From a8f869749b47abae45adbce4b57ea2a267b3c570 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 12:18:20 +0200 Subject: [PATCH 01/10] Update attack-surface-reduction.md Added note to avoid customer questions and support cases on ASR running in passive mode (which can't work) --- .../microsoft-defender-atp/attack-surface-reduction.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index c0c77ae782..8d36dbefc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -63,6 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later +- Microsoft Defender antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From a5401ac9b5dd57fc5035d576a6932cf5be74c753 Mon Sep 17 00:00:00 2001 
From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 14:42:24 +0200 Subject: [PATCH 02/10] Update attack-surface-reduction.md Removed en-us to not break localization --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 8d36dbefc9..49da59cd29 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -63,7 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -- Microsoft Defender antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +- Microsoft Defender antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From ee27514dbf3fc1cd9c4503cda2356959f8a774b9 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 14:48:31 +0200 Subject: [PATCH 03/10] Update attack-surface-reduction.md changed to Antivirus with capital A --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 49da59cd29..bd4aac0ddc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -63,7 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -- Microsoft Defender antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +- Microsoft Defender Antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From 75cafe24fec496d12d4e8caf0bb986df565d1a0f Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 14:53:56 +0200 Subject: [PATCH 04/10] Update attack-surface-reduction.md minor change to note to make it more logical as we are describing 'supported on devices running the following versions of Windows' --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index bd4aac0ddc..02d23be40a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -63,7 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -- Microsoft Defender Antivirus with Real-time protection running in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From ad1767c4ef0e5ab96d9d1f71b5e242cc673041b3 Mon Sep 17 00:00:00 2001 
From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 14:54:54 +0200 Subject: [PATCH 05/10] Update attack-surface-reduction.md missing - --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 02d23be40a..70e2fcf02b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -63,7 +63,7 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +- Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From 2ec659de3431aa0f79af1eefcf05905205f6fe74 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 15:04:34 +0200 Subject: [PATCH 06/10] Update attack-surface-reduction.md remove '-' and lowered one line to avoid coloring in purple --- .../microsoft-defender-atp/attack-surface-reduction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 70e2fcf02b..1378e9274d 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -63,7 +63,8 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -- Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) + +Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From ac57c10f4fbc62cc000c46bfd6ad9a4e5e28ec5a Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 20:06:19 +0200 Subject: [PATCH 07/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 1378e9274d..febb1d419b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -64,7 +64,7 @@ Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state) +Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed - Minimum platform release requirement: `4.18.2008.9` From 0728cd56c66fca2f393a26fca18a1cfc27ef6fc7 Mon Sep 17 00:00:00 2001 
From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Wed, 20 Jan 2021 20:06:39 +0200 Subject: [PATCH 08/10] Update windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index febb1d419b..52f0a3ddf6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -66,7 +66,7 @@ Warn mode is supported on devices running the following versions of Windows: Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). -In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed. - Minimum platform release requirement: `4.18.2008.9` - Minimum engine release requirement: `1.1.17400.5` From 5ed21322d0b66b4c73b15eaf3e3104299d645813 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:33:35 -0800 Subject: [PATCH 09/10] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 52f0a3ddf6..72473b65c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -14,7 +14,7 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 01/08/2021 +ms.date: 01/20/2021 --- # Use attack surface reduction rules to prevent malware infection @@ -24,7 +24,7 @@ ms.date: 01/08/2021 **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Why attack surface reduction rules are important From 2650f302b61b16b5037656a2360d00a652c7e20c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:35:51 -0800 Subject: [PATCH 10/10] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 72473b65c6..cf10e80626 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -64,7 +64,7 @@ Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later -Note that Microsoft Defender Antivirus must be running with Real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). +Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed. - Minimum platform release requirement: `4.18.2008.9` @@ -126,13 +126,9 @@ DeviceEvents You can review the Windows event log to view events generated by attack surface reduction rules: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. - 3. Under **Actions**, select **Import custom view...**. - 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). - 5. Select **OK**. You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: 
@@ -465,9 +461,6 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` ## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) - - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - - [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
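Review bot: In PATCH 01/10 (hunk `@@ -63,6 +63,7 @@`), the added bullet is appended to the list introduced by "Warn mode is supported on devices running the following versions of Windows", but a Microsoft Defender Antivirus state is not a Windows version, and its link hard-codes the `en-us` locale. PATCH 02/10 through 08/10 each correct one piece of this same line or the sentence after it (locale, capitalisation, bullet versus paragraph, trailing periods). Squashing them into 01/10 would leave one change that adds the final paragraph form directly and is easier to review.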
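Review bot: In PATCH 10/10 (hunk `@@ -64,7 +64,7 @@`), the reworded sentence states the Active mode requirement but not what happens when it is not met, and it sits directly under the warn mode version list, so it reads as a prerequisite for warn mode only. The PATCH 01/10 message gives the motivation as ASR running in passive mode, "which can't work". Consider saying that explicitly in the sentence, and if the requirement applies to attack surface reduction rules in every mode, moving it out of the warn mode section to where the general requirements are listed.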
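Review bot: In PATCH 10/10 (hunk `@@ -126,13 +126,9 @@`), the trailing context line says the custom view shows events "all of which are related to controlled folder access", and step 1 imports *cfa-events.xml*, while the introducing line says the events are "generated by attack surface reduction rules". Since this hunk already touches the numbered list, it is worth confirming which view file and which event description belong in this article and correcting the mismatch in the same change, so readers do not import a view that filters for a different feature's events.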