mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-17 15:57:23 +00:00
Update attack-surface-reduction.md
This commit is contained in:
parent
3fa1f05776
commit
9ad86a5736
@ -44,7 +44,7 @@ For more information about configuring attack surface reduction rules, see [Enab
You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm).
:::image type="content" source="images/asrrecommendation.png" alt-text="Security recommendation for ASR rule":::
:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule":::
In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.
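Review bot: the new alt-text on the `:::image` line correctly spells out "attack surface reduction" in place of "ASR", but it also shortens "recommendation" to "reco", an abbreviation that screen readers will read literally; keep the full word, e.g. alt-text="Security recommendation for attack surface reduction rule".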
@ -54,7 +54,7 @@ Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduc
## Silent auditing
(**NEW**!) To add security value, a sample of attack surface reduction audit events are now collected on devices that do not have attack surface reduction rules enabled in either audit mode or block mode.
(**NEW**!) To add security value, a sample of attack surface reduction audit events is now collected on devices that do not have attack surface reduction rules enabled in either audit mode or block mode. The collected events are throttled to 100 events per device
By default, attack surface reduction rules are not enabled in audit mode. Silent auditing is a new capability that collects events for the following four attack surface reduction rules:
- [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)
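Review bot: the sentence appended to the silent auditing paragraph, "The collected events are throttled to 100 events per device", has no terminating period and names no time window for the throttle (per day, per month, or in total), so a reader cannot tell how much data to expect from a device; finish the sentence with the period and the window, e.g. "...throttled to 100 events per device per <period>." The subject-verb fix in the same line ("a sample ... is now collected") is correct.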
@ -69,7 +69,7 @@ The other attack surface reduction rules that are not configured will not have a
## Warn mode for users
(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. WHen a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes.
Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks.
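Review bot: the only change here is "WHen" to "When", which is right; while this line is being touched, the opening "Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode" reads awkwardly and would be clearer as "Before warn mode was introduced, an enabled attack surface reduction rule could be set only to audit mode or block mode." Not blocking.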
@ -136,7 +136,7 @@ You can review the Windows event log to view events generated by attack surface
5. Select **OK**.
This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
|Event ID | Description |
|---|---|
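Review bot: the rewritten sentence still states that the filtered events are "all of which are related to controlled folder access", while the hunk header context ("You can review the Windows event log to view events generated by attack surface ...") says this section covers events generated by attack surface reduction rules; please confirm which feature the event ID table below actually describes and correct the sentence, which currently reads as if copied from the controlled folder access article. Separately, "filters events to only show the following events" repeats "events"; "filters the log to show only the following events" is tighter.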
@ -212,7 +212,7 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
### Block all Office applications from creating child processes
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
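Review bot: "Office apps include Word, Excel, PowerPoint, OneNote, and Access" now reads as an exhaustive definition of which apps the rule covers, whereas the original "This includes" did not; if the rule also applies to other Office apps, write "include, for example, Word, Excel, ..." so the list is not taken as complete. In the unchanged paragraph that follows, "Malware that abuse Office as a vector often run VBA macros" has a subject-verb disagreement and should read "Malware that abuses Office as a vector often runs VBA macros".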