add eval guide bits - cfa near ready

windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md

@@ -169,6 +169,23 @@ You can specify if certain apps should always be considered safe and given write
 
 ## Review event logs for controlled folder access
 
-How do you see these event logs? Are they under specific codes/areas?
+Component | Configuration available with | Event ID | Corresponds to…
+-|-|-|-
+Controlled Folder access | GP, MDM & UI | Provider: Windows Defender |
+| | |  Event when settings are changed | <Evt-ID: 5007>
+| | |  Event when CFA fires in Audit-mode | <Evt-ID: 1124>
+| | |  Event when CFA fires in Block-mode | <Evt-ID: 1123>
 
-Also - is there any SCCM, Intune, or MDM functionality here? Can't see anything in the SCCM console.
+
+## MDM policy settings for Controlled Folder Access 
+
+./Vendor/MSFT/Policy/Config/Defender/EnableGuardMyFolders
+
+## Audit/block modes
+
+Controlled folder access has mitigations that can be individually enabled in audit or blocking mode. 
+
+Component  |Description |Rule/mitigation description |
+-|-|-|-
+Controlled folder access |Automatically blocks access to content to protected folders. - This can be enabled in audit/block mode |Protected folders |Folders that are shielded by this component.
+| | | Allowed apps |Apps that are allowed to write into protected folders

