diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 394c6a49ae..5dc4ec4a49 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -127,10 +127,10 @@ ### [Configure and manage capabilities](windows-defender-atp/onboard.md) #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md) -####Hardware-based isolation -##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) -##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md) -###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) +#####Hardware-based isolation +###### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) +###### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md) +####### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ##### Device control ###### [Control USB devices](device-control/control-usb-devices-using-intune.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index f1870b1c48..eaf851f409 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/16/2018 +ms.date: 03/26/2019 --- # Evaluate exploit protection @@ -20,26 +20,45 @@ ms.date: 11/16/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. +[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices. +It consists of a number of mitigations that can be applied to either the operating system or an individual app. +Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. - -This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md). +This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. +You can enable audit mode for any mitigation to see how it will work in a test environment. +This lets you see a record of what *would* have happened if you had enabled the mitigation in production. +You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact -You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations. +1. Go to the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) and download the [EP xml config file](https://demo.wd.microsoft.com/Content/ProcessMitigation.xml?). -This lets you see a record of what *would* have happened if you had enabled the mitigation. +1. Open an elevated PowerShell windows and run: -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. + ```powershell + Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml + Set-ProcessMitigation –help + ``` + +1. Tp verify the configuration, run: -See the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. + ```powershell + Get-ProcessMitigation + ``` + +2. Type **event viewer** in the Start menu and open **Event Viewer**. + +3. Click **Action** > **Import Custom View...** + + ![Animation highlighting Import custom view on the left of Event viewer](images/events-import.gif) + +4. Select the XML > **Open** > **OK**. + +You can see the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. -For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 7f7c825798..239170b7f1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -27,7 +27,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities @@ -35,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. +You can also manually navigate to the event area that corresponds to the feature. For more details, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic. ### Import an existing XML custom view @@ -45,9 +45,9 @@ You can also manually navigate to the event area that corresponds to the feature - Attack surface reduction events custom view: *asr-events.xml* - Network protection events custom view: *np-events.xml* -1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**. +1. Type **event viewer** in the Start menu and open **Event Viewer**. -3. On the left panel, under **Actions**, click **Import Custom View...** +3. Click **Action** > **Import Custom View...** ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif)