From 2044a5b1683658a6af75a8e725c4d95445b38263 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 8 Oct 2019 14:18:48 -0700 Subject: [PATCH 1/4] Update language and links --- .../attack-surface-reduction.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index c630ee1d51..9f5e6bd8d2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/07/2019 ms.reviewer: manager: dansimp --- 
@@ -28,7 +27,7 @@ manager: dansimp Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: 
@@ -42,11 +41,11 @@ Triggered rules display a notification on the device. You can [customize the not For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -## Review attack surface reduction events in the Microsoft Security Center +## Review attack surface reduction events in the Microsoft Defender Security Center Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. +You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. Here is an example query: 
@@ -228,7 +227,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. > [!NOTE] -> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 @@ -329,4 +328,4 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b * [Enable attack surface reduction rules](enable-attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility) +* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility) From 8bed0d93a7b036ba3c6f94c1a155643dbcf2dac1 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 8 Oct 2019 14:32:26 -0700 Subject: [PATCH 2/4] update keywords and spelling --- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 9f5e6bd8d2..7739216489 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -1,7 +1,7 @@ --- title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware -keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +keywords: Attack surface reduction, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -27,7 +27,7 @@ manager: dansimp Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. -To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From 4d81e00ca4606b55a853f07928914929134a3289 Mon Sep 17 00:00:00 2001 
From: Beth Levin Date: Tue, 8 Oct 2019 14:42:08 -0700 Subject: [PATCH 3/4] update links --- .../microsoft-defender-atp/attack-surface-reduction.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 7739216489..0f46201ee1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -207,7 +207,7 @@ This rule blocks the following file types from launching unless they either meet * Executable files (such as .exe, .dll, or .scr) > [!NOTE] -> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. > [!IMPORTANT] > The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. 
@@ -227,7 +227,7 @@ GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list. > [!NOTE] -> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule. This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 @@ -328,4 +328,4 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b * [Enable attack surface reduction rules](enable-attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility) +* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) From 9f1b3c2a1630f7613c060957ec20170c1c7e1dc4 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 8 Oct 2019 15:00:35 -0700 Subject: [PATCH 4/4] revise text --- .../microsoft-defender-atp/attack-surface-reduction.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 0f46201ee1..a858f74cac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -1,7 +1,7 @@ --- title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware -keywords: Attack surface reduction, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, +keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -27,7 +27,7 @@ manager: dansimp Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019. -To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use Event Viewer to review attack surface reduction rule events. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: 
@@ -45,7 +45,7 @@ For information about configuring attack surface reduction rules, see [Enable at Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment. +You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query:
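
Review bot: In PATCH 1/4, the front-matter hunk (`@@ -12,7 +12,6 @@`) deletes `ms.date: 05/07/2019`, which the subject "Update language and links" does not cover. If the field is being dropped on purpose, say so in the commit message; otherwise update the value instead of removing the line.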
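
Review bot: In PATCH 1/4, the licensing paragraph (`@@ -28,7 +27,7 @@`) is ambiguous about which license unlocks what. The added line says "To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license" and then attributes the advanced management capabilities to E5. State separately what the Enterprise license provides and what E5 adds on top. The same added line also introduces the mixed capitalization "Microsoft 365 security Center", which is only corrected in PATCH 2/4; fold that fix into this patch.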
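
Review bot: In PATCH 1/4, the Advanced hunting sentence rewritten in hunk `@@ -42,11 +41,11 @@` still ends with "to see how controlled folder access settings could affect your environment", which names a different feature on a page about attack surface reduction rules. The line is already being touched for the link change, so correct the feature name here rather than in PATCH 4/4. The renamed heading now says "Microsoft Defender Security Center" while the licensing paragraph refers to the "Microsoft 365 security center"; please confirm each sentence names the portal it actually means.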
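
Review bot: In PATCH 1/4, the two relative links added in hunks `@@ -228,7 +227,7 @@` and `@@ -329,4 +328,4 @@` have no `.md` extension (`../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus` and `../windows-defender-antivirus/windows-defender-antivirus-compatibility`), unlike the other relative links in the same patch such as `advanced-hunting.md`. Add the extension here instead of in PATCH 3/4, and convert the identical cloud-delivered protection link in the note near line 207 in the same commit so both notes change together.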
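
Review bot: In PATCH 2/4, the added `keywords:` line in hunk `@@ -1,7 +1,7 @@` ends with a stray trailing comma ("infection prevention,"), which is only removed in PATCH 4/4. Drop the comma in this patch so the front matter is clean at every commit in the series.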
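
Review bot: In PATCH 4/4, the licensing hunk (`@@ -27,7 +27,7 @@`) removes the clause "or with Windows 10 Enterprise without subscription", so the paragraph no longer says whether that license gets the advanced capabilities, and the subject "revise text" gives no reason. Keep the clause or explain the omission in the commit message. The rewrite also drops the stated purpose of the Event Viewer events ("to help facilitate deployment"); consider keeping a short phrase so admins without E5 know the events are how they assess rule impact.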