deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Removed mention of EG eval package.

Browse Source
This commit is contained in:
Andrea Bichsel
2019-01-28 10:41:52 -08:00
parent f8563c8c07
commit bb08591be6
1 changed files with 1 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -67,11 +67,10 @@ The rules apply to the following Office apps:
- Microsoft PowerPoint
- Microsoft OneNote
Except where specified, the rules do not apply to any other Office apps.
Except where specified, ASR rules do not apply to any other Office apps.
### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
- Executable files (such as .exe, .dll, or .scr)
@ -164,38 +163,6 @@ This is a typical malware behavior, especially for macro-based attacks that atte
This rule blocks Adobe Reader from creating child processes.
## Review attack surface reduction rule events in Windows Event Viewer
You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
![Animation showing the import custom view on the Event viewer window](images/events-import.gif)
4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. Click **OK**.
6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
### Event fields
- **ID**: matches with the Rule-ID that triggered the block/audit.
- **Detection time**: Time of detection
- **Process Name**: The process that performed the "operation" that was blocked/audited
- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
## Related topics
Topic | Description