From d635a4926568b944a3d8189827fc03acb9265f93 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Wed, 1 Nov 2017 14:11:34 -0700 Subject: [PATCH 1/6] add ASR troubleshoot topics --- windows/threat-protection/TOC.md | 1 + .../audit-windows-defender-exploit-guard.md | 3 +- ...lect-cab-files-exploit-guard-submission.md | 66 ++++++++++ .../troubleshoot-asr.md | 120 ++++++++++++++++++ 4 files changed, 188 insertions(+), 2 deletions(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md create mode 100644 windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index ce3a47ceb7..28bf69bbc5 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -229,6 +229,7 @@ #### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) #### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) #### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) +### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md) ### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) #### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md) #### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index c63d4747c8..f44be6d234 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
+++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -71,8 +71,7 @@ You can also use the a custom PowerShell script that enables the features in aud ## Related topics -Topic | Description ----|--- + - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) - [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md new file mode 100644 index 0000000000..2e32d63748 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md 
@@ -0,0 +1,66 @@ +--- +title: Submit cab files related to Windows Defender EG problems +description: Use the command-line tool to obtain .cab file that can be used to investigate ASR rule issues. +keywords: troubleshoot, error, fix, asr, windows defender eg, exploit guard, attack surface reduction +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 11/01/2017 +--- + +# Collect diagnostic data for Windows Defender Exploit Guard file submissions + +**Applies to:** + +- Windows 10, version 1709 + +**Audience** + +- IT administrators + +This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard. + +In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](#) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md). + +Before attempting this process, ensure you have read the [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) topic, met all required pre-requisites, and taken any other suggested troubleshooting steps. + + +1. On the endpoint where the rule is not functioning, obtain the .cab diagnostic file by following this process: + + 1. Open an administrator-level version of the command prompt: + + 1. Open the **Start** menu. + + 2. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**. + + 3. Enter administrator credentials or approve the prompt. + + 2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example: + + ```Dos + cd c:\program files\windows\defender + ``` + + 3. 
Enter the following command and press **Enter** + + ```Dos + mpcmdrun -getfiles + ``` + + 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. + +2. Attach this .cab file to the submission form where indicated. + + + + +## Related topics + +- [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md) + diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md new file mode 100644 index 0000000000..cd9a452a41 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md 
@@ -0,0 +1,120 @@ +--- +title: Troubleshoot problems with Attack surface reduction rules +description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues +keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 09/06/2017 +--- + +# Troubleshoot Attack surface reduction rules + +**Applies to:** + +- Windows 10, version 1709 + +**Audience** + +- IT administrators + +When you use [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: + +- A rule blocks a file, process, or performs some other action that it should not (false positive) +- A rule does not work as described, or does not block a file or process that it should (false negative) + + + +There are four steps to troubleshooting these problems: + +1. Confirm that you have met all pre-requisites +2. Use audit mode to test the rule +3. Add exclusions for the specified rule (for false positives) +3. Submit support logs + + + +## Confirm pre-requisites + +Windows Defender Exploit Guard will only work on devices with the following conditions: + +>[!div class="checklist"] +> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update). +> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +> - Audit mode is not enabled. 
Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-attack-surface-reduction-rules). + + +If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. + +## Use audit mode to test the rule + +There are two ways that you can test if the rule is working. + +You can use a pre-configured demo tool to confirm ASR is generally working on the device, or you can use audit mode, which enables the rule for reporting only. + +The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the ASR feature as a whole is operating correctly. + +If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). + +You should follow the instructions in the section [Use the demo tool to see how ASR works](evaluate-attack-surface-reduction.md#use-the-demo-tool-to-see-how-attack-surface-reduction-works) to test the specific rule you are encountering problems with. + +>[!TIP] +>While the instructions for using the demo tool are intended for evaluating or seeing how ASR works, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. + +Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run. + +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-attack-surface-reduction-rules). +2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). +3. 
[Review the ASR event logs](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. + + +>[!TIP] +>Audit mode will stop the rule from blocking the file or process. +> +>If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +> +>Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. + + +If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: + +1. If the ASR rule is blocking something that it should not block (also known as a false positive), you can [first add an ASR exclusion](#add-exclusions-for-a-false-positive). +2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immeidately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). + +## Add exclusions for a false positive + +You can add exclusions to ASR to prevent ASR rules from evaluating the excluded files or folders. + +This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us. + +To add an exclusion, see the [Customize Attack surface reduction](customize-attack-surface-reduction.md) topic. + +>[!IMPORTANT] +>You can specify individual files and folders to be excluded, but you cannot specify individual rules. 
+> +>This means any files or folders that are excluded will be excluded from all ASR rules. + + +If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us. + +## Collect diagnostic data + +> [!div class="nextstepaction"] +> [Collect and submit diagnostic data for ASR rules](collect-cab-files-exploit-guard-submission.md) + + + + + + +## Related topics + +- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Attack surface reduction](attack-surface-reduction-exploit-guard.md) From 46e6b279ae68f52e8b7ccd35be2e8092b1f9cdb8 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Wed, 1 Nov 2017 14:14:19 -0700 Subject: [PATCH 2/6] typo fixes --- .../audit-windows-defender-exploit-guard.md | 4 ++-- .../windows-defender-exploit-guard/troubleshoot-asr.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index f44be6d234..025616a35a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -28,7 +28,7 @@ ms.date: 08/25/2017 - Enterprise security administrators -You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. @@ -58,7 +58,7 @@ You can also use the a custom PowerShell script that enables the features in aud 2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. -3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audie mode: +3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode: ```PowerShell Set-ExecutionPolicy Bypass -Force \Enable-ExploitGuardAuditMode.ps1 diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index cd9a452a41..8845aed6d0 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md 
@@ -86,7 +86,7 @@ Audit mode allows the rule to report as if it actually blocked the file or proce If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: 1. If the ASR rule is blocking something that it should not block (also known as a false positive), you can [first add an ASR exclusion](#add-exclusions-for-a-false-positive). -2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immeidately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). +2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). ## Add exclusions for a false positive From 7225c56cd24169b2319ff60ec9e8e5ff0b4bcacb Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Wed, 1 Nov 2017 14:50:12 -0700 Subject: [PATCH 3/6] typo fixes --- .../collect-cab-files-exploit-guard-submission.md | 6 +++++- .../windows-defender-exploit-guard/troubleshoot-asr.md | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 2e32d63748..6bfc03a524 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md 
@@ -62,5 +62,9 @@ Before attempting this process, ensure you have read the [Troubleshoot Windows D ## Related topics -- [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md) +## Related topics + +- [Troubleshoot Attack surface reduction rules](#troubleshoot-asr.md) +- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Attack surface reduction](attack-surface-reduction-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 8845aed6d0..9786190612 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 09/06/2017 +ms.date: 11/01/2017 --- # Troubleshoot Attack surface reduction rules From fc2cad035932d05b1a0eb405e74ff107ddfddc31 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 2 Nov 2017 13:11:22 -0700 Subject: [PATCH 4/6] add NP troubleshooting, change add TOC, update ASR with info on file attachment. --- windows/threat-protection/TOC.md | 3 +- ...lect-cab-files-exploit-guard-submission.md | 13 +-- .../troubleshoot-asr.md | 12 +- .../troubleshoot-np.md | 104 ++++++++++++++++++ 4 files changed, 122 insertions(+), 10 deletions(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 28bf69bbc5..785b581814 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -229,10 +229,11 @@ #### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md) #### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md) #### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md) -### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md) +#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md) ### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md) #### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md) #### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md) +#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md) ### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md) #### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md) #### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 6bfc03a524..3a742ae53e 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md 
@@ -26,12 +26,15 @@ ms.date: 11/01/2017 This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard. -In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](#) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md). +In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](#) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md). -Before attempting this process, ensure you have read the [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) topic, met all required pre-requisites, and taken any other suggested troubleshooting steps. +Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics: +- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) +- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) -1. On the endpoint where the rule is not functioning, obtain the .cab diagnostic file by following this process: + +1. On the endpoint with the issue, obtain the Windows Defender .cab diagnostic file by following this process: 1. Open an administrator-level version of the command prompt: @@ -58,10 +61,6 @@ Before attempting this process, ensure you have read the [Troubleshoot Windows D 2. Attach this .cab file to the submission form where indicated. - - -## Related topics - ## Related topics - [Troubleshoot Attack surface reduction rules](#troubleshoot-asr.md) 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 9786190612..fa2e646efd 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -42,7 +42,7 @@ There are four steps to troubleshooting these problems: ## Confirm pre-requisites -Windows Defender Exploit Guard will only work on devices with the following conditions: +Attack surface reduction (ASR) will only work on devices with the following conditions: >[!div class="checklist"] > - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update). @@ -106,8 +106,16 @@ If you have followed all previous troubleshooting steps, and you still have a pr ## Collect diagnostic data +You can use the [Windows Defender Security Intelligence web-based submission form](#) to report a problem with ASR. + +When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). + +You must also attach associated files in a .zip file (such as the file or executable that is not being blocked, or being incorrectly blocked) along with a diagnostic .cab file to your submission. + +Follow the link below for instructions on how to collect the .cab file: + > [!div class="nextstepaction"] -> [Collect and submit diagnostic data for ASR rules](collect-cab-files-exploit-guard-submission.md) +> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md new file mode 100644 index 0000000000..10c6d0c060 --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md 
@@ -0,0 +1,104 @@ +--- +title: Troubleshoot problems with Network protection +description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues +keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: iaanw +ms.author: iawilt +ms.date: 11/02/2017 +--- + +# Troubleshoot Network protection + +**Applies to:** + +- Windows 10, version 1709 + +**Audience** + +- IT administrators + +When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as: + +- Network protection blocks a website that is safe (false positive) +- Network protection fails to block a suspicious or known malicious website (false negative) + + + +There are four steps to troubleshooting these problems: + +1. Confirm that you have met all pre-requisites +2. Use audit mode to test the rule +3. Add exclusions for the specified rule (for false positives) +3. Submit support logs + + + +## Confirm pre-requisites + +Windows Defender Exploit Guard will only work on devices with the following conditions: + +>[!div class="checklist"] +> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update). +> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. 
+> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-attack-surface-reduction-rules). + + +If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. + +## Use audit mode to test the rule + +There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode. + +You can enable Network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by Network protection. See the [evaluate Network protection](evaluate-network-protection.md) topic for instructions. + +If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). + +>[!TIP] +>While the instructions for using the demo website are intended for evaluating or seeing how Network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. + +You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets Network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. + +1. Enable audit mode for Network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). +2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). +3. 
[Review the Network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. + + +>[!IMPORTANT] +>Audit mode will stop the Network protection from blocking known malicious connections. +> +>If Network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. +> +>Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. + + +If you've tested the feature with the demo site and with audit mode, and Network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. + +## Report a false positive or false negative + +You can use the [Windows Defender Security Intelligence web-based submission form](#) to report a problem with Network protection. + +When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). + +You can also attach a diagnostic .cab file to your submission if you wish (this is not required). Follow the link below for instructions on how to collect the .cab file: + +> [!div class="nextstepaction"] +> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) + + + + + + +## Related topics + +- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Network protection](network-protection-exploit-guard.md) 
From a649d3e3b6133df2112ec84cf90bb08ffa9574a5 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Mon, 4 Dec 2017 17:56:02 -0800 Subject: [PATCH 5/6] Update with WDSI submission form URL and fix errant \ --- .../collect-cab-files-exploit-guard-submission.md | 8 ++++---- .../windows-defender-exploit-guard/troubleshoot-asr.md | 2 +- .../windows-defender-exploit-guard/troubleshoot-np.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 3a742ae53e..c1370393e5 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md 
@@ -26,7 +26,7 @@ ms.date: 11/01/2017 This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard. -In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](#) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md). +In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md). Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics: - [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) @@ -47,7 +47,7 @@ Before attempting this process, ensure you have met all required pre-requisites 2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example: ```Dos - cd c:\program files\windows\defender + cd c:\program files\windows defender ``` 3. Enter the following command and press **Enter** 
@@ -63,7 +63,7 @@ Before attempting this process, ensure you have met all required pre-requisites ## Related topics -- [Troubleshoot Attack surface reduction rules](#troubleshoot-asr.md) +- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) +- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) - [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Attack surface reduction](attack-surface-reduction-exploit-guard.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index fa2e646efd..a2c448b3b1 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -106,7 +106,7 @@ If you have followed all previous troubleshooting steps, and you still have a pr ## Collect diagnostic data -You can use the [Windows Defender Security Intelligence web-based submission form](#) to report a problem with ASR. +You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with ASR. When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 10c6d0c060..0d9362f88a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md 
@@ -84,7 +84,7 @@ If you've tested the feature with the demo site and with audit mode, and Network ## Report a false positive or false negative -You can use the [Windows Defender Security Intelligence web-based submission form](#) to report a problem with Network protection. +You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with Network protection. When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). From af9874bbe9bd9cae68b07b1194ac7a792bce568c Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Mon, 4 Dec 2017 18:37:22 -0800 Subject: [PATCH 6/6] fix broken anchors --- .../windows-defender-exploit-guard/troubleshoot-asr.md | 4 ++-- .../windows-defender-exploit-guard/troubleshoot-np.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index a2c448b3b1..cf7916a5c3 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md 
@@ -48,7 +48,7 @@ Attack surface reduction (ASR) will only work on devices with the following cond > - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-attack-surface-reduction-rules). +> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. 
@@ -70,7 +70,7 @@ You should follow the instructions in the section [Use the demo tool to see how Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run. -1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-attack-surface-reduction-rules). +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). 3. [Review the ASR event logs](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 0d9362f88a..2616bba67b 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md 
@@ -49,7 +49,7 @@ Windows Defender Exploit Guard will only work on devices with the following cond > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-attack-surface-reduction-rules). +> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. @@ -73,7 +73,7 @@ You can also use audit mode and then attempt to visit the site or IP (IPv4) addr >[!IMPORTANT] ->Audit mode will stop the Network protection from blocking known malicious connections. +>Audit mode will stop Network protection from blocking known malicious connections. > >If Network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. >
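Review bot: The WDSI submission link added in the `collect-cab-files-exploit-guard-submission.md` hunk at `@@ -26,7 +26,7 @@` hard-codes the `en-us` locale, so localized readers will land on the English form; since the identical URL is pasted into `troubleshoot-asr.md` and `troubleshoot-np.md` in this same patch, consider one locale-neutral form of the URL in all three places so a future change to the form address is a one-line edit rather than three.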
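Review bot: The corrected `cd c:\program files\windows defender` in the `collect-cab-files-exploit-guard-submission.md` hunk at `@@ -47,7 +47,7 @@` is the right default path, but it contains a space and the fence is tagged `Dos`; cmd.exe's `cd` accepts it unquoted, yet the same line fails in PowerShell (the extra words are treated as unexpected positional arguments), which is where many admins will paste it. Suggest quoting it, `cd "C:\Program Files\Windows Defender"`, which works in both shells and matches the capitalization used in the sentence above the fence.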
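Review bot: The Related topics hunk at `@@ -63,7 +63,7 @@` drops the `[Attack surface reduction](attack-surface-reduction-exploit-guard.md)` entry while adding the two troubleshooting topics, but the body of this topic still links both the ASR and Network protection overviews; if the intent is to list only troubleshooting topics plus the Exploit Guard landing page, fine, otherwise keep the ASR link and add the matching `[Network protection](network-protection-exploit-guard.md)` entry so the list covers both features the topic applies to.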
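Review bot: In the `troubleshoot-asr.md` hunk at `@@ -106,7 +106,7 @@`, the sentence asking the reader to "specify whether it is a false negative or false positive" would benefit from a one-line definition in ASR terms (false positive: the rule blocked a file or process it should have allowed; false negative: the rule allowed a file or process it should have blocked), since the audit-mode steps in the same file describe the false-negative case ("should be blocked but is being allowed") without ever naming it, and the submission form asks for that classification.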
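Review bot: The anchor fix in the `troubleshoot-asr.md` hunk at `@@ -48,7 +48,7 @@` is correct, but the prerequisite bullet it sits in is still contradictory: the bullet exists to ensure audit mode is off so the rule can actually block, yet it tells the reader to set the rule to **Disabled** (value: **0**), which turns the rule off altogether and guarantees nothing is blocked. The state that enforces a rule is **Enabled** (block mode, value **1**); suggest "Use Group Policy to set the rule to **Enabled** (value: **1**)" here, leaving **Audit mode** (value: **2**) to the audit-mode step in the `@@ -70` hunk below.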
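Review bot: The anchor `#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules` is rewritten in two hunks of `troubleshoot-asr.md` (`@@ -48` and `@@ -70,7 +70,7 @@`), which indicates the heading in `enable-attack-surface-reduction.md` changed after the first patch in this series; before merging, search the repo for the old anchor `#use-group-policy-to-enable-attack-surface-reduction-rules` so no other topic is left pointing at a heading that no longer exists, and consider a link-check build step so the next heading rename is caught automatically rather than in a follow-up commit like this one.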
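Review bot: The `troubleshoot-np.md` hunk at `@@ -49,7 +49,7 @@` now links the Network protection enable topic, but the bullet still reads "set the rule to **Disabled** (value: **0**)" and the following line still says "test the rule in audit mode", both carried over from the ASR topic: Network protection is a single feature with no per-rule setting, and setting it to Disabled leaves it unable to block anything, which is the opposite of what a "will only work" prerequisite should ask for. Suggest "Audit mode is not enabled. Use Group Policy to set Network protection to **Enabled** (block mode) as described in the [Enable Network protection topic](...)" and "proceed to the next step to test the feature in audit mode".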
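Review bot: The wording change in the `troubleshoot-np.md` hunk at `@@ -73,7 +73,7 @@` is fine; while touching this `[!IMPORTANT]` block, the line "first check if audit mode is enabled" should say where to check (the same Group Policy setting linked from the prerequisites bullet in the `@@ -49` hunk above), since the note currently names the likely cause without giving the reader a way to confirm it.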