From b829576491a039eba086ceae3360dd07ebf2d8e3 Mon Sep 17 00:00:00 2001
From: Iaan D'Souza-Wiltshire <iaan.wiltshire@microsoft.com>
Date: Thu, 9 Nov 2017 12:52:52 -0800
Subject: [PATCH] updates to ASR exclusions to indicate which rules can't use
 them

---
 .../attack-surface-reduction-exploit-guard.md |  5 ++--
 .../customize-attack-surface-reduction.md     | 30 +++++++++++++++++--
 .../enable-attack-surface-reduction.md        |  6 ++--
 .../images/svg/check-no.svg                   |  7 +++++
 .../images/svg/check-yes.svg                  |  7 +++++
 5 files changed, 48 insertions(+), 7 deletions(-)
 create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
 create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg

diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 5173d88d30..7aed2de7ad 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -64,7 +64,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
 
 The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
 
-Rule name | GUIDs 
+Rule name | GUID
 -|-
 Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
@@ -93,7 +93,8 @@ This rule blocks the following file types from being run or launched from an ema
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 - Script archive files
 
-
+>[!IMPORTANT]
+>Exclusions do not apply to this rule.
 
 ### Rule: Block Office applications from creating child processes
 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index e68c054cde..da4006d74f 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -43,9 +43,35 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
 
 ## Exclude files and folders
 
-You can exclude files and folders from being evaluated by Attack surface reduction rules. 
+You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running. 
+
+This could potentially allow unsafe files to run and infect your devices.
+
+>[!WARNING]
+>Excluding files or folders can severly reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
+> 
+>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
+
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
+
+Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
+
+>[!IMPORTANT] 
+>Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). 
+
+
+Rule description | Rule honors exclusions | GUID 
+-|-
+Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block Office applications from creating child processes | ![Check mark yes](images/svg/check-yes.svg) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block execution of potentially obfuscated scripts | ![Check mark yes](images/svg/check-yes.svg) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 imports from Macro code in Office | ![Check mark yes](images/svg/check-yes.svg) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block Office applications from creating executable content | ![Check mark no](images/svg/check-no.svg) | 3B576869-A4EC-4529-8536-B80A7769E899
+Block Office applications from injecting into other processes | ![Check mark no](images/svg/check-no.svg) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Impede JavaScript and VBScript to launch executables | ![Check mark no](images/svg/check-no.svg) | D3E037E1-3EB8-44C8-A917-57927947596D
+
+See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
 
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
 
 ### Use Group Policy to exclude files and folders
 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index e4853782de..7c56eff7bf 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -50,7 +50,7 @@ Attack surface reduction rules are identified by their unique rule ID.
 
 You can manually add the rules by using the GUIDs in the following table:
 
-Rule description | GUIDs 
+Rule description | GUID
 -|-
 Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
@@ -62,7 +62,7 @@ Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DD
 
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
 
-### Use Group Policy to enable Attack surface reduction rules
+### Use Group Policy to enable or audit Attack surface reduction rules
 
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -84,7 +84,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
 
         
 
- ### Use PowerShell to enable Attack surface reduction rules
+ ### Use PowerShell to enable or audit Attack surface reduction rules
 
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
new file mode 100644
index 0000000000..89a87afa8b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
@@ -0,0 +1,7 @@
+<svg width="15px" height="15px" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
+    <title>Check mark no</title>
+    <polygon 
+        fill='#d83b01' 
+        points='95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2'
+     />
+</svg>
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg
new file mode 100644
index 0000000000..483ff5fefc
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg
@@ -0,0 +1,7 @@
+<svg width="15px" height="15px" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
+    <title>Check mark yes</title>
+    <path
+        fill='#0E8915' 
+        d='M129 20L55 94 21 60 10 71l45 45 85-85z'
+    />
+</svg>
\ No newline at end of file