windows/threat-protection/windows-defender-exploit-guard/evaluate-asr.md

@@ -0,0 +1,165 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+msft.author: iawilt
+---
+
+# Attack surface reduction
+
+## Attack surface reduction rules 
+
+Component | Configuration available with | Event ID | Corresponds to…
+-|-|-|-
+Attack Surface Reduction (ASR) | GP & MDM | Provider: Windows Defender |
+| | | Event when settings are changed | <Evt-ID: 5007>
+| | | Event when rule fires in Audit-mode | <Evt-ID: 1122>
+| | | Event when rule fires in Block-mode | <Evt-ID: 1121>
+
+
+### Audit/block modes
+
+Each of these components can individually be enabled in audit or blocking mode. 
+
+Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode. 
+
+Component  |Description |Rule/mitigation description |
+-|-|-|-
+Attack surface reduction (ASR) | Provides rules that allow you to prevent macro, script and email threats. - Each rule can be enabled in audit/block mode - Supports file/folder exclusions applied to all rules |Rules to prevent macro threats |Block office application from creating executable content
+| | | | Block obfuscated js/vbs/ps/macro code
+| | | | Block office application from launching child processes
+| | | | Block office application from injecting into other processes
+| | | | Block Win32 imports from macro code in Office
+| | | Rules to prevent script threats |Block js/vbs from executing payload downloaded from Internet
+| | | | Block obfuscated js/vbs/ps/macro code
+| | | Rules to prevent email threats |Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client).
+
+
+## Policy settings for Windows Defender EG
+
+The MDM policy settings for Windows Defender EG are listed in this section, along with example settings. 
+
+
+### Attack Surface Reduction 
+
+- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+- ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules  
+-- Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1 
+  
+
+#### Rule-GUIDs for ASR
+
+Rule description | GUIDs 
+-|-
+Office rules | 
+Block office application from injecting into other processes | {75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84}
+ | OMA URI : “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules”
+ | Value as String Data Type : {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:1 
+ | 1 = Block, 2 = Audit, 0 = Disabled.
+Block office application/macros from creating executable content  | {3b576869-a4ec-4529-8536-b80a7769e899}
+ | Replace the above GUID with the corresponding Rule GUID
+Block office application from launching child processes | {d4f940ab-401b-4efc-aadc-ad5f3c50688a}
+ | Replace the above GUID with the corresponding Rule GUID
+Block Win32 imports from Macro code in Office | {92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B}
+  | Replace the above GUID with the corresponding Rule GUID
+Block obfuscated js/vbs/ps/macro code  | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
+ | Replace the above GUID with the corresponding Rule GUID
+Script rules | 
+Block obfuscated js/vbs/ps/macro code  | {5beb7efe-fd9a-4556-801d-275e5ffc04cc}
+ | Replace the above GUID with the corresponding Rule GUID [Note: same rule as above, but also covers scripts hence written here]
+Block js/vbs from executing payload downloaded from Internet. | {d3e037e1-3eb8-44c8-a917-57927947596d}
+ | Replace the above GUID with the corresponding Rule GUID
+Email rule | 
+Block execution of executable content (exe, dll, ps, js, vbs, etc) dropped from email (webmail/mail-client). | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
+ | Replace the above GUID with the corresponding Rule GUID [Currently working for Mail-client (Outlook). Personal Webmail (Outlook.com, Gmail, Yahoo) work in progress]
+
+
+
+ ## Evaluate
+
+### Using the standalone configuration tool 
+
+We’ve provided an easy-to-use configuration tool for testing purposes, called TestHIPS. The tool can be used to:
+
+1. Enable the chosen ASR rule in either block or audit mode by creating a local GPO and running a test file that triggers the rule.
+
+2. Enable the chosen ASR rule in either block or audit mode by creating a local GPO. 
+
+The result of the activity can be viewed in the event log and corresponding notification (if the rule was triggered in block mode). 
+
+You can find the tool in the evaluation package alongside this guide:
+- ExploitGuardCustomerFiles/AntiMalware.Tools.TestHIPS.exe
+- 
+Note: You may need to change the extension in the filename from **AntiMalware.Tools.TestHIPS.rename** to **AntiMalware.Tools.TestHIPS.exe**.
+
+For additional help with the tool, use the “-?” parameter.
+ 
+
+### Using the DemoExploitGuard tool to simulate WD-EG Rules with a GUI
+
+You can use an additional tool, called DemoExploitGuard, to test various rules by simulating scenarios that would cause the rule to issue a block or audit event, depending on the mode. DemoExploitGuard uses the TestHIPS tool to enable and configure the rules.
+
+You can find the tool in the evaluation package alongside this guide:
+- ExploitGuardCustomerFiles\AntiMalware.Tools.DemoExploitGuard.exe
+
+Note: You may need to change the extension in the filename from **AntiMalware.Tools.DemoExploitGuard.rename** to **AntiMalware.Tools.DemoExploitGuard.exe**
+**Rules**: Select one of the seven attack surface reduction rules to run.
+**Mode**: Sets the behavior of the Demo Tool. 
+Note: If the rule is applied by GP, this should not be an option
+- **Disabled**: This scenario will execute normally and complete
+- **Block**: This scenario should get blocked [ExploitGuard Block] and a notification will appear to indicate the block
+- **Audit**: This scenario will not block, but will show up in the event log. Right-click the output area to go directly to the event logs for Windows Defender EG
+  
+
+### Manually enabling the attack surface reduction rules
+
+You can also manually use GP or MDM-URIs to enable the ASR rules:
+
+From the rules tables above, choose the ASR rules that you want to enable and set the following policy. For each rule select the right GUID.
+
+After you’ve chosen your rules, use one of the tools above to simulate a rule to fire.
+- “./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules”
+- Value as String Data Type: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}:2
+ 
+
+### View event logs
+
+Note: event logs are not the primary mechanism for investigation. The Windows Defender ATP portal receives much richer information that allows for investigation. Information is also presented in an interactive machine-timeline view.
+
+
+#### Event fields
+- **ID**: matches with the Rule-ID that triggered the block/audit.
+- **Detection time**: Time of detection
+- **Process Name**: The process that performed the “operation” that was blocked/audited
+- **Description**: 
+
+Windows Defender Antivirus has audited an operation that is not allowed by your IT administrator.
+
+For more information please contact your IT administrator.
+-- ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+-- Detection time: 2017-06-21T11:52:29.062Z
+-- User: SYSTEM
+-- Path: C:\Windows\System32\notepad.exe
+-- Process Name: C:\Program Files\Microsoft Office\Office16\winword.exe
+-- Signature Version: 1.245.730.0
+-- Engine Version: 1.1.13902.0
+-- Product Version: 4.12.16228.1000
+
+
+### View the alert notification
+
+If you configure the test to block, a notification will be displayed from the Action Center.  This notification is customizable with your organization and contact information.
+ 
+
+### Customizing Windows Defender
+
+Customizing the Windows Defender Security Center is a simple task that provides users with a clear way to contact support.
+Simply navigate in Group Policy to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Security Center\Enterprise Customization**. From there, you will be able to enable your custom notification, set your organization name and contact information.

windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md

@@ -0,0 +1,95 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+msft.author: iawilt
+---
+
+
+# Evaluate Controlled Folder Access
+
+
+Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). 
+
+This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
+
+
+## Use the File Creator tool to demo Controlled Folder Access
+
+Use the File Creator tool to test controlled folder access. The tool is part of the Windows Defender Exploit Guard evaluation package:
+- [Download the Exploit Guard Evaluation Package](#)
+
+This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from making changes to files in any of your protected folders.
+
+You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
+
+
+
+1. Open the Exploit Guard Evaluation Package and copy the file *Filecreator* to a location on your PC that is easy to access (such as your desktop).
+
+    >[!TIP]
+    >You may need to change the extension in the filename from *Filecreator.rename* to *Filecreator.exe*
+
+2. Open the **Local Group Policy Editor** by typing **Edit group policy** in the Start menu. 
+
+3.  Under **Local Computer Policy**, expand **Computer configuration** > **Administrative templates** > **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled Folder Access**.
+
+4. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the **Options** section select **Enable**.
+
+>[!IMPORTANT]
+>To fully enable the controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+
+![](images/cfa-gp-enable.png)
+ 
+4. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. 
+
+5. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
+
+![](images/cfa-filecreator.png)
+
+7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
+
+![](images/cfa-notif.png)
+
+8. You can also review the Windows Event log to see the events there were created:
+    1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+    2. On the left panel, under **Actions**, click **Import custom view...**
+    3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*.
+    4. Click **OK**.
+    5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
+
+    Event ID | Description
+    -|-
+    Event when settings are changed | 5007
+    Audited Controlled Folder Access event | 1124
+    Blocked Controlled Folder Access event | 1123
+
+## Use auditing mode to measure impact
+
+As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in auditing mode. This lets you see a record of what *would* have happened if you had enabled the setting.
+
+You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+
+To enable audit mode, see the GP option to **Audit Mode**.
+
+![](images/cfa-audit-gp.png)
+
+>[!TIP]
+>You will need to use a GP management tool, such as the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), to deploy this policy change to see how Controlled Folder Access would work in your network.
+
+## Customize protected folders and apps
+
+During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. 
+
+See the following sections in the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with the Windows Defender Security Center, Group Policy, or mobile device management (MDM) policies:
+
+- [Protect additional folders](controlled-folders-exploit-guard.md#protect-additional-folders)
+- [Allow specifc apps to make changes to controlled folders](controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders)

windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md

@@ -0,0 +1,196 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+msft.author: iawilt
+---
+
+
+
+## Exploit protection
+
+
+
+Component | Configuration available with | Event ID | Corresponds to…
+-|-|-|-
+Exploit Protection | GP, MDM, PS & UI | Provider: Security-Mitigations |
+| | | 1 | ACG audit
+| | | 2 | ACG enforce
+| | | 3 | Do not allow child processes audit
+| | | 4 | Do not allow child processes block
+| | | 5 | Block low integrity images audit
+| | | 6 | Block low integrity images block
+| | | 7 | Block remote images audit
+| | | 8 | Block remote images block
+| | | 9 | Disable win32k system calls audit
+| | | 10 | Disable win32k system calls block
+| | | 11 | Code integrity guard audit
+| | | 12 | Code integrity guard block
+| | | 13 | EAF audit
+| | | 14 | EAF enforce
+| | | 15 | EAF+ audit
+| | | 16 | EAF+ enforce
+| | | 17 | IAF audit
+| | | 18 | IAF enforce
+| | | 19 | ROP StackPivot audit
+| | | 20 | ROP StackPivot enforce
+| | | 21 | ROP CallerCheck audit
+| | | 22 | ROP CallerCheck enforce
+| | | 23 | ROP SimExec audit
+| | | 24 | ROP SimExec enforce
+Exploit Protection | GP, MDM, PS & UI |Provider: WER-Diagnostics | 
+| | | 5 | CFG Block
+Exploit Protection | GP, MDM, PS & UI | Provider: Win32K |
+| | | 260 | Untrusted Font
+
+
+
+### Audit/block modes
+Each of these components can individually be enabled in audit or blocking mode. 
+
+Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode. 
+
+
+
+Component  |Description |Rule/mitigation description |
+-|-|-|-
+Exploit protection |Provides memory, control flow and policy restrictions that can be used to protect an application from exploits. - Each mitigation can be enabled in audit/block mode |Memory exploit mitigation | DEP
+| | | | ForceASLR
+| | | | BottomUpASLR
+| | | | HeapTermination
+| | | | SEHOP
+| | | | CFG
+| | | | Strict handle checks
+| | | | ACG
+| | | | Untrusted font blocking
+| | | | No child process
+| | | | Win32k syscall disable
+| | | | Extension point disable
+| | | | Various image loading restrictions
+| | | | Anti-ROP (CallerCheck, SimExec, StackPivot) 
+| | | | EAF, EAF+
+| | | Control Flow mitigation |
+| | | Process restrictions |
+
+
+
+## Policy settings for Windows Defender EG
+The MDM policy settings for Windows Defender EG are listed in this section, along with example settings. 
+### Exploit protection
+Exploit protection has an improved manageability experience over EMET, including support for SCCM, Intune, Powershell, and Group Policy management.
+>
+> Note: SCCM and Intune will be supported in furture releases.
+You can specify a common set of WD Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured.
+Note, however, that there are some prerequisites before you can enable this setting:
+- Manually configure a device's system and application mitigation settings using the *Set-ProcessMitigation* PowerShell cmdlet, the *ConvertTo-ProcessMitigationPolicy* PowerShell cmdlet, or directly in the Windows Defender Security Center
+>
+> Note: Endpoints that have this GP setting set to **Enabled** must be able to access the XML file, otherwise the settings will not be applied.
+- Generate an XML file with the settings from the device by running the *Get-ProcessMitigation* PowerShell cmdlet or using the **Export** button at the bottom of the **Exploit Protection** area in the Windows Defender Security Center.
+- Place the generated XML file in a shared or local path. 
+
+#### Group policy
+
+The exploit protection feature can be configured with the following Group Policy details: 
+- Location:  \Microsoft\Windows Defender Exploit Guard\Exploit Protection
+- Name:  Use a common set of exploit protection settings
+- Values: **Enabled**: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
+-- C:\MitigationSettings\Config.XML
+--  \\Server\Share\Config.xml
+--  https://localhost:8080/Config.xml
+
+The settings in the XML file will be applied to the endpoint. 
+
