deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Corrected ASR rules.

Browse Source
This commit is contained in:
Andrea Bichsel (Aquent LLC)
2018-10-17 19:38:24 +00:00
parent 46c6d7ae13
commit ade3a129d7
1 changed files with 1 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -56,7 +56,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
The rules apply to the following Office apps: The rules apply to the following Office apps:
@ -120,8 +120,6 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
This rule prevents scripts that appear to be obfuscated from running. This rule prevents scripts that appear to be obfuscated from running.
It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
### Rule: Block Win32 API calls from Office macro ### Rule: Block Win32 API calls from Office macro
Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.