diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 320ea854bf..d02a1ec13a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -64,10 +64,10 @@ Rule name | GUIDs Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B ### Rule: Block executable content from email client and webmail 
@@ -94,7 +94,7 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. -### Rule: Block Office applications from injecting into other processes +### Rule: Block Office applications from injecting code into other processes Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. @@ -103,7 +103,7 @@ This is typically used by malware to run malicious code in an attempt to hide th -### Rule: Impede JavaScript and VBScript to launch executables +### Rule: Block JavaScript ok VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. @@ -119,7 +119,11 @@ This rule prevents scripts that appear to be obfuscated from running. It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them. +### Rule: Block Win32 API calls from Office macro +Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. + +This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs.
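Review bot: in the first hunk (the rule table at @@ -64,10), the renamed entry "Block Win32 API calls from Office macro" reads as a singular where every other rule name in the table uses the plural ("Office applications", "scripts"); suggest "Block Win32 API calls from Office macros", and apply the same wording to the matching heading added later in this patch so the table and section title stay identical.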
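Review bot: the renamed heading in the third hunk (@@ -103,7) contains a typo and a capitalization slip: "+### Rule: Block JavaScript ok VBScript From launching downloaded executable content" should read "### Rule: Block JavaScript or VBScript from launching downloaded executable content", which is the exact string the first hunk puts in the rule table for GUID D3E037E1-3EB8-44C8-A917-57927947596D. As written, readers searching the page for the table's rule name will not find the section.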
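Review bot: the new section in the last hunk (@@ -119,7) describes a different scope from its own title. The heading says the rule blocks "Win32 API calls from Office macro", but the body says "This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs", i.e. blocking the file rather than the call; please state which it is (blocking the file at open time, or blocking the macro's Win32 import/API call when it executes), since admins reading this page will use it to predict what users see. Also "to allow further infection throughout the system" is vague; say what the API calls are used for (for example, downloading or launching additional payloads) only if that is the documented behavior, otherwise drop the clause. Finally, match the heading to the table entry's plural form ("Office macros") so the two stay in sync.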