deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 11:23:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Added new beta rule

Browse Source
This commit is contained in:
Andrea Bichsel (Aquent LLC)
2018-07-30 18:50:27 +00:00
parent f1ef1b81ea
commit 9cd7e1c4da
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 06/29/2018 ms.date: 07/30/2018
--- ---
@ -103,6 +103,7 @@ Block credential stealing from the Windows local security authority subsystem (l
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
@ -214,12 +215,16 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
- Executable files (such as .exe, .dll, or .scr) - Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Block Office communication applications from creating child processes ### Rule: Block Office communication applications from creating child processes (available for beta testing)
Office communication apps will not be allowed to create child processes. This includes Outlook. Office communication apps will not be allowed to create child processes. This includes Outlook.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Adobe Reader from creating child processes (available for beta testing)
This rule blocks Adobe Reader from creating child processes.
## Review Attack surface reduction events in Windows Event Viewer ## Review Attack surface reduction events in Windows Event Viewer
You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):