deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update exploit-protection-reference.md

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2021-01-06 18:23:39 -08:00
parent 77e3493391
commit c299ce4d75
1 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md
View File

@ -324,7 +324,7 @@ This includes:
### Compatibility considerations ### Compatibility considerations
Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application. Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application.
### Configuration options ### Configuration options
@ -341,7 +341,7 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com
### Compatibility considerations ### Compatibility considerations
This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.
### Configuration options ### Configuration options
@ -379,18 +379,18 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo
### Configuration options ### Configuration options
**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules: **Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for other commonly attacked modules:
- mshtml.dll - `mshtml.dll`
- flash*.ocx - `flash*.ocx`
- jscript*.ocx - `jscript*.ocx`
- vbscript.dll - `vbscript.dll`
- vgx.dll - `vgx.dll`
- mozjs.dll - `mozjs.dll`
- xul.dll - `xul.dll`
- acrord32.dll - `acrord32.dll`
- acrofx32.dll - `acrofx32.dll`
- acroform.api - `acroform.api`
Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory.