Merge pull request #8990 from amirsc3/patch-46

Update attack-surface-reduction.md
Denise Vangel-MSFT 2021-01-20 16:36:59 -08:00 committed by GitHub
commit a5728c9130
GPG Key ID: 4AEE18F83AFDEB23

@ -14,7 +14,7 @@ ms.author: deniseb
ms.reviewer: sugamar, jcedola ms.reviewer: sugamar, jcedola
manager: dansimp manager: dansimp
ms.custom: asr ms.custom: asr
ms.date: 01/08/2021 ms.date: 01/20/2021
--- ---
# Use attack surface reduction rules to prevent malware infection # Use attack surface reduction rules to prevent malware infection
@ -24,7 +24,7 @@ ms.date: 01/08/2021
**Applies to:** **Applies to:**
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
## Why attack surface reduction rules are important ## Why attack surface reduction rules are important
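Review bot: the `*` to `-` bullet change under **Applies to:** brings this single-item list in line with the `-` list style used everywhere else in the file (the Warn mode version list and the See also list), so the markdown is now consistent; no further change needed in this hunk.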
@ -63,8 +63,10 @@ Warn mode helps your organization have attack surface reduction rules in place w
Warn mode is supported on devices running the following versions of Windows: Warn mode is supported on devices running the following versions of Windows:
- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later
- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later
Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
- Minimum platform release requirement: `4.18.2008.9` - Minimum platform release requirement: `4.18.2008.9`
- Minimum engine release requirement: `1.1.17400.5` - Minimum engine release requirement: `1.1.17400.5`
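Review bot: the new requirement sentence ("Microsoft Defender Antivirus must be running with real-time protection in Active mode") states the constraint but not its consequence, and the hunk header (`-63,8 +63,10`) counts two added lines while only one visible line is new, so the second is presumably a blank separator. Since this sentence is the only place the page tells a reader why the antivirus state matters for Warn mode, consider adding one clause pointing out that the linked compatibility table is where the features unavailable in other states are listed, so the reader does not have to follow the link to learn that the rule set depends on it. The trailing period added to "...updates are installed." fixes the sentence that the two minimum-version bullets hang off; good.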
@ -124,13 +126,9 @@ DeviceEvents
You can review the Windows event log to view events generated by attack surface reduction rules: You can review the Windows event log to view events generated by attack surface reduction rules:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.
3. Under **Actions**, select **Import custom view...**. 3. Under **Actions**, select **Import custom view...**.
4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
5. Select **OK**. 5. Select **OK**.
You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access:
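Review bot: the hunk header (`-124,13 +126,9`) removes four lines, yet every visible line is identical on both sides, so the removals are presumably blank lines only; while this block is being touched, its context lines contradict each other: the intro says the custom view shows "events generated by attack surface reduction rules", but step 1 imports *cfa-events.xml* and the closing sentence says the filtered events are "all of which are related to controlled folder access". Suggest pointing step 1 and the closing sentence at the attack surface reduction events view (or at the correct section of the linked event-views.md) rather than the controlled folder access one. Minor: step 2, "Enter the words, *Event Viewer*, into the Start menu", has a stray comma before *Event Viewer*.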
@ -463,9 +461,6 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
## See also ## See also
- [Attack surface reduction FAQ](attack-surface-reduction-faq.md) - [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) - [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)