Security app to export a configuration file
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
![Highlight of the Exploit protection settings option in the Windows Defender Security Center app](images/wdsc-exp-prot.png)
![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png)
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
@ -75,7 +75,7 @@ Change `filename` to any name or location of your choosing.
You can import an exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file.
After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app.
After importing, the settings will be instantly applied and can be reviewed in the Windows Security app.
### Use PowerShell to import a configuration file

2
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
View File

@ -22,7 +22,7 @@ ms.date: 08/09/2018
When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
You can manually remove unwanted mitigations in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
1. Remove all process mitigations with this PowerShell script:

4
windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
View File

@ -43,9 +43,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work.
Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies.
Windows Defender EG can be managed and reported on in the Windows Security app as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies.
You can use the Windows Defender Security Center to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
## Requirements