From cbf9fa503667e7e718f929b9f7f255cbcd8350bf Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 14:54:28 -0700 Subject: [PATCH 1/3] added caveat about excluded apps --- .../customize-attack-surface-reduction.md | 16 +++++++--------- ...customize-controlled-folders-exploit-guard.md | 9 +++++---- .../enable-attack-surface-reduction.md | 4 ++-- .../enable-controlled-folders-exploit-guard.md | 6 +++--- 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 6dbb17c57d..fe9741366e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/08/2019 +ms.date: 05/13/2019 --- # Customize attack surface reduction rules @@ -31,20 +31,18 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. - -This could potentially allow unsafe files to run and infect your devices. +You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. >[!WARNING] ->Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -> ->If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). +>This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. +An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. + +An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). -Exclusions apply to all attack surface reduction rules. Rule description | GUID -|:-:|- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index bf18867655..deed0e6c2e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/07/2019 +ms.date: 05/13/2019 --- # Customize controlled folder access @@ -89,13 +89,14 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. >[!IMPORTANT] ->By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. +>By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. >You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. -You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders. - When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. +An allowed application or service only has write access to a controlled flder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. + + ### Use the Windows Defender Security app to allow specific apps 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 1a68651c4f..3b305feed9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/29/2019 +ms.date: 05/13/2019 --- # Enable attack surface reduction rules @@ -51,7 +51,7 @@ You can exclude files and folders from being evaluated by most attack surface re >- Block process creations originating from PSExec and WMI commands >- Block JavaScript or VBScript from launching downloaded executable content -You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. +You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index d761ebfc85..f6e6986c98 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/29/2019 +ms.date: 05/13/2019 --- # Enable controlled folder access @@ -61,7 +61,7 @@ For more information about disabling local list merging, see [Prevent or allow u 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. + >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. @@ -76,7 +76,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt 1. Enter a name and a description, click **Controlled folder access**, and click **Next**. 1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. + >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 1. Review the settings and click **Next** to create the policy. 1. After the policy is created, click **Close**. From ddddfbbf4d4a8080cdf8e9cb625dd020253d2917 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 15:16:26 -0700 Subject: [PATCH 2/3] edits --- .../customize-attack-surface-reduction.md | 4 ++-- .../customize-controlled-folders-exploit-guard.md | 6 +++--- .../enable-attack-surface-reduction.md | 4 ++-- .../enable-controlled-folders-exploit-guard.md | 4 ++-- .../enable-exploit-protection.md | 2 +- .../enable-network-protection.md | 3 ++- 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index fe9741366e..20e1ca5eda 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -74,9 +74,9 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to 4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -### Use PowerShell to exclude files and folderss +### Use PowerShell to exclude files and folders -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index deed0e6c2e..28a78453b2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -94,7 +94,7 @@ You can specify if certain apps should always be considered safe and given write When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. -An allowed application or service only has write access to a controlled flder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. +An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. ### Use the Windows Defender Security app to allow specific apps @@ -107,7 +107,7 @@ An allowed application or service only has write access to a controlled flder af 4. Click **Add an allowed app** and follow the prompts to add apps. - ![Screenshot of the add an allowed app button](images/cfa-allow-app.png) + ![Screenshot of how to add an allowed app button](images/cfa-allow-app.png) ### Use Group Policy to allow specific apps @@ -121,7 +121,7 @@ An allowed application or service only has write access to a controlled flder af ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 3b305feed9..57d6a0abd8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -26,7 +26,7 @@ Each ASR rule contains three settings: To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. -You can enable attack surface reduction rules by using any of the these methods: +You can enable attack surface reduction rules by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) @@ -131,7 +131,7 @@ Value: c:\path|e:\path|c:\Whitelisted.exe >[!WARNING] >If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index f6e6986c98..0f4dcde83d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 05/13/2019 [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. -You can enable controlled folder access by using any of the these methods: +You can enable controlled folder access by using any of these methods: - [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune) @@ -100,7 +100,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 58cb4ad00c..56932bf8a1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -26,7 +26,7 @@ Many features from the Enhanced Mitigation Experience Toolkit (EMET) are include You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. -You can enable each mitigation separately by using any of the these methods: +You can enable each mitigation separately by using any of these methods: - [Windows Security app](#windows-security-app) - [Microsoft Intune](#intune) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 8df4d37da6..75c4d76f00 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -22,7 +22,8 @@ ms.date: 04/22/2019 [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. -You can enable network protection by using any of the these methods: + +You can enable network protection by using any of these methods: - [Microsoft Intune](#intune) - [Mobile Device Management (MDM)](#mdm) From 4a8b2dc1f690a7f0edfce207b4608dd30d5de124 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 13 May 2019 15:17:29 -0700 Subject: [PATCH 3/3] edits --- .../enable-network-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 75c4d76f00..a3cad38060 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/22/2019 +ms.date: 05/13/2019 --- # Enable network protection @@ -88,7 +88,7 @@ You can confirm network protection is enabled on a local computer by using Regis ## PowerShell -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```