+**Disabled:** Common settings will not be applied, and the locally configured settings will be used instead.
+
+**Not configured:** Same as **Disabled**.
+
+#### PowerShell
+
+You can also use powershell to set these mitigation policies and to convert EMET policies to Windows Defender EG, as demonstrated in the following examples: 
+
+Get the current settings in the registry for processName.exe
+```
+Get-ProcessMitigation -Name processName.exe 
+```
+
+Exports the current settings to the filename.xml
+```
+Get-ProcessMitigation -RegistryConfigFilePath filename.xml 
+```
+
+Imports the settings in filename.xml to the system.
+```
+Set-ProcessMitigation -PolicyFilePath filename.xml 
+```
+
+Enables a list of mitigations
+```
+Set-ProcessMitigation -Name processName.exe -Enable SEHOP,DEP 
+```
+
+Disables a list of mitigations
+```
+Set-ProcessMitigation -Name processName.exe -Disable SEHOP,DEP 
+```
+
+Sets the EAFModules for dllName1.dll & dllName2.dll for processName.exe
+```
+Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll 
+```
+
+Converts an emet file named, emetFile.xml, to the new windows 10 format called, filename.xml
+```
+ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml 
+```
+
+
+### Make sure things are working
+
+1. Apply a mitigation setting:
+a. Launch PowerShell as an admin and run **Set—ProcessMitigation –Name iexplore.exe –Enable DisallowChildProcessCreation** 
+2. Validate that the setting is correctly applied: 
+a. Open Windows Defender Security Center -> App & browser control
+b. Scroll to the bottom and under **Exploit protection**, click **Exploit protection settings** and navigate to the **Program settings** pivot
+c. Scroll down to **iexplore.exe**, click on it and click **Edit**
+d. Find the **Do not allow child processes** setting and make sure that **Override System settings** and **On** are set
+3. Validate that Internet Explorer won’t run:
+a. Try launching iexplore.exe via the run dialog
+b. An IE frame should appear and then close
+4. Validate that event viewer reports that the mitigation fired: 
+a. Open Event Viewer
+b. Navigate to Applications and Services Log -> Microsoft -> Windows -> Security-Mitigations -> Kernel Mode
+c. Check for the following entry for Internet Explorer (event ID 4)
+
+Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. 
+
+5. Undo the mitigation setting:
+a. Open Windows Defender Security Center -> App & browser control
+b. Scroll to the bottom and under **Exploit protection**, click on **Exploit protection settings** and navigate to the **Program settings** pivot
+c. Scroll down to **iexplore.exe**, click on it and click **Edit**
+d. Find the **Do not allow child processes **setting and toggle the **On** to **Off**
+e. Click **Apply**
+6. Validate that Internet Explorer runs:
+a. Try launching iexplore.exe via the run dialog
+b. IE should open as expected
+
+
+### Converting and Applying an EMET config:
+1. Export the existing EMET configuration. This can be done from the "Export" button in the GUI, or by running the command: **emet_conf.exe –export emetConfig.xml** 
+2. In an elevated PowerShell window, convert the exported configuration with: **ConvertTo-ProcessMitigationPolicy -EMETFilePath emetConfig.xml -OutputFilePath win10Config.xml** 
+3. Note that this may give you some warnings, but these should be safe to ignore. 
+4. Apply the new configuration: from an elevated PowerShell window run **Set-ProcessMitigation -RegistryConfigFilePath win10Config.xml **
+5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively. 
+
+
+### Managing exploit protection through Group Policy
+1. Launch Group Policy Management Console (gpmc.msc) and from within and existing or new GPO navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection** and open the policy named *Use a common set of exploit protection settings*.
+2. Enable the setting as seen below and point to an accessible location for the client machines to the recently created XML.
+3. Apply the new GP to targeted machines by direction OU membership, Security Group or WMI filter.

windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md

@@ -0,0 +1,128 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+msft.author: iawilt
+---
+
+
+## Policy settings for Windows Defender EG
+The MDM policy settings for Windows Defender EG are listed in this section, along with example settings. 
+### Network Filter
+
+In Windows 10, Version 1709, you can enable Windows Defender EG network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+
+You can enable network protection in either block or audit mode (non-blocking, ATP events only) with Group Policy, WMI/PowerShell, or MDM settings with CSP.
+
+
+#### Group Policy
+
+The network filter feature can be configured with the following Group Policy details: 
+- Location:  \Microsoft\Windows Defender Exploit Guard
+- Name:  Prevent users and apps from accessing dangerous websites
+- Values: **Enabled**: Specify the mode in the **Options** section:
+    **Block**: Users and applications will not be able to access dangerous domains
+    **Audit**: Users and applications can connect to dangerous domains, however if this feature would have blocked access if it were set to block, then a record of the event will be in the event logs 
+
+The settings in the XML file will be applied to the endpoint
+
+**Disabled**: Users and applications will not be blocked from connecting to dangerous domains.
+
+**Not configured**: Same as **Disabled**.
+
+To enable network protection in block mode, select the **Enabled** value and specify **Enabled** in the drop-down sub-option menu.
+
+
+#### Windows Management Instrumentation/PowerShell
+
+Use the following cmdlet to configure network protection:
+```
+Set-MpPreference -EnableNetworkProtection [Disabled|Enabled|AuditMode]
+```
+
+To enable network protection in Block mode, use: 
+```
+Set-MpPreference -EnableNetworkProtection Enabled
+```
+
+
+#### Mobile device management/Configuration service provider
+
+Use this CSP to configure network protection:
+- Policy area: Defender
+- Name: Defender\EnableNetworkProtection
+- Supported Values:
+-- 0: Disabled
+-- 1: Enabled (Block Mode)
+-- 2: Audit Mode
+
+To enable network protection in block mode, set **Defender\EnableNetworkProtection** to integer 1.
+
+
+
+## Network Protection
+
+
+
+Component | Configuration available with | Event ID | Corresponds to…
+-|-|-|-
+Network Filter | GP, MDM | Provider: Windows Defender |
+| | |  Event when settings are changed | <Evt-ID: 5007>
+| | |  Event when NW filter fires in Audit-mode | <Evt-ID: 1125>
+| | |  Event when NW filter fires in Block-mode | <Evt-ID: 1126>
+
+
+
+### Audit/block modes
+Each of these components can individually be enabled in audit or blocking mode. 
+
+Attack surface reduction and controlled folder access also have mitigations that can be individually enabled in audit or blocking mode. 
+
+
+
+Component  |Description |Rule/mitigation description |
+-|-|-|-
+Network Filter |Blocks outbound connection from any app to low rep IP/domain - This can be enabled in audit/block mode |Enable/disable/audit |Puts the feature in enable/disable or audit mode.
+
+### Visit a malicious domain in block mode using Internet Explorer or Google Chrome
+1. Enable network protection in block mode.
+1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
+1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
+
+You will get a 403 Forbidden response in the browser, and you will see an Action Center message saying that Windows Defender EG blocked a connection to a malicious site.
+ 
+### Visit a malicious domain in audit mode using Internet Explorer or Google Chrome
+1. Enable network protection in audit mode.
+1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
+1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
+You will be able to navigate successfully to the site. However, you can see an audit event in Windows Defender ATP or in the Windows Event Log (under Windows Defender > Operational).
+
+
+### Visit a malicious domain in Microsoft Edge
+1. Enable network protection in bmode.
+1. Ensure that SmartScreen is enabled. (Start -> Windows Defender Security Center -> App & browser -> SmartScreen in Microsoft Edge -> Block or Warn)
+1. Open Microsoft Edge.
+1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net)
+You will see a SmartScreen malware/phishing warning. This is the 1st class experience for Microsoft Edge.
+
+
+## Enabling Windows Defender EG rules in audit mode
+Use the script Enable-ExploitGuardAuditMode.ps1 to turn on the ASR rules and Controlled Folder Access into audit mode via Local GP on a device. This allows one to observe how the rules would perform across various machines in your system, and determine which can be turned on in Block mode and if any exclusions need to be applied. 
+**Note:** Rename Enable-ExploitGuardAuditMode.rename to Enable-ExploitGuardAuditMode.ps1
+Run the following in an elevated powershell prompt:
+- Set-ExecutionPolicy Bypass -Force
+- .\Enable-ExploitGuardAuditMode.ps1
+Successful output should indicate ASR and Controlled Folder Access were turned on in audit mode 
+
+
+## Monitoring with Windows Defender Advanced Threat Protection
+Windows Defender EG events can be found in event logs, or if the enterprise uses Windows Defender ATP, the Windows Defender Security Center
+ 

windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md

@@ -0,0 +1,40 @@
+---
+title: 
+description: 
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+msft.author: iawilt
+---
+
+
+
+# Evaluate Windows Defender Exploit Guard
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
+
+You can use Windows Defender EG to:
+
+- Apply exploit mitigation techniques to apps your organization uses, both individually and to all apps, with [exploit protection](exploit-protection-exploit-guard.md)
+- Reduce the attack surface that exploits can leverage, by utlizing rules that go beyond standard host-intrusion prevention systems (HIPS) with [attack surface reduction rules](attack-surface-reduction-exploit.guard.md)
+- Extend the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity outside of the browser with [network protection](network-protection-exploit-guard.md)
+- Protect files in key system folders from changes made by malicious and suspicious apps with [controlled folder access](controlled-folders-exploit-guard.md)
+
+There are a few ways you can get started evaluating Windows Defender EG to see how it works and how it could help protect your network. This topic brings together the evaluation topics for each of the four features in Windows Defender EG.
+
+

windows/threat-protection/windows-defender-exploit-guard/scripts/cfa-events.xml

@@ -0,0 +1 @@
+<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled folder access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>

windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md

@@ -40,33 +40,33 @@ Evaluate Windows Defender EG with our evaluation and set-up guide, which provide
 
 You can also [enable audit mode](audit-mode-exploit-guard.md) for Windows Defender EG, which provides with reporting and event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
 
-Windows Defender EG is a component of the new Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. Other components of Windows Defender Advanced Threat Protection include:
- - [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
+Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
+- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
 - [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
- - [Windows Defender SmartScreen]
- - [Windows Defender Device Guard]
- - [Windows Defender Application Control]
+- [Windows Defender SmartScreen]
+- [Windows Defender Device Guard]
+- [Windows Defender Application Control]
 
- Each of the features in Windows Defender EG have slightly different requirements:
+Each of the features in Windows Defender EG have slightly different requirements:
 
- Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license 
- -|-|-|-
- Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
- Attack surface reduction | 16232 | Must be enabled | Required
- Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
- Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
+Feature | Minimum Windows 10 Insider Preview build | Windows Defender Antivirus | Windows Defender Advanced Threat Protection license 
+-|-|-|-
+Exploit protection | 16232 | No requirement | Required for reporting in the Windows Defender ATP console
+Attack surface reduction | 16232 | Must be enabled | Required
+Network protection | not released | Must be enabled | Required for reporting in the Windows Defender ATP console
+Controlled folder access | 16232 | Must be enabled | Required for reporting in the Windows Defender ATP console
 
 > [!NOTE]
 > Each feature's requirements are further described in the individual topics in this library.
 
- The way in which the features can be managed, configured, and reported on also varies:
+The way in which the features can be managed, configured, and reported on also varies:
 
-  Feature | Configuration available with | Reporting available with
- -|-|-
- Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center  | Windows Event logs
- Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center  | x
- Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center  | x
- Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center  | x
+ Feature | Configuration available with | Reporting available with
+-|-|-
+Exploit protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, PowerShell, Windows Defender Security Center  | Windows Event logs
+Attack surface reduction | Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center  | 
+Network protection | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center  | 
+Controlled folder access | System Center Configuration Manager, Group Policy, Microsoft Intune, Mobile device management policies, Windows Defender Security Center  | 
 
 
  ## In this library