mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-18 00:07:23 +00:00
Merge pull request #8596 from kurtsarens/patch-26
Update enable-exploit-protection.md
This commit is contained in:
Denise Vangel-MSFT
GitHub
commit
b9141d17ba
@ -10,7 +10,7 @@ ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
author: denisebmsft
|
||||
ms.author: deniseb
|
||||
ms.reviewer:
|
||||
ms.reviewer: ksarens
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
@ -54,8 +54,8 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
|
||||
3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
|
||||
- If the app you want to configure is already listed, click it and then click **Edit**.
|
||||
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
|
||||
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
|
||||
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
|
||||
|
||||
@ -70,12 +70,12 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
|
||||
|
||||
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
|
||||
|
||||
Enabled in **Program settings** | Enabled in **System settings** | Behavior
|
||||
-|-|-
|
||||
[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
|
||||
[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
|
||||
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
|
||||
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
|
||||
|Enabled in **Program settings** | Enabled in **System settings** | Behavior |
|
||||
|:---|:---|:---|
|
||||
|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** |
|
||||
|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** |
|
||||
|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** |
|
||||
|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option |
|
||||
|
||||
### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
|
||||
|
||||
@ -98,8 +98,8 @@ The result will be that DEP will be enabled for *test.exe*. DEP will not be enab
|
||||
3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
|
||||
- If the app you want to configure is already listed, click it and then click **Edit**.
|
||||
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/>
|
||||
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
|
||||
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
|
||||
|
||||
@ -209,41 +209,41 @@ Set-Processmitigation -Name test.exe -Remove -Disable DEP
|
||||
|
||||
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
|
||||
|
||||
Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
|
||||
- | - | - | -
|
||||
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
|
||||
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
|
||||
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
|
||||
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
|
||||
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
|
||||
Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
|
||||
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
|
||||
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
|
||||
Block remote images | App-level only | BlockRemoteImages | Audit not available
|
||||
Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
|
||||
Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
|
||||
Disable extension points | App-level only | ExtensionPoint | Audit not available
|
||||
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
|
||||
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
|
||||
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available
|
||||
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
|
||||
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
|
||||
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available
|
||||
Validate handle usage | App-level only | StrictHandle | Audit not available
|
||||
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
|
||||
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
|
||||
|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
|
||||
|:---|:---|:---|:---|
|
||||
|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available |
|
||||
|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available |
|
||||
|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available |
|
||||
|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
|
||||
|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
|
||||
|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
|
||||
|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
|
||||
|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
|
||||
|Block remote images | App-level only | BlockRemoteImages | Audit not available
|
||||
|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
|
||||
|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
|
||||
|Disable extension points | App-level only | ExtensionPoint | Audit not available
|
||||
|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
|
||||
|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
|
||||
|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||
||Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||
|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||
|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||
|Validate handle usage | App-level only | StrictHandle | Audit not available |
|
||||
|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available |
|
||||
|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available<a href="#r2" id="t2">\[2\]</a> |
|
||||
|
||||
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
|
||||
|
||||
```PowerShell
|
||||
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
|
||||
```
|
||||
|
||||
<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets.
|
||||
## Customize the notification
|
||||
|
||||
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
|
||||
|
||||
## Related topics
|
||||
## See also
|
||||
|
||||
* [Evaluate exploit protection](evaluate-exploit-protection.md)
|
||||
* